
DOMAIN 4: INFORMATION SYSTEMS OPERATIONS AND RESILIENCE

PART A: INFORMATION SYSTEMS OPERATIONS


INTRODUCTION
 IT service management practices are important to provide assurance that the
expected level of service will be delivered.
 Service level expectations are derived from the organization’s business
objectives.
 IT service delivery includes IS operations, IT services, and management of I.S and
the groups responsible for supporting them.
 IT services are built on service management frameworks.
COMPUTER H/W COMPONENTS AND ARCHITECTURES
 H/w components are interdependent components that perform specific functions
and can be classified as either processing or input/output.
 Processing components: e.g. CPU.
 Input/output components: used to pass instructions/info to the computer and
display or record the output generated by the computer. They include keyboard,
mouse, printer, touch screen.
UNIVERSAL SERIAL BUS
Defn: a serial bus standard that interfaces devices with a host.
 It allows devices to be connected and disconnected without rebooting the computer or
turning off the device (i.e. hot swapping)
 Other convenient features include providing power to low-consumption devices without the
need for an external power supply and allowing many devices to be used without requiring
installation of manufacturer-specific device drivers.
 USB ports overcome the limitations of the serial and parallel ports in terms of speed and
actual number of connections that can be made.

Risk related to USBs:
 Viruses and other malicious software - through transfer of files between machines
 Data theft - use of unattended or unlocked PCs by hackers, spies and disgruntled employees
 Data and media loss - if an unencrypted USB device is lost, anyone who finds it will be able to
access the data on it.
 Corruption of data - through improper unplugging of the device
 Loss of confidentiality - a significant amount of data can be stored on a USB drive, some of which
is confidential, and loss of the drive increases the risk of the data falling into the wrong hands.
Security controls related to USBs
 Encryption - data protection method.
 Granular control - use of strong policies, procedures, standards, and guidelines to
ensure secure operation of USB devices.
 Security personnel education - awareness creation among physical security
personnel
 Lock desktop policy enforcement - automatic locking of desktop computers after
short intervals
 Antivirus policy - use of antivirus s/w to scan all attached drives and removable
media before opening.
 Use of secure devices only - enforce use of encryption
 Inclusion of return information - including a brief readable text file on a USB drive
could help with device retrieval in case it gets lost or misplaced.
COMMON ENTERPRISE BACK-END DEVICES
i. Print servers - allow businesses to consolidate printing resources for cost savings.
ii. File servers - provide for organization-wide access to files and programs.
iii. Application (program) servers - they host the software programs that provide
application access to client computers.
iv. Web servers - provide information and services to external and internal customers
through web pages.
v. Proxy servers - provide an intermediate link between users and resources; they
access services on a user’s behalf.
vi. Database servers - store data and act as a repository.
vii. Appliances (specialised devices) - provide a specific service and normally are not
capable of running other services. Examples: firewalls, IDSs, IPSs, routers,
switches, VPNs, load balancers.
RADIO FREQUENCY IDENTIFICATION
 RFID uses radio waves to identify tagged objects within a limited radius.
 A tag consists of a micro chip and an antenna. The chip stores information along with
an ID to identify a product, while the antenna transmits the info to an RFID reader.
 Applications of RFID:
i. Asset mngt - for managing inventory
ii. Tracking - same as in asset mngt
iii. Authenticity verification - the tag provides evidence of the source of a tagged
item.
iv. Matching - two tagged items are matched with each other; a signal is triggered if one of
the items is later matched with an incorrect tagged item
v. Process control - allows businesses to use info associated with a tag and take
customized action.
vi. Access control - automatically checking whether an individual is authorized to access a
facility or a system
vii. Supply chain mngt - monitoring and control of products from manufacturer to retail
sale
Risk associated with RFID
 Business process risk-due to direct attacks on RFID system
 Business intelligence risk-an adversary gaining unauthorized access to RFID-
generated information
 Privacy risk-through compromise of personal privacy rights
 Externality risk-RFID technology represents a threat to non-RFID-networked or
non-RFID-collated systems, assets and people.
Security controls of RFID
 Management –oversight of the security of RFID system
 Operational-actions performed daily by the system administrator and users
 Technical-use of technology to monitor or restrict actions that can be performed
within the system.
HARDWARE MAINTENANCE PROGRAM
 To ensure proper operation, hardware must be routinely cleaned and serviced.
 The h/w maintenance program is designed to document the performance of this
maintenance. It includes:
 Reputable service co. info for each h/w
 Maintenance schedule info
 Maintenance cost info
 Maintenance performance history info such as planned vs. unplanned, executed
and exceptional.
 I.S mngt should monitor, identify and document any deviations from vendor
maintenance specifications and provide supporting arguments for the deviation.
 An I.S auditor should:
 Ensure that a formal maintenance plan which was approved by mngt is being
followed;
 Identify maintenance costs that exceed budget or are expensive –an indicator of
lack of adherence to defined procedures or upcoming changes to hardware.
Hardware monitoring procedures
 They monitor effective and efficient use of hardware. They include:
 Availability reports-they indicate uptime periods. A key concern addressed by this
report is excessive downtime.
 Hardware error reports-identify failures in the hardware. The I.S auditor should be
aware that attribution of an error in h/w or s/w is not necessarily easy and
immediate. These reports should be checked for intermittent or recurring
problems, which might indicate difficulties properly diagnosing the errors.
 Asset mngt reports-Provide an inventory of network-connected equipment.
 Utilization reports-they document the use of the machine and peripherals. Trends
from these reports can be used by IS management to predict whether more or
fewer processing resources are required.
HARDWARE REVIEWS
 H/w reviews should include:
 h/w acquisition plan
 Acquisition of h/w
 IT asset mngt
 Capacity mngt and monitoring
 Preventive maintenance schedule
 h/w availability and utilization reports
 Problem logs, job accounting system reports
IT ASSET MANAGEMENT
 Asset: something of tangible or intangible value that is worth protecting such as
people, information, infrastructure, finances and reputation.
 The first step in IT asset mngt is the process of identifying and creating an
inventory of IT assets. The inventory record of each information asset should include:
 Owner
 Designated custodian
 Specific identification of the asset
 Relative value to the organization
 Loss implications and recovery priority
 Location
 Security/risk classification
 Asset group
 IT asset mngt should be employed for software and hardware assets. It is common
to physically tag h/w assets.
JOB SCHEDULING AND PRODUCTION PROCESS AUTOMATION
 Because large volumes of data files are processed daily in IS environments, a
job schedule is created listing the jobs that must be run and the order in which
they’re run. This helps to keep customer demand at a manageable level.
 Due to the inherent complexity of this process, automated job scheduling software
provides control over the scheduling process.
 Tape backups and other maintenance activities can also be scheduled using the
scheduling software.
 High priority jobs should be given optimal resource availability, and maintenance
functions performed during non-peak times.
 Job scheduling ensures that I.S resources are used optimally based on the
processing requirements.
JOB SCHEDULING SOFTWARE
 It sets up daily work schedules and automatically determines which jobs are to be
submitted to the system for processing.
 Advantages of the software include:
 Job information is set up only once, reducing the probability of an error;
 Job dependencies are defined so that if a job fails, subsequent jobs relying on its
output will not be processed;
 Records are maintained of all job successes and failures;
 Security over access to production data can be provided;
 Reliance on operators is reduced.
SYSTEM INTERFACES
Exist where data o/p from one application is sent as i/p to another
Provide ability to transfer data even if the systems use different programming
languages
3 categories of system interfaces:
System to system; partner to partner; person to person.
Risk associated with system interfaces: unmanaged interfaces can add to the risk
regarding data security, privacy and error.
If an interface is not functioning correctly, it leads to incorrect mngt reports; this may
lead to a negative impact on the business and on decision-making, in addition to potential
legal compliance liability.
SECURITY ISSUES IN SYSTEM INTERFACES
The primary objective of maintaining security of data being transferred is to ensure that
the data extracted from the originating system are the same as the data that are downloaded
and recorded in the recipient system.
The secondary objective is to prevent unauthorized access to the data via interception,
malicious activity, error or other means.
Unavailability of system interfaces can affect reliability of data.


CONTROLS ASSOCIATED WITH SYSTEM INTERFACES
I.S auditor should ensure that the org. has a program that tracks and manages all
system interfaces and data transfers.
I.S auditor should ensure that the program is able to:
Manage multiple file transfer mechanisms
Use multiple protocols
Automatically encrypt, decrypt and electronically sign data files
Compress/decompress data files
Connect to common db servers
Send and retrieve files via email and secure email
Automatically schedule regular data transfers, among others.
Controls need to be implemented with the objective of ensuring that the data
residing on the sending system are precisely the same as the data on the receiving system;
Manual reconciliation;
I.S auditors should ascertain if the org. is using encryption to protect data during
transfer.
Encryption is necessary when the risk of unauthorized access or interception is relatively
high.
Password protection of files - may be necessary.
Control over non-repudiation - ensures that the intended recipient is the actual recipient
of the data.
Ensure that an audit trail is associated with the system by capturing important info
including who sent, when sent, when received, what data structure was used, how
data was sent, who received.
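The reconciliation and audit-trail controls above can be automated; the following is an added example, not part of the original notes. The key, system names, field names and records are constructed assumptions, and an HMAC with a shared key is used for brevity: it proves integrity and origin between the two systems, whereas non-repudiation needs a digital signature.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption); a real key lives in a key store, not in code.
DEMO_KEY = b"constructed-demo-key"

# Constructed sample extract: employee id, cost centre, amount.
SAMPLE_RECORDS = ["1001,CC-10,1200.00", "1002,CC-10,980.50", "1003,CC-20,1430.25"]


def _tag(fields, key):
    """HMAC-SHA256 over the canonical JSON form of the manifest fields."""
    body = json.dumps(fields, sort_keys=True).encode("utf-8")
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def _digest(records):
    """SHA-256 of the extract as it is written to the transfer file."""
    return hashlib.sha256("\n".join(records).encode("utf-8")).hexdigest()


def build_manifest(records, sender, transport, key=DEMO_KEY):
    """Sending side: describe the extract so the receiver can reconcile it."""
    fields = {
        "sender": sender,
        "sent_at": datetime.now(timezone.utc).isoformat(),
        "transport": transport,
        "data_structure": "newline-delimited CSV rows",
        "record_count": len(records),
        "sha256": _digest(records),
    }
    return {**fields, "hmac": _tag(fields, key)}


def reconcile(received, manifest, receiver, key=DEMO_KEY):
    """Receiving side: authenticate the manifest, compare, emit an audit entry."""
    fields = {k: v for k, v in manifest.items() if k != "hmac"}
    claimed = str(manifest.get("hmac", "")).encode("utf-8")
    findings = []
    if not hmac.compare_digest(claimed, _tag(fields, key).encode("utf-8")):
        # Counts and hashes in an unauthenticated manifest cannot be trusted.
        findings.append("manifest failed authentication")
    else:
        if len(received) != fields["record_count"]:
            findings.append(
                f"record count: sent {fields['record_count']}, received {len(received)}"
            )
        if _digest(received) != fields["sha256"]:
            findings.append("content hash differs from the sender's extract")
    return {
        "who_sent": fields.get("sender"),
        "when_sent": fields.get("sent_at"),
        "who_received": receiver,
        "when_received": datetime.now(timezone.utc).isoformat(),
        "data_structure": fields.get("data_structure"),
        "how_sent": fields.get("transport"),
        "status": "matched" if not findings else "rejected",
        "findings": findings,
    }


if __name__ == "__main__":
    manifest = build_manifest(SAMPLE_RECORDS, "payroll-extract", "sftp")
    # One record lost in transit: the audit entry records the mismatch.
    print(json.dumps(reconcile(SAMPLE_RECORDS[:-1], manifest, "gl-loader"), indent=2))
```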
END USER COMPUTING
Refers to ability of end users to design and implement their own application or info
system using computer software products.
Benefits of EUC include:
Users can quickly build and deploy applications, taking the pressure off IT dept.
Enables orgs to be more flexible and more rapidly address shifting marketplaces,
regulations and consumer interests.
Risk:
Lack of IT dept. involvement is risky - applications may not be subject to independent
review; they are not created in the context of a formal development methodology.
Lack of IT dept. involvement can result in applications that:
May contain errors and give incorrect results;
Are not subject to change mngt or release mngt;
Are not secured;
Are not backed up.
Further security risk may include:
Authorization
Authentication
Audit logging
Encryption
Mngt should define risk criteria to define the criticality of the application. These
applications should also be subject to data classification.
DATA GOVERNANCE
With ever-changing data environments (e.g. cloud) and data requirements, data maintenance
and mngt are becoming complicated.
Data governance ensures that stakeholder needs, conditions and options are
evaluated;
Direction is set for data/information mngt capabilities;
Performance and compliance of data resources are monitored and evaluated.
Data gov. reflects the practice of evaluating requirements and bringing direction and
control over data and info - access to data that’s trusted and reliable.
Data gov. involves monitoring performance of IT operations, specifically CIA.
DATA MANAGEMENT
Defn: Planning and execution of policies, practices, and projects that acquire,
control, protect, deliver and enhance the value of data and information assets
(DMBOK)

Data Quality
3 sub-dimensions of data quality: Intrinsic, contextual and security/accessibility
i. Intrinsic - extent to which data values are in conformance with the actual or true
values i.e. accuracy, objectivity, believability, reputation.
ii. Contextual - extent to which info is applicable to the task of the information user
and is presented in an intelligible and clear manner, recognizing that information
quality depends on the context of use i.e. relevancy, completeness, currency,
appropriateness, concise representation, interpretability, understandability, ease
of manipulation.
iii. Security/accessibility - extent to which information is available or obtainable i.e.
availability, restricted access.
Data life cycle
A life cycle describes a series of stages that characterize the course of existence of
an organizational investment.
Data life cycle mngt describes stages that data go through in the course of existence
within an org. This includes:
 Plan- creation, acquisition, use.
 Design-specification of how info will look and how the system will work
 Build/acquire-creation of data records, purchase of data and loading of external
files
 Use/operate-store, share, use.
 Monitor-ensuring that information resource works properly
 Dispose - transfer or retain, destroy or archive.
I.S auditor should ensure that the:
Quality of the data allows the org to meet its strategic objectives.
Configuration of the organization’s applications and DBMS is in line with
organizational objectives.
SYSTEMS PERFORMANCE MANAGEMENT
System performance- Refers to the study of an entire sys including h/w and s/w and
how it operates.
Enterprises want to ensure that systems perform as expected and issues are
identified and addressed in a timely manner.
It is important to understand the features of IS architecture and associated s/w to aid
in the systems performance mngt process.

I.S ARCHITECTURE AND SOFTWARE


System architecture can be viewed as a number of layers of circuitry and logic,
arranged in a hierarchical structure that interacts with computer’s OS.
i. Computer h/w
ii. Kernel
iii. OS
I.S ARCHITECTURE
OPERATING SYSTEMS
 OS contains programs that interface btn the user, processor and application
software.
 It is the control program that runs the computer and acts as a scheduler and
traffic controller.
 It provides the primary means of managing the sharing and use of computer
resources.
 OS’s vary in the resources managed, comprehensiveness of management and
techniques used to manage resources.
 A server with multiple users interacting with its resources requires an OS that
can accommodate multiprocessing, multitasking and multithreading. It must
be able to share disk space and CPU time.
 It is common for OSs to run on virtual servers, whereby the different
environments can run different OSs.
Software Integrity Issues
 OS integrity is very important and involves using specific hardware and s/w
features to:
 Protect itself from deliberate and inadvertent modification
 Ensure that privileged programs cannot be interfered with by user programs
 Provide for effective process isolation
 To maintain data/sw integrity it is necessary to correctly and consistently
define, enforce and monitor the operating environment plus granted
permissions.
 Noting any changes in the registry is crucial for maintaining the CIA of the
systems.
 Critical system configuration files and directories related to the nucleus
(kernel) operations, start up, network file sharing and other remote services
should be secured and checked for correctness.
ACCESS CONTROL SOFTWARE
 The sw is designed to prevent unauthorized access to data, use of system fxns
and programs, and unauthorized updates/changes and to detect or prevent
unauthorized attempts to access computer resources.

NOTE: Refer to Protection of Information Assets for more details.


DATA COMMUNICATION SOFTWARE
 It’s used to transmit msgs or data from one point to another either locally or
remotely.
 Components of a simple data communications system:
 Transmitter (source)
 Transmission path (channel)
 Receiver
 1-way communication - one direction only;
 2-way communication - both ends may operate as source and receiver, with
data flowing in both directions.
 Data comm. sys interfaces with OS, application programs, DBs, n/w control
and other operator consoles.
UTILITY PROGRAMS
 System software used to perform maintenance and routines that frequently
are required during normal processing operations.
 Categorized by use, into 5 fxnal areas:
i. Understanding application systems-e.g. flowcharting s/w, transaction profile
analyzer, executive path analyzer, and data dictionary.
ii. Assessing or testing data quality –e.g. data manipulation utilities, DB dump
utilities, data comparison utility, and query facility.
iii. Testing a program’s ability to function correctly and maintain data integrity-
e.g test data generator, online debugging facility, output analyzer and
network simulator.
iv. Assisting in faster program development-e.g. visual display utility, library
copy, text editor, online coding facility, report generators, and code
generators.
v. Improving operational efficiency-e.g. CPU and memory utilization monitors
and communication line analyzers.
UTILITY PROGRAMS cont…
 Smaller computer systems are often equipped with specific utilities to:
 Operate verification, cleaning and defragmenting of HDD and removable
memory units
 Initialize removable data volumes and volumes of disk/removable memory
 Save/restore system images
 Reconstruct and restore (logically) cancelled files
 Test system units and peripherals
SOFTWARE LICENSING ISSUES

Reading Assignment
SOURCE CODE MANAGEMENT
 Source code- the language in which a program is written.
 A source code may contain intellectual property and should be protected, and
access restricted.
 Organizational access to source code may differ depending on the application
and the nature of agreement with the supplier i.e.
 If no source code is supplied, secure an escrow agreement
 If the sw is bespoke or developed in-house, the org. will have full access to
the source code.
 In all instances, source code is subject to the SDLC
 The actual source code should be managed using a version control
system (VCS) - this provides the ability to synchronize source changes with
changes from other developers.
 Advantages of VCSs:
 Control of source code access
 Tracking of source code changes
 Allowing for concurrent development
 Allowing rollback to earlier versions
 Allowing for branching
 I.S auditor should be aware of the following:
 Who has access to source code
 Who can commit the code
 Alignment of program source code to program objects
 Alignment with change and release mngt
 Backups of source code including those offsite and escrow agreements
CAPACITY MANAGEMENT
Defn: Planning and monitoring of computing and network resources to ensure that the
available resources are used efficiently and effectively.
 Capacity plan should be developed based on input from user and IS mngt to ensure
that business goals are achieved in the most efficient and effective way.
 Capacity planning should include projections substantiated by experience,
considering the growth of existing business and future expansions.
 The following is key to the successful completion of capacity planning:
 CPU utilization
 Computer storage utilization
 Telecommunications
 LAN and WAN bandwidth utilization
 I/O channel utilization
 No. of users
 New technologies/applications
 SLAs
 Specialized resources of a given class may have an impact on the requirements for
other classes e.g. use of more intelligent terminals may consume less processor power
and bandwidth than other terminals.
 Capacity planning defines the business’ requirements for IT capacity, in business and
technical terms, and presents the consequences of delivering the required volume of
activity through the IT infrastructure and applications.
 Capacity mngt must include network devices, such as switches and routers.
 Business operations and processes can only be supported reliably when IT systems
provide the required capacity.
 IT capacity is expensive and orgs do not want to acquire more than what they need at
the present time.
 Capacity planning ensures that the resource provision can always meet business
requirements.
 With capacity mngt, expensive resources are only provided when they are needed, thus
saving costs.
 Capacity mngt aims to consistently provide the required IT resources at the right time
and cost and in alignment with current and future requirements of the business.
 Capacity planning and monitoring includes the following elements :
 Development
 Monitoring
 Analysis
 Tuning
 Implementation
 Modeling
 Application sizing
PROBLEM AND INCIDENT MANAGEMENT
 Problem mngt aims to resolve issues through investigation and in-depth
analysis of a major incident or several incidents that are similar in nature to
identify the root cause.
 Standard methodologies for root cause analysis include:
 Fishbone/Ishikawa cause-and-effect diagrams
 Brainstorming
 5 whys
 Problem mngt and incident mngt are related but have different methods and
objectives.
 Problem mngt’s objective is to reduce the no and/or severity of incidents,
while;
 Incident mngt’s objective is to return the affected business process back to its
normal state as quickly as possible, minimizing the impact on the business.
PROCESS OF INCIDENT HANDLING
 Incident mngt focuses on providing increased continuity of service by reducing
the adverse effect of disturbances to IT services.
 Incident life cycle steps:
 Initiation
 Classification
 Assignment to specialists
 Resolution
 Closure
DETECTION, DOCUMENTATION, CONTROL, RESOLUTION AND
REPORTING OF ABNORMAL CONDITIONS

 A mechanism should exist to detect and document any abnormal conditions that
could lead to the identification of an error.
 It should not be acceptable for a problem to remain unresolved indefinitely.
 The primary risk resulting from lack of attention to unresolved problems is
interruption of business operations.
 I.S mngt should ensure that the problem escalation procedures are adhered to
properly.
 Problem escalation procedures include:
 Name/contact details of individuals who can deal with specific types of problems
 Types of problems that require urgent resolution
 Problems that can wait until normal working hours
SUPPORT/HELPDESK
 It’s the responsibility of technical support fxn to provide specialist knowledge
of production systems to identify and assist in system change/ development
and problem resolution.
 The primary purpose of helpdesk is to service the user.
NETWORK MANAGEMENT TOOLS
 Response time reports
 Downtime reports
 Help desk reports
 Online monitors
 Network monitors
 Network analyzers
PROBLEM MNGT REPORTING REVIEWS
Areas to review:
 Interviews with IS operations personnel
 Procedures used by the IT dept.
 Operations documentation
 Performance records
 Outstanding error log entries
 Helpdesk call logs
CHANGE, CONFIGURATION, RELEASE AND PATCH MNGT
 Change mngt is used when changing hardware, installing or upgrading to new
releases of off-the-shelf applications, installing a software patch and
configuring various network devices.
PATCH MANAGEMENT
 It involves acquiring, testing and installing multiple patches to an administered
computer system to maintain up to date software and often to address security
risk.
 The tasks include the following:
 Maintain current knowledge of available patches
 Decide what patches are appropriate for particular systems
 Ensure that patches are installed properly; testing systems after installation
 Document all associated procedures, such as specific configurations required

 Patches can be ineffective and can cause problems; therefore it’s recommended that
backups are taken and patches tested on non-critical systems prior to installation.
RELEASE MANAGEMENT
Def: It’s the process through which sw is made available to users.
 The releases, whether major or minor will have a unique identity.
 The releases are controlled, and, if any problems arise in the new release, one should be able
to back out completely and restore the system to its previous state.
 Suitable contingency plans may also be developed before the new release is implemented.
 The main roles and responsibilities should be defined to ensure that everyone understands their
role and level of authority and those of others.
 Planning a release involves:
 Gain consensus on the release contents
 Agree to the release strategy
 Produce a high-level release schedule
 Plan resource levels (including staff overtime)
 Agree on roles and responsibilities
 Produce back-out plans
 Develop a quality plan for the release
 Plan acceptance of support groups and the customer
IT SERVICE LEVEL MANAGEMENT
 ITSM focuses on the business deliverables and covers infrastructure mngt of IT
applications.
 It includes fine-tuning IT services to meet the changing demands of the enterprise
and measuring and demonstrating improvements in the quality of IT services
offered with a reduction in the cost of service in the long run.
 IT services can be better managed with SLAs- they define the nature, type, time
and other relevant information for the services being offered.
 SLAs can be supported by Operational Level Agreements (OLAs) i.e. internal
agreements covering the delivery of services that support the IT organization in its
delivery of services.
SERVICE LEVEL AGREEMENTS
 An SLA is an agreement between the org. and the customer.
 It describes the services in nontechnical terms from the customer’s viewpoint.
 Service level mngt is the process of defining, agreeing on, documenting and
managing levels of service that are required and cost justified. It deals with more
than SLAs themselves.
 The aim of service level mngt is to maintain and improve customer satisfaction and
to improve the service delivered to the customer.
 Tools to monitor the efficiency and effectiveness of IT services include:
 Exception reports-automated reports that identify all applications that did not
successfully complete or otherwise malfunctioned.
 System and application logs - they provide additional, useful information regarding
activities performed on the computer.
 Operator problem reports-manual reports used by operators to log computer
operations problems and their resolutions.
 Operator work schedules-manually maintained by IS mngt to assist in human
resource planning.
MONITORING OF SERVICE LEVELS
 Defined service levels must be regularly monitored to ensure that the objectives of
IS operations are achieved.
 Monitoring is essential for outsourced services, particularly if third party is involved
in directly providing services to an organization’s customers.
 Failure to achieve service levels will have more of an impact on the organization
than on the third party.
DATABASE MANAGEMENT
 DBMS data are organized in multilevel schemes, with basic data elements, such as
fields at the lowest level.
 Advantages of a DBMS include:
 Data independence for application systems
 Ease of support and flexibility in meeting changing data requirements
 Transaction processing efficiency
 Reduction of data redundancy
 Ability to maximize data consistency
 Ability to minimize maintenance cost through data sharing
 Opportunity to enforce data/programming stds
 Opportunity to enforce data security
 Availability of stored data integrity checks
 Facilitation of terminal users’ ad hoc access to data
DBMS ARCHITECTURE
Reading Assignment: DB Structure, DB Controls, DB reviews.
