You are on page 1of 101

2007 CISA Review Course

Chapter 4

IT Service Delivery and Support

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 1
Process Area Overview
4.1 Information Systems Operations
4.1.1 Management of IS Operations
4.1.2 IT Service Management
4.1.3 Infrastructure Operations
4.1.4 Monitoring Use of Resources
4.1.5 Support / Help Desk
4.1.6 Change Management Process
4.1.7 Program Library Management Systems
4.1.8 Library Control Software
4.1.9 Release Management
4.1.10 Quality Assurance
4.1.11 Information Security Management

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 2
Process Area Overview
4.2 Information Systems Hardware
4.2.1 Computer Hardware Components and Architecture
4.2.2 Hardware Maintenance Program
4.2.3 Hardware Monitoring Preocedures
4.2.4 Capacity Management

4.3 IS Architecture and Software


4.3.1 Operating Systems
4.3.2 Access Control Software
4.3.3 Data Communications Software
4.3.4 Data Management
4.3.5 Database Management System
4.3.6 Tape and Disk Management Systems

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 3
Process Area Overview
4.3.7 Utility Programs
4.3.8 Software Licensing Issues

4.4 IS Network Infrastructure


4.4.1 Enterprise Network Architectures
4.4.2 Type of Networks
4.4.3 Network Services
4.4.4 Network Standards and Protocols
4.4.5 OSI Architecture
4.4.6 Application of the OSI Model in Network Architectures

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 4
Process Area Overview
4.5 Auditing Infrastructure and Operations
4.5.1 Hardware Reviews
4.5.2 Operating System Reviews
4.5.3 Database Reviews
4.5.4 Network Infrastructure and Implementation Reviews
4.5.5 Network Operating Control Reviews
4.5.6 IS Operations Reviews
4.5.7 Lights-out Operations
4.5.8 Problem Management Reporting Reviews
4.5.9 Hardware Availability and Utilization Reporting Reviews
4.5.10 Scheduling Reviews

4.6 Chapter 4 Case Study


4.6.1 Case Study Scenario
4.6.2 Case Study Questions

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 5
Chapter Objective
The objective of this area is to ensure that the
CISA candidate understands and can provide
assurance that the IT service management
practices will ensure the delivery of the level of
services required to meet the organizations
objectives.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 6
Chapter Summary

According to the CISA Certification

Board, this area represents 14 % of the

CISA examination

(approximately 28 questions).

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 7
4.1 Information
Systems Operations

4.1.1 Management of IS Operations


Control functions

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 8
4.1 Information
Systems Operations

4.1.2 IT Service Management


Service level
Abnormal job termination reports
Operator problem reports
Output distribution reports
Console logs
Operator work schedules

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 9
4.1 Information
Systems Operations

4.1.2 IT Service Management (cont.)


Service level
Abnormal job termination reports
Operator problem reports
Output distribution reports
Console logs
Operator work schedules

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 10
4.1 Information
Systems Operations

4.1.3 Infrastructure Operations

Lights-out Operations (Automated Unattended


Operations)
Input / output control function
Job accounting
Scheduling
Job Scheduling Software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 11
4.1 Information
Systems Operations

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended


Operations)

Input / output control function

Job accounting

Scheduling

Job Scheduling Software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 12
4.1 Information
Systems Operations

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended


Operations)

Input / output control function

Job accounting

Scheduling

Job Scheduling Software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 13
4.1 Information
Systems Operations

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended


Operations)

Input / output control function

Job accounting

Scheduling

Job Scheduling Software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 14
4.1 Information
Systems Operations

4.1.3 Infrastructure Operations (cont.)

Lights-out Operations (Automated Unattended


Operations)

Input / output control function

Job accounting

Scheduling

Job Scheduling Software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 15
4.1 Information
Systems Operations

4.1.4 Monitoring use of Resources

Process of Incident Handling


Problem Management
Detection, Documentation, Control, Resolution and
Reporting of Abnormal Conditions

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 16
4.1 Information
Systems Operations

4.1.4 Monitoring use of Resources (cont.)

Process of Incident Handling


Problem Management
Detection, Documentation, Control, Resolution and
Reporting of Abnormal Conditions

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 17
4.1 Information
Systems Operations

4.1.5 Support/Help Desk


Prioritize the issues, and forward them to the
appropriate managers, accordingly
Follow up on unresolved problems.

Close out resolved problems, noting proper


authorization to close out the problem by the
user.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 18
4.1 Information
Systems Operations

4.1.6 Change Management Process


System, operations and program documentation
Job preparation, scheduling and operating
instructions
System and program test
Data file conversion.
System conversion

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 19
4.1 Information
Systems Operations

4.1.7 Program Library Management


Systems
Integrity
Update
Reporting
Interface

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 20
4.1 Information
Systems Operations

4.1.8 Library Control Software

Executable and source code integrity;


each production executable module should have
one corresponding source module
Source code comparison; is an effective
and easy-to-use method for tracing changes to
programs.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 21
4.1 Information
Systems Operations

4.1.8 Library Control Software (cont.)

Executable and source code integrity;


each production executable module should have
one corresponding source module
Source code comparison; is an effective
and easy-to-use method for tracing changes to
programs.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 22
4.1 Information
Systems Operations

4.1.9 Release Management

Major releases
Minor software releases
Emergency software fixes

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 23
4.1 Information
Systems Operations

4.1.10 Quality Assurance

Verify that system changes are authorized,


tested and implemented in a controlled manner
prior to being introduced into the production
environment.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 24
4.1 Information
Systems Operations

4.1.11 Information Security


Management
Performing risk assessments on information assets
Performing business impact analyses
Conducting security assessments on a regular basis
Implementing a formal vulnerability management
process

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 25
Chapter 4 Question 1

When reviewing a service level agreement for an outsourced


computer center an IS auditor should FIRST determine that:

A. the cost proposed for the services is reasonable.


B. security mechanisms are specified in the agreement.
C. the services in the agreement are based on an analysis of
business needs.
D. audit access to the computer center is allowed under the
agreement.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 26
Chapter 4 Question 2

Which of the following is the MOST effective method for an


IS auditor to use in testing the program change management
process?

A. Trace from system generated information to the change


management documentation.
B. Examine change management documentation for
evidence of accuracy.
C. Trace from the change management documentation to a
system generated audit trail.
D. Examine change management documentation for
evidence of completeness.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 27
Chapter 4 Question 3

A universitys IT department and financial services office (FSO)


have an existing service level agreement that requires availability
during each month to exceed 98 percent. FSO has analyzed
availability and noted that it has exceeded 98 percent for each of
the last 12 months, but has averaged only 93 percent during
month-end closing. Which of the following options BEST reflects
the course of action FSO should take?

A. Renegotiate the agreement.


B. Inform IT that it is not meeting the required availability standard.
C. Acquire additional computing resources.
D. Streamline the month-end closing process.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 28
4.2 Information
Systems Hardware

4.2.1 Computer Hardware Components

and Architectures
Processing Components
Input/Output Components
Types of Computers

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 29
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components and
Architectures
Types of Computers (cont.)
Supercomputers
Large (mainframes)
Midrange computer
Microcomputer (personal computers, PC
Notebook / laptop computers
Personal digital assistant (PDA)

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 30
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components and
Architectures
Types of Computers (cont.)
Supercomputers

Large (mainframes)
Midrange computer
Microcomputer (personal computers, PC
Notebook / laptop computers
Personal digital assistant (PDA)

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 31
4.2 Information
Systems Hardware
4.2.1 Computer Hardware Components
and Architectures
Common Characteristics of Different
Types of Computers
Multitasking
Multiprocessing
Multiusing
Multithreading

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 32
4.2 Information
Systems Hardware

4.2.1 Computer Hardware Components


and Architectures
Common Computer Roles

Print servers
File servers
Program (application) servers
Web servers
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 33
4.2 Information
Systems Hardware

4.2.1 Computer Hardware Components


and Architectures
Common Computer Roles (cont.)

Proxy servers

Database servers

Appliances (specialized devices)

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 34
4.2 Information
Systems Hardware

4.2.1 Computer Hardware Components


and Architectures
Universal Serial Bus

Memory Cards

Radio Frequency Identification

Write Once and Read Many


2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 35
4.2 Information
Systems Hardware

4.2.1 Computer Hardware Components


and Architectures
Universal Serial Bus
Memory Cards
Radio Frequency Identification
Write Once and Read Many
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 36
4.2 Information
Systems Hardware

4.2.2 Hardware Maintenance Program


Reputable service company
Maintenance schedule
Maintenance cost
Maintenance performance history, planned
and exceptional

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 37
4.2 Information
Systems Hardware

4.2.3 Hardware Monitoring


Procedures
Availability reports

Hardware error reports

Utilization reports

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 38
4.2 Information
Systems Hardware

4.2.4 Capacity Management


CPU utilization (processing power)
Computer storage utilization
Telecommunications and WAN bandwidth
utilization
Terminal utilization
I/O channel utilization
Number of users
New technologies
New applications
Service level agreements
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 39
Chapter 4 Question 4

Which one of the following provides the BEST method for


determining the level of performance provided by similar
information-processing-facility environments?

A. User satisfaction
B. Goal accomplishment
C. Benchmarking
D. Capacity and growth planning

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 40
Chapter 4 Question 5

The key objective of capacity planning procedures is to


ensure that:

A. available resources are fully utilized.


B. new resources will be added for new applications in a
timely manner.
C. available resources are used efficiently and effectively.
D. utilization of resources does not drop below 85%.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 41
4.3 Information Systems
Architecture and Software

Operating systems
Software Control Features or Parameters
Data communication software
Data management
Database management system (DBMS)
Tape and Disk Management System
Utility Programs
Software Licensing Issues
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 42
4.3 Information Systems
Architecture and Software

4.3.1 Operating systems


Defines user interfaces
Permits users to share hardware
Permits users to share data
Inform users of any error
Permits recovery from system error
Communicates completion of a process
Allows system file management
Allows system accounting management
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 43
4.3 Information Systems
Architecture and Software

4.3.1 Operating systems (cont.)


Defines user interfaces
Permits users to share hardware
Permits users to share data
Inform users of any error
Permits recovery from system error
Communicates completion of a process
Allows system file management
Allows system accounting management
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 44
4.3 Information Systems
Architecture and Software

Software Control Features or


Parameters
Data management
Resource management
Job management
Priority setting

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 45
4.3 Information Systems
Architecture and Software

Software Integrity Issues


Protect itself from deliberate and inadvertent
modification.

Ensure that privileged programs cannot be


interfered with by user programs.
Provide for effective process isolation.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 46
4.3 Information Systems
Architecture and Software

Software Integrity Issues (cont.)


Protect itself from deliberate and inadvertent
modification.

Ensure that privileged programs cannot be


interfered with by user programs.
Provide for effective process isolation.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 47
4.3 Information Systems
Architecture and Software

Activity Logging and Reporting


Options
Data file versions used for production processing.
Program accesses to sensitive data
Programs scheduled and run
Utilities or service aids usage
Operating system operation
Changes to system parameters and libraries
Databases
Access control
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 48
4.3 Information Systems
Architecture and Software

4.3.2 Access Control Software


Prevent unauthorized access to data
Unauthorized use of system functions and programs
Unauthorized updates/changes to data
Detect or prevent unauthorized attempts to access
computer resources.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 49
4.3 Information Systems
Architecture and Software

4.3.3 Data communication software


Transmits information or data
Consists of three components
The transmitter (source)
The transmission path (channel or line)
The receiver (the sink)

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 50
4.3 Information Systems
Architecture and Software

4.3.4 Data management


File Organization
Sequential
Indexed sequential

Direct random access

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 51
4.3 Information Systems
Architecture and Software

4.3.5 Database management system


(DBMS)
DBMS architecture

Detailed DBMS metadata architecture


Data dictionary/directory system (DD/DS)
Database structure
Database controls

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 52
4.3 Information Systems
Architecture and Software

4.3.5 Database management system


(DBMS) (cont.)

DBMS architecture

Detailed DBMS metadata architecture


Data dictionary/directory system (DD/DS)
Database structure
Database controls
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 53
4.3 Information Systems
Architecture and Software

4.3.5 Database management system


(DBMS) (cont.)

DBMS architecture

Detailed DBMS metadata architecture


Data dictionary/directory system (DD/DS)
Database structure
Database controls

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 54
4.3 Information Systems
Architecture and Software

4.3.5 Database management system


(DBMS) (cont.)

DBMS architecture

Detailed DBMS metadata architecture


Data dictionary/directory system (DD/DS)
Database structure
Database controls

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 55
4.3 Information Systems
Architecture and Software

4.3.6 Tape and Disk Management


System

An automated tape management system (TMS) or


disk management system (DMS) is specialized
system software that tracks and lists tape/disk
resources needed for data center processing.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 56
4.3 Information Systems
Architecture and Software

4.3.7 Utility Programs


Understanding application systems
Assessing or testing data quality
Testing a programs ability to function correctly
and maintain data integrity
Assisting in faster program development
Improving operational efficiency
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 57
4.3 Information Systems
Architecture and Software

4.3.8 Software Licensing Issues


Documented policies and procedures that guard
against unauthorized use or copying of software.
Listing of all standard, used and licensed
application and system software.
Centralizing control and automated distribution
and the installation of software
Requiring that all PCs be diskless workstations
and access applications from a secured LAN
Regularly scanning user PCs
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 58
Chapter 4 Question 6

When conducting an audit of client-server database security,


the IS auditor should be MOST concerned about the
availability of:

A. system utilities.
B. application program generators.
C. systems security documentation.
D. access to stored procedures.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 59
Chapter 4 Question 7

The PRIMARY benefit of database normalization is the:

A. minimization redundancy of information in tables required


to satisfy users needs.
B. ability to satisfy more queries.
C. maximization of database integrity by providing
information in more than one table.
D. minimization of response time through faster processing
of information.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 60
4.4 Information Systems Network

Infrastructure

Telecommunications links for networks can be:


Analog
Digital

Methods for transmitting signals over analog


telecommunication links are:
Baseband
Broadband network

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 61
4.4 Information Systems Network

Infrastructure
4.4.1 Enterprise Network
Architectures
Todays networks are part of a large, centrally-
managed, inter-networked architecture solution of high-
speed local- and wide-area computer networks serving
organizations client-server-based environments. Such
architectures may include clustering common types of
IT functions together in network segments each
uniquely identifiable and specialized to task.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 62
4.4 Information Systems Network
Infrastructure

4.4.2 Types of Networks


Personal Area Networks (PANs)
Local area networks (LANs)
Wide area networks (WANS)
Storage Area Networks (SANs)

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 63
4.4 Information Systems Network

Infrastructure
4.4.3 Networks Services
File sharing
E-mail services
Print services
Remote access services
Terminal emulation software (TES)
Directory services
Network management
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 64
4.4 Information Systems Network
Infrastructure

4.4.4 Network Standards and Protocols


Critical Success Factors
Interoperability
Availability
Flexibility
Maintainability

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 65
4.4 Information Systems Network

Infrastructure
ISO/OSI: is a proof of a concept model
composed of seven layers, each specifying
particular specialized tasks or functions

Objective: to provide a set of open system


standards for equipment manufacturers and
to provide a benchmark to compare different
communication systems

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 66
4.4 Information Systems Network
Infrastructure

Functions of the layers of the ISO/OSI Model


Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 67
4.4 Information Systems Network

Infrastructure
Functions of the layers of the ISO/OSI
Model
Application layer
Presentation layer
Session layer
Transport layer
Network layer
Data link layer
Physical layer
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 68
4.4 Information Systems Network

Infrastructure

4.4.5 OSI Architecture


The International Organization for Standardization
formulated the OSI model to establish standards
for vendors developing protocols supporting open
system architecture.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 69
4.4 Information Systems Network

Infrastructure
4.4.6 Application of the OSI Model in
Network Architectures
Local Area Network (LAN)
Wide Area Network (WAN)
Wireless Networks
Public Global Internet Infrastructure

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 70
4.4 Information Systems Network
Infrastructure
Network physical media specifications
Local Area Network (LAN)
Copper (twisted-pairs) circuits
Fiber-optic systems
Radio Systems (wireless)
Wide Area Network (WAN)
Fiber-optic systems
Microwave radio systems
Satellite radio link systems

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 71
4.4 Information Systems Network
Infrastructure
LAN Components
Repeaters
Hubs
Bridges
Switches
Routers

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 72
4.4 Information Systems Network
Infrastructure
WAN Message transmission
techniques
Message switching
Packet switching
Circuit switching
Virtual circuits
WAN dial-up services
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 73
4.4 Information Systems Network
Infrastructure

WAN Components
WAN switch
Routers
Modems

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 74
4.4 Information Systems Network
Infrastructure
WAN Technologies
Point to point protocol
X.25
Frame Relay
Integrated services digital network (ISDN)
Asynchronus transfer mode
Multiprotocol label switching
Digital suscriber lines
Virtual Private Networks

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 75
4.4 Information Systems Network

Infrastructure
Wireless Networks
Wireless Wide Area Network (WWAN)
Wireless Local Area network (WLAN)
Wireless Personal Area Network (WPAN)
Wireless ad hoc networks

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 76
4.4 Information Systems Network
Infrastructure
Wireless Access: Exposures
Interception of sensitive information
Loss or theft of devices
Misuse of devices
Loss of data contained in devices
Distraction caused by devices
Possible health effects of device usage
Wireless user authentication
File security
Interoperability
Use of wireless subnets

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 77
4.4 Information Systems Network
Infrastructure

Network Administration and Control


Network performance metrics

Network management issues


Network management tools

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 78
4.4 Information Systems Network
Infrastructure

Network Administration and Control (cont.)


Network performance metrics

Network management issues


Network management tools

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 79
4.4 Information Systems Network
Infrastructure

Applications in a Networked
Environment
Client-Server Technology

Middleware

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 80
4.4 Information Systems Network
Infrastructure

Applications in a Networked
Environment (cont.)
Client-Server Technology

Middleware

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 81
Chapter 4 Question 8

An IS auditor when reviewing a network used for Internet


communications will FIRST examine the:

A. validity of password change occurrences.


B. architecture of the client-server application.
C. network architecture and design.
D. firewall protection and proxy servers.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 82
Chapter 4 Question 9

Which of the following would allow a company to extend its


enterprises intranet across the Internet to its business
partners?

A. Virtual private network


B. Client-server
C. Dial-up access
D. Network service provider

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 83
Chapter 4 Question 10

Which of the following statements relating to packet


switching networks is correct?

A. Packets for a given message travel the same route.


B. Passwords cannot be embedded within the packet.
C. Packet lengths are variable and each packet contains the
same amount of information.
D. The cost charged for transmission is based on the packet,
not the distance or route traveled.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 84
4.5 Auditing Infrastructure
and Operations

4.5.1 Hardware Reviews


Review the capacity management
procedures
Review the hardware acquisition plan
Review the PC acquisition criteria
Review (hardware) change management
controls
2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 85
4.5 Auditing Infrastructure
and Operations

4.5.2 Operating System Reviews


Interview technical service and other personnel
Review system software selection procedures
Review the feasibility study and selection process
Review cost-benefit analysis of system software
procedures
Review controls over the installation of changed
system software

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 86
4.5 Auditing Infrastructure
and Operations

4.5.2 Operating System Reviews (cont)

Review system software maintenance activities


Review system software change controls
Review systems documentation
Review and test system software implementation
Review authorization documentation
Review system software security

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 87
4.5 Auditing Infrastructure

and Operations
4.5.3 Database Reviews
Design
Access
Administration
Interfaces
Portability
Database-supported IS controls

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 88
4.5 Auditing Infrastructure
and Operations

4.5.4 Network infrastructure and


implementation reviews
Review controls over network implementations
Physical controls
Environmental controls
Logical security controls

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 89
4.5 Auditing Infrastructure
and Operations

4.5.5 Network Operating Control Reviews


Appropriate implementation, conversion and acceptance test plans
Implementation and testing plans for the networks hardware and
communications links
Operating provisions for distributed data processing networks
All sensitive files / datasets have been identified
Procedures established to assure effective controls over hardware
and software
Adequate restart and recovery mechanisms

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 90
4.5 Auditing Infrastructure
and Operations

4.5.5 Network Operating Control Reviews (cont)

The IS distributed network has been designed to assure that failure


of service at any one site will have a minimal effect
All changes made to the operating systems software used by the
network are controlled
Individuals have access only to authorized applications, transaction
processors and datasets
System commands affecting more than one network site are
restricted to one terminal and to an authorized individual
Encryption is being used on the network to encode sensitive data
Appropriate security policies and procedures have been
implemented

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 91
4.5 Auditing Infrastructure
and Operations

4.5.6 IS Operations Reviews


Computer operations
File handling procedures
Data entry control

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 92
4.5 Auditing Infrastructure
and Operations

4.5.6 IS Operations Reviews (cont.)


Computer operations
File handling procedures
Data entry control

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 93
4.5 Auditing Infrastructure
and Operations

4.5.7 Lights Out Operations


Remote access to the master console
Contingency plans
Program change controls
Assurance that errors are not hidden

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 94
4.5 Auditing Infrastructure
and Operations

4.5.8 Problem Management Reporting Reviews


Reviews of the procedures used for recording, evaluating, and
resolving or escalating any problem
Reviews of the performance records
Reviews of the reasons for delays in application program
processing
Reviews of the procedures used by the IS department to collect
statistics regarding online processing performance
The determination that significant and recurring problems have
been identified and actions are being taken
The determination that processing problems were resolved
Reviews of operations documentation
Reviews of help desk call logs

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 95
4.5 Auditing Infrastructure
and Operations

4.5.9 Hardware availability and utilization


Reporting Reviews
Review the problem log
Review the preventive maintenance schedule
Review the control and management of equipment
Review the hardware availability and utilization reports
Review the workload schedule and the hardware availability
and utilization reports

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 96
4.5 Auditing Infrastructure
and Operations

4.5.10 Scheduling Reviews


Review the console log
Review the schedule
Determine whether the scheduling of rush/rerun jobs is consistent
Determine whether critical applications have been identified
Determine whether scheduling procedures are used to facilitate optimal
use of computer resources
Determine whether the number of personnel assigned to each shift is
adequate
Review the procedures for collecting, reporting and analyzing key
performance indicators

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 97
4.6 Chapter 4: Case Study
4.6.1 Case Study Scenario
The IS auditor has recently been asked to perform an external
and internal network security assessment for an organization
that processes health benefit claims. The organization has a
complex network infrastructure with multiple local area and
wireless networks, a Frame Relay network crosses
international borders. Additionally, there is an Internet site
that is accessed by doctors and hospitals. The Internet site
has both open areas and sections containing medical claim
information that requires an ID and password to access. An
Intranet site is also available that allows employees to check
on the status of their personal medical claims and purchase
prescription drugs at a discount using a credit card. The
frame relay network carries unencrypted nonsensitive
statistical data that are sent to regulatory agencies but do not
include any customer identifiable information. The last review
of network security was performed more than five years ago.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 98
4.6 Chapter 4: Case Study
At that time, numerous exposures were noted in the areas of firewall
rule management and patch management for application servers.
Internet applications were also found to be susceptible to SQL
injection. It should be noted that wireless access as well as the
Intranet portal had not been installed at the time of the last review.
Since the last review, a new firewall has been installed and patch
management is now controlled by a centralized mechanism for
pushing patches out to all servers. Internet applications have been
upgraded to take advantage of newer technologies. Additionally, an
intrusion detection system has been added, and reports produced
by this system are monitored on a daily basis. Traffic over the
network involves a mixture of protocols, as a number of legacy
systems are still in use. All sensitive network traffic traversing the
Internet is first encrypted prior to being sent. Traffic on the internal
local area and wireless networks is encoded in hexadecimal so
that no data appears in cleartext. A number of devices also utilize
Bluetooth to transmit data between PDAs and laptop computers.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 99
4.6.2 Case Study Questions
1. In performing an external network security
assessment, which of the following should
normally be performed FIRST?
A. Exploitation
B. Enumeration
C. Reconnaissance
D. Vulnerability scanning

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 100
4.6.2 Case Study Questions
2. Which of the following presents the GREATEST
risk to the organization?
A. Not all traffic traversing the Internet is
encrypted.
B. Traffic on internal networks is unencrypted.
C. Cross-border data flow is unencrypted.
D. Multiple protocols are being used.

2007 CISA Review Course 2006 ISACA All rights reserved www.isaca.org Chap 4 - Pag - 101