CISA EXAM PREP COURSE: SESSION 2

CISA EXAM PREP COURSE: SESSION 2 - Amazon S3...Source: ISACA, CISA Review Manual 26th Edition, figure 3.24 Vendor selection Architecture Workshop 1 1. Review of existing architecture


Page 1

CISA EXAM PREP COURSE: SESSION 2

Page 2

© Copyright 2016 ISACA. All rights reserved.

Job Practice

Domain 1: The Process of Auditing Information Systems, 21%
Domain 2: Governance and Management of IT, 16%
Domain 3: Information Systems Acquisition, Development and Implementation, 18%
Domain 4: Information Systems Operations, Maintenance and Service Management, 20%
Domain 5: Protection of Information Assets, 25%

Page 3

Domain 3: Information Systems Acquisition, Development and Implementation

Page 4

Domain 3

Provide assurance that the practices for the acquisition, development, testing and implementation of information systems meet the organization’s strategies and objectives.

Page 5

Task 3.1

Evaluate the business case for the proposed investments in information systems acquisition, development, maintenance and subsequent retirement to determine whether it meets business objectives.

Page 6

Benefits Realization

To assess whether IT management is fulfilling its value management responsibilities, the IS auditor must understand how the business defines value or an ROI for development-related projects.

Because IT-related initiatives have high expenditures, these projects must be evaluated on:

o Cost
o Quality
o Development/delivery time
o Reliability and dependability

Page 7

Benefits Realization Objectives

The objectives of benefits realization include:

o IT-enabled business investments achieve the promised benefits and deliver measurable business value.
o Required capabilities (solutions and services) are delivered on time and within budget.
o IT services and assets continue to contribute to business value.

Page 8

Business Case

A business case provides the information required for an organization to decide whether a project should proceed. It allows for a comparison of costs and business benefits and provides justification for setting up or continuing a project.

It is often the first step in a project and normally derives from a feasibility study.

Page 9

Feasibility Study

Conduct a formal review with stakeholders.
Evaluate the cost-effectiveness of the approach.
Provide a recommended approach.
Identify requirements based on stakeholder needs.
Conduct a current analysis.
Define the project scope.

Page 10

IS Auditor’s Role

During the feasibility study, the IS auditor should perform the following:

o Review the documentation for the phase to ensure that it is reasonable.
o Determine whether all cost justifications/benefits are verifiable and that they show the anticipated costs and expected benefits.
o Identify and determine the criticality of the need.
o Determine if a solution can be achieved with systems already in place. If not, review the evaluation of alternative solutions for reasonableness.
o Determine the suitability of the chosen solution.

Page 11

Requirements Definition (cont’d)

In order to successfully complete a requirements definition, the project team will complete tasks such as:

o Identify stakeholders.
o Record requirements in a structured format and consult with stakeholders.
o Verify requirements are complete, consistent, unambiguous, verifiable, modifiable, testable and traceable.
o Detect and correct conflicts.
o Identify any constraints.
o Resolve conflicts.

Page 12

Task 3.2

Evaluate IT supplier selection and contract management processes to ensure that the organization’s service levels and requisite controls are met.

Page 13

System Acquisition Factors

Factors impacting whether to develop or acquire a system include:

o The date the system needs to be functional
o The cost to develop the system as opposed to buying it
o The resources, staff and hardware required
o In a vendor system, the license characteristics (e.g., yearly renewal, perpetual) and maintenance costs
o Other systems that will need the ability to interface with the new system
o Compatibility with strategic business plans, risk appetite, regulatory compliance requirements and the organization’s IT infrastructure
o Likely future requirements for changes to functionality

Page 14

Requirements Definition

Requirements definition should include descriptions of what a system should do, how users will interact with a system, conditions under which the system will operate and the information criteria the system should meet.

Page 15

IS Auditor’s Role

When determining system requirements, the IS auditor should perform the following:

o Obtain the detailed requirements definition document, and verify its accuracy through interviews.
o Identify the key team members on the project team.
o Verify that project initiation and cost have received proper management approval.
o Review the conceptual design specifications to ensure that they address the needs of the user.
o Review the conceptual design to ensure that control specifications have been defined.
o Review the UAT specification.
o Determine whether a reasonable number of vendors received a proposal covering the project scope and user requirements.
o Determine whether an embedded audit routine can be used.

Page 16

Request For Proposal (RFP)

o Product vs. system requirements
o Product scalability and interoperability
o Customer references
o Vendor viability/financial stability
o Availability of complete and reliable documentation
o Vendor support
o Source code availability
o Number of years of experience in offering the product
o A list of recent or planned enhancements to the product, with dates
o Number of client sites using the product with a list of current users
o Acceptance testing of the product

Source: ISACA, CISA Review Manual 26th Edition, figure 3.14

Page 17

Software Acquisition Process

During software acquisition, the IS auditor should perform the following:

o Analyze the documentation from the feasibility study to determine whether the decision to acquire a solution was appropriate.
o Review the RFP to ensure that it covers the items listed and whether the selected vendor is supported by the RFP documentation.
o Attend agenda-based presentations and conference room pilots to ensure that the system matches the vendor’s response to the RFP.
o Review the vendor contract prior to its signing.
o Ensure the contract is reviewed by legal counsel before it is signed.

Page 18

Physical Architecture Analysis

Requirements are validated using a proof of concept. The proof of concept should deliver a working prototype that demonstrates basic setup and functionality.

Figure (Source: ISACA, CISA Review Manual 26th Edition, figure 3.24):

Vendor selection
Architecture Workshop 1
1. Review of existing architecture
2. Analysis and design
3. Draft functional requirements
4. Functional requirements
5. Define final functional requirements
6. Proof of concept
Architecture Workshop 2: Presentation and discussion of functional requirements
Architecture Workshop 3: Delivery of prototype

Page 19

Implementation Planning

1. Procurement Phase: Establish the communication process, and determine the deliverables, contracts and SLAs. Requirements statement is produced.
2. Delivery Time: Develop delivery plan: priorities, goals, key facts, principles, communication strategies, key indicators, progress on key tasks and responsibilities.
3. Installation Plan: Develop and review the plan with involved parties.
4. Installation Test Plan: Develop test plan to include test cases, basic requirements specifications, definition of processes and metrics.

Source: ISACA, CISA Review Manual 26th Edition, figure 3.25

Page 20

Task 3.3

Evaluate the project management framework and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization.

Page 21

Project Management

The project management approach is dependent on the size of the organization and complexity of the business.

Prior to project involvement, the IS auditor must become familiar with the standard or structure used by the organization.

Project management processes include:

o Initiating
o Planning
o Executing
o Controlling
o Closing

Page 22

Project Context

When analyzing the context of a project, the IS auditor must consider:

o Importance of the project in the organization
o Connection between the organization’s strategy and the project
o Relationship between the project and other projects
o Connection between the project and the underlying business case

Page 23

Project Context (cont’d)

Understanding the environment and context of the projects helps to identify:

o Common objectives for the organization
o Risk
o Resource connections

Page 24

Project Objectives

Project objectives are the specific action statements that support the project goals.

Project objectives should always begin with an action verb.

A project needs clearly defined results that are SMART: Specific, Measurable, Attainable, Realistic, Timely.

Page 25

IS Auditor’s Role

The IS auditor should review the adequacy of the following project management activities:

o Levels of oversight by project committee/board
o Risk management methods
o Issue management
o Cost management
o Processes for planning and dependency management
o Reporting processes
o Change control processes
o Stakeholder management involvement
o Sign-off process

Page 26

Task 3.4

Conduct reviews to determine whether a project is progressing in accordance with project plans, is adequately supported by documentation, and has timely and accurate status reporting.

Page 27

Project Planning

When planning a project, the project manager needs to determine the various tasks to be performed, as well as the following:

o Task sequence
o Task duration
o Task priority
o Task budget
o Task resources

During project execution, the project manager must control the scope, resource usage and risk.

Page 28

SDLC

Phase 1–Feasibility Study
Phase 2–Requirements Definition
Phase 3A–Software Selection and Acquisition
Phase 3B–Design
Phase 4A–Configuration
Phase 4B–Development
Phase 5–Final Testing and Implementation
Phase 6–Postimplementation

Source: ISACA, CISA Review Manual 26th Edition, figure 3.12

Page 29

IS Auditor Role in SDLC (cont’d)

The IS auditor should ensure that:

o The project meets the organization’s goals and objectives.
o Project planning is performed, including effective estimates of resources, budget and time.
o Scope creep is controlled and there is a software baseline.
o Management is tracking software design and development activities.
o Senior management support is provided.
o Periodic review and risk analysis are performed in each project phase.

Page 30

Business Application Development

Two major categories include:

o Organization-centric computing―The objective is to collect, collate, store, archive and share information with business users and various applicable support functions.
o End-user-centric computing―The objective is to provide different views of data for their performance optimization.

Page 31

IS Auditor’s Role

During the design and development phases, the IS auditor should do the following:

o Review the system flowcharts for adherence to the general design.
o Verify that appropriate approvals were obtained for any changes.
o Review the input, processing and output controls designed into the system for appropriateness.
o Interview the key users to determine their understanding of how the system will operate.
o Assess the adequacy of audit trails to provide traceability and accountability of system transactions.
o Verify the integrity of key calculations and processes.
o Verify that the system can identify and process erroneous data correctly.
o Review the quality assurance results.
o Verify that all recommended corrections were made.

Page 32

Task 3.5

Evaluate controls for information systems during the requirements, acquisition, development and testing phases for compliance with the organization’s policies, standards, procedures and applicable external requirements.

Page 33

Virtualization Controls

The IS auditor will need to understand the following concepts:

o Hypervisors and guest images (OS and networks) are securely configured according to industry standards. Apply hardening to these virtual components as closely as one would to a physical server, switch, router, firewall or other computing device.
o Hypervisor management communications should be protected on a dedicated management network.
o The hypervisor should be patched as the vendor releases the fixes.
o The virtualized infrastructure should be synchronized to a trusted authoritative time server.
o Unused physical hardware should be disconnected from the host system.
o All hypervisor services should be disabled unless they are needed.
o Host inspection capabilities should be enabled to monitor the security of each guest OS and of each activity occurring between guest OSs.

Page 34

Application Controls

Application controls ensure that:

o Only complete, accurate and valid data are entered and updated in a computer system.
o Processing accomplishes the correct task.
o Processing results meet expectations.
o Data are maintained.

Figure: Application Controls (Input, Processing, Output)

Page 35

IS Auditor’s Role

The IS auditor’s tasks include the following:

o Identifying significant application components and the flow of transactions
o Identifying the application control strengths and evaluating the impact of the control weaknesses
o Developing a testing strategy
o Testing the controls to ensure their functionality and effectiveness
o Evaluating the control environment by analyzing the test results and other audit evidence to determine that control objectives were achieved
o Considering the operational aspects of the application to ensure its efficiency and effectiveness

Page 36

Application Control Documentation

The IS auditor should review the following documentation to gain an understanding of the application’s development:

o System development methodology documents
o Functional design specifications
o Program changes
o User manuals
o Technical reference documentation

Page 37

Application Control Testing

The IS auditor must test application controls to ensure their functionality and effectiveness.

Some of the methods and techniques to test the application system include:

o Snapshot
o Mapping
o Tracing and tagging
o Test data/deck
o Base-case system evaluation
o Parallel operation
o Integrated test facility
o Parallel simulation
o Transaction selection programs
o Embedded audit data collection
o Extended records

Page 38

Continuous Online Auditing

Systems Control Audit Review File and Embedded Audit Modules (SCARF/EAM)
• Embeds specially written software in the host application system to monitor it on a selective basis

Snapshots
• Captures the processing path a transaction follows and applies identifiers for subsequent reviews

Audit Hooks
• Embeds hooks in the application system to function as red flags, which allows IS or the auditor to intervene

Integrated Test Facility (ITF)
• Sets up dummy entities on the production files to confirm the correctness of the processing

Continuous and Intermittent Simulations (CIS)
• Simulates the execution of an application and audits the transaction if it meets predetermined criteria

Page 39

Task 3.6

Evaluate the readiness of information systems for implementation and migration into production to determine whether project deliverables, controls and organization’s requirements are met.

Page 40

Testing

Testing determines that the user requirements have been validated, the system is performing as anticipated and internal controls work as intended.

The two primary approaches to testing include:

o Bottom up―Begin testing of individual units, and work upward until a complete system testing has taken place.
o Top down―Begin testing the complete system, and work downward to individual units.

Page 41

Types of Testing

Unit testing

• Tests program logic within a particular program or module

• Ensures that the internal operation of the program performs according to specification

• Uses a set of test cases that focus on the control structure of the procedural design

Interface or integration testing

• A hardware or software test that evaluates the connection of two or more components that pass information from one area to another

System testing

• A series of tests designed to ensure that modified programs, objects, database schema, etc., which collectively constitute a new or modified system, function properly

Final acceptance testing

• System testing that takes place during the implementation phase and applies the organization’s QA methodology

Page 42

User Performance Testing

Some of the user procedures that should be observed and tested include:

• SoD―ensures that no individual has the capability of performing more than one of the following processes: origination, authorization, verification or distribution.

• Authorization of input―use written authorization on input documents or unique passwords.

• Balancing―verify that run-to-run control totals and other application totals are reconciled on a timely basis.

• Error control and correction―reports that provide evidence of appropriate review, research, timely correction and resubmission.

• Distribution of reports―produce and maintain critical output reports in a secure manner.

• Review and testing of access authorizations and capabilities―provide information on access levels by individuals.

• Activity reports―provide details, by user, of activity volume and hours.

• Violation reports―indicate any unsuccessful and unauthorized access attempts.
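The SoD test from the first bullet above, as an added example that is not from the ISACA course material: it collapses a constructed (user, role) entitlement extract through an assumed role-to-process mapping and reports every user who can perform more than one of origination, authorization, verification or distribution; roles absent from the mapping are returned separately so they are resolved rather than silently treated as harmless.

```python
"""Segregation-of-duties test over a constructed user-entitlement extract.

Added example, not from the ISACA course material. The role names, the
role-to-process mapping and the entitlement extract are all constructed.
"""
from itertools import combinations

# The four incompatible processes named on the slide, in a fixed order.
INCOMPATIBLE = ("origination", "authorization", "verification", "distribution")

# Constructed mapping of application roles to the process each one grants.
ROLE_PROCESS = {
    "AP_CLERK": "origination",
    "AP_APPROVER": "authorization",
    "AP_RECONCILER": "verification",
    "REPORT_DISTRIBUTOR": "distribution",
    "READ_ONLY": None,            # grants none of the four processes
}

# Constructed entitlement extract: (user, role) pairs as exported from the app.
ENTITLEMENTS = [
    ("alice", "AP_CLERK"), ("alice", "READ_ONLY"),
    ("bob", "AP_CLERK"), ("bob", "AP_APPROVER"),
    ("carol", "AP_RECONCILER"), ("carol", "REPORT_DISTRIBUTOR"), ("carol", "AP_CLERK"),
    ("dave", "UNKNOWN_ROLE"),
]


def processes_by_user(entitlements, role_process):
    """Collapse roles to the set of incompatible processes each user can perform.
    Returns (per_user, unmapped): unmapped lists roles missing from the mapping,
    which the auditor must classify before the test result is relied on."""
    per_user, unmapped = {}, []
    for user, role in entitlements:
        if role not in role_process:
            unmapped.append((user, role))
            continue
        proc = role_process[role]
        if proc in INCOMPATIBLE:
            per_user.setdefault(user, set()).add(proc)
    return per_user, unmapped


def sod_violations(entitlements, role_process=ROLE_PROCESS):
    """Return {user: list of conflicting process pairs} for every user holding
    more than one of the four incompatible processes."""
    per_user, _ = processes_by_user(entitlements, role_process)
    violations = {}
    for user, procs in per_user.items():
        if len(procs) > 1:
            ordered = sorted(procs, key=INCOMPATIBLE.index)
            violations[user] = list(combinations(ordered, 2))
    return violations


if __name__ == "__main__":
    for user, pairs in sod_violations(ENTITLEMENTS).items():
        print(f"{user}: conflicts {pairs}")
    _, unmapped = processes_by_user(ENTITLEMENTS, ROLE_PROCESS)
    print("Roles to classify before relying on the result:", unmapped)
```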

Page 43

Data Integrity Testing

Data integrity testing is a set of substantive tests that examine accuracy, completeness, consistency and authorization of data presently held in a system. Two common types include:

o Relational integrity tests―Data validation routines performed at the data element and record-based levels.
o Referential integrity tests―Define existence relationships between entities in different tables of a database that need to be maintained by the DBMS.
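Both test types above, as an added example that is not part of the ISACA material: the tables (a customer master and an orders table), the validation rules and the exception format are all constructed here. The relational test checks each data element against a domain, range or format and each record for a unique key; the referential test checks that every child row's customer_id exists in the parent table.

```python
"""Relational and referential integrity tests over two constructed tables.

Added example, not from the ISACA course material. The tables, the
validation rules and the exception format are constructed for illustration.
"""
from datetime import date

# Constructed sample data: a customer master (parent) and an orders table (child).
CUSTOMERS = [
    {"customer_id": "C001", "name": "Acme Ltd", "status": "active"},
    {"customer_id": "C002", "name": "Globex", "status": "closed"},
]
ORDERS = [
    {"order_id": 1, "customer_id": "C001", "amount": 250.00, "order_date": "2016-03-01", "status": "shipped"},
    {"order_id": 2, "customer_id": "C999", "amount": 99.00, "order_date": "2016-03-02", "status": "open"},    # orphan foreign key
    {"order_id": 3, "customer_id": "C002", "amount": -15.00, "order_date": "2016-13-40", "status": "open"},   # bad element values
    {"order_id": 1, "customer_id": "C001", "amount": 10.00, "order_date": "2016-03-05", "status": "weird"},   # duplicate key, bad domain
]

# Permitted domain for the status element (constructed).
ORDER_STATUS_DOMAIN = {"open", "shipped", "cancelled"}


def _valid_iso_date(value):
    try:
        date.fromisoformat(value)
        return True
    except (TypeError, ValueError):
        return False


def relational_integrity_test(orders):
    """Data-element and record-level validation of each order row.
    Returns a list of (order_id, field, problem) exceptions."""
    exceptions = []
    seen_keys = set()
    for row in orders:
        oid = row.get("order_id")
        # Element-level checks: domain, range, format.
        if row.get("status") not in ORDER_STATUS_DOMAIN:
            exceptions.append((oid, "status", "value outside permitted domain"))
        amount = row.get("amount")
        if not isinstance(amount, (int, float)) or amount < 0:
            exceptions.append((oid, "amount", "negative or non-numeric"))
        if not _valid_iso_date(row.get("order_date")):
            exceptions.append((oid, "order_date", "not a valid ISO date"))
        # Record-level check: the primary key must be unique.
        if oid in seen_keys:
            exceptions.append((oid, "order_id", "duplicate primary key"))
        seen_keys.add(oid)
    return exceptions


def referential_integrity_test(orders, customers):
    """Every orders.customer_id must exist in the customer master.
    Returns a list of (order_id, customer_id) orphan references."""
    parent_keys = {c["customer_id"] for c in customers}
    return [(o["order_id"], o["customer_id"]) for o in orders
            if o["customer_id"] not in parent_keys]


if __name__ == "__main__":
    for exc in relational_integrity_test(ORDERS):
        print("relational exception:", exc)
    for orphan in referential_integrity_test(ORDERS, CUSTOMERS):
        print("referential exception (orphan order, missing customer):", orphan)
```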

Page 44

IS Auditor’s Role

During testing, the IS auditor should perform the following:

o Review the test plan, error reports, end user documentation and procedures used for completeness and accuracy.
o Reconcile control totals and converted data.
o Verify cyclical processing and critical reports for accuracy.
o Interview end users of the system for their understanding of new methods, procedures and operating instructions.
o Verify that system security is functioning as designed.
o Review parallel testing results and the user acceptance testing.
o Review unit and system test plans to determine whether tests for internal controls are planned and performed.
o Review the user acceptance testing and ensure that the accepted software has been delivered to the implementation team. The vendor should not be able to replace this version.
o Review procedures used for recording and following through on error reports.

Page 45

Task 3.7

Conduct post-implementation reviews of systems to determine whether project deliverables, controls and organization’s requirements are met.

Page 46

Implementation Planning

After successful testing, the system is implemented according to the organization’s change control procedures.

An implementation plan should be prepared well in advance of the implementation date.

Each step of setting up the production environment should be documented, including who will be responsible, how the step will be verified and the back-out procedure.

Page 47

Implementation Planning Steps

Step 1―Develop Support Structures
• Develop a gap analysis process.
• Define required roles.

Step 2―Establish Support Functions
• Develop service level agreements (SLAs). SLAs should consider:
  • Operating time
  • Support time
  • Meantime between failures (MTBF)
  • Meantime to repair (MTTR)
  • Technical support response time
  • Implementation plan/knowledge transfer plan
• Develop training plans:
  • Staff training
  • End user training

Page 48

IS Auditor’s Role

During the implementation phase, the IS auditor should perform the following:

o Verify appropriate sign-offs have been obtained.
o Review the programmed procedures used for scheduling and running the system.
o Review all system documentation to ensure its completeness.
o Verify all data conversions to ensure that they are correct and complete.


Post-implementation

Post-implementation reviews are typically conducted after the system has been in use long enough to realize its business benefits and costs and to measure the project’s overall success and impact on the business units.

Metrics include:

o Total cost of ownership (TCO)
o Return on investment (ROI)


Project Close

Projects have a finite life. Once the project is closed, the system is handed over to end users.

During project closure:

o Assign outstanding issues.
o Assign custody of contracts.
o Archive or hand off documentation.
o Discuss lessons learned.
o Conduct a post-project review.


Certification and Accreditation

Certification is a process by which an assessor performs a comprehensive assessment of management, operational and technical controls against a standard and determines the level of compliance.

o The goal is to determine the extent to which controls are implemented correctly, operating as intended and producing the desired outcome.

Accreditation authorizes operation of an information system, thereby accepting the residual risk. A senior official accepts responsibility and is fully accountable for any adverse impacts.


System Maintenance

Following implementation, a system enters the ongoing development or maintenance stage.

System maintenance practices refer primarily to the process of managing change to application systems while maintaining the integrity of both the production application source code and its executable (object) code.

A standard change management process needs to be in place for recording and performing changes; it is typically established during the project design phase.


Change Management

Change management is a process to document and authorize any change requests.

Change requests are initiated by end users, operational staff, and system development and maintenance staff.


Change Management (cont’d)

A change management process should include procedures for the following:

o A formal change request process
o Documentation
o Testing of changes
o Emergency changes
o Deploying changes into production
o Handling unauthorized changes


Configuration Management

Configuration management uses change management processes along with checkpoints, reviews and sign-off procedures.

Configuration management activities:

o Develop the configuration management plan.
o Baseline applicable components.
o Analyze and report on the results.
o Develop configuration status reports.
o Develop release procedures.
o Perform configuration control activities.
o Update the configuration status accounting database.
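A worked example of the "baseline applicable components" and "configuration control" activities above, and of the "handling unauthorized changes" procedure from the change management slide. The script is an added illustration written for this page; it is not ISACA's or the course's material. It records a SHA-256 baseline of deployed components, compares the current state against that baseline and reports every difference that is not covered by an approved change record. The file paths, file contents and the change record number are constructed for the demonstration, and the mapping of "path to approving change record" is an assumed structure for the change log.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample data (not from the course): the production state when it
# was baselined after release, and the state found during a later review.
BASELINE_FILES = {
    "/etc/app/config.yml": b"listen: 443\nlog_level: info\n",
    "/opt/app/bin/server": b"server build 1.4.2",
    "/etc/cron.d/app-backup": b"0 2 * * * root /opt/app/bin/backup\n",
}
CURRENT_FILES = {
    "/etc/app/config.yml": b"listen: 443\nlog_level: debug\n",  # edited by hand
    "/opt/app/bin/server": b"server build 1.4.3",               # released via CR-1042
    "/opt/app/bin/helper": b"unknown binary",                   # nothing in the CMDB
}
# Approved, closed change records and the component each one authorizes.
# Assumed structure: path -> change record id.
APPROVED_CHANGES = {"/opt/app/bin/server": "CR-1042"}


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str            # "modified", "added" or "removed"
    change_record: str   # approving CR id, or "" when no approval exists

    @property
    def authorized(self) -> bool:
        return bool(self.change_record)


def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_baseline(files: dict[str, bytes]) -> dict[str, str]:
    """Baseline applicable components: one SHA-256 per controlled file."""
    return {path: digest(data) for path, data in files.items()}


def check_drift(baseline: dict[str, str], current_files: dict[str, bytes],
                approved: dict[str, str]) -> list[Finding]:
    """Configuration control: compare current hashes with the baseline and
    attribute each difference to an approved change record, if one exists."""
    current = take_baseline(current_files)
    findings = []
    for path in sorted(set(baseline) | set(current)):
        if path not in current:
            kind = "removed"
        elif path not in baseline:
            kind = "added"
        elif baseline[path] != current[path]:
            kind = "modified"
        else:
            continue  # unchanged: matches the configuration status accounting record
        findings.append(Finding(path, kind, approved.get(path, "")))
    return findings


def unauthorized_changes(findings: list[Finding]) -> list[Finding]:
    """The items an auditor would raise: drift with no approved change behind it."""
    return [f for f in findings if not f.authorized]


def status_report(findings: list[Finding]) -> str:
    """A minimal configuration status report, one line per difference."""
    return "\n".join(f"{f.kind:<9} {f.path:<26} {f.change_record or 'UNAUTHORIZED'}"
                     for f in findings)


if __name__ == "__main__":
    baseline = take_baseline(BASELINE_FILES)
    findings = check_drift(baseline, CURRENT_FILES, APPROVED_CHANGES)
    print(status_report(findings))
    print(f"{len(unauthorized_changes(findings))} unauthorized change(s)")
```

In practice the baseline would be taken from the release package at deployment and stored outside the system being checked, so that someone who modifies production cannot also rewrite the record it is compared against.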


IS Auditor’s Role

The IS auditor should review the change management process for possible improvements in the following:

o Change request methodology and procedures
o Response time and response effectiveness
o User satisfaction
o Security access restrictions
o Emergency procedures
o Acknowledgement and resolution of items on the change control log


Process Improvement Practices―BPR

BPR Steps

1. Define the areas to be reviewed.
2. Develop a project plan.
3. Gain an understanding of the process under review.
4. Redesign and streamline the process.
5. Implement and monitor the new process.
6. Establish a continuous improvement process.


BPR Methods and Techniques

BPR Method―Description

o Benchmarking process: A continuous, systematic process for evaluating the products, services or work processes of organizations recognized as a world-class “reference” in a globalized world.
o ISO 9126: An international standard to assess the quality of software products (ISO/IEC 9126 has since been superseded by ISO/IEC 25010).
o Capability Maturity Model Integration (CMMI): A model used by many organizations to identify best practices useful in helping them assess and increase the maturity of their software development processes.
o ISO/IEC 330xx: A series of standards that provide guidance on process assessment (the successor to ISO/IEC 15504).
o Business Process Control Assurance: A technique to evaluate controls at the process and activity level and the controls specific to the business process owner.


Domain 3 Summary

In this domain we have covered the following:

o Evaluating the business case for the proposed information systems acquisition and development
o Evaluating IT supplier selection and contract management processes
o Evaluating the project management framework and controls
o Conducting reviews to determine whether a project is progressing in accordance with project plans
o Evaluating controls for information systems during the requirements, acquisition, development and testing phases
o Evaluating the readiness of information systems for implementation and migration into production
o Conducting post-implementation reviews of systems to determine whether project deliverables, controls and organization’s requirements are met


Discussion Question

A legacy payroll application is migrated to a new application. Which of the following stakeholders should be PRIMARILY responsible for reviewing and signing off on the accuracy and completeness of the data before going live?

A. IS auditor
B. Database administrator
C. Project manager
D. Data owner


Discussion Question

An IS auditor should ensure that the review of online electronic funds transfer (EFT) reconciliation procedures includes:

A. vouching.
B. authorizations.
C. corrections.
D. tracing.


Discussion Question

The PRIMARY objective of conducting a post-implementation review for a business process automation project is to:

A. ensure that the project meets the intended business requirements.
B. evaluate the adequacy of controls.
C. confirm compliance with technological standards.
D. confirm compliance with regulatory requirements.


Domain 4

Information Systems Operations, Maintenance and Service Management


Domain 4

Provide assurance that the processes for information systems operations, maintenance and service management meet the organization’s strategies and objectives.


Task 4.1

Evaluate the IT service management framework and practices (internal or third party) to determine whether the controls and service levels expected by the organization are being adhered to and whether strategic objectives are met.


IT Service Management

IT service management (ITSM) supports business needs through the implementation and management of IT services.

People, processes and information technology are each a part of IT services.

A service management framework provides support for the implementation of ITSM.


The ITSM Premise

The bases of ITSM are:

o IT can be managed through a series of discrete processes.
o These processes provide “service” to the business and are interdependent.

Service level agreements (SLAs) detail service expectations.

To ensure high levels of service, ITSM metrics are compared against the SLA expectations.
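The comparison of ITSM metrics against SLA expectations, worked through for the SLA terms the implementation planning slides list (operating time, MTBF, MTTR and technical support response time). This script is an added example for this page, not ISACA's or the course's material. The outage records, first-response times and SLA targets are constructed, and the formulas (MTBF as operating time divided by the number of failures, MTTR as total downtime divided by the number of failures, availability as operating time over the measurement period) are the usual definitions, assumed here because the slides name the metrics without defining them.

```python
from datetime import datetime

# Constructed records for one service over March 2016 (not course data):
# each outage is (service down, service restored).
OUTAGES = [
    (datetime(2016, 3, 2, 9, 0), datetime(2016, 3, 2, 9, 45)),
    (datetime(2016, 3, 11, 22, 10), datetime(2016, 3, 12, 0, 10)),
    (datetime(2016, 3, 25, 14, 0), datetime(2016, 3, 25, 14, 30)),
]
WINDOW = (datetime(2016, 3, 1), datetime(2016, 3, 31))  # 30 days = 720 h
# Minutes from ticket creation to first technical response (constructed).
RESPONSE_MINUTES = [12, 25, 40, 18, 55, 20]
# Assumed SLA targets for the demonstration.
SLA = {
    "availability_min": 0.999,
    "mttr_max_h": 1.0,
    "mtbf_min_h": 200.0,
    "response_target_min": 30,
    "response_pct_min": 0.90,
}


def service_metrics(outages, window):
    """MTBF = operating time / failures, MTTR = downtime / failures,
    availability = operating time / period (assumed standard definitions)."""
    start, end = window
    period_h = (end - start).total_seconds() / 3600
    downtime_h = sum((up - down).total_seconds() for down, up in outages) / 3600
    failures = len(outages)
    operating_h = period_h - downtime_h
    return {
        "failures": failures,
        "mttr_h": downtime_h / failures if failures else 0.0,
        "mtbf_h": operating_h / failures if failures else operating_h,
        "availability": operating_h / period_h,
    }


def response_compliance(minutes, target_min):
    """Share of tickets that received a first response within the target."""
    return sum(1 for m in minutes if m <= target_min) / len(minutes)


def sla_breaches(metrics, response_pct, sla):
    """Compare measured values against SLA expectations; return breached terms."""
    checks = {
        "availability": metrics["availability"] >= sla["availability_min"],
        "mttr": metrics["mttr_h"] <= sla["mttr_max_h"],
        "mtbf": metrics["mtbf_h"] >= sla["mtbf_min_h"],
        "response_time": response_pct >= sla["response_pct_min"],
    }
    return sorted(term for term, ok in checks.items() if not ok)


if __name__ == "__main__":
    m = service_metrics(OUTAGES, WINDOW)
    pct = response_compliance(RESPONSE_MINUTES, SLA["response_target_min"])
    print(f"availability {m['availability']:.4%}  MTBF {m['mtbf_h']:.1f} h  "
          f"MTTR {m['mttr_h']:.2f} h  first response within target {pct:.0%}")
    print("SLA breaches:", ", ".join(sla_breaches(m, pct, SLA)) or "none")
```

With the constructed data the service misses the availability, MTTR and response-time terms while meeting MTBF, which illustrates why an auditor reviews each SLA term separately rather than a single summary figure: few, long outages and many, short ones produce very different MTBF/MTTR pairs at the same availability.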


SLA Tools

Several reporting tools aid in determining whether service expectations are being met. These include:

o Exception reports
o System and application logs
o Operator problem reports
o Operator work schedules


Audit of Infrastructure

Enterprise architecture (EA) describes the design of the components of a business system or subsystem.

o EA documents an organization’s IT assets in a structured form, facilitating consideration of IT investments and clarifying interrelationships between IT components.


Audit of Infrastructure (cont’d)

When auditing infrastructure and operations, the IS auditor should:

o Follow the overall EA.
o Use the EA as a main source of information.
o Ensure that IT systems are aligned with the EA and meet organizational objectives.


Task 4.2

Conduct periodic reviews of information systems to determine whether they continue to meet the organization’s objectives within the enterprise architecture (EA).


Hardware Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.26

o Hardware acquisition plan and execution
o IT asset management
o Capacity management and monitoring
o Preventive maintenance schedule
o Hardware availability and utilization reports
o Problem logs, job accounting system reports


Operating System Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.27

o System software selection procedures
o Feasibility study and selection process
o System software security
o IT asset management
o System software implementation
o Authorization documentation
o System documentation
o System software maintenance activities
o System software change controls
o System software installation change controls


Database Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.28

o Logical schema
o Physical schema
o Access time reports
o Database security controls
o Interfaces with other software
o Backup and disaster recovery procedures and controls
o Database-supported IS controls
o IT asset management


Network Review Areas

Source: ISACA, CISA Review Manual 26th Edition, figure 4.29

Physical controls
• Network hardware devices
• File server
• Documentation
• Key logs
• Network wiring closet and transmission wiring

Environmental controls
• Controls in the server facility, including temperature, humidity, static electricity, surge and fire protection
• Protection of backup media
• Cleanliness

Logical security controls
• Passwords
• Network user access and change requests
• Test plans
• Security reports and mechanisms
• Network operation procedures
• Personnel awareness of risks


IS Operations Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.30

o Observe IS personnel
o Review operator access
o Consider adequacy of operator manuals
o Examine access to the library
o Consider contents/location of offline storage
o Examine file handling procedures
o Examine data entry processes
o Review lights-out operations


Task 4.3

Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management) to determine whether they are controlled effectively and continue to support the organization’s objectives.


IS Operations

The IS operations function is responsible for the ongoing support of an organization’s computer and IS environment, ensuring:

o Computer processing requirements are met
o End users are satisfied
o Information is processed securely
o Outside parties (third parties, cloud computing) meet the company’s processing requirements


Job Scheduling

Job scheduling is a major function within the IT department, and in environments in which a large number of batch routines are processed, it may be managed through the use of job scheduling software.

It is necessary to ensure that IS resources are optimized based on processing requirements.


Scheduling Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.31

o Regularly scheduled applications
o Input deadlines
o Data preparation time
o Estimated processing time
o Output deadlines
o Procedures for use of KPIs
o Processing priorities
o Daily job schedule
o Console log
o Exception processing log
o Re-executed jobs
o Personnel


Task 4.4

Evaluate IT maintenance (patches, upgrades) to determine whether they are controlled effectively and continue to support the organization’s objectives.


Hardware Maintenance

To perform optimally, hardware must be cleaned and serviced on a routine basis.

When performing an audit of this area, the IS auditor should:

o Ensure that a formal maintenance plan has been developed. This must be:
  • Approved by management
  • Implemented and followed
o Identify maintenance costs that exceed budget or are excessive.


Capacity Management

Computing and network resources must be planned and monitored to ensure that they are used efficiently and effectively.

A capacity plan should be developed based on input from both users and IS managers, and should be reviewed and updated at least annually.

The IS audit should take into account that capacity requirements may:

o Fluctuate according to business cycles
o Be interdependent across the capacity plan


Release Management

Major release
• Normally contains a significant change or the addition of new functionality
• Usually supersedes all preceding minor upgrades

Minor release
• Upgrades offering small enhancements and fixes
• Usually supersedes all preceding emergency fixes

Emergency release
• Normally contains corrections to a small number of known problems
• Requires implementation as quickly as possible, limiting the execution of testing and release management activities; the testing and approval that were skipped should be completed and documented after the fact

Source: ISACA, CISA Review Manual 26th Edition, figure 4.8


Patch Management

A patch is software code that is installed to maintain software as current between full-scale version releases.

A patch often addresses security risks that have been detected in the original code. Patches should still pass through change management and be tested before deployment to production, since a faulty patch can cause the same disruption as any other uncontrolled change.


Quality Assurance (QA)

Prior to the introduction of system changes to the production environment, a QA process should be in place to verify that these changes are:

o Authorized
o Tested
o Implemented in a controlled manner

QA personnel also oversee the proper maintenance of program versions and the correspondence of source code to object (executable) code.


Backup Schemes

Full backup
o What it does: Copies all main files and folders to the backup media.
o Advantages: Creates a unique archive in case of restoration.
o Disadvantages: Requires more time and media capacity than other methods.

Incremental backup
o What it does: Copies files and folders that have changed or are new since the last backup of any kind (full or incremental).
o Advantages: Requires less time and media than a full backup.
o Disadvantages: All backup sets since the last full backup are required for a full restoration, taking more time.

Differential backup
o What it does: Copies files and folders that have been added or changed since the last full backup was performed.
o Advantages: Faster than a full backup; requires only the latest full and the latest differential backup sets for a full restoration.
o Disadvantages: Requires more time and media capacity than an incremental backup.
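A simulation of the three schemes above, added for this page and not part of the course material. It runs a seven-day cycle (a full backup on day 0, then the chosen scheme on days 1 to 6) over a constructed set of five files with a made-up change history, and then computes two things the table describes in words: how many file copies each scheme writes to media, and which backup sets must be read to restore the state as of a given day. The file names and change history are constructed for the demonstration.

```python
# Constructed example (not course data): five files exist on day 0, and the
# sets below list which files changed on each of the following days.
ALL_FILES = frozenset({"ledger.db", "payroll.csv", "config.yml", "audit.log", "notes.txt"})
DAILY_CHANGES = {
    1: {"ledger.db"},
    2: {"payroll.csv"},
    3: {"ledger.db", "config.yml"},
    4: set(),                       # a quiet day: nothing changed
    5: {"audit.log"},
    6: {"payroll.csv"},
}


def run_backups(all_files, daily_changes, scheme):
    """Simulate one backup cycle. Day 0 is always a full backup; later days use
    the chosen scheme. Returns a list of (day, kind, files_copied)."""
    sets = [(0, "full", all_files)]
    since_full = set()
    for day in sorted(daily_changes):
        changed = set(daily_changes[day])
        if scheme == "full":
            sets.append((day, "full", all_files))
        elif scheme == "incremental":
            # everything changed since the previous backup of any kind
            sets.append((day, "incremental", frozenset(changed)))
        elif scheme == "differential":
            # everything changed since the last full backup, re-copied each day
            since_full |= changed
            sets.append((day, "differential", frozenset(since_full)))
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return sets


def restore_chain(sets, target_day):
    """The backup sets that must be read to restore the state as of target_day."""
    usable = [s for s in sets if s[0] <= target_day]
    last_full = max(i for i, s in enumerate(usable) if s[1] == "full")
    chain = [usable[last_full]]
    later = usable[last_full + 1:]
    if later and later[-1][1] == "differential":
        chain.append(later[-1])   # only the newest differential is needed
    else:
        chain.extend(later)       # every incremental since the full, in order
    return chain


def files_copied(sets):
    """Total file copies written to media over the cycle: a proxy for backup
    time and media consumption."""
    return sum(len(files) for _, _, files in sets)


if __name__ == "__main__":
    for scheme in ("full", "incremental", "differential"):
        sets = run_backups(ALL_FILES, DAILY_CHANGES, scheme)
        chain = restore_chain(sets, 6)
        print(f"{scheme:<12} copies written={files_copied(sets):>2}  "
              f"sets needed to restore day 6={len(chain)}")
```

The point an auditor takes from the numbers: the scheme that writes the least (incremental) needs the longest chain to restore, and a single unreadable set anywhere in that chain breaks the restore, which is why restoration tests, not just backup job logs, belong in the evidence.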


Contractual Provisions

The use of third-party recovery alternatives should be guided by contractual provisions such as the following:

o Hardware and software configurations
o Disaster magnitude definition
o Private versus shared facility use
o Organization’s priority relative to other users
o Immediacy and duration of availability
o Security and audit considerations


Task 4.5

Evaluate database management practices to determine the integrity and optimization of databases.


Database Management System

Database management system (DBMS) software offers several benefits:

o Aids in organizing, controlling and using the data needed by application programs
o Provides the facility to create and maintain a well-organized database
o Reduces data redundancy and access time, while offering basic security over sensitive data


Database Controls

o Enforced definition standards
o Data backup and recovery procedures
o Access control levels
o Updates by authorized personnel only
o Controls on concurrent updating of the same data
o Checks on data accuracy, completeness and consistency
o Job stream checkpoints
o Database reorganization to ensure efficiency
o Database restructuring procedures
o Use of performance reporting tools
o Minimize use of non-system tools or utilities


Task 4.6

Evaluate data quality and life cycle management to determine whether they continue to meet strategic objectives.


Data Life Cycle

Adapted from: ISACA, COBIT 5: Enabling Information, USA, 2013, figure 23

Plan → Design → Build/Acquire → Use/Operate → Monitor → Dispose


Data Quality Criteria

Data quality is key to data management, and the IS auditor should ensure that data is of sufficient quality to allow the organization to meet its strategic objectives.

Questions such as the following can aid in this determination:

o Are the data being captured and processed to required standards?
o Are the configurations of the organization’s applications and database management systems aligned with organizational objectives?
o Are data being archived, retained or destroyed in line with a data retention policy?


IT Asset Management (cont’d)

To achieve the objectives of asset management, assets must be identified.

The inventory record of each information asset should include:

o Specific identification of the asset
o Relative value to the organization
o Loss implications and recovery priority
o Location
o Security/risk classification
o Asset group, when the asset is part of a larger information system
o Owner and designated custodian


IT Asset Management (cont’d)

IT asset management is a fundamental prerequisite to developing a meaningful security strategy.

It is also the first step in managing software licenses and classifying and protecting information assets.

IT asset management procedures should be employed for both software and hardware assets.


Types of Software Licenses

Free software licensing types
• Open source
• Freeware
• Shareware

Paid software licensing types
• Per central processing unit (CPU)
• Per seat
• Concurrent users
• Utilization
• Per workstation
• Enterprise

Adapted from: ISACA, CISA Review Manual 26th Edition, figures 4.18 and 4.19


Source Code Management

Source code is the human-readable form of a program, written in a programming language; it tells the computer what to do.

Source code may contain intellectual property that should be protected, and access should be restricted.

The management of source code is related to change management, release management, quality assurance and information security management.


Source Code Management (cont’d)

Source code should be managed using a version control system (VCS), which maintains a central repository.

This allows programmers to check program source code out of, and back in to, the repository. With each check-in, a new version is created, so the repository history serves as the audit trail of who changed what and when.


Source Code Audit

The IS auditor must be aware of the following items relating to source code:

o Who has access to the code
o Who can commit code to the repository, and who can promote (release) it into production; these should be separately controlled
o Alignment of program source code to program objects
o Alignment with change and release management
o Backup of source code, including copies located offsite and in escrow agreements


Task 4.7

Evaluate problem and incident management practices to determine whether problems and incidents are prevented, detected, analyzed, reported and resolved in a timely manner to support the organization’s objectives.


Problem Management

Objective of problem management
• Reduce the number and/or severity of incidents.
• Improve the quality of service of an IS organization.

Objective of incident management
• React to issues as they arise.
• Return the affected process back to normal service quickly.
• Minimize business impacts of incidents.


Problem Reporting Review

Source: ISACA, CISA Review Manual 26th Edition, figure 4.32

Interviews with IS personnel
• Have documented procedures been developed to guide the logging, analysis, resolution and escalation of problems?
• Are these actions performed in a timely manner, in accordance with management’s intent and authorization?

Procedures and documentation
• Are procedures adequate for recording, evaluating, resolving or escalating problems?
• Is IT statistics collection and analysis adequate, accurate and complete?
• Are all identified problems recorded for verification and resolution?

Logs and records
• Are the reasons for delays in application program processing valid?
• Are significant and recurring problems identified and actions taken to prevent their recurrence?
• Are there any recurring problems that are not being reported to IS management?


The Support Function

• Determine source of computer incidents; take appropriate corrective action.
• Initiate problem reports; ensure timely incident resolution.
• Obtain detailed knowledge of network, system and applications.
• Answer inquiries regarding specific systems.
• Provide second- and third-tier support to business user and customer.
• Provide technical support for computerized telecommunications processing.
• Maintain documentation of vendor software and proprietary systems.
• Communicate with IS operations to signal abnormal incident patterns.

Source: ISACA, CISA Review Manual 26th Edition, figure 4.7


Task 4.8

Evaluate change and release management practices to determine whether changes made to systems and applications are adequately controlled and documented.


Change Management

The change management process is implemented when:

o Hardware is changed.
o Software is installed or upgraded.
o Network devices are configured.

Change control is part of the broader change management process. It is designed to control the movement of application changes from the test environment through QA and into the production environment.


Change Management (cont’d)

The change management process ensures that:

o Relevant personnel are aware of the change and its timing.
o Documentation is complete and in compliance.
o Job preparation, scheduling and operating instructions have been established.
o System and program results have been reviewed and approved by both project management and the end user.
o Data file and system conversions have been completed accurately and completely.
o All aspects of jobs turned over have been tested, reviewed and approved by control/operations personnel.
o Legal and compliance issues have been addressed.
o Risk associated with the change has been planned for, and a rollback plan has been developed to back out the changes should that become necessary.


Change Requests

Formalized and documented change processes incorporate the following elements:

o Change request
o Authorization
o Testing
o Implementation
o Communication to end users


Change Requests (cont’d)

Procedures associated with these elements may vary according to the type of change request, including:

o Emergency changes
o Major changes
o Minor changes


Task 4.9

Evaluate end-user computing to determine whether the processes are effectively controlled and support the organization’s objectives.


End-User Computing

End-user computing (EUC) refers to the ability of end users to design and implement their own information system using computer software products.

EUC allows users to quickly build and deploy applications but brings the risk that applications may not be independently reviewed and created using a formal development methodology.


End-User Computing (cont’d)

The IS auditor should ensure that policies for the use of EUC exist.

o An inventory of all such applications should be in place.
o Those deemed critical enough should be subject to the same controls as any other application.


Task 4.10

Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]) to determine whether they are controlled effectively and continue to support the organization’s objectives.


Disaster Recovery Planning

Planning for disasters is an important part of the risk management and BCP processes.

The purpose of this continuous planning process is to ensure that cost-effective controls are in place to prevent possible IT disruptions and to recover the IT capacity of the organization in the event of a disruption.


DRP Compliance Requirements

DRP may be subject to compliance requirements depending on:

o Geographic location
o Nature of the business
o The legal and regulatory framework

Most compliance requirements focus on ensuring continuity of service, with human safety as the most essential objective.

Organizations may engage third parties to perform DRP-related activities on their behalf; these third parties are also subject to compliance.


Disaster Recovery Testing

The IS auditor should ensure that all plans are regularly tested and should be aware of the testing schedule and the tests to be conducted for all critical functions.

Test documentation should be reviewed by the IS auditor to confirm that tests are fully documented with pre-test, test and post-test reports.

o It is also important that information security is validated to ensure that it is not compromised during testing.


RPO and RTO Defined

Recovery point objective (RPO)

• Determined based on the acceptable data loss in case of a disruption of operations. It indicates the earliest point in time that is acceptable to recover the data.

• The RPO effectively quantifies the permissible amount of data loss in case of interruption.

Recovery time objective (RTO)

• The amount of time allowed for the recovery of a business function or resource after a disaster occurs.
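The two objectives are independent, and a DR test can meet one while missing the other. The Python code below is an added example, not part of the ISACA material: it evaluates a constructed DR test record (backup completion times, the moment of disruption, the moment service was restored) against an RPO and an RTO, and returns None for the data-loss window when no usable backup preceded the disruption. The timestamps and targets are invented for the illustration.

```python
"""Added example (not from the ISACA manual): measure achieved RPO and RTO from a
constructed disaster-recovery test record and compare them with the targets."""
from datetime import datetime, timedelta


def achieved_rpo(backup_times, disruption):
    """Data-loss window: from the last backup completed before the disruption to the
    disruption itself. None when no backup completed before the disruption (nothing
    usable to recover from, so the RPO cannot be met)."""
    usable = [t for t in backup_times if t <= disruption]
    if not usable:
        return None
    return disruption - max(usable)


def achieved_rto(disruption, service_restored):
    """Outage duration: from the disruption to the point the business function was back."""
    return service_restored - disruption


def evaluate_dr_test(backup_times, disruption, service_restored, rpo, rto):
    """Compare the achieved figures with the objectives; each is judged on its own."""
    loss = achieved_rpo(backup_times, disruption)
    downtime = achieved_rto(disruption, service_restored)
    return {
        "data_loss": loss,
        "rpo_met": loss is not None and loss <= rpo,
        "downtime": downtime,
        "rto_met": downtime <= rto,
    }


# Constructed scenario: nightly backups at 02:00, disruption mid-afternoon,
# service restored two and a half hours later. Targets: RPO 4 h, RTO 4 h.
BACKUPS = [datetime(2024, 3, 1, 2, 0), datetime(2024, 3, 2, 2, 0)]
DISRUPTION = datetime(2024, 3, 2, 14, 30)
RESTORED = datetime(2024, 3, 2, 17, 0)
RPO = timedelta(hours=4)
RTO = timedelta(hours=4)

if __name__ == "__main__":
    result = evaluate_dr_test(BACKUPS, DISRUPTION, RESTORED, RPO, RTO)
    print(f"data loss {result['data_loss']} (RPO met: {result['rpo_met']})")
    print(f"downtime  {result['downtime']} (RTO met: {result['rto_met']})")
```

In the constructed scenario the restore is fast enough to meet the RTO, yet the nightly backup schedule loses twelve and a half hours of data against a four-hour RPO: an auditor reviewing only "RTO met" in a post-test report would miss the RPO failure, which is why both figures belong in the test documentation.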


Application Resiliency

The ability to protect an application against a disaster depends on providing a way to restore it as quickly as possible.

A cluster is a type of software installed on every server in which an application runs. It includes management software that permits control and tuning of the cluster behavior.


Data Storage Resiliency

The data protection method known as RAID, or Redundant Array of Independent (or Inexpensive) Disks, is the most common and basic method used to protect data against loss at a single point of failure.

Such storage arrays provide data replication features, ensuring that the data saved to a disk on one site appears on the other site.
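The reason a parity-based RAID level survives exactly one failed disk, and not two, can be shown in a few lines. The Python code below is an added example, not part of the ISACA material: it builds a single-parity stripe (RAID 5 style, parity is the XOR of the data blocks), rebuilds whichever one block is lost, and refuses when more than one block is missing. The four-byte blocks are constructed for the illustration; a real array works on much larger stripes and rotates the parity block across disks, which does not change the arithmetic.

```python
"""Added example (not from the ISACA manual): XOR parity as used by single-parity
RAID, showing recovery from one lost block and failure with two lost blocks."""
from typing import List, Optional


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte."""
    size = len(blocks[0])
    if any(len(b) != size for b in blocks):
        raise ValueError("all blocks in a stripe must have the same length")
    out = bytearray(size)
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def make_stripe(data_blocks: List[bytes]) -> List[bytes]:
    """Data blocks followed by one parity block (XOR of all data blocks)."""
    return list(data_blocks) + [xor_blocks(data_blocks)]


def rebuild_stripe(stripe: List[Optional[bytes]]) -> List[bytes]:
    """stripe: one entry per disk, None where the disk has failed.
    Single parity lets any one missing block (data or parity) be recomputed as the
    XOR of all the surviving blocks; a second failure leaves the stripe unrecoverable."""
    missing = [i for i, blk in enumerate(stripe) if blk is None]
    if not missing:
        return list(stripe)
    if len(missing) > 1:
        raise ValueError(f"{len(missing)} blocks lost; single parity recovers only one")
    survivors = [blk for blk in stripe if blk is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_blocks(survivors)
    return repaired


# Constructed sample stripe: three data blocks on three disks plus a parity disk.
DATA = [b"AAAA", b"BBBB", b"CCCC"]

if __name__ == "__main__":
    stripe = make_stripe(DATA)
    degraded = list(stripe)
    degraded[1] = None  # simulate loss of the second disk
    print("rebuilt:", rebuild_stripe(degraded))
```

Note what this does and does not protect: parity recovers a failed disk, but every disk in the array still sits in one chassis at one site, which is why the slide pairs RAID with cross-site replication. Replication in turn copies a corrupted or deleted file just as faithfully as a good one, so neither replaces the offsite backup library discussed later.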


Telecommunications Resiliency

The DRP should also cover the organization’s telecommunication networks.

These are susceptible to the same interruptions as data centers and to several other issues, for example:

o Central switching office disasters
o Cable cuts
o Security breaches

To provide for the maintenance of critical business processes, telecommunications capabilities must be identified for various thresholds of outage.


Offsite Library Controls

• Secure physical access to library contents, accessible only to authorized persons
• Encryption of backup media, especially during transit
• Ensuring that the physical construction can withstand heat, fire and water
• Location of the library away from the data center and from disasters that may strike both together
• Maintenance of an inventory of all storage media and files for specified retention periods
• Maintenance of library records for specified retention periods
• Maintenance and protection of a catalog of information regarding data files


Discussion Question

During an IS audit of the disaster recovery plan (DRP) of a global enterprise, the IS auditor observes that some remote offices have very limited local IT resources. Which of the following observations would be the MOST critical for the IS auditor?

A. A test has not been made to ensure that local resources could maintain security and service standards when recovering from a disaster or incident.
B. The corporate business continuity plan (BCP) does not accurately document the systems that exist at remote offices.
C. Corporate security measures have not been incorporated into the test plan.
D. A test has not been made to ensure that tape backups from the remote offices are usable.


Discussion Question

Which of the following is the BEST indicator of the effectiveness of backup and restore procedures while restoring data after a disaster?

A. Members of the recovery team were available.
B. Recovery time objectives (RTOs) were met.
C. Inventory of backup tapes was properly maintained.
D. Backup tapes were completely restored at an alternate site.


Domain 4 Summary

• Evaluate IT service management framework and practices.
• Evaluate IT operations (e.g., job scheduling, configuration management, capacity and performance management).
• Evaluate IT maintenance (patches, upgrades).
• Evaluate database management practices.


Domain 4 Summary (cont’d)

• Evaluate data quality and life cycle management.
• Evaluate problem and incident management practices.
• Evaluate change and release management practices.
• Evaluate end-user computing.
• Evaluate IT continuity and resilience (backups/restores, disaster recovery plan [DRP]).


Discussion Question

Which of the following is the MOST efficient way to test the design effectiveness of a change control process?

A. Test a sample population of change requests
B. Test a sample of authorized changes
C. Interview personnel in charge of the change control process
D. Perform an end-to-end walk-through of the process


Discussion Question

Which of the following is the GREATEST risk of an organization using reciprocal agreements for disaster recovery between two business units?

A. The documents contain legal deficiencies.
B. Both entities are vulnerable to the same incident.
C. IT systems are not identical.
D. One party has more frequent disruptions than the other.


Discussion Question

During an audit of a small enterprise, the IS auditor noted that the IS director has superuser-privilege access that allows the director to process requests for changes to the application access roles (access types). Which of the following should the IS auditor recommend?

A. Implement a properly documented process for application role change requests.
B. Hire additional staff to provide a segregation of duties (SoD) for application role changes.
C. Implement an automated process for changing application roles.
D. Document the current procedure in detail, and make it available on the enterprise intranet.