CISA Review Course - Domain 4

This document discusses CISA preparation for Domain 4, which covers information systems operations and business resilience. Part A focuses on information systems operations, including common technology components like computers, USBs, RFIDs, and the need for hardware maintenance programs. IT service management practices are important to ensure expected service levels are delivered and derived from business objectives.

CISA Preparation – Domain 4
• Information Systems Operations and Business Resilience
Contents
01 Overview
02 Part A: Information Systems Operations
• Common Technology Components
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-user Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release and Patch Management
• IT Service Level Management
• Database Management
Contents
03 Part B: Business Resilience
• Business Impact Analysis
• System Resiliency
• Data Backup, Storage and Restoration
• Business Continuity Plan
• Disaster Recovery Plans
04 Review
• Sample Questions
• IT service management practices are important to provide assurance to users and to management that the expected level of service will be delivered. Service level expectations are derived from the organization’s business objectives.
Part A: Information Systems Operations
Common Technology Components
This section introduces:
• Technology components
• Hardware platforms
• Basic concepts of the different types of computers
• Advances in IT
Part A: Information Systems Operations
Common Technology Components – Computer Hardware Components and Architecture

Common Types of Computers

Type Description

Supercomputers • Very large and expensive, with the highest processing speed
• Designed for specialized purposes that require extensive processing power
• Typically dedicated to a few specific specialized system or application programs

Mainframes • Large, general-purpose computers that are made to share their processing power and facilitate thousands of users
• Execute a large variety of tasks almost simultaneously
• Often have their own proprietary OS that can support the main data processing and data warehouse resources of large organizations
• Protected by a number of the early security and control tools

Personal computers (PCs) • Designed for individual users, inexpensively priced and based on microprocessor technology
• Office automation functions: word processing, spreadsheets and email, small database management, interaction with web-based applications
• Other functions: personal graphics, voice, imaging, design, web access and entertainment
• Designed as single-user systems, commonly linked together to form a network
Part A: Information Systems Operations
Common Technology Components – Computer Hardware Components and Architecture

Common Types of Computers

Type Description

Thin client computers • Usually configured with minimal hardware features (e.g., diskless workstation)
• Intent: most processing occurs at the server level using software, e.g., Microsoft Terminal Services or Citrix Presentation Server

Laptop computers • Lightweight PCs, easily transportable and powered by AC connection or by rechargeable battery pack
• Less vulnerable to power failures
• Vulnerable to theft

Smartphones, tablets and other handheld devices • Handheld devices that enable users to use a small computer device as a substitute for a laptop computer
Part A: Information Systems Operations
Common Technology Components – Universal serial bus (USB)
• What is a USB
- Allows connections to a single standardized interface socket and improves plug-and-play capabilities
o Allows connecting and disconnecting without rebooting the computer or turning off the device
- Provides power to low-consumption devices without the need for an external power supply
- Allows many devices to be used without requiring installation of individual device drivers
• Risk related to USBs
- Viruses and other malicious software
- Data theft, and data and media loss
- Loss of confidentiality
• Security controls related to USBs
- Encryption
o Good method to protect information on the device from loss or theft
o Unless information is also encrypted on the network or local workstation hard drive, data are still exposed to theft
- Granular control
- Security personnel education
- Lock desktop policy enforcement
- Antivirus policy
- Use of secured devices only
- Inclusion of return information
Part A: Information Systems Operations
Common Technology Components –Radio frequency identification (RFID)
• What is RFID
- Uses radio waves to identify tagged objects within a limited radius
- A tag consists of a microchip and an antenna: the microchip stores information with an ID, the antenna transmits the information
• Applications of RFID
- Asset management (e.g., inventory): read identifiers of multiple items without optical line of sight or physical contact
- Tracking: identifies the location of the last reader that detected the presence of the tag associated with the item
- Authenticity verification: often incorporated into a tracking application
- Matching
- Process control: allows a business process to use information associated with a tag -> customized function
- Access control
- Supply chain management: monitoring and control of production. SCM usually bundles several application types: asset management, tracking, process control and payment systems
• Risk associated with RFID
- Business process risk: direct attacks on the RFID system components can undermine the business process
- Business intelligence risk: unauthorized access by adversaries or competitors
- Privacy risk: arises if an RFID system uses personally identifiable information for a purpose outside its original intention or design
- Externality risk: RF communication is invisible to operators and users
Part A: Information Systems Operations
Common Technology Components –Radio frequency identification (RFID)
• Security controls for RFID
- Management: oversight of the security of RFID systems, e.g., policies might need updates
- Operational: actions performed on a daily basis, e.g., physical security of the RFID systems
- Technical: technologies that monitor or restrict the actions that can be performed
o Protecting or encrypting data on tags
o Causing tags to self-destruct
o Protecting or encrypting wireless communications
Part A: Information Systems Operations
Common Technology Components – Hardware Maintenance Program
• Hardware must be routinely cleaned and serviced based on complexity and performance workloads
• IS auditors should ensure that a formal maintenance plan has been developed and approved, and identify excessive maintenance costs <- may indicate a lack of adherence to maintenance procedures
• Hardware monitoring procedures
- Availability reports
- Hardware error reports: identify CPU, I/O, power and storage failures; should be reviewed by IS operations management
o Intermittent or recurring problems might indicate difficulties in error diagnosis
- Asset management reports
- Utilization reports
• Hardware review
- Hardware acquisition plan
- Acquisition of hardware
- IT asset management
- Capacity management and monitoring
- Preventive maintenance schedule
- Hardware availability and utilization reports
- Problem logs
Part A: Information Systems Operations
Job scheduling and production process automation
• Job scheduling
- Major function within the IT department
- Job schedule includes: jobs to be run, the sequence of job execution, the conditions that cause program execution
- High-priority jobs should be given optimal resource availability. Maintenance functions should, if possible, be performed during non-peak hours
- Lower-priority jobs can also be scheduled, if time becomes available
• Job scheduling software
- Automated – reduces human errors
- Dependencies can be defined – if one job fails, subsequent jobs will not be processed
- Records are maintained
- Security over access to production data can be provided
- Reduced reliance on operators
• Scheduling reviews
- Relevant applications / input deadlines / data preparation time / estimated processing time / output deadlines / procedures
- Job schedule
- Daily job schedule
- Console log
- Exception processing logs
- Re-executed jobs
- Personnel
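The dependency and priority behaviour of job scheduling software described above, as an added Python illustration (not code from the course): jobs run in priority order once their predecessors have finished, a failed predecessor causes every dependent job to be skipped rather than run, and a run record is kept for each job. The job names and the simulated failure are constructed for the example.

```python
"""Dependency-aware batch job scheduler (added illustration, not from the course).

Shows the scheduling-software properties the slide lists: priority ordering,
declared dependencies that stop dependent jobs when a predecessor fails, and a
run record kept for every job. Job names and the failing job are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Job:
    name: str
    priority: int                       # lower number = higher priority
    action: Callable[[], bool]          # returns True on success
    depends_on: List[str] = field(default_factory=list)


@dataclass
class RunRecord:
    job: str
    status: str                         # "success", "failed" or "skipped"
    reason: Optional[str] = None


def schedule(jobs: Dict[str, Job]) -> List[RunRecord]:
    """Run jobs in dependency order; among ready jobs, the highest priority first.

    A job whose predecessor failed (or was itself skipped) is recorded as
    skipped and never executed, which is the behaviour the slide describes.
    """
    for job in jobs.values():
        for dep in job.depends_on:
            if dep not in jobs:
                raise ValueError(f"{job.name} depends on unknown job {dep}")

    status: Dict[str, str] = {}
    records: List[RunRecord] = []
    remaining = set(jobs)
    while remaining:
        # A job is ready once every dependency has a final status.
        ready = [jobs[n] for n in remaining
                 if all(d in status for d in jobs[n].depends_on)]
        if not ready:
            raise ValueError("dependency cycle among: " + ", ".join(sorted(remaining)))
        ready.sort(key=lambda j: (j.priority, j.name))
        job = ready[0]
        remaining.remove(job.name)

        bad = [d for d in job.depends_on if status[d] != "success"]
        if bad:
            status[job.name] = "skipped"
            records.append(RunRecord(job.name, "skipped",
                                     "predecessor not successful: " + ", ".join(bad)))
            continue
        try:
            ok = job.action()
            err = None if ok else "action returned False"
        except Exception as exc:        # record the failure, keep the schedule running
            ok, err = False, repr(exc)
        status[job.name] = "success" if ok else "failed"
        records.append(RunRecord(job.name, status[job.name], err))
    return records


def demo_schedule() -> List[RunRecord]:
    """Constructed nightly batch: extract -> transform -> load -> report, plus housekeeping."""
    jobs = {
        "extract":   Job("extract", 1, lambda: True),
        "transform": Job("transform", 1, lambda: False, ["extract"]),   # simulated failure
        "load":      Job("load", 1, lambda: True, ["transform"]),
        "report":    Job("report", 2, lambda: True, ["load"]),
        "housekeep": Job("housekeep", 9, lambda: True),                  # low priority, independent
    }
    return schedule(jobs)


if __name__ == "__main__":
    for rec in demo_schedule():
        print(f"{rec.job:10} {rec.status:8} {rec.reason or ''}")
```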
Part A: Information Systems Operations
System interfaces
• System interfaces exist where data output from one application is sent as input to another, with little or no human interaction
• Interfaces involving humans -> user interfaces
• 3 categories
- System-to-system
- Partner-to-partner
- Person-to-person
• Risk associated with system interfaces
- Data security, privacy, error
- Example:
o If not functioning correctly -> incorrect management reports -> impact on business and decision-making
o Potential legal compliance liability
- Ensure a centralized methodology for tracking and managing system interfaces, and the availability of documentation and audit trails for government regulations
Part A: Information Systems Operations
System interfaces
• Security issues
- How the organization tracks and monitors all system interfaces and data transfers
- If the organization is using a managed file transfer (MFT) system -> auditors should ensure that the program can:
o Manage multiple file transfer mechanisms
o Use multiple protocols
o Automatically encrypt, decrypt and electronically sign data files
o Compress/decompress data files
o Connect to common database servers
o Send and retrieve files via email and secure email
o Automatically schedule regular data transfers
o Analyse, track and report any attributes of the data being transferred
o Ensure compliance with appropriate regulatory laws and mandates
o Offer a checkpoint or restart capability for interruptions
o Integrate with back office applications to automate data transfers as much as feasible
• IS auditors should…
- Check whether controls exist to ensure that the data being sent are precisely the same data recorded in the receiving system
- Ascertain whether the organization is using encryption to protect data during the transfer
- Check whether controls over non-repudiation exist -> the intended recipient is the actual recipient
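One way to implement the first auditor check above (the data recorded by the receiving system are exactly the data sent), as an added Python example that is not part of the course: the sending system emits a control record (record count, control total, SHA-256 of the file) protected by an HMAC under a key the two systems share, and the receiving system recomputes those values from what it actually loaded. The file contents and key are constructed; an HMAC gives integrity and origin authentication but not non-repudiation, which would need an asymmetric signature (not shown).

```python
"""Reconciliation control for a system-to-system interface (added example, not course material).

Sender: count records, total the amount column, hash the raw bytes, and HMAC the
result. Receiver: recompute from the loaded file and compare, reporting each
mismatch as an audit finding. Key, file and tampering cases are constructed.
"""
import csv
import hashlib
import hmac
import io
import json
from decimal import Decimal
from typing import Dict, List, Tuple

# Constructed shared interface key; in practice distributed out of band.
INTERFACE_KEY = b"constructed-shared-key-for-example"


def control_values(payload: bytes) -> Dict[str, str]:
    """Record count, control total of 'amount' and SHA-256 of the raw payload."""
    rows = list(csv.DictReader(io.StringIO(payload.decode("utf-8"))))
    total = sum(Decimal(r["amount"]) for r in rows)
    return {
        "record_count": str(len(rows)),
        "control_total": f"{total:.2f}",
        "sha256": hashlib.sha256(payload).hexdigest(),
    }


def build_control_record(payload: bytes, key: bytes = INTERFACE_KEY) -> Dict[str, str]:
    """Sender side: control values plus an HMAC over their canonical JSON form."""
    values = control_values(payload)
    canonical = json.dumps(values, sort_keys=True).encode()
    values["hmac"] = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    return values


def verify_transfer(received_payload: bytes, control: Dict[str, str],
                    key: bytes = INTERFACE_KEY) -> Tuple[bool, List[str]]:
    """Receiver side: returns (ok, findings); findings are what gets logged for audit."""
    findings: List[str] = []
    claimed = {k: v for k, v in control.items() if k != "hmac"}
    canonical = json.dumps(claimed, sort_keys=True).encode()
    expected = hmac.new(key, canonical, hashlib.sha256).hexdigest()
    # Constant-time compare; the control record itself may have been altered in transit.
    if not hmac.compare_digest(expected, control.get("hmac", "")):
        findings.append("control record HMAC invalid: record altered or wrong key")
    actual = control_values(received_payload)
    for name in ("record_count", "control_total", "sha256"):
        if actual[name] != claimed.get(name):
            findings.append(f"{name} mismatch: sent {claimed.get(name)}, received {actual[name]}")
    return (not findings, findings)


# Constructed payroll extract leaving an HR system for a finance system.
SENT_FILE = (
    "employee_id,amount\n"
    "1001,2500.00\n"
    "1002,3100.50\n"
    "1003,1875.25\n"
).encode("utf-8")


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    control = build_control_record(SENT_FILE)
    intact = verify_transfer(SENT_FILE, control)                  # file arrives unchanged
    truncated = SENT_FILE.rsplit(b"\n", 2)[0] + b"\n"             # last record lost in transit
    dropped = verify_transfer(truncated, control)
    altered = SENT_FILE.replace(b"3100.50", b"9100.50")           # amount changed ...
    forged = dict(control, control_total="13475.75")              # ... and total "fixed" without the key
    tampered = verify_transfer(altered, forged)
    return {"intact": intact, "dropped_record": dropped, "tampered": tampered}


if __name__ == "__main__":
    for name, (ok, findings) in demo().items():
        print(name, "OK" if ok else "FAIL", findings)
```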
Part A: Information Systems Operations
End-user computing
• Ability for end users (usually NOT programmers) to design and implement their own application or information system using computer software products
• Benefits
- Can be quickly built and deployed -> takes the pressure off the IT department
- More flexible, more rapidly addressing shifting marketplaces, regulations and consumer interest
• Risks
- Applications might be:
o Containing errors and giving incorrect results
o Not subject to change management -> multiple versions
o Not secured
 Authorization
 Authentication
 Audit logging
 Encryption
o Not backed up
Part A: Information Systems Operations
Data Governance
Data governance ensures…
• Stakeholder needs, conditions and options are evaluated to determine balanced, mutually agreed enterprise objectives through the acquisition and management of data
• Direction is set for data/information management and capabilities through prioritization and decision making
• Performance and compliance of data resources are monitored and evaluated relative to agreed directions
Part A: Information Systems Operations
Data Governance – Data Management
• “The planning and execution of policies, practices, and projects that acquire, control, protect, deliver, and enhance the value of data and information assets”
• Data quality
- Intrinsic: the extent to which data values are in conformance with the actual or true values
- Contextual: the extent to which the information is applicable to the task of the user and is presented in an intelligible and clear manner
- Security/access: the extent to which information is available and obtainable
• Data life cycle
- Plan: understanding information use in processes, determining values and classifications, identifying objectives, planning the architecture
- Design: specifying how data will look -> development of standards and definitions
- Build/acquire: creation of data records, the purchase of data and the loading of external files
- Use/operate
o Store
o Share: might largely overlap with the “store” phase for electronic information
o Use
- Monitor: keeping information up-to-date, data enhancing, cleansing, merging and removing duplicate information
- Dispose: information retention, archiving or destroying
Part A: Information Systems Operations
Systems performance management – IS architecture and software
• Hierarchy of OS infrastructure: hardware -> hard-coded instructions (firmware) -> nucleus (kernel) -> OS processes (system software)
• OS processes (system software) – collection of computer programs used in the design, processing and control of all computer applications
- Used to operate and maintain the system, ensure the integrity of the system, control the flow of programs and events, and manage the interfaces
- Must be compatible with the OS
- Examples: access control software, data communication software, database management software, program library management systems, tape and disk management systems, network management software, job scheduling software, utility programs
• Operating systems
- Contain programs that interface between the user, processor and applications
- A control program that runs the computer – scheduler and traffic controller; manages the sharing and use of resources
• Software integrity issue: an important requirement and ability; involves using specific hardware and software features to:
- Protect itself from deliberate and inadvertent modification
- Ensure that privileged programs cannot be interfered with by user programs
- Provide effective process isolation to ensure that:
o Multiple processes running concurrently will not interfere with or write into each other’s memory
o Least privilege is enforced – processes have no more privilege than needed
Part A: Information Systems Operations
Systems performance management – Data communications software
• Transmits messages or data from one point to another, locally or remotely. For example:
- Database request initiated by an end user: user’s terminal -> online application -> DBMS
• A simple data communications system consists of:
- Transmitter (source)
- Transmission path (channel or line)
- Receiver
• In a two-way communication, both ends can be source and receiver simultaneously
• Concerned with correct transmission only; does NOT operate on the content of the information
• Communication-based applications operate in local area networks (LAN) and wide area networks (WAN) to support:
- Electronic funds transfer (EFT) systems
- Database management systems
- Customer electronic service / electronic data interchange (EDI)
- Internet forums and email
Part A: Information Systems Operations
Systems performance management – Software licensing issues

Free software licensing types

Type Description

Open source • May be used, copied, studied, modified and distributed as required
• Usually accompanied by the program source and a copy of the software license. Example: Linux

Freeware • Free, BUT the source code cannot be redistributed
• Example: Adobe Acrobat Reader

Shareware • May be free initially; however, it may only be on a trial basis or have limited functionality compared to the full, commercial version
Part A: Information Systems Operations
Systems performance management – Software licensing issues

Paid software types

Type Description

Per central processing unit (CPU) • Depends on the power, e.g., no. of CPUs or no. of CPU cores

Per seat • No. of unique users of the system

Concurrent users • Total no. of users using the software within a predefined period of time

Utilization • How busy the CPU is or no. of active users at any one time

Per workstation • No. of individual WORKSTATIONS that connect to the software

Enterprise • Usually allows UNLIMITED use of the software without the need to apply any of the rules above
Part A: Information Systems Operations
Systems performance management – Software licensing issues
• IS auditors should:
- Review the listing of all standard, used and licensed application and system software
- Obtain copies of all software contracts for these to determine the nature of the license agreements
- Scan the entire network to produce a list of installed software
- If required, review a list of server specifications including CPUs and cores
- Compare the license agreements with the software that is actually installed, noting any violations
• Options to prevent software license violations
- Ensure a good software asset management process exists
- Centralized control, distribution and installation of software (e.g., preventing users from installing software)
- Require that all PCs be restricted workstations with disabled or locked-down disk drives, USB ports, etc.
- Install metering software on the LAN and require that all PCs access applications through the metered software
- Regularly scan user network endpoints
- Enforce documented policies and procedures, requiring users to sign an agreement
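The comparison step above (license agreements against the network-scan inventory), applied to the licensing metrics from the paid-software table, as an added Python example that is not from the course: each entitlement is measured in its own unit (cores, unique users, peak concurrent users, workstations, or unlimited for enterprise), and installs with no agreement at all are reported as violations. All hosts, products, users, session times and limits are constructed sample data.

```python
"""Software license compliance check (added example, not from the course).

Compares each entitlement with what a network scan found installed, using the
metrics from the licensing table: per CPU/core, per seat, concurrent users,
per workstation and enterprise. All sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Entitlement:
    product: str
    model: str      # per_cpu | per_seat | concurrent | per_workstation | enterprise
    limit: int      # not used for enterprise licenses


@dataclass(frozen=True)
class Host:
    name: str
    cores: int
    installed: Tuple[str, ...]


@dataclass(frozen=True)
class Session:
    product: str
    user: str
    start: int      # minutes since midnight (constructed)
    end: int


def peak_concurrency(sessions: List[Session]) -> int:
    """Sweep-line: the largest number of sessions open at any one instant."""
    events = [(s.start, 1) for s in sessions] + [(s.end, -1) for s in sessions]
    events.sort()                   # at equal times the (-1) end sorts before the (+1) start
    peak = current = 0
    for _, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def measure_usage(e: Entitlement, hosts: List[Host], sessions: List[Session]) -> int:
    """Usage expressed in the unit the license model is counted in."""
    with_product = [h for h in hosts if e.product in h.installed]
    own = [s for s in sessions if s.product == e.product]
    if e.model == "per_cpu":
        return sum(h.cores for h in with_product)
    if e.model == "per_seat":
        return len({s.user for s in own})
    if e.model == "concurrent":
        return peak_concurrency(own)
    if e.model == "per_workstation":
        return len(with_product)
    if e.model == "enterprise":
        return 0                    # unlimited use; nothing to count
    raise ValueError(f"unknown license model: {e.model}")


def check_compliance(entitlements: List[Entitlement], hosts: List[Host],
                     sessions: List[Session]) -> Dict[str, Tuple[int, int, bool]]:
    """Return {product: (used, licensed, compliant)}; installs with no agreement are violations."""
    result: Dict[str, Tuple[int, int, bool]] = {}
    for e in entitlements:
        used = measure_usage(e, hosts, sessions)
        result[e.product] = (used, e.limit, e.model == "enterprise" or used <= e.limit)
    for product in {p for h in hosts for p in h.installed} - set(result):
        installs = sum(1 for h in hosts if product in h.installed)
        result[product] = (installs, 0, False)
    return result


# Constructed scan results, session log and contracts.
HOSTS = [
    Host("db01", 16, ("DBServer", "BackupAgent")),
    Host("db02", 8, ("DBServer", "BackupAgent")),
    Host("ws01", 4, ("CADTool", "OfficeSuite")),
    Host("ws02", 4, ("CADTool", "OfficeSuite")),
    Host("ws03", 4, ("OfficeSuite", "Analytics", "ShadowApp")),
]
SESSIONS = [
    Session("CADTool", "alice", 540, 720), Session("CADTool", "bob", 600, 660),
    Session("CADTool", "carol", 630, 900), Session("CADTool", "alice", 780, 960),
    Session("Analytics", "dave", 480, 600), Session("Analytics", "erin", 600, 700),
]
ENTITLEMENTS = [
    Entitlement("DBServer", "per_cpu", 16),          # 24 cores actually in use
    Entitlement("CADTool", "concurrent", 2),         # three users overlap between 630 and 660
    Entitlement("OfficeSuite", "per_workstation", 3),
    Entitlement("Analytics", "per_seat", 5),
    Entitlement("BackupAgent", "enterprise", 0),
]


def demo_check() -> Dict[str, Tuple[int, int, bool]]:
    return check_compliance(ENTITLEMENTS, HOSTS, SESSIONS)
```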
Part A: Information Systems Operations
Systems performance management – Source code management
• Organizational access to source code depends on the application and the nature of the agreement
- No source code is supplied -> it may be important to secure an escrow agreement
- Packaged software -> access to source code may be granted under license to allow customization
- Bespoke or in-house developed software -> full access
• Source code management: linked to change management, quality assurance and information security management
• Version control system (VCS) / revision control software (RCS)
- Maintains a central repository -> allows programmers to check out the source code, make changes, then check in
- Synchronizes changes with changes from other developers, resolves conflicts and allows customization
- Benefits:
o Control of access
o Tracking changes
o Allowing concurrent development
o Allowing roll-back
o Allowing branching (customization)
- IS auditors should be aware of:
o Access to source code (developers), and access to commit the code (push the code to production)
o Alignment of source code to program objects
o Alignment with change and release management
o Backup of source code
Part A: Information Systems Operations
Systems performance management – Capacity Management
• Planning and monitoring of computing and network resources -> available resources are used efficiently and effectively
• Expansion and reduction of resources in parallel with the overall business <- based on input from user and IS management
• Should be reviewed at least annually
• Key information
- CPU utilization
- Computer storage utilization
- Telecommunications
- LAN and WAN bandwidth utilization
- I/O channel utilization
- Number of users
- New applications
- Service level agreements (SLAs)
• IS auditors must realize that the amount and distribution of these requirements have intrinsic flexibility
• Capacity management aims to consistently provide the required resources – at the right time and cost
- Elements include: development, monitoring, analysis, tuning, implementation, modeling, application sizing
- Reduces the risk of performance problems or failure
- Provides accurate capacity forecasting
Part A: Information Systems Operations
Systems performance management – Incident management
• A critical process in ITSM – IT service management
• Provides increased continuity of services by reducing or removing the adverse effect of disturbances
• Covers almost all non-standard operations of IT services
• A mechanism should exist to detect and document abnormal conditions that could lead to the identification of errors
• Types of error
- Application errors, system errors, operator errors, network errors, telecommunication errors, hardware errors
• Error log
- Error date, error resolution description, error code, error description, source of error, initials of the individual maintaining the log, initials of the individual closing the log, department responsible for error resolution, status code, narrative of the status
- Ability to add to the error log should NOT be restricted
- However, ability to update the error log should be restricted, and updates should be traceable
• Recurring or long outstanding issues should be investigated -> procedures should exist for the escalation of unresolved issues
- Names/contact details of individuals who can deal with specific types of problems
- Types of problems that require urgent resolution
- Problems that can wait until normal working hours
• The primary purpose of the help desk, the first, single and central contact point, is to service the user. Help desk personnel must ensure that all hardware and software incidents that arise are fully documented and escalated based on priorities
Part A: Information Systems Operations
Change, configuration, release and patch management
• Change management – used when changing hardware, installing or upgrading to new releases, installing software patches and configuring various network devices
• Procedures should ensure that
- All relevant personnel are informed of the change and when it will occur
- Documentation is complete, up-to-date and in compliance with established standards
- Job preparation, scheduling and operating instructions are established
- Test results have been reviewed and approved by user and project management
- Data file conversion has occurred accurately and completely, as evidenced by review and approval by user management
- System conversion has occurred accurately and completely, as evidenced by review and approval by user management
- All aspects of jobs turned over have been tested, reviewed and approved by control/operations personnel
- Legal and compliance aspects have been considered
- The risk of adversely affecting business operations is reviewed and a roll-back plan is developed
• Patch management – acquiring, testing and installing multiple patches (code changes). Tasks include:
- Maintain current knowledge of available patches
- Decide which patches are appropriate
- Ensure that patches are installed properly; test systems after installation
- Document all associated procedures, such as specific configurations required
Part A: Information Systems Operations
Change, configuration, release and patch management – release management
• Release management – process through which software is made available to users
• Release:
- Collection of authorized changes. Each release should have a unique identity.
- Could be a partial release, or delta release, which contains only items that have undergone changes since the last release.
- Controlled – a back-out plan should be available. Contingency plans should also be developed.
• Planning a release involves:
- Gaining consensus on the release’s contents
- Agreeing on the release strategy (the phasing over time and by geographical location, business unit and customers)
- Producing a high-level release schedule
- Planning resource levels (e.g., staff overtime)
- Agreeing on roles and responsibilities
- Producing back-out plans
- Developing a quality plan for the release
- Planning acceptance by support groups and the customer
Part A: Information Systems Operations
Change, configuration, release and patch management – IS operations
• Support and manage the entire IS infrastructure, systems, applications and data, focusing on day-to-day activities
• Responsible for the accurate and efficient operation of networks, systems and applications, delivering high-quality services
• Tasks:
- Execute and monitor scheduled jobs
- Facilitate timely backup
- Monitor unauthorized access and use of sensitive data
- Monitor and review the extent of adherence to IS operations procedures
- Participate in tests of DR plans
- Monitor the performance, capacity, availability and failure of information resources
- Facilitate troubleshooting and incident handling
• Operations procedures:
- Operating instructions and job flows
- Monitoring systems and applications
- Detecting system and application errors and problems
- Handling IS procedures and escalation of unresolved issues
- Backup and recovery
Part A: Information Systems Operations
IT service level management
• Service level agreement (SLA) – between the IT organization and the customer (internal or external)
- Services to be provided
- Non-technical terms, i.e., from the viewpoint of the customer
- Standard for measuring and adjusting the services
• Service-level management – process of defining, agreeing on, documenting and managing levels of service that are required and cost justified
- SLA
- Production and maintenance of the service catalog
- Service review meetings
- Service improvement plans (SIPs)
- Aim: to maintain and improve customer satisfaction and the service delivered
• Characteristics of IT services – used to define the SLA
- Accuracy
- Completeness
- Timeliness
- Security
• Service levels must be regularly monitored by an appropriate level of management: accountability still rests with the organization
• Failure to achieve service levels will have more of an impact on the organization than on the third party
• IS auditors should determine how management gains assurance that controls at the third party are properly designed and operating effectively
Part A: Information Systems Operations
IT service level management – Pop Up Question (1)

An organization is considering using a new IT service provider. From an audit perspective, which of the following would be the MOST important thing to review?

A. References from other clients for the service provider
B. The physical security of the service provider site
C. The proposed service level agreement with the service provider
D. Background checks of the service provider’s employees

Answer: C
When contracting with a service provider, it is good practice to enter into an SLA with the service provider. An SLA is a guarantee that the provider will deliver the services according to the contract. The IS auditor will want to ensure that performance and security requirements are clearly stated in the SLA.
Part A: Information Systems Operations
IT service level management – Pop Up Question (2)

An IS auditor reviewing a new outsourcing contract with a service provider would be MOST concerned if which of the following was missing?

A. A clause providing a “right to audit” the service provider
B. A clause defining penalty payments for poor performance
C. Pre-defined service level report templates
D. A clause regarding supplier limitation of liability

Answer: A
The absence of a “right to audit” clause or other form of attestation that the supplier is compliant with a certain standard would potentially prevent the IS auditor from investigating any aspect of supplier performance moving forward, including control deficiencies, poor performance and adherence to legal requirements. Thus, it would be difficult for the organization to assess whether the appropriate controls are in place.
Part A: Information Systems Operations
Database management
• DBMS – software that aids in organizing, controlling and using the data needed by application programs. It can control user access at the following levels:
- User and the database
- Program and the database
- Transaction and the database
- Program and data field
- User and transaction
- User and data field
• Advantages of DBMS:
- Data independence of application systems
- Ease of support and flexibility
- Transaction processing efficiency
- Reduction of data redundancy
- Ability to maximize data consistency
- Ability to minimize maintenance cost through data sharing
- Opportunity to enforce data security and data/programming standards
- Availability of stored data integrity checks
- Facilitation of terminal users’ ad hoc access to data (e.g., through designed query languages)
Part A: Information Systems Operations
Database management – data dictionaries
• Data dictionary/directory system (DD/DS) – identifies the fields, their characteristics and their use (definitions)
- Active: requires entries for all data elements, and assists application processing of data elements (e.g., providing validation characteristics)
- Passive: a repository of information that can be viewed or printed
• DD/DS provides the following capabilities
- Data definition language processor, which allows the database administrator to create or modify a data definition for mappings between external and conceptual schemas
- Validation of the definition to ensure the integrity of the metadata
- Prevention of unauthorized access to, or manipulation of, the metadata
- Interrogation and reporting facilities that allow the DBA to make inquiries on the data definition
• Benefits of using DD/DS
- Enhance documentation
- Provide common validation criteria
- Facilitate programming by reducing the need for data definition
- Standardize programming methods
Part A: Information Systems Operations
Database management – Database structure
• Hierarchical database model
- Basic data modeling construct: parent-child relationship (one-to-many)
- Data duplication is necessary to express relationships
- Reverse pointers are not allowed
- Easy to implement, modify and search
• Network database model
- Basic data modeling construct: “a set” – formed by an owner record type, a member type and a name
- A member record type can have that role in more than one set -> multi-owner relationship is allowed
- A set usually defines a 1:N relationship, although 1:1 is also allowed
- Can be extremely complex and difficult to comprehend – rarely used

Both models do not support high-level queries. User programs must navigate the data structure.
Database management – Database structure

• Relational database model
  - Based on set theory and relational calculations
  - Allows the definition of data structures, storage/retrieval operations and integrity constraints
  - Data and relationships are organized in tables
    o Rows (tuples)
    o Columns (domains or attributes)
  - Properties:
    o Values are atomic: a single unit that is irreducible
    o Each row is uniquely identifiable
    o Column values are of the same kind
    o The sequence of columns is insignificant
    o The sequence of rows is insignificant
    o Each column has a unique name
  - Benefits: it is easier
    o For users to understand and implement a physical database system
    o To convert from other database structures
    o To implement project and join operations
    o To create new relations for applications
    o To implement access control over sensitive data
    o To modify the database
  - Common examples: DB2, MySQL
Database management – Database structure

• Relational database model
  - Use of normalization is a key feature
    o A given instance of a data object has only one value for each attribute
    o Attributes represent elementary data items -> no internal structure
    o Each record consists of a primary key, together with a set of zero or more mutually independent attributes that describe the entity in some way (fully dependent on the primary key)
    o Any foreign key should either have a null value or have an existing value linking to another table (referential integrity)
  - A join operation can be performed to select records in two tables by matching values -> relationships are specified only at retrieval time, so relational databases are dynamic
  - Commonly used in ERPs
  - Common examples: DB2, MySQL
Database management – Database structure

• Object-oriented database management system (OODBMS)
  - Information is stored as objects rather than data (as in a relational database)
  - Features of object-oriented programming can be applied:
    o Encapsulation (creation of data types/classes, including objects)
    o Inheritance
  - Objects can contain both executable code and data
  - Actual database storage assigns each object a unique identifier -> loaded into virtual memory when referenced -> the object can be found quickly
  - NoSQL (an example of an OODBMS)
    o Developed in response to the rise in the volume of data stored on the Internet (big data)
      ▪ Video, tweets, logs, blogs: could not be broken out into components, which a relational database requires
    o Supports SQL
    o Supports object orientation
    o Advantages:
      ▪ Ability to partition the database horizontally to spread workload
      ▪ Support for dynamic schemas
    o Common examples: MongoDB, Cassandra
Database management – database controls

• Establish and enforce definition standards
• Establish and implement data backup and recovery procedures
• Establish the necessary levels of access controls
  - Privileged-level access for data items, tables and files
• Establish controls to ensure that only authorized personnel can update the database
• Establish controls to handle concurrent access problems
• Establish controls to ensure accuracy, completeness and consistency of data elements and relationships
  - If possible, these should be contained in the table/column definitions
• Use database checkpoints at junctures in the job stream that minimize data loss and recovery effort
• Perform database reorganization to reduce unused disk space and verify defined relationships
• Follow database restructuring procedures when making logical, physical and procedural changes
• Use database performance reporting tools to monitor and maintain database efficiency
• Minimize the ability to use non-system tools or other utilities
Database management – Pop-up question (1)

During an application audit, an IS auditor is asked to provide assurance of the database referential integrity. Which of the following should be reviewed?

A. Field definition
B. Master table definition
C. Composite keys
D. Foreign key structure

Answer: (D)
Referential integrity in a relational database refers to consistency between coupled tables. Referential integrity is usually enforced by the combination of a primary key or candidate key and a foreign key. Any field in a table that is declared a foreign key should contain only values from a parent table’s primary key or a candidate key.
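As an added example (not part of the course material) of the referential integrity described in the answer above and of the join operation mentioned under the relational model, the script below uses Python’s built-in sqlite3 module: a child table declares a foreign key to a parent table, an orphan insert and a parent delete are attempted with the constraint enforced and with it switched off, and a “table link / reference check” query finds rows whose foreign key points nowhere. The department and employee tables and their rows are constructed for illustration. Note that SQLite enforces foreign keys only when `PRAGMA foreign_keys = ON` is set on the connection, which is exactly the kind of setting an auditor reviewing foreign key structure would check.

```python
"""Added example, not from the CISA review slides: referential integrity
and a table-link check in a relational database, using sqlite3 from the
Python standard library. Tables and rows are constructed for illustration.
"""
import sqlite3

SCHEMA = """
CREATE TABLE department (
    dept_id   TEXT PRIMARY KEY,
    dept_name TEXT NOT NULL
);
CREATE TABLE employee (
    emp_id  TEXT PRIMARY KEY,
    name    TEXT NOT NULL,
    dept_id TEXT REFERENCES department(dept_id)   -- foreign key to the parent table
);
"""


def build_db(enforce_fk: bool) -> sqlite3.Connection:
    """Create an in-memory database, optionally with foreign keys enforced."""
    conn = sqlite3.connect(":memory:")
    # SQLite only honours FOREIGN KEY clauses when this pragma is ON.
    conn.execute(f"PRAGMA foreign_keys = {'ON' if enforce_fk else 'OFF'}")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO department VALUES (?, ?)",
                     [("FIN", "Finance"), ("IT", "Information Technology")])
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)",
                     [("E0000001", "Ada", "FIN"), ("E0000002", "Grace", "IT")])
    conn.commit()
    return conn


def insert_employee(conn: sqlite3.Connection, emp_id: str, name: str, dept_id: str) -> bool:
    """Insert a child row; return False if the database rejects it."""
    try:
        conn.execute("INSERT INTO employee VALUES (?, ?, ?)", (emp_id, name, dept_id))
        conn.commit()
        return True
    except sqlite3.IntegrityError:        # e.g. "FOREIGN KEY constraint failed"
        conn.rollback()
        return False


def delete_department(conn: sqlite3.Connection, dept_id: str) -> bool:
    """Delete a parent row; with enforcement on, a referenced parent cannot go."""
    try:
        conn.execute("DELETE FROM department WHERE dept_id = ?", (dept_id,))
        conn.commit()
        return True
    except sqlite3.IntegrityError:
        conn.rollback()
        return False


def find_orphans(conn: sqlite3.Connection) -> list[str]:
    """Table link / reference check: employees whose dept_id has no parent row."""
    rows = conn.execute("""
        SELECT e.emp_id
        FROM employee e
        LEFT JOIN department d ON d.dept_id = e.dept_id
        WHERE e.dept_id IS NOT NULL AND d.dept_id IS NULL
        ORDER BY e.emp_id
    """).fetchall()
    return [r[0] for r in rows]


def employees_by_department(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Join: the relationship is expressed only at retrieval time."""
    return conn.execute("""
        SELECT d.dept_name, e.name
        FROM employee e
        JOIN department d ON d.dept_id = e.dept_id
        ORDER BY d.dept_name, e.name
    """).fetchall()


if __name__ == "__main__":
    enforced = build_db(enforce_fk=True)
    print("orphan insert accepted:", insert_employee(enforced, "E0000003", "Linus", "HR"))
    print("parent delete accepted:", delete_department(enforced, "FIN"))
    print("orphans:", find_orphans(enforced))

    unenforced = build_db(enforce_fk=False)
    insert_employee(unenforced, "E0000003", "Linus", "HR")
    delete_department(unenforced, "FIN")
    print("orphans with enforcement off:", find_orphans(unenforced))
    print(employees_by_department(enforced))
```

With enforcement on, both the orphan insert and the delete of a referenced parent are refused, so the reference check finds nothing. With enforcement off, the same two operations succeed silently and leave two dangling foreign keys, which is why a reference check over table links gives assurance of integrity even where the DBMS configuration cannot be relied on.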
Database management – Pop-up question (2)

An IS auditor is reviewing database security for an organization. Which of the following is the MOST important consideration of database hardening?

A. The default configurations are changed.
B. All tables in the database are de-normalized.
C. Stored procedures and triggers are encrypted.
D. The service port used by the database server is changed.

Answer: (A)
Default database configurations, such as default passwords and services, need to be changed; otherwise, the database could be easily compromised.
Part B: Business Resilience

• Business resilience describes an organization’s ability to adapt to disruptions and incidents in order to maintain continuous operations and to protect the organization’s assets

Business resilience

• Disaster recovery plans (DRPs)
• Business continuity plans (BCPs)
• Data backup – storage, retention and restoration
Business resilience – System resilience

• System resilience: the ability of a system to withstand a major disruption
• Application resilience and disaster recovery methods
  - Clustering
    o Includes management software that permits control and tuning of the cluster behavior
    o Protects against a single point of failure
    o Active-passive: the application runs on only one active node, while the other nodes are used only if the application fails on the active node
    o Active-active: the application runs on every node; cluster agents co-ordinate the information processing between the nodes
      ▪ Users normally do not experience any downtime
      ▪ Greater demand on network latency
    o Very often, organizations use a combination: active-active within a site and active-passive between sites
• Telecommunication network resilience
  o Redundancy
  o Alternative routing
  o Diverse routing
  o Long-haul network diversity
  o Last-mile circuit protection
  o Voice recovery
Data backup, storage and restoration

• Redundant array of independent (or inexpensive) disks (RAID)
  - Most common way to protect data against a single point of failure
  - Provides performance improvement and fault-tolerance capabilities via hardware or software, by breaking up data and writing it to multiple disks simultaneously
  - Potential for cost-effective mirroring offsite for data backup
  - Classified into 11 levels (most popular: 0 [stripe], 1 [mirror], 0+1, 1+1, and 5)
  - CISA candidates will not be tested on the specifics of RAID levels
• Storage arrays
  - Hardware that hides all the complexity of forming logical volumes from physical disks -> removes the need for low-level configuration
  - Provide the major RAID levels
  - Provide data replication features -> data saved to disk on one site appear on another site
  - Data replication can be synchronous, asynchronous (data are replicated on a scheduled basis) or adaptive
Data backup, storage and restoration

• Backup and restoration
  - Secondary storage media are used to store application files and associated data
  - Secondary storage media can be removable media, mirrored disks or network storage
  - Usually recorded at one site and stored at a remote site -> offsite libraries
• Offsite library controls: physical and logical
  - Secure physical access to library contents
  - Encrypt backup media
  - Ensure that the physical construction can withstand fire/heat/water
  - Locate the library away from the data center
  - Ensure that an inventory of all storage media and files stored in the library is maintained for the specified retention time
  - Ensure that a record of all storage media and files moved into and out of the library is maintained for the specified retention period
  - Ensure that a catalog of information regarding versions and locations of data files is maintained
• Security and control of offsite facilities
  - At least the same constant environmental monitoring and control as the originating site, or whatever is dictated by business requirements
  - Physical access controls, environmental controls, etc.
  - Record keeping: an inventory of contents should be maintained
    o Data set name, volume serial number, date created, accounting period, and offsite storage bin number
    o Document name, location, relevant system, and date of last update for all crucial information
Data backup, storage and restoration

• A backup strategy should be chosen based on a variety of factors
  - Standardization
  - Capacity
  - Speed
  - Price
• Common disk-based backup systems
  - Virtual tape libraries (VTLs): behave like a conventional tape library, but data are stored on a disk array
  - Host-based replication: replication is executed by software at the host (server) level and on the target server, in real time or with some delay (asynchronous mode)
  - Disk-array-based replication: same as host-based replication, but replication is performed at the disk array level, hidden from servers and applications
  - Snapshots: flexible, allowing different types of momentary copies to be made
Data backup, storage and restoration – Periodic backup procedures

• Both data and software files should be backed up on a periodic basis
• Scheduling is easily accomplished via automated backup/media management systems, scheduling software, or “agents”
• Frequency
• Types
  - Full backup
  - Incremental backup: delta since the last incremental or full backup
  - Differential backup: delta since the last full backup
• Method of rotation
  - Grandfather-Father-Son (most common): daily backups (son) are made over a week; the final backup taken during the week becomes the weekly backup (father). Earlier daily backup media are rotated for reuse. The final weekly backup of the month is retained as the monthly backup (grandfather).
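The difference between the three backup types is easiest to see in numbers, so here is an added example (not from the course material) that simulates one week of backups under an incremental and under a differential scheme, totals the media written, and works out the restore chain, i.e. which media sets must be read, in order, to bring a system back to a chosen day. The 100 GB data set and the daily change volumes are constructed values; the chain logic is the general rule the slide describes, plus a small helper that assigns each day of a cycle its grandfather-father-son role.

```python
"""Added example, not from the CISA review slides: media written by, and
media read to restore from, full / incremental / differential backups, plus
the grandfather-father-son role of a day in the rotation. Data volumes are
constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Backup:
    day: int        # 0 = the full backup that starts the cycle
    kind: str       # "full", "incremental" or "differential"
    size_gb: float  # data written to the media by this backup


def plan_week(total_gb: float, daily_change_gb: list[float], kind: str) -> list[Backup]:
    """Day 0 is a full backup; every later day uses the requested backup type."""
    if kind not in ("incremental", "differential"):
        raise ValueError("kind must be 'incremental' or 'differential'")
    backups = [Backup(0, "full", total_gb)]
    changed_since_full = 0.0
    for day, change in enumerate(daily_change_gb, start=1):
        changed_since_full += change
        if kind == "incremental":
            backups.append(Backup(day, kind, change))             # delta since last backup
        else:
            backups.append(Backup(day, kind, changed_since_full))  # delta since last full
    return backups


def restore_chain(backups: list[Backup], restore_day: int) -> list[Backup]:
    """Media sets that must be read, in order, to restore the state as of restore_day."""
    up_to = [b for b in backups if b.day <= restore_day]
    last_full = max((b for b in up_to if b.kind == "full"), key=lambda b: b.day)
    later = [b for b in up_to if b.day > last_full.day]
    chain = [last_full]
    if later and later[-1].kind == "differential":
        # The newest differential already contains every change since the full.
        chain.append(later[-1])
    else:
        # Every incremental since the full is needed, and in the right order.
        chain.extend(b for b in later if b.kind == "incremental")
    return chain


def media_written(backups: list[Backup]) -> float:
    """Total data written over the cycle (the media capacity the scheme consumes)."""
    return sum(b.size_gb for b in backups)


def media_read(chain: list[Backup]) -> float:
    """Total data that must be read back during a restore."""
    return sum(b.size_gb for b in chain)


def gfs_role(day: int, days_per_week: int = 7, weeks_per_month: int = 4) -> str:
    """Grandfather-father-son role of backup number `day` (1-based) in the rotation."""
    if day % (days_per_week * weeks_per_month) == 0:
        return "grandfather"   # last weekly backup of the month is kept as the monthly
    if day % days_per_week == 0:
        return "father"        # last daily backup of the week becomes the weekly
    return "son"               # ordinary daily backup; media reused next week


if __name__ == "__main__":
    changes = [2.0, 3.0, 1.0, 4.0, 2.0, 3.0]   # constructed GB changed Mon..Sat
    for kind in ("incremental", "differential"):
        plan = plan_week(100.0, changes, kind)
        chain = restore_chain(plan, 3)
        print(f"{kind:12s} written={media_written(plan):6.1f} GB  "
              f"restore day 3 reads {len(chain)} media sets, {media_read(chain):6.1f} GB")
    print([gfs_role(d) for d in (1, 7, 14, 28)])
```

Running it shows the trade-off behind the pop-up question that follows: the incremental scheme writes the least (100 GB full plus 15 GB of deltas) but a mid-week restore has to read the full backup and every incremental since, in order, while the differential scheme writes more each day (150 GB over the cycle) and restores from just two media sets.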
Data backup, storage and restoration – Pop-up question (1)

It is MOST appropriate to implement an incremental backup when?

A. There is limited recovery time for critical data
B. Online disk-based media are preferred
C. There is limited media capacity
D. A random selection of backup sets is required

Answer: C
IT Business continuity planning – risk assessment and analysis

BCP life cycle (the slide shows these phases as a cycle):
1. Project planning
2. Risk assessment and analysis
3. Business impact analysis
4. BC strategy development
5. Strategy execution (risk countermeasures implementation)
6. BC plan development
7. BC awareness training
8. BC plan testing
9. BC plan monitoring, maintenance and updating
IT Business continuity planning – IT Business continuity policy

• A message to internal stakeholders (i.e., employees, management, board) that the company is undertaking the effort, and expects the rest of the organization to do the same
• A message to external stakeholders (i.e., shareholders, regulators, authorities) that the organization is treating its obligations seriously
• A statement to the organization, empowering those who are responsible for business continuity
• States the general principles on which business continuity will be based
• A BCP should be proactive
• The BCP (or IT DRP) is the most critical corrective control; it depends on other controls, e.g., incident management and backup, to be effective
IT Business continuity planning – risk assessment and analysis

• The first step in preparing a new BCP or updating an existing one is to identify the business processes that are responsible for:
  - Permanent growth of the business
  - Fulfilment of business goals
• Should be supported by a formal executive policy: the overall target for recovery
• Risk assessment
  - Establishing dependencies among critical business processes and IT components
  - Outcome:
    o Human resources, data, infrastructure elements and other resources that support the key processes
    o List of vulnerabilities
    o Estimated probability of occurrence
    o Efficiency and effectiveness of the existing risk mitigation controls (risk countermeasures)
    o Dependency map with threats to and vulnerabilities of the components/dependencies
Classification of operations and criticality analysis

• Risk ranking derives from the critical recovery time period and the likelihood that an adverse disruption will occur
  - E.g.: a 0.1% (1 in 1,000) chance that an incident whose assessed impact is USD 10M will occur in the next 5 years
    o Maximum reasonable cost of preparation = USD 10M * 0.01% = USD 10,000 over 5 years
    o Annual loss expectancy (“ALE”)
• Typical risk rating system classification

Classification | Description
Critical | • Cannot be performed unless they are replaced by identical capabilities
 | • Cannot be replaced by manual methods
 | • Very low tolerance to interruption -> very high cost of interruption
Vital | • Can be performed manually, but only for a brief period of time
Sensitive | • Can be performed manually at a tolerable cost for an extended period of time
 | • Usually difficult to perform manually; requires additional staff
Non-sensitive | • Can be interrupted for an extended period of time, at little or no cost
 | • Requires little or no catching up when restored
Business impact analysis (“BIA”)

• Critical step in developing the business continuity strategy and the subsequent implementation
• Evaluating the critical processes (and the corresponding IT components supporting them), and determining time frames, priorities, resources and interdependence
• An understanding of the organization, key business processes, and the IT resources supporting these processes is important <- often coming from risk assessment results
• Support and sponsorship from senior management, and extensive involvement of both IT and end users, are required
• To evaluate the impact of downtime for a particular process/application; data loss; or financial impact
  - Impact bands (i.e., high, medium, low) and estimated time (hours, days, weeks)
• In addition, assess how long the organization can run if a supply is broken
• Questionnaires/interview sessions with groups of key users, bringing relevant IT personnel and end users together
• Two independent cost factors: (1) downtime cost; and (2) cost of alternate corrective measures (i.e., implementation, maintenance and activation of the BCP)
• Group information systems according to their recovery time

Disruption costs vs. recovery cost
  - Each possible strategy has a fixed cost
  - The fixed cost of each strategy differs
  - The cost of planning and implementation will be paid even if no disaster takes place
IT Business continuity planning – business continuity plan development

• IT business continuity strategy
  - Outlines the main technology and principles
  - Roadmap to implement them
• IT business continuity plan
  - Identifies what a business will do in the event of a disaster
    o Natural causes
    o Precipitated by human beings
    o Pandemic
  - Worst-case scenarios and short- and long-term fallback strategies are formulated
  - Two parts: internal and external
  - Subcomponent: IT DRP
    o The process that IT personnel will use to restore the computer systems, applications, communications and data
    o Can be included in the BCP or kept as a separate document
• Not all systems require a recovery strategy
  - Cost versus benefit: usually clear after completion of the BIA
IT Business continuity planning – development of business continuity plans

• Factors to consider in developing/reviewing BCPs:
  - Pre-disaster readiness covering incident response management to address all relevant incidents
  - Evacuation procedures
  - Procedures for declaring a disaster
  - Circumstances under which a disaster should be declared: a small incident, if not addressed in a timely and proper manner, may lead to a disaster
  - Clear identification of the responsibilities
  - Clear identification of the persons responsible for each function
  - Clear identification of contract information
  - Step-by-step explanation of the recovery process
  - Clear identification of the various resources required for recovery
• The IT BCP should include planning for all divisions and units that depend on IS processing functions
• The following items should also be considered:
  - A list of staff, with redundant contact information, required to maintain critical business functions
  - The configuration of building facilities, desks, chairs, telephones, etc., required to maintain critical business functions
  - The resources required to resume/continue operations (not necessarily IT or technology resources)
IT Business continuity planning – components of a BCP

• A BCP SHOULD include:
  - Continuity of operations plan
  - DRP
  - Business resumption plan
• A BCP MAY include:
  - Continuity of support plan/IT contingency plan
  - Crisis communication plan
  - Incident response plan
  - Transportation plan
  - Occupant emergency plan
  - Evacuation and emergency relocation plan
• For the planning, implementation and evaluation of the BCP, the following should be agreed on:
  - The policies that will govern all of the continuity and recovery efforts
  - The goals/requirements/products of each phase
  - Alternate facilities to perform tasks and operations
  - Critical information resources to deploy
  - Persons responsible for completion
  - Available resources to aid in deployment
  - The scheduling of activities, with priorities established
IT Business continuity planning – Incident management

• Incidents and crises are dynamic in nature (refer to Domain 5.16, Incident response management, for more details)
• Classification can change dynamically until the incident is resolved:
  - Negligible
  - Minor: causes no negative material or financial impact
  - Major: causes negative material impact, and may impact other systems/departments or outsiders
  - Crisis:
    o A major incident that can have a serious material impact on the continuous functioning of the business
    o May adversely impact other systems or third parties
    o The severity of the impact is generally directly proportional to the time impacted
• Minor, major and crisis incidents should be documented, classified and revisited until resolved
• The security officer (SO) or other designated individual should be notified of all relevant incidents
• An escalation protocol should be established and followed
IT Business continuity planning – plan testing

• Testing should be performed on the BCPs, addressing all key components, and key recovery team members should be involved
• Should be scheduled at a time that will minimize disruption
• Specification
  - Verify the completeness and precision of the BCP
  - Evaluate the performance of the personnel involved in the exercise
  - Appraise the training and awareness of employees who are not members of a BC team
  - Evaluate the co-ordination among the business continuity team and external vendors and suppliers
  - Measure the ability and capacity of the backup site to perform prescribed processing
  - Assess the vital records retrieval capability
  - Evaluate the state and quantity of equipment and supplies that have been relocated to the recovery site
  - Measure the overall performance of operational and IT processing activities related to maintaining the business entities
• Test execution
  - Pre-test: set the stage for the actual test
  - Test: the real action of the BC test
    o Desk-based evaluation/paper test: a paper walkthrough of the plan
    o Preparedness test: a localized version of a full test
    o Full operational test
  - Post-test: clean-up, e.g., returning resources, deleting all company data, etc.
  - Result analysis: time, amount, count and accuracy
IT Business continuity planning – plan maintenance

• Plans and strategies for business continuity should be reviewed and updated on a scheduled basis
  - A strategy that is appropriate at one point in time may not be adequate as the needs of the organization change
  - New resources/applications may be developed or acquired
  - Changes in business strategy may alter the significance of critical applications or deem additional applications critical
  - Changes in the software or hardware environment may make current provisions obsolete or inappropriate
  - New events, or a change in the likelihood of events, may cause disruption
  - Changes are made to key personnel or their contact details
• Maintenance responsibility for the BCP usually falls on the BCP coordinator
  - Develop a schedule for periodic review
  - Call for unscheduled revision when significant changes have occurred
  - Arrange and co-ordinate scheduled and unscheduled tests
  - Participate in the scheduled plan tests, which should be performed at least once per year on specific dates
  - Develop a schedule for training recovery personnel
  - Maintain records of BCP maintenance activities: testing, training and reviews
  - Periodically update, at least quarterly, the notification directory for all personnel changes
IT Business continuity planning – auditing BCP

• IS auditors’ tasks:
  - Understand and evaluate the business continuity strategy
  - Review the BIA findings to ensure that they reflect current business priorities
  - Evaluate the BCPs to determine their adequacy and currency (e.g., by comparing them to standards and regulations)
  - Verify that BCPs are effective, by reviewing the test results
  - Evaluate cloud-based mechanisms
  - Evaluate offsite storage to ensure its adequacy, by inspecting the facilities and reviewing their contents and controls
  - Verify the arrangements for transporting backup media to ensure that they meet the security standards
  - Evaluate the ability of personnel to respond effectively in emergency situations
  - Ensure that the process for maintaining plans is in place and effective: scheduled and unscheduled revisions
  - Evaluate whether the BC manuals and procedures are written in a simple and easy-to-understand manner
Disaster recovery plans

• To ensure that cost-effective controls are in place to prevent possible IT disruptions and to recover the IT capacity
• A continuous process: the criticality of business processes and supporting IT services, systems and data are defined and periodically reviewed
• Two important outcomes of DR planning:
  - Changes in IT infrastructure, supporting processes, procedures and organization structure should be combined into programs spanning 3 to 5 years: IT DR strategies
  - DRPs developed: the direct response to incidents ranging from simple emergencies to full-blown disasters
• Parameters in defining recovery strategies:
  - RPO: recovery point objective – acceptable data loss in case of disruption
    o If the maximum affordable data loss is up to 4 hours, then the latest backup available should be no more than 4 hours old
  - RTO: recovery time objective – acceptable downtime in case of disruption
  - Both RPO and RTO are based on time parameters
  - Other parameters: interruption window, service delivery objectives (SDO), and maximum tolerable outages (MTOs)

RPO | Technologies
4 – 24 hours | Tape backups
1 – 4 hours | Disk backups, snapshots, log shipping
0 – 1 hour | Mirroring, real-time replication, log shipping

RTO | Technologies
0 – 1 hour | Active-active clustering
1 – 4 hours | Active-passive clustering, hot standby
1 – 4 hours | Cold standby
Disaster recovery plans – recovery alternatives

Type | Description
Cold sites | • Facilities with the space and basic infrastructure, but lacking any IT or communications equipment, programs, data or office support
 | • A plan using a cold site should also include provisions to acquire and install hardware, software and office equipment
Mobile sites | • Packaged, modular processing facilities mounted on transportable vehicles, kept ready to be set up at a location
 | • A plan using mobile sites should include right of access to the selected site by the vendor and the company, and any required infrastructure to support the site (e.g., water, power)
Warm sites | • Complete infrastructure, but only partially configured, and the equipment may be less capable than normal production
 | • Typically, data would need to be loaded before operations could resume
Hot sites | • Facilities with space and basic infrastructure, and ALL of the IT and communications equipment
 | • Installed versions of programs are maintained; data may also be duplicated in real or near-real time
 | • Hot sites may have a small staff assigned, although employees are usually transferred upon activation
Reciprocal agreements | • Agreements between separate but SIMILAR companies to temporarily share their IT facilities in case of disaster
 | • Not considered a viable option due to the constraining burden and the complications of maintaining security and privacy compliance
IT Business continuity planning – Pop-up question (1)

Which of the following is the MOST reasonable option for recovering a non-critical system?

A. Warm site
B. Mobile site
C. Hot site
D. Cold site

Answer: D
Generally, a cold site is contracted for a longer period at a lower cost. Because it requires more time to make a cold site operational, it is generally used for non-critical applications.
Disaster recovery plans – development

• The IT DRP is part of the greater business continuity planning process
• An IT DRP usually contains:
  - Procedures for declaring a disaster (escalation procedures)
  - Criteria for plan activation
  - Linkage with the overarching plans (e.g., BCPs, crisis management plans)
  - The person responsible for each function in plan execution
  - Recovery teams and responsibilities
  - Contact and notification lists
  - A step-by-step explanation of the whole recovery process
  - Recovery procedures
  - Contacts for important vendors and suppliers
  - Identification of resources required for recovery and continued operation
• Scenarios to consider include (but are not limited to):
  - Loss of network connectivity
  - Loss of a key IT system
  - Loss of the processing site
  - Loss of critical data
  - Loss of an office
  - Loss of a key service provider
Disaster recovery plans – testing

• Similar to BCPs, DRPs should also be regularly tested to ensure that the plans will work. Testing usually includes:
  - Developing test objectives
  - Executing the test
  - Evaluating the test
  - Developing recommendations
  - Implementing a follow-up process
• Types of test
  - Checklist review: distributed to all members to review, to ensure the checklist is current
  - Structured walkthrough: team members implement the plans on paper and review each step
  - Simulation test: role-play a prepared disaster without activation
  - Parallel test: the recovery site is brought to a state of operational readiness, but the primary site remains business as usual
  - Full interruption test: operations are shut down at the primary site
• Objectives of testing
  - Verify the completeness and precision of the response and recovery plan
  - Evaluate the performance of the personnel involved
  - Appraise the demonstrated level of training and awareness of individuals who are NOT part of the recovery team
  - Evaluate the co-ordination among teams, vendors and suppliers
  - Measure the ability and capacity of the backup site
• Result analysis: time (RTO), data (RPO), amount, percentage and/or number, and accuracy
IT Business continuity planning – Pop-up question (2)

Which of the following statements is useful while drafting a disaster recovery plan?

A. Downtime costs decrease as the recovery point objective cost increases
B. Downtime costs increase with time
C. Recovery costs are independent of time
D. Recovery costs can only be controlled on a short-term basis

Answer: B
A: Downtime costs are not related to RPO. RPO defines the data backup strategy, which is related to recovery costs rather than to downtime costs.
C: Recovery costs decrease with the time allowed for recovery.
Review Questions
Review Questions (1)

Which of the following would an IS auditor consider to be MOST helpful when evaluating the effectiveness and adequacy of a preventive computer maintenance program?

A. A system downtime log
B. Vendors’ reliability figures
C. Regularly scheduled maintenance log
D. A written preventive maintenance schedule

Answer: A
A system downtime log provides evidence regarding the effectiveness and adequacy of computer preventive maintenance programs. The log is a detective control, but because it is validating the effectiveness of the maintenance program, it is a validating preventive control.
Review Questions (2)

A large chain of shops with electronic funds transfer at point-of-sale devices has a central communications processor for connecting to the banking network. Which of the following is the BEST disaster recovery plan for the communications processor?

A. Offsite storage of daily backups
B. Alternative standby processor onsite
C. Installation of duplex communication links
D. Alternative standby processor at another network node

Answer: D
B: The provision of an alternate processor onsite would be fine if it were an equipment problem, but would not help in the case of a power outage, and may require technical expertise to cut over to the alternate equipment.
C: Installation of duplex communication links would be most appropriate if only the communication link failed.
D: Having an alternate standby processor at another network node would be the best solution. The unavailability of the central communication processor would disrupt all access to the banking network.
Review Questions (3)

The database administrator suggests that database efficiency can be improved by de-normalizing some tables. This would result in:

A. Loss of confidentiality
B. Increased redundancy
C. Unauthorized accesses
D. Application malfunctions

Answer: B
Normalization is a design or optimization process for a relational database that minimizes redundancy. Redundancy, which is usually considered positive when it is a question of resource availability, is negative in a database environment because it demands additional and otherwise unnecessary data handling effort and lets copies of the same fact drift apart. De-normalization reintroduces that redundancy; it is sometimes advisable for functional reasons.
Review Questions (4)

Which of the following controls would provide the GREATEST assurance of database integrity?

A. Audit log procedures
B. Table link / reference checks
C. Query / table access time checks
D. Rollback and roll-forward database features

Answer: B
A: Audit logs record who changed what, but they do not by themselves verify that the stored data is consistent.
B: Performing table link / reference checks serves to detect table linking errors (for example child rows whose foreign key points at a parent row that no longer exists), and thus provides the greatest assurance of database integrity.
C: Query / table access time checks help designers improve database performance, not integrity.
D: Rollback and roll-forward database features ensure recovery from an abnormal disruption. They assure the integrity of the transaction that was being processed at the time of the disruption, but do not provide assurance on the integrity of the contents of the database.
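Added example, not from the course material: the script below uses Python's built-in sqlite3 module to show both review question 3 (de-normalizing copies the customer name into every order row, so a single update of the master record leaves stale copies behind) and review question 4 (a table link / reference check that finds child rows whose foreign key no longer points at an existing parent). The schema, table names and rows are constructed for illustration only.

```python
"""De-normalization redundancy (review question 3) and a table link /
reference check (review question 4) on an in-memory SQLite database.

Added example with constructed data; the schema and table names are
assumptions made for illustration, not taken from any product.
"""
import sqlite3


def build_db():
    """Normalized customer/orders schema plus a de-normalized orders table
    that copies the customer name into every order row."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE customer(id INTEGER PRIMARY KEY, name TEXT NOT NULL);
        CREATE TABLE orders(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
                            amount REAL NOT NULL);
        -- de-normalized copy: customer_name duplicates customer.name
        CREATE TABLE orders_denorm(id INTEGER PRIMARY KEY, customer_id INTEGER NOT NULL,
                                   customer_name TEXT NOT NULL, amount REAL NOT NULL);
        INSERT INTO customer VALUES (1, 'Acme Ltd'), (2, 'Bolt plc');
        INSERT INTO orders VALUES (10, 1, 100.0), (11, 1, 50.0), (12, 2, 75.0);
        INSERT INTO orders_denorm
            SELECT o.id, o.customer_id, c.name, o.amount
            FROM orders o JOIN customer c ON c.id = o.customer_id;
    """)
    return con


def rename_customer(con, customer_id, new_name):
    """An ordinary maintenance change applied to the master record only.
    In the normalized design that is sufficient; in the de-normalized table
    every copied name is now stale unless it is updated as well."""
    con.execute("UPDATE customer SET name = ? WHERE id = ?", (new_name, customer_id))


def stale_denormalized_rows(con):
    """Order ids whose copied customer_name no longer matches the master record."""
    rows = con.execute("""
        SELECT d.id FROM orders_denorm d JOIN customer c ON c.id = d.customer_id
        WHERE d.customer_name <> c.name ORDER BY d.id
    """)
    return [r[0] for r in rows]


def reference_check(con, child, fk_column, parent, child_key="id", parent_key="id"):
    """Table link / reference check: child rows whose foreign key has no
    matching parent row (orphans). SQLite enforces foreign keys only when
    PRAGMA foreign_keys=ON, so an auditor should run the check rather than
    assume the engine prevented orphans. Identifiers are interpolated into
    the SQL and therefore must come from the audit script, never from users."""
    sql = (f"SELECT {child}.{child_key} FROM {child} LEFT JOIN {parent} "
           f"ON {parent}.{parent_key} = {child}.{fk_column} "
           f"WHERE {parent}.{parent_key} IS NULL ORDER BY {child}.{child_key}")
    return [r[0] for r in con.execute(sql)]


def demo():
    """Returns (stale de-normalized order ids, orphaned order ids)."""
    con = build_db()
    rename_customer(con, 1, "Acme Holdings")
    stale = stale_denormalized_rows(con)
    # Deleting a parent without cascading leaves orphan child rows behind.
    con.execute("DELETE FROM customer WHERE id = 2")
    orphans = reference_check(con, "orders", "customer_id", "customer")
    return stale, orphans


if __name__ == "__main__":
    print(demo())
```

With the constructed rows, the rename leaves orders 10 and 11 carrying the old name in the de-normalized table, and deleting customer 2 leaves order 12 pointing at a parent that no longer exists; the reference check is what surfaces the second condition.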
Review Questions (5)

Which of the following is widely accepted as one of the critical components in network management?

A. Configuration and change management
B. Topological mappings
C. Application of monitoring tools
D. Proxy server troubleshooting

Answer: A
Configuration management is widely accepted as one of the key components of any network because it establishes how the network will function internally and externally; it also covers the management of configuration items and the monitoring of performance. Change management ensures that the setup and management of the network is done properly, including managing changes to the configuration, removing default passwords and, where possible, hardening the network by disabling unneeded services.
Review Questions (6)

An IS auditor is reviewing an organization's recovery from a disaster in which not all the critical data needed to resume business operations were retained. Which of the following was incorrectly defined?

A. The interruption window
B. The recovery time objective
C. The service delivery objective
D. The recovery point objective

Answer: D
The recovery point objective is determined based on the acceptable data loss in case of a disruption. Because data needed to resume operations was lost, the acceptable amount of loss, and hence the backup frequency that supports it, was defined incorrectly. The interruption window, the recovery time objective and the service delivery objective concern time and service levels, not the data that must be retained.
Review Questions (7)

There are several methods of providing telecommunication continuity. The method of routing traffic through split-cable or duplicate-cable facilities is called:

A. Alternative routing
B. Diverse routing
C. Long-haul network diversity
D. Last-mile circuit protection

Answer: B
C: Long-haul network diversity is a diverse, long-distance network using different packet switching circuits among the major long-distance carriers. It ensures long-distance access should any carrier experience a network failure.
D: Last-mile circuit protection is a redundant combination of local carrier T-1s, microwave and/or coaxial cable access to the local communication loop.
Review Questions (8)

Which of the following is a continuity plan test that simulates a system crash and uses actual resources to cost-effectively obtain evidence about the plan's effectiveness?

A. Paper test
B. Post-test
C. Preparedness test
D. Walkthrough

Answer: C
A preparedness test is a localized version of a full test. The test is performed regularly on different aspects of the plan and can be a cost-effective way to gradually obtain evidence about the plan's effectiveness. It also provides a means to improve the plan in increments.
Review Questions (9)

Which of the following stakeholders is the MOST important in terms of developing a business continuity plan?

A. Process owners
B. Application owners
C. The board of directors
D. IT management

Answer: A
Process owners are essential in identifying the critical business functions, recovery times and resources needed.
Review Questions (10)

The BEST audit procedure to determine if unauthorized changes have been made to production code is to:

A. Examine the change control system records and trace them forward to object code files
B. Review access control permissions operating within the production program libraries
C. Examine object code to find instances of changes and trace them back to change control records
D. Review change-approved designations established within the change control system

Answer: C
The procedure of examining object code files to establish instances of code changes and tracing these back to the change control system records is a substantive test that directly addresses the risk of unauthorized code changes. Tracing forward from change records (A) only confirms that recorded changes reached production; it cannot reveal a change that bypassed the change control system, because no record exists to trace.
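Added example, not part of the course material, contrasting option C with option A in code. The script hashes every object in a constructed production library and looks for an approved change record that delivered exactly that content; an object with no such record is an unexplained change. The forward trace (option A) is shown beside it to make the blind spot concrete. The file names, contents and change records are constructed, and the assumption that each approved change record carries the SHA-256 of the object it delivered is made for illustration, not a claim about any particular change control tool.

```python
"""Review question 10: trace production object code back to change records.

Added example with constructed data. Assumption for illustration: each
approved change record stores the SHA-256 of the object it delivered.
"""
import hashlib


def sha256_hex(data):
    """Hex SHA-256 of a byte string (the 'fingerprint' of an object file)."""
    return hashlib.sha256(data).hexdigest()


# Constructed "production library": object file name -> bytes deployed today.
PRODUCTION_OBJECTS = {
    "payroll.so": b"payroll v3 object code",
    "ledger.so":  b"ledger v7 object code",
    "report.so":  b"report v2 object code, patched by hand",  # changed outside change control
    "utils.so":   b"utils v1 object code",                    # never went through change control
}

# Constructed change control records (assumed layout).
CHANGE_RECORDS = [
    {"change_id": "CHG-1001", "file": "payroll.so", "status": "approved",
     "sha256": sha256_hex(b"payroll v3 object code")},
    {"change_id": "CHG-1002", "file": "ledger.so", "status": "approved",
     "sha256": sha256_hex(b"ledger v7 object code")},
    {"change_id": "CHG-1003", "file": "report.so", "status": "approved",
     "sha256": sha256_hex(b"report v2 object code")},
    {"change_id": "CHG-9999", "file": "payroll.so", "status": "rejected",
     "sha256": sha256_hex(b"payroll v3 object code")},  # rejected records do not count
]


def trace_back(production, records):
    """Option C: for every production object, look for an approved change
    record whose delivered hash matches the object as it exists now.
    Anything unmatched was changed outside the change control process
    (or its record is missing), and is an audit finding either way."""
    approved = {(r["file"], r["sha256"]) for r in records if r["status"] == "approved"}
    unexplained = []
    for name, blob in sorted(production.items()):
        if (name, sha256_hex(blob)) not in approved:
            unexplained.append(name)
    return unexplained


def trace_forward(production, records):
    """Option A: start from approved change records and check that each one
    reached production intact. This confirms recorded changes were deployed
    but is blind to production objects that have no record at all."""
    not_as_approved = []
    for r in records:
        if r["status"] != "approved":
            continue
        blob = production.get(r["file"])
        if blob is None or sha256_hex(blob) != r["sha256"]:
            not_as_approved.append(r["change_id"])
    return not_as_approved


if __name__ == "__main__":
    print("unexplained production objects (option C):",
          trace_back(PRODUCTION_OBJECTS, CHANGE_RECORDS))
    print("approved changes not found as approved (option A):",
          trace_forward(PRODUCTION_OBJECTS, CHANGE_RECORDS))
```

On the constructed data the backward trace reports both report.so (hand-patched after approval) and utils.so (no record at all), whereas the forward trace only notices that CHG-1003 does not match what is deployed and says nothing about utils.so, because it never starts from production.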
Thank you.