2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• Key elements of IT service delivery
• Incident handling
• Client server technology
• BCP/DRP
• Data backup and recovery
4.2 Information Systems Operations
4.2.1 Management of IS Operations
• IS management has the overall responsibility for all operations within the IS department
• Involves allocation of resources, adherence to standards and procedures, and monitoring of IS operations
4.2.2 IT Service Management (ITSM)
• ITSM comprises the processes and procedures for the efficient and effective delivery of IT services to the business
• Processes managed through SLA (Service Level Agreement)
Service Level
• An agreement between IT and the customer (end user)
• SLA details the services to be provided
• Service Level Management (SLM) is the process of defining, agreeing upon, documenting and managing the levels of service that are required and cost justified
• The aim of SLM is to maintain and improve customer satisfaction and to improve the services delivered to the customer
• Tools to monitor the efficiency and effectiveness of the services provided by IS personnel:
  • Exception Reports
  • System and Application logs
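The following is an added example (not part of the original deck) showing how the two monitoring tools just listed feed SLM: outage events taken from system logs are turned into an availability figure per service and an exception report of SLA breaches. The log format, service names, SLA targets and reporting period are all constructed for the example.

```python
"""Availability and SLA exception report computed from outage log lines."""
from datetime import datetime, timedelta

# Constructed sample log: one outage per line, "service,start,end" (ISO-8601, UTC).
OUTAGE_LOG = """\
payments,2016-03-02T01:10:00,2016-03-02T01:25:00
payments,2016-03-14T22:00:00,2016-03-15T00:30:00
portal,2016-03-08T09:00:00,2016-03-08T09:05:00
portal,2016-03-20T23:50:00,2016-03-21T00:10:00
email,2016-03-29T12:00:00,2016-04-01T08:00:00
"""

# Constructed SLA targets: agreed availability (percent) per service.
SLA_TARGETS = {"payments": 99.9, "portal": 99.5, "email": 99.0}

# Reporting period: March 2016 (end is exclusive).
PERIOD_START = datetime(2016, 3, 1)
PERIOD_END = datetime(2016, 4, 1)


def parse_outage_log(text):
    """Parse 'service,start,end' lines; blank lines are skipped,
    an outage that ends before it starts is rejected as a bad record."""
    events = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        service, start, end = line.split(",")
        start_dt = datetime.fromisoformat(start)
        end_dt = datetime.fromisoformat(end)
        if end_dt < start_dt:
            raise ValueError(f"line {lineno}: outage ends before it starts")
        events.append((service, start_dt, end_dt))
    return events


def downtime_minutes(events, service, period_start, period_end):
    """Sum outage minutes for one service, clipped to the reporting period
    so an outage straddling the month boundary is only partly counted."""
    total = timedelta()
    for svc, start, end in events:
        if svc != service:
            continue
        start = max(start, period_start)
        end = min(end, period_end)
        if end > start:
            total += end - start
    return total.total_seconds() / 60


def availability_percent(events, service, period_start, period_end):
    """Availability = (period minus downtime) / period, as a percentage."""
    period_min = (period_end - period_start).total_seconds() / 60
    down = downtime_minutes(events, service, period_start, period_end)
    return round(100.0 * (period_min - down) / period_min, 3)


def exception_report(events, targets, period_start, period_end):
    """One row per service; 'breach' is True where the downtime budget
    implied by the SLA target was exceeded."""
    period_min = (period_end - period_start).total_seconds() / 60
    rows = []
    for service, target in sorted(targets.items()):
        down = downtime_minutes(events, service, period_start, period_end)
        allowed = period_min * (100.0 - target) / 100.0
        rows.append({
            "service": service,
            "availability": availability_percent(events, service,
                                                 period_start, period_end),
            "target": target,
            "downtime_min": down,
            "allowed_min": round(allowed, 1),
            "breach": down > allowed,
        })
    return rows


if __name__ == "__main__":
    for row in exception_report(parse_outage_log(OUTAGE_LOG), SLA_TARGETS,
                                PERIOD_START, PERIOD_END):
        flag = "BREACH" if row["breach"] else "ok"
        print(f'{row["service"]:10} {row["availability"]:8.3f}% '
              f'(target {row["target"]}%) {flag}')
```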
4.2.3 Infrastructure Operations
• IT operations are the processes and activities that support and manage the entire IT infrastructure, systems, applications and data, focusing on day-to-day activities
Job Scheduling
• A job schedule is created that lists the jobs that must be run and the order in which they run, including any dependencies
• Job scheduling software is used to schedule tape backups and other maintenance activities
• It sets up daily work schedules and automatically determines which jobs are to be submitted to the system for processing
4.2.4 Incident and Problem Management
• Incident Management is reactive; its objective is to respond to and resolve issues as quickly as possible
• Problem Management aims to resolve issues through investigation and in-depth analysis of a major incident, or of several incidents of a similar nature, in order to identify the root cause
• The objective of Problem Management is to “reduce” the number and/or severity of incidents, while the objective of Incident Management is to “return” the affected business process to normal as quickly as possible
Detection, Documentation, Control, Resolution and Reporting
4.2.5 Support/Helpdesk
4.2.6 Change Management Process
• Used when changing hardware, upgrading to new releases of off-the-shelf applications and configuring various network devices
• Often categorized into emergency changes, major changes, minor changes
4.2.7 Release Management
• Process through which software is made available to users
• Consists of the new or changed software required
4.2.8 Quality Assurance
• QA personnel verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment
4.2.9 Information Security Management
• Includes various security processes to protect the information assets
• Should be integrated in all IT operation processes
4.2.10 Media Sanitization
• Establishes the controls, techniques and processes necessary to preserve the confidentiality of sensitive information stored on media to be reused, transported, or discarded
• “Sanitization” involves the eradication of information recorded on storage media to the extent of providing reasonable assurance that residual content cannot be salvaged or restored
4.3 Information Systems Hardware
• Key audit considerations include capacity management, system monitoring and maintenance of hardware
4.3.1 Computer Hardware Components & Architectures
• Processing Components
  • CPU, RAM, ROM
• Input/output Components
  • Mouse, keyboard, touch screen
• Common Enterprise Back-end Devices
  • Print Servers
  • File Servers
  • Web Servers
  • Application Servers
  • Database Servers
• Universal Serial Bus (USB)
  • Memory Cards/Flash Drives
Risks & Security Control
Risks:
• Viruses and other malicious software
• Data Theft
• Data and Media Loss
• Corruption of Data
• Loss of Confidentiality
Security Controls:
• Encryption
• Granular Control
• Educate Security Personnel
• Enforce the “Lock Desktop” policy
• Update the antivirus policy
Radio Frequency Identification (RFID)
• RFID uses radio waves to identify “tagged” objects within a limited radius
• “Tag” consists of a microchip and an antenna
• “Microchip” stores information along with an ID to identify a product
• The other part of the “tag” is the “antenna”, which transmits the information to the RFID reader
RFID Applications:
• Asset Management
• Tracking
• Supply Chain Management (SCM)
Risks & Security Control
Risks:
• Business Process Risk
• Business Intelligence Risk
• Privacy Risk
Security Controls:
• Management
• Operational
• Technical
4.3.2 Hardware Maintenance Program
4.3.3 Hardware Monitoring Procedures
• Availability Reports
• Hardware Error Reports
• Utilization Reports
4.3.4 Capacity Management
• Planning and monitoring of computing and network resources to ensure that the available resources are used effectively and efficiently
4.4 IS Architecture and Software
• System software is a collection of computer programs used in the design, processing and control of all computer applications used to operate and maintain the computer system
• Comprising system utilities and programs, system software ensures the integrity of the system and includes:
• Access control software
• Data communications software
• Database management software
• Program library management systems
• Tape and disk management systems
• Network management software
• Job scheduling software
• Utility programs
4.4.1 Operating Systems
• The OS contains programs that interface between the user, processor and application software
• Provides the primary means of managing the sharing and use of computer resources such as processors, real memory, and I/O devices
4.4.2 Access Control Software
4.4.3 Data Communications Software
• Used to transmit messages or data from one point to another
4.4.4 Data Management
4.4.5 Database Management System
• A DBMS aids in organizing, controlling and using the data needed by application programs
• Primary functions include reducing data redundancy, decreasing access time and providing basic security over sensitive data
4.4.6 Tape and Disk Management Systems (TMS/DMS)
• Specialized system software that tracks and lists the tape/disk resources needed for data center processing
• A TMS/DMS minimizes computer operator time and errors caused by locating improper files
• Records include the data set name and specific tape reel or disk drive location, creation date, effective date, retention period, expiration date and contents information
4.4.7 Utility Programs
4.4.8 Software Licensing Issues
4.4.9 Digital Rights Management (DRM)
• DRM refers to access control technologies that can be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices
• Used by companies like Sony, Apple Inc., Microsoft, BBC
4.5 IS Network Infrastructure
4.5.1 Enterprise Network Architectures
4.5.2 Types of Networks
4.5.3 Network Services
• Functional features made possible by appropriate OS applications
• Allow orderly utilization of the resources on the network
4.5.4 Network Standards and Protocols
4.5.5 OSI Architecture
• OSI (Open Systems Interconnection) is the benchmark standard for network architecture
• Composed of 7 layers, each specifying particular specialized tasks or functions
• The objective of the OSI model is to provide a protocol suite used to develop data-networking protocols and other standards that facilitate multivendor interoperability
4.6 Auditing Infrastructure and Operations
• The IS auditor performs audits and specific reviews of hardware, OS, databases, networks, IS operations and problem management reporting
4.6.1 Hardware Reviews
4.6.2 OS Reviews
4.6.3 Database Reviews
4.6.4 Network Infrastructure and Implementation Reviews
4.6.5 IS Operations Reviews
4.6.6 Scheduling Reviews
4.6.7 Problem Management & Reporting Reviews
4.7 Disaster Recovery Planning (DRP)
• Established to manage availability and restore critical processes/IT services in the event of interruption
• The importance and urgency of the business processes and IT services is defined by performing a BIA and assigning an RTO and RPO
• The ultimate goal is to respond to incidents that may impact people and the ability of operations to deliver goods and services
4.7.1 RPO, RTO
Recovery Point Objective (RPO):
• Determined based on the acceptable data loss in case of a disruption of operations
• Indicates the earliest point in time to which it is acceptable to recover the data
Recovery Time Objective (RTO):
• Determined based on the acceptable downtime in case of a disruption of operations
• Indicates the earliest point in time at which the business operations must resume after a disaster
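An added example (not from the original deck) that applies the two objectives to a backup scheme and a recovery plan: the RPO is compared against the worst-case age of the newest recoverable copy, which the backup interval, backup duration and offsite transfer lag together determine, and the RTO is compared against recovery time both per system and when one team recovers the systems in sequence. System names, intervals and step durations are constructed.

```python
"""RPO/RTO check for a backup scheme and a sequenced recovery plan."""
from dataclasses import dataclass


@dataclass
class BackupScheme:
    interval_h: float     # hours between backup starts
    duration_h: float     # hours a backup takes to complete
    offsite_lag_h: float  # hours until the finished copy is safely offsite


@dataclass
class System:
    name: str
    rpo_h: float
    rto_h: float
    backup: BackupScheme
    recovery_steps: list  # (step name, hours) executed in order


def worst_case_data_loss_h(b):
    """Worst case: the disaster strikes just before the newest copy is
    offsite, so the newest usable copy started interval + duration + lag
    ago and everything since is lost. Sizing the interval alone to the RPO
    ignores the other two terms."""
    return b.interval_h + b.duration_h + b.offsite_lag_h


def recovery_time_h(steps):
    return sum(hours for _, hours in steps)


def check_system(s):
    """Per-system check of the backup scheme against RPO and the recovery
    steps, taken on their own, against RTO."""
    loss = worst_case_data_loss_h(s.backup)
    rt = recovery_time_h(s.recovery_steps)
    return {"system": s.name,
            "data_loss_h": loss, "rpo_met": loss <= s.rpo_h,
            "recovery_h": rt, "rto_met": rt <= s.rto_h}


def sequence_recovery(systems):
    """Recover in RTO order (most urgent first) with one team working
    sequentially; a system can meet its RTO on its own steps yet miss it
    once the systems ahead of it in the queue are counted."""
    clock = 0.0
    rows = []
    for s in sorted(systems, key=lambda x: x.rto_h):
        clock += recovery_time_h(s.recovery_steps)
        rows.append({"system": s.name, "done_at_h": clock, "rto_h": s.rto_h,
                     "rto_met_in_sequence": clock <= s.rto_h})
    return rows


# Constructed sample inventory (names and figures are illustrative only).
SYSTEMS = [
    System("orders", rpo_h=4.0, rto_h=8.0,
           backup=BackupScheme(interval_h=4.0, duration_h=0.5, offsite_lag_h=1.0),
           recovery_steps=[("provision replacement server", 2.0),
                           ("restore latest backup", 3.0),
                           ("validate and hand over", 1.0)]),
    System("hr_payroll", rpo_h=24.0, rto_h=48.0,
           backup=BackupScheme(interval_h=12.0, duration_h=2.0, offsite_lag_h=4.0),
           recovery_steps=[("restore database", 4.0),
                           ("reconcile payroll batch", 8.0)]),
    System("intranet", rpo_h=24.0, rto_h=4.0,
           backup=BackupScheme(interval_h=6.0, duration_h=0.5, offsite_lag_h=0.5),
           recovery_steps=[("restore web content", 1.0),
                           ("validate links and logins", 2.0)]),
]


if __name__ == "__main__":
    for s in SYSTEMS:
        print(check_system(s))
    for row in sequence_recovery(SYSTEMS):
        print(row)
```

Note that "orders" meets its RTO on its own steps but misses it in sequence because "intranet" (RTO 4 h) has to be recovered first.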
4.7.2 Recovery Strategies
• A recovery strategy identifies the best way to recover a system in case of interruption, including disaster, and provides guidance from which detailed recovery procedures can be developed
4.7.3 Recovery Alternatives
4.7.4 Development of Disaster Recovery Plans
4.7.5 Organization and Assignment of Responsibilities
4.7.6 Backup and Restoration
• To ensure that the critical activities of an organization are not interrupted in the event of a disaster, secondary storage media are used to store software application files and associated data for backup purposes
Offsite Library Controls
Backup Schemes
Self-Assessment Questions
1. Which of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?
a) User satisfaction
b) Goal accomplishment
c) Benchmarking
d) Capacity and growth planning
2. For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
a) Mobile site
b) Warm site
c) Cold site
d) Hot site
3. The key objective of capacity planning procedures is to ensure that:
a) Available resources are fully utilized
b) New resources will be added for new applications in a timely manner
c) Available resources are used efficiently and effectively
d) Utilization of resources does not drop below 85 percent
4. An IS auditor should be involved in:
a) Observing tests of the DRP
b) Developing the DRP
c) Maintaining the DRP
d) Reviewing the DR requirements of supplier contracts
Answers
1. c) Benchmarking
2. d) Hot site
3. c) Available resources are used efficiently and effectively
4. a) Observing tests of the disaster recovery plan
CISA Training - Chapter 4 - 2016