4. 4.2.1 Management of IS Operations
• IS management has the overall responsibility for all operations within the IS department
• Involves allocation of resources, adherence to standards and procedures, and monitoring of IS operations
7. 4.2.2 IT Service Management (ITSM)
• ITSM comprises the processes and procedures for the efficient and effective delivery of IT services to the business
• Processes are managed through SLAs (Service Level Agreements)
8. Service Level
• An agreement between IT and the customer (end user)
• SLA details the services to be provided
• Service Level Management (SLM) is the process of defining, agreeing upon, documenting and managing levels of service that are required and cost justified
• SLM aims to maintain and improve customer satisfaction and to improve the services delivered to the customer
• Tools to monitor the efficiency and effectiveness of services provided by IS personnel:
• Exception Reports
• System and Application logs
9. 4.2.3 Infrastructure Operations
• IT operations are the processes and activities that support and manage the entire IT infrastructure, systems, applications and data, focusing on day-to-day activities
10. Job Scheduling
• A job schedule is created that lists the jobs that must be run and the order in which they are run, including any dependencies
• Job scheduling software is used to schedule tape backups and other maintenance activities
• It sets up daily work schedules and automatically determines which jobs are to be submitted to the system for processing
11. 4.2.4 Incident and Problem Management
• Incident Management is reactive; its objective is to respond to and resolve issues as quickly as possible
• Problem Management aims to resolve issues through the investigation and in-depth analysis of a major incident, or of several incidents of a similar nature, in order to identify the root cause
• The Problem Management objective is to “reduce” the number and/or severity of incidents, while the Incident Management objective is to “return” the affected business process to normal as quickly as possible
14. 4.2.6 Change Management Process
• Used when changing hardware, upgrading to new releases of off-the-shelf applications and configuring various network devices
• Often categorized into emergency changes, major changes, minor changes
15. 4.2.7 Release Management
• The process through which software is made available to users
• Consists of the new or changed software required
17. 4.2.8 Quality Assurance
• QA personnel verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment
18. 4.2.9 Information Security Management
• Includes various security processes to protect the information assets
• Should be integrated in all IT operation processes
19. 4.2.10 Media Sanitization
• Establishes the controls, techniques and processes necessary to preserve the confidentiality of sensitive information stored on media to be reused, transported, or discarded
• “Sanitization” involves the eradication of information recorded on storage media to the extent of providing reasonable assurance that residual content cannot be salvaged or restored
20. 4.3 Information Systems Hardware
• Key audit considerations include capacity management, system monitoring and maintenance of hardware
23. Risks & Security Controls
Risks:
• Viruses and other malicious software
• Data Theft
• Data and Media Loss
• Corruption of Data
• Loss of Confidentiality
Security Controls:
• Encryption
• Granular Control
• Educate Security Personnel
• Enforce the “Lock Desktop” policy
• Update the antivirus policy
24. Radio Frequency Identification (RFID)
• RFID uses radio waves to identify “tagged” objects within a limited radius
• “Tag” consists of a microchip and an antenna
• “Microchip” stores information along with an ID to identify a product
• The other part of the “tag” is the “antenna”, which transmits the information to the RFID reader
RFID Applications:
• Asset Management
• Tracking
• Supply Chain Management (SCM)
25. Risks & Security Controls
Risks:
• Business Process Risk
• Business Intelligence Risk
• Privacy Risk
Security Controls:
• Management
• Operational
• Technical
28. 4.3.4 Capacity Management
• Planning and monitoring of computing and network resources to ensure that the available resources are used effectively and efficiently
29. 4.4 IS Architecture and Software
• A collection of computer programs used in the design, processing and control of all computer applications used to operate and maintain the computer system
• Composed of system utilities and programs, the system software ensures the integrity of the system; examples include:
• Access control software
• Data communications software
• Database management software
• Program library management systems
• Tape and disk management systems
• Network management software
• Job scheduling software
• Utility programs
30. 4.4.1 Operating Systems
• The OS contains programs that interface between the user, processor and application software
• Provides the primary means of managing the sharing and use of computer resources such as processors, real memory, and I/O devices
34. 4.4.5 Database Management System
• A DBMS aids in organizing, controlling and using the data needed by application programs
• Primary functions include reduced data redundancy, decreased access time and basic security over sensitive data
36. 4.4.6 Tape and Disk Management Systems (TMS/DMS)
• Specialized system software that tracks and lists the tape/disk resources needed for data center processing
• A TMS/DMS minimizes computer operator time and errors caused by locating improper files
• The system records the data set name and specific tape reel or disk drive location, creation date, effective date, retention period, expiration date and contents information
39. 4.4.9 Digital Rights Management (DRM)
• DRM refers to access control technologies that can be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices
• Used by companies like Sony, Apple Inc., Microsoft, BBC
43. 4.5.3 Network Services
• Functional features made possible by appropriate OS applications
• Allow orderly utilization of the resources on the network
45. 4.5.5 OSI Architecture
• OSI (Open Systems Interconnection) is the benchmark standard for network architecture
• Composed of 7 layers, each layer specifying particular specialized tasks or functions
• The objective of the OSI model is to provide a protocol suite used to develop data-networking protocols and other standards that facilitate multivendor interoperability
47. 4.6 Auditing Infrastructure and Operations
• The IS auditor performs audits and specific reviews of hardware, OS, databases, networks, IS operations and problem management reporting
55. 4.7 Disaster Recovery Planning (DRP)
• Established to manage availability and restore critical processes/IT services in the event of an interruption
• The importance and urgency of the business processes and IT services are defined by performing a BIA and assigning an RTO and RPO
• The ultimate goal is to respond to incidents that may impact people and the ability of operations to deliver goods and services
56. 4.7.1 RPO, RTO
Recovery Point Objective (RPO):
• Determined based on acceptable data loss in case of disruption of operations
• Indicates the earliest point in time in which it is acceptable to recover the data
Recovery Time Objective (RTO):
• Determined based on acceptable downtime in case of a disruption of operations
• Indicates the earliest point in time at which the business operations must resume after disaster
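As an added worked example (not from the slides), the following Python checks an actual outage against the RPO and RTO defined above: the most recent backup before the disruption is the recovery point, the gap to the disruption is the data loss measured against the RPO, and the time until service is restored is measured against the RTO. The backup times, disruption time, restoration time and targets are constructed sample values.

```python
from datetime import datetime, timedelta

# Constructed sample data: nightly backups at 02:00, a disruption at 14:30
# on the third day, and service restored at 20:00 the same day.
BACKUPS = [
    datetime(2024, 3, 10, 2, 0),
    datetime(2024, 3, 11, 2, 0),
    datetime(2024, 3, 12, 2, 0),
]
DISRUPTION = datetime(2024, 3, 12, 14, 30)
RESTORED = datetime(2024, 3, 12, 20, 0)


def last_usable_backup(backups, disruption):
    """Most recent backup completed at or before the disruption (the
    recovery point), or None if no backup predates the disruption."""
    usable = [b for b in backups if b <= disruption]
    return max(usable) if usable else None


def assess_recovery(backups, disruption, restored, rpo_hours, rto_hours):
    """Compare measured data loss to the RPO and measured downtime to the RTO.
    Returns the recovery point, both measured durations and pass/fail flags."""
    rpo = timedelta(hours=rpo_hours)
    rto = timedelta(hours=rto_hours)
    point = last_usable_backup(backups, disruption)
    # Data loss is everything written between the recovery point and the
    # disruption; with no usable backup the loss is unbounded and RPO fails.
    data_loss = disruption - point if point is not None else None
    downtime = restored - disruption
    return {
        "recovery_point": point,
        "data_loss": data_loss,
        "rpo_met": data_loss is not None and data_loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


if __name__ == "__main__":
    # Targets of 24 h RPO / 4 h RTO: 12.5 h of data loss is within the RPO,
    # but 5.5 h of downtime exceeds the RTO.
    result = assess_recovery(BACKUPS, DISRUPTION, RESTORED, 24, 4)
    for key, value in result.items():
        print(f"{key}: {value}")
```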
58. 4.7.2 Recovery Strategies
• A recovery strategy identifies the best way to recover a system in case of an interruption, including a disaster, and provides the guidance on which detailed recovery procedures can be developed
63. 4.7.6 Backup and Restoration
• To ensure that the critical activities of an organization are not interrupted in the event of a disaster, secondary storage media are used to store software application files and associated data for backup purposes
Offsite Library Controls
66. Self-Assessment Questions
1. Which of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?
a) User satisfaction
b) Goal accomplishment
c) Benchmarking
d) Capacity and growth planning
67. Self-Assessment Questions
2. For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
a) Mobile site
b) Warm site
c) Cold site
d) Hot site
68. Self-Assessment Questions
3. The key objective of capacity planning procedures is to ensure that:
a) Available resources are fully utilized
b) New resources will be added for new applications in a timely manner
c) Available resources are used efficiently and effectively
d) Utilization of resources does not drop below 85 percent
69. Self-Assessment Questions
4. An IS auditor should be involved in:
a) Observing tests of the DRP
b) Developing the DRP
c) Maintaining the DRP
d) Reviewing the DR requirements of supplier contracts
70. Answers
1. c) Benchmarking
2. d) Hot site
3. c) Available resources are used efficiently and effectively
4. a) Observing tests of the disaster recovery plan