CISA Domain 4: IT Operations Overview

The document outlines key components and operations of Information Systems, including IT asset management, system interfaces, and data governance. It details the OSI model layers, local area network (LAN) components, risks, and security measures, as well as wide area networks (WAN) and network performance metrics. Additionally, it discusses various computer types, enterprise back-end devices, and the importance of hardware maintenance and IT asset management.

Domain (4): Information Systems Operations and Business Resilience

Pre-assessment

[Link]

Section A: Information Systems Operations
• IT Asset Management
• Job Scheduling and Production Process Automation
• System Interfaces
• End-User Computing
• Data Governance
• Systems Performance Management
• Problem and Incident Management
• Change, Configuration, Release, and Patch Management
• IT Service Level Management
• Database Management

IT Components
• Infrastructure
• Network
• Applications and software
• System monitoring and management
• Backup and disaster recovery
• Virtualization and cloud computing
• Documentation and knowledge management

OSI Model

Layer 1: Physical layer
• The physical layer converts bits into voltage for transmission
• The physical layer is associated with cables and other hardware for the physical connection of the device to the network

Layer 2: Data link layer
• The data link layer converts the electrical voltage into a data packet, which is forwarded to the network layer
• A data packet received from the network layer is converted into electrical voltage and forwarded to the physical layer

Layer 3: Network layer
• The function of the network layer is to insert the IP address into the packet header and route the packet to its destination

Layer 4: Transport layer
• The function of the transport layer is to provide an end-to-end data transport service and establish a logical connection between the two devices
• The transport layer ensures the reliability of the data transfer to its destination in the proper sequence
• This layer also manages traffic as per network congestion. In other words, it reduces data transmission during periods of high congestion and increases transmission during periods of low congestion

Layer 5: Session layer
• The function of the session layer is to establish a connection between two applications, maintain the connection and terminate the connection when required
• It is similar to a phone call, wherein the connection is first made, then the message is exchanged, and then the connection is terminated

Layer 6: Presentation layer
• The function of the presentation layer is to translate the data as per the format of the application
• The presentation layer provides services such as encryption, text compression, and reformatting

Layer 7: Application layer
• The function of the application layer is to provide an interface and communicate directly with the end user
• It includes the protocols that support the applications

Local Area Network (LAN)
• A LAN covers a small, local area, from a few devices in a single room to a network across a few buildings.
• Network Physical Media:
o Copper (twisted-pair) circuits
o Fiber-optic systems
o Radio systems (wireless)

Twisted Pair (Copper Circuit)
• Copper wires are cheaper than fiber optics
• There are two categories of twisted pair: shielded twisted pair (STP) and unshielded twisted pair (UTP)
• STPs are less prone to EMI and crosstalk and so are more reliable than UTPs
• A UTP is more sensitive to the effects of EMI and crosstalk (when one cable interferes with signals from adjacent cables)
• The parallel installation of UTPs should be avoided for long distances since they are more prone to crosstalk.

Fiber-Optic Cables
• Optical fiber is a thin and flexible fiber made of glass or plastic
• These cables carry binary signals as flashes of light
• Fiber-optic cables are more secure than copper wire
• Fiber-optic cables are the preferred choice for managing long-distance networks and handling high volumes of data
• They are not impacted or affected by electromagnetic interference (EMI)
• These cables have very low transmission loss

Radio Systems (wireless)
• Data is communicated between devices using low-powered systems that broadcast (or radiate) and receive electromagnetic signals representing data

LAN Topologies

LAN Components

Repeaters
• Repeaters are used to address the risk of attenuation (weakening of the signal)
• A repeater receives the signal from one network and amplifies and regenerates a strong signal
• Repeaters extend the signal so that it can cover longer distances or be received on the other side of an obstruction

Hubs
• Hubs are used to connect different devices for the exchange of data
• A hub operates at layer 1 (physical layer) of the OSI model
• A hub broadcasts a message to all connected devices
• A hub cannot store Media Access Control (MAC) addresses

Switches
• Switches are used to connect different devices for the exchange of data
• A switch operates at layer 2 (data link layer) of the OSI model
• A switch is regarded as a more advanced/intelligent version of a hub
• A switch sends messages only to designated devices
• Switches can store MAC addresses in a lookup table

Bridges
• Bridges have the same functionality as switches
• Bridges are software-based, and they are less efficient than similar hardware-based devices, such as switches
• A bridge identifies the MAC address and directs the packet to its destination
• It also has the ability to store the frame and can act as a store-and-forward device

Routers
• A router is regarded as a more advanced/intelligent version of a switch
• It operates at layer 3 (the network layer) of the OSI model
• A router can monitor, control, and block network traffic
• It can be considered a very basic level of firewall
• Routers can connect two different networks, and each network remains logically separate and can function as an independent network
• A router identifies the IP address, whereas a switch operates by identifying MAC addresses

Gateway
• A gateway has the capability to translate and connect different protocols and networks
• It operates at layer 7 (the application layer) of the OSI model
• A gateway can perform much more complex tasks than connection devices such as switches and routers
Network Devices and the OSI Layer
• Hub: Physical layer (layer 1)
• Switch: Data link layer (layer 2)
• Bridge: Data link layer (layer 2)
• Router: Network layer (layer 3)
• Gateway: Application layer (layer 7)

LAN Risk
• Loss of data and program integrity through unauthorized changes
• Lack of current data protection through inability to maintain version control
• Exposure to external activity through poor user verification and potential public network access from remote connections
• Virus and worm infection
• Improper disclosure of data because of general access rather than need-to-know access provisions
• Illegal access by impersonating or masquerading as a legitimate LAN user
• Internal user sniffing (obtaining seemingly unimportant information from the network, such as network addresses, that can be used to launch an attack)
• Internal user spoofing (reconfiguring a network address to pretend to be a different address)
• Lack of enabled detailed automated logs of activity (audit trails)
• Destruction of the logging and auditing data

LAN Security
• Declaring ownership of programs, files and storage
• Limiting access under the principle of least privilege (POLP), which restricts users’ access to what they need to perform their role
• Implementing record and file locking to prevent simultaneous updates
• Enforcing user ID/password sign-on procedures, including the rules relating to password length, format and change frequency
• Implementing port security policies by using switches rather than hubs or non-manageable routers. This will prevent unauthorized hosts with unknown MAC addresses from connecting to the LAN
• Encrypting local traffic using the Internet Protocol Security (IPSec) protocol

WAN
• A WAN is a data communications network that transmits information across geographically dispersed LANs, such as among plant sites, cities and nations.

WAN Transmission Media

Network Performance Metrics
• Latency: The delay that a message or packet experiences on its way from source to destination (measured with the ping command)
• Jitter: The variation in latency between packets flowing from origination to destination, measured in milliseconds
• Throughput: The number of bytes per second that pass through a channel
• Quality of service (QoS): The measurement of the overall performance of the network, especially from the network users’ point of view

Internet Protocol Networking
• IP networking enables devices to communicate by providing the foundation for other protocols to communicate.

IPv4 vs IPv6
• Number of bits: IPv4 uses 32; IPv6 uses 128
• Count: IPv4 provides 4.3 billion addresses; IPv6 provides an infinite number
• Data security: In IPv4, encryption and authentication are not supported; in IPv6, encryption and authentication are provided
• Security features: IPv4 was not developed for security purposes and security depends on the application; IPv6 is enhanced for security purposes

Network Address Translation (NAT)
• NAT is a mechanism for converting internal IP address packet headers into public IP addresses for transmission over the Internet
• Types:
o Static NAT: A static NAT maps a specific internal IP address permanently to an external IP address
o Dynamic NAT: A dynamic NAT is a NAT architecture in which mappings between external and internal addresses change between sessions
o NAT with port address translation (NPAT): NPAT permits several private network devices to share the same public IP address. A unique port number is dynamically assigned to each device on the private network.
• Benefits:
o Cost reduction
o Improved privacy
o Increased security
o Increased flexibility and scalability
o Boundary enforcement
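
As an added example, not from the slides, the following Python simulation shows how NPAT lets several private hosts share one public address: each outbound flow is given a unique public port, replies are mapped back to the right private host, and unsolicited inbound packets with no translation entry are dropped (the boundary enforcement listed under benefits). All addresses and port numbers are constructed.

```python
"""Simulation of NAT with port address translation (NPAT/PAT).

Constructed addresses: private hosts on 10.0.0.0/24 behind the public
address 203.0.113.5. Several private hosts share one public IP; each
outbound flow gets a dynamically assigned, unique public source port.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    protocol: str = "tcp"


class PortAddressTranslator:
    """Maps (protocol, private ip, private port) to a unique public port and back."""

    def __init__(self, public_ip: str, port_range=(49152, 65535)):
        self.public_ip = public_ip
        self._next_port, self._last_port = port_range
        # (protocol, private ip, private port) -> public port
        self._outbound: Dict[Tuple[str, str, int], int] = {}
        # (protocol, public port) -> private endpoint
        self._inbound: Dict[Tuple[str, int], Endpoint] = {}

    def _allocate_port(self) -> int:
        if self._next_port > self._last_port:
            raise RuntimeError("public port pool exhausted")
        port = self._next_port
        self._next_port += 1
        return port

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a private-to-public packet; reuse an existing mapping."""
        key = (pkt.protocol, pkt.src[0], pkt.src[1])
        pub_port = self._outbound.get(key)
        if pub_port is None:
            pub_port = self._allocate_port()
            self._outbound[key] = pub_port
            self._inbound[(pkt.protocol, pub_port)] = pkt.src
        return Packet(src=(self.public_ip, pub_port), dst=pkt.dst, protocol=pkt.protocol)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite a reply to the private host, or return None (drop) when no
        translation exists: unsolicited inbound traffic never reaches the LAN."""
        if pkt.dst[0] != self.public_ip:
            return None
        private = self._inbound.get((pkt.protocol, pkt.dst[1]))
        if private is None:
            return None
        return Packet(src=pkt.src, dst=private, protocol=pkt.protocol)

    def active_translations(self) -> int:
        return len(self._outbound)


def demo_shared_public_address() -> dict:
    """Two private hosts reach the same web server through one public IP."""
    nat = PortAddressTranslator("203.0.113.5")
    server = ("198.51.100.10", 443)
    a_out = nat.translate_outbound(Packet(("10.0.0.11", 51000), server))
    # Second host uses the same private source port; NPAT still keeps them apart
    b_out = nat.translate_outbound(Packet(("10.0.0.12", 51000), server))
    # Replies addressed to each public port go back to the right private host
    a_reply = nat.translate_inbound(Packet(server, a_out.src))
    b_reply = nat.translate_inbound(Packet(server, b_out.src))
    # A packet to a public port with no mapping is dropped
    unsolicited = nat.translate_inbound(Packet(("192.0.2.77", 4444), ("203.0.113.5", 60000)))
    return {
        "a_public_port": a_out.src[1],
        "b_public_port": b_out.src[1],
        "a_reply_to": a_reply.dst,
        "b_reply_to": b_reply.dst,
        "unsolicited_dropped": unsolicited is None,
        "translations": nat.active_translations(),
    }


if __name__ == "__main__":
    print(demo_shared_public_address())
```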

Computer Hardware Components
• Processing Components:
o Central Processing Unit (CPU)
o Graphics Processing Unit (GPU)
• Input/Output Components:
o Input only: Keyboard, mouse
o Input/Output: Touchscreen
o Output only: Printer
• Other Key Components:
o Motherboard
o Random access memory (RAM)
o Read-only memory (ROM)
o Permanent storage devices (hard disk drive [HDD] or solid-state drive [SSD])

Types of Computers
• Supercomputers: Very large and expensive computers with the highest processing speeds, designed for specialized purposes or fields that require extensive processing power
• Mainframes: Large, general-purpose computers made to share their processing power and facilities with thousands of internal or external users. Mainframes accomplish this by executing a large variety of tasks almost simultaneously. The range of capabilities of these computers is extensive
• High-end and midrange servers: Multiprocessing systems capable of supporting thousands of simultaneous users. High-end servers can be comparable to a mainframe in size and power, and they cost much less than mainframes
• Personal computers (PCs): Small computer systems called PCs or workstations, designed for individual users
• Thin-client computers: Thin-client PCs are generally configured with minimal hardware (e.g., a diskless workstation), with the intent that most processing occurs at the server level using software
• Laptop computers: Lightweight personal computers that are easily transportable and powered by a normal AC connection or a rechargeable battery pack
• Next unit of computing (NUC): The NUC is a small form-factor device or computer element that delivers a full desktop PC experience, gaming experience or edge device experience
• Single-board computer (SBC): An SBC is a complete functioning computer with the microprocessor, input/output (I/O) functions, memory and other features all built on a single circuit board (e.g., Raspberry Pi)
• Smartphones, tablets and other handheld devices: Handheld devices enable users to substitute a small computing device for a laptop computer

Enterprise Back-End Devices
• Print servers
• File servers
• Application (program) servers
• Web servers
• Proxy servers
• Database servers
• Data loss prevention (DLP) gateway
• Appliances (specialized devices): Firewalls, IDS/IPS, Switches, Routers, VPNs, Load balancers

Proxy Servers
• A proxy server is a server that acts on behalf of a user
• Forward proxies sit between a client and the Internet:
o Improving performance
o Filtering traffic
o Anonymizing data
• Reverse proxies sit between the Internet and a web server:
o Load balancing
o Security
o Caching

Universal Serial Bus
• A USB is a device that can be connected to different peripherals through a single standardized interface socket. It improves plug-and-play capabilities and can be connected or disconnected without rebooting the computer. Examples of the use of USBs include memory sticks, Secure Digital (SD) cards, and flash drives.
• USBs – Risks:
o Viruses and other malicious software
o Data theft
o Data and media loss
o Corruption of data
o Compatibility issues
o Physical damage risk
o Loss of confidentiality
• USBs – Security Controls:
o Encryption
o Granular control
o Security personnel education
o Lock desktop policy enforcement
o Antivirus policy
o Use of secure devices only
o Inclusion of return information

Wireless Communication Technologies
• Wi-Fi is a wireless networking technology that uses radio waves to provide wireless high-speed Internet access
• Bluetooth is a wireless communication technology that allows devices to communicate with each other over short distances
• Radio frequency identification (RFID) is a wireless communication technology that uses radio waves to identify and track objects. RFID tags are small electronic devices that can be attached to objects. RFID readers can then be used to read the tags and identify the objects
• Advantages:
o Convenience
o Mobility
o Scalability

Hardware Maintenance Program
• To ensure proper operation, hardware must be routinely cleaned and serviced. Maintenance requirements vary based on complexity and performance workloads (e.g., processing requirements, terminal access and number of applications running). Maintenance should be scheduled to closely coincide with vendor-provided specifications
• When performing an audit of this area, the IS auditor should:
o Verify that the program covers the scope and objectives in alignment with business requirements, and indicate gaps where present
o Ensure that a formal maintenance plan has been developed and approved by management and is being followed
o Identify maintenance costs that exceed the budget or are excessive
• Hardware Monitoring Reports and Procedures:
o Availability reports
o Hardware error reports
o Asset management reports
o Utilization reports

Hardware Reviews
• During audits of infrastructure and operations, hardware reviews should include the following areas:
o Hardware acquisition plan
o Acquisition of hardware
o IT asset management
o Capacity management and monitoring
o Preventive maintenance schedule
o Hardware availability and utilization reports
o Problem logs and job accounting system reports

IT Asset Management
• An asset is something of tangible or intangible value worth protecting, including people, information, infrastructure, finances and reputation
• The inventory record of each information asset should include:
o Owner
o Designated custodian
o Specific identification
o Compliance requirements
o Loss implications and recovery priority
o Location
o Security/risk classification
o Asset group
o Life cycle management
o Relative value
o Access controls
o Disposal date

Job Scheduling
• A job schedule is typically created that lists the jobs that must be run and the order in which they are run, including any dependencies
• The advantages of using job scheduling software include:
o Job information is set up only once, reducing reliance on operators and the probability of error
o Job dependencies are defined so that if a job fails, subsequent jobs relying on its output will not be processed
o Logs are maintained of all job successes and failures
o Security over access to production data is available
o The burden of manual tasks is reduced or eliminated
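
As an added example, not part of the slides, this Python scheduler implements the behaviour the list describes: jobs run in dependency order, a failed job causes every job that relies on its output to be skipped, and every outcome is logged. The batch (extract, transform, load, report) and the failure are constructed.

```python
"""Dependency-aware job scheduler.

Constructed batch: extract -> transform -> load, plus an independent
report job. Jobs run in dependency order; when a job fails, every job
depending (directly or transitively) on its output is skipped, and each
outcome is recorded in a log.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Job:
    name: str
    action: Callable[[], None]            # raises an exception on failure
    depends_on: List[str] = field(default_factory=list)


@dataclass
class Outcome:
    job: str
    status: str                           # "success", "failed" or "skipped"
    detail: str = ""


class JobScheduler:
    def __init__(self, jobs: List[Job]):
        self.jobs: Dict[str, Job] = {j.name: j for j in jobs}
        for job in jobs:
            for dep in job.depends_on:
                if dep not in self.jobs:
                    raise ValueError(f"{job.name} depends on unknown job {dep}")

    def ordered(self) -> List[str]:
        """Topological order (Kahn's algorithm); rejects circular dependencies."""
        remaining = {n: set(j.depends_on) for n, j in self.jobs.items()}
        order: List[str] = []
        while remaining:
            ready = sorted(n for n, deps in remaining.items() if not deps)
            if not ready:
                raise ValueError("circular dependency among: " + ", ".join(sorted(remaining)))
            for n in ready:
                order.append(n)
                del remaining[n]
                for deps in remaining.values():
                    deps.discard(n)
        return order

    def run(self) -> List[Outcome]:
        """Run the schedule once and return the log of every job's outcome."""
        log: List[Outcome] = []
        status: Dict[str, str] = {}
        for name in self.ordered():
            job = self.jobs[name]
            # Dependencies always precede the job in topological order
            blocked = [d for d in job.depends_on if status[d] != "success"]
            if blocked:
                status[name] = "skipped"
                log.append(Outcome(name, "skipped", "upstream not successful: " + ", ".join(blocked)))
                continue
            try:
                job.action()
                status[name] = "success"
                log.append(Outcome(name, "success"))
            except Exception as exc:      # any failure stops dependent jobs
                status[name] = "failed"
                log.append(Outcome(name, "failed", f"{type(exc).__name__}: {exc}"))
        return log


def demo_failed_dependency() -> Dict[str, str]:
    """transform fails, so load (which needs its output) must not run; report is independent."""
    ran: List[str] = []

    def fail_transform():
        raise RuntimeError("bad record on line 42")   # constructed failure

    jobs = [
        Job("load", lambda: ran.append("load"), depends_on=["transform"]),
        Job("transform", fail_transform, depends_on=["extract"]),
        Job("extract", lambda: ran.append("extract")),
        Job("report", lambda: ran.append("report")),
    ]
    outcomes = JobScheduler(jobs).run()
    assert "load" not in ran              # the dependent job was never executed
    return {o.job: o.status for o in outcomes}


if __name__ == "__main__":
    for job, status in demo_failed_dependency().items():
        print(f"{job:10s} {status}")
```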

System Interfaces
• System interfaces provide the ability to transfer data even if the systems use different programming languages or were created by different developers
• System interface categories:
o System-to-system interfaces facilitate the transfer of data between two systems, whether internal or external
o Partner-to-partner interfacing occurs when an organization needs two or more partner organizations to interface directly
o Person-to-person transfers are human interactions involving data exchange

System Interfaces Risks
• Problems with system-to-system interfaces can lead to pervasive errors if not corrected quickly
• Partner-to-partner interfaces can expose confidential data to a third party or a cybersecurity vulnerability through a partner organization
• Person-to-person interfaces are subject to human error, security exposure and repercussions from privacy issues that may not be caught in time
• Integrity of data exchange
• Data security
• Privacy
• Legal

System Interfaces Controls
• The organization has a program that tracks and manages all internal and external system interfaces and data transfers in line with business needs and goals
• Controls must be implemented to ensure that the data residing on the sending system is the same as the data recorded on the receiving system
• The organization should use encryption to protect data during transfer
• There should be control over nonrepudiation, which ensures that the intended recipient is the actual recipient of the data
• An audit trail and logs should be associated with the system interface; the organization needs to capture important information
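
As an added example, not from the slides, this Python code shows the control that checks that the data on the sending system equals what the receiving system recorded: the sender computes control totals and per-record hashes, the receiver recomputes them, and the comparison reports missing, extra or altered records. The invoice batch is constructed.

```python
"""Integrity check for a system-to-system data transfer.

The sending system computes control totals over the batch it sends; the
receiving system recomputes them over what it recorded and compares.
A hash per record lets the receiver pinpoint missing or altered records.
Both record sets below are constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class ControlTotals:
    record_count: int
    amount_total: int              # amounts in cents to avoid float drift
    batch_hash: str                # hash over all record hashes in id order
    record_hashes: Dict[str, str]  # record id -> hash of that record


def _record_hash(record: dict) -> str:
    # Canonical JSON so both sides hash identical bytes for identical records
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def control_totals(records: List[dict]) -> ControlTotals:
    hashes = {r["id"]: _record_hash(r) for r in records}
    if len(hashes) != len(records):
        raise ValueError("duplicate record ids in batch")
    batch = hashlib.sha256("".join(hashes[k] for k in sorted(hashes)).encode()).hexdigest()
    return ControlTotals(len(records), sum(r["amount_cents"] for r in records), batch, hashes)


def reconcile(sent: ControlTotals, received: ControlTotals) -> List[str]:
    """Return discrepancies between sender and receiver; empty means the transfer matched."""
    if sent.batch_hash == received.batch_hash:
        return []
    issues: List[str] = []
    if sent.record_count != received.record_count:
        issues.append(f"record count: sent {sent.record_count}, received {received.record_count}")
    if sent.amount_total != received.amount_total:
        issues.append(f"amount total: sent {sent.amount_total}, received {received.amount_total}")
    for rid in sorted(set(sent.record_hashes) - set(received.record_hashes)):
        issues.append(f"record {rid} missing on receiving system")
    for rid in sorted(set(received.record_hashes) - set(sent.record_hashes)):
        issues.append(f"record {rid} present on receiver but never sent")
    for rid in sorted(set(sent.record_hashes) & set(received.record_hashes)):
        if sent.record_hashes[rid] != received.record_hashes[rid]:
            issues.append(f"record {rid} altered in transit")
    return issues


def demo_reconciliation() -> List[str]:
    sent_batch = [
        {"id": "INV-1001", "customer": "C42", "amount_cents": 125000},
        {"id": "INV-1002", "customer": "C17", "amount_cents": 4999},
        {"id": "INV-1003", "customer": "C42", "amount_cents": 80000},
    ]
    # Receiver lost INV-1002 and recorded INV-1003 with a changed amount
    received_batch = [
        {"id": "INV-1001", "customer": "C42", "amount_cents": 125000},
        {"id": "INV-1003", "customer": "C42", "amount_cents": 8000},
    ]
    return reconcile(control_totals(sent_batch), control_totals(received_batch))


if __name__ == "__main__":
    for issue in demo_reconciliation():
        print(issue)
```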

End User Computing
• End-user computing (EUC) refers to the ability of end users (who typically are not programmers) to design and implement their own applications or information systems using computer software products
• Benefits:
o Quick deployment of applications
o Enables organizations to be more agile
o Removes some pressure from IT
• Risks:
o May not be subject to independent review
o May not have a formal department structure
• As a result, EUC applications:
o May contain errors and give incorrect results
o Are not subject to change management or release management, resulting in multiple, perhaps different, copies
o Are not secured
o Are not backed up

End User Computing Security Risks
• Authorization: There may be no security mechanism to authorize access to the system
• Authentication: There may be no security mechanism to authenticate users to the system
• Audit logging: Logging may not be available on standard EUC solutions (e.g., Microsoft Excel and Access)
• Encryption: The application may contain sensitive data that has not been encrypted or otherwise protected
• Data loss: Applications may not be properly backed up
• Compliance risk: Applications may store sensitive or private information
• Monitoring/auditing challenges: Applications may not be captured within IT inventories, hindering any monitoring processes
• Maintenance/security patching: Applications and databases may not be included in IT maintenance and security patching schedules

Shadow IT
• Shadow IT is the use of systems, services, hardware or software on an enterprise network or within an enterprise’s infrastructure without proper vetting and approval from the IT or cybersecurity department
• Risk: Shadow IT can be used within an organization to collaborate, develop software, share content, store and manipulate data or serve any number of other purposes without being reviewed, tested, approved, implemented or secured under the written policies and procedures of the organization’s IT and/or information security functions

Shadow IT Controls
• Shadow IT policy: A shadow IT policy that aligns with business objectives and supports security requirements
• IT department as a service-delivery organization: A culture that encourages and rewards the achievement of a strong and supportive relationship between the IT department and business units, with IT functioning in a consultative way
• IT budgeting and procurement: A requirement that the IT department review and approve all IT-related purchases
• IT system consolidation: Limiting the number of service providers, networks, platforms, devices and/or media used to store, process or transmit data, and consolidating applications to facilitate data management and consolidation of environments (e.g., data centers) to reduce the overall technology footprint
• User access and administrative rights: User administration rights or data access rights that are explicitly assigned. Unassigned users cannot freely install or adopt new applications
• User education: A formal IT user education program targeted at personnel in all business units
• User activity monitoring: Recording and monitoring user activity
• User data exchange: Establishing strong end-point controls

Operating Systems
• The OS contains programs that interface between the user, processor and application software
• Examples:
o IBM z/OS
o Windows
o Unix
o Linux

Operating Systems Reviews
• System software selection procedures
• Feasibility study and selection process
• System software security
• IT asset management
• System software implementation
• Authorization documentation
• System documentation
• System software maintenance activities
• System software change controls
• Controls over the installation of changed system software

Software Licensing
• An IS auditor should ensure that software copyright laws are followed by the organization. Any violation may lead to regulatory consequences, reputational loss, and financial loss by way of penalties.
• Even if an organization is using open source software, it is bound to abide by the terms and conditions of the software’s usage.
• The best way to determine the use of unauthorized software is to scan the entire network using automated tools and capture a list of installed software. This is followed by a review of this list by comparing it with the approved software list.

Free Software Licensing Types
• Open source: This software can be listed, modified, and redistributed as required. However, this should be done in accordance with the terms and conditions mentioned in the software license
• Freeware: Software is free but source code cannot be redistributed, for example, Adobe Reader
• Trial (Shareware): Software is available for free for a trial period and has limited functionality compared to the full version

Paid Software Licensing Types
• Per central processing unit (CPU): Depends on the power of the server, specifically the number of CPUs, and could include the number of CPU cores
• Per seat: Depends on the number of unique users of the system
• Concurrent users: Depends on the total number of software users within a predefined period
• Utilization: Depends on how busy the CPU is or the number of users that are active at any particular time
• Per device: Depends on the number of individual devices (NOT users) that connect to the software
• Enterprise: Usually allows unlimited use of the software throughout an organization without the need to apply any aforementioned rules, although there may be some restrictions
• Mixed: A mix of the previous license types (e.g., a per-seat license that allows only a certain number of devices for each user)

Other Software Licensing Types
• Transaction volume: Calculated based on the number of transactions, such as API call volume
• Data volume: Based on gigabytes sent or minutes processed
• Revenue share: Calculated as a percentage of revenue or transaction fees

IS Auditor in Detecting Software Licensing Violations
• Review the listing of all standard, used and licensed application and system software.
• Obtain copies of all software contracts to determine the nature of the license agreements (e.g., an unlimited enterprise license, per-seat license or individual copies).
• Scan the network to produce a list of installed software by leveraging the software inventory capabilities offered by asset and vulnerability management solutions to identify rogue equipment and to catalog installed software.
• Review a list of server specifications, including CPUs and cores, if required.
• Compare the license agreements with the installed software, noting any violations.
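
As an added example, not from the slides, this Python code carries out the final comparison step above, matching a scanned software inventory against license agreements of the types the slides list (per seat, per device, per CPU, enterprise) and reporting violations. The inventory, hosts and product names are constructed.

```python
"""Compare a network software inventory against license agreements.

Constructed data: an inventory as an automated scan would produce it
(host, software, users seen, CPU count) and the organization's license
records. License models follow the slides: per seat, per device, per CPU,
enterprise. Unlicensed software and over-deployment are reported.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class InstalledSoftware:
    host: str
    software: str
    users: frozenset          # user IDs observed using it on this host
    cpus: int = 1             # relevant only for per-CPU licenses


@dataclass(frozen=True)
class License:
    software: str
    model: str                # "per_seat" | "per_device" | "per_cpu" | "enterprise"
    quantity: int = 0         # ignored for enterprise


def usage_by_software(inventory: List[InstalledSoftware]) -> Dict[str, dict]:
    """Aggregate the scan: distinct devices, distinct users and total CPUs per product."""
    usage: Dict[str, dict] = defaultdict(lambda: {"devices": set(), "users": set(), "cpus": 0})
    for item in inventory:
        u = usage[item.software]
        u["devices"].add(item.host)
        u["users"] |= item.users
        u["cpus"] += item.cpus
    return usage


def find_violations(inventory: List[InstalledSoftware], licenses: List[License]) -> List[str]:
    """Return human-readable violations; an empty list means the inventory is compliant."""
    by_software = {lic.software: lic for lic in licenses}
    violations: List[str] = []
    for software, u in sorted(usage_by_software(inventory).items()):
        lic = by_software.get(software)
        if lic is None:
            violations.append(f"{software}: installed on {len(u['devices'])} device(s) with no license agreement")
            continue
        if lic.model == "enterprise":
            continue                      # unlimited use within the organization
        measured = {"per_seat": len(u["users"]), "per_device": len(u["devices"]), "per_cpu": u["cpus"]}
        if lic.model not in measured:
            violations.append(f"{software}: unknown license model '{lic.model}'")
            continue
        if measured[lic.model] > lic.quantity:
            violations.append(f"{software}: {lic.model} license for {lic.quantity}, in use {measured[lic.model]}")
    return violations


def demo_inventory_review() -> List[str]:
    inventory = [
        InstalledSoftware("ws-01", "OfficeSuite", frozenset({"alice"})),
        InstalledSoftware("ws-02", "OfficeSuite", frozenset({"bob", "carol"})),
        InstalledSoftware("ws-03", "OfficeSuite", frozenset({"dave"})),
        InstalledSoftware("db-01", "DBEngine", frozenset({"dba"}), cpus=8),
        InstalledSoftware("ws-02", "PhotoTool", frozenset({"bob"})),   # no agreement on file
        InstalledSoftware("ws-01", "AntiVirus", frozenset({"alice"})),
        InstalledSoftware("ws-03", "AntiVirus", frozenset({"dave"})),
    ]
    licenses = [
        License("OfficeSuite", "per_seat", 3),      # four distinct users seen
        License("DBEngine", "per_cpu", 4),          # server has eight CPUs
        License("AntiVirus", "enterprise"),
    ]
    return find_violations(inventory, licenses)


if __name__ == "__main__":
    for line in demo_inventory_review():
        print("VIOLATION:", line)
```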

Source Code Management
• Source code is a computer program that is created by a programmer; it is human-readable code
• Source code is converted into object code by assemblers and compilers; computers can understand object code but not source code
• If an application is developed by a third-party vendor, it is essential for the organization to have access to its source code
• If the source code is not supplied, it is important to arrange for an escrow agreement
• Access to the source code should be restricted
• Any update to the source code should be managed by using a Version Control System (VCS)
• Appropriate backups of the source code should be maintained

Capacity Management
• Capacity management is the process of planning and monitoring IT resources for their effective and efficient utilization
• It ensures the smooth expansion or reduction of resources as per business requirements
• It is necessary to obtain inputs from business users in order to manage capacity
• Capacity management should be reviewed and updated on at least an annual basis
• Advantages of capacity management:
o It ensures the availability of required resources at the optimal price
o It aligns IT resources as per the requirements of the business
o It reduces the risk of performance problems or failure through the constant monitoring of utilization thresholds

Problem and Incident Management
• The objective of problem management is to prevent the recurrence of an incident by identifying its root cause and taking appropriate preventive action
• The elements of problem management are investigation, in-depth analysis, root cause analysis, and addressing the issues identified during the root cause analysis
• Some widely accepted methodologies include fishbone analysis, Ishikawa cause and effect diagrams, 5 whys, and brainstorming. To prevent the recurrence of an incident, it is important to conduct a root cause analysis and address the issues
• The primary risk of lack of attention to problem management is the interruption of business operations
• The objective of problem management is reducing the number of incidents, whereas the objective of incident management is returning to a normal state as soon as possible after an incident, thereby minimizing the impact on the business
• An IS auditor should review problem reports and logs to ensure that problems are addressed in a time-bound manner
• For effective incident management, it is very important to design and implement a support model in an efficient manner. Ineffective support models will not be able to prevent and react to potential outages
• The best performance indicator for an outsourced help desk function is how quickly and effectively a solution is provided to users. It is vital to ensure that the end user is informed about the resolution and that consent for the resolution is obtained

Network Management Tools
• Response time reports: To determine the response time taken by the host system to address the user’s query
• Downtime reports: To determine and track the unavailability of telecommunication lines and circuits
• Help desk reports: To determine help desk activities, such as the nature of queries, number of open calls, turnaround time, and problems and their resolution
• Online monitors: To determine data transmission error and accuracy
• Network monitors: To provide real-time information on network nodes and status
• Network protocol analyzer: A network diagnostic tool to determine and monitor packets flowing along a link. It produces network usage reports
• Simple Network Management Protocol (SNMP): A TCP/IP-based protocol to monitor, control, and manage configuration. It collects statistics on performance and security
• Internet Control Message Protocol (ICMP): A network monitoring protocol specially designed for error reporting

Change Management Process
• A change management process is used to change hardware, install software, and configure various network devices. It includes approval, testing, scheduling, and rollback arrangements
• When implementing a change, all relevant personnel should be informed and specific approval should be obtained from the relevant information asset owners
• To carry out changes, it is always advisable to use individual IDs rather than generic or shared IDs
• Individual IDs help to establish accountability for any transaction
• For every change, transaction logs should be maintained. A transaction log is used as an audit trail for further investigation. A log should contain details such as date, time, user ID, terminal, and other relevant details of the transaction
• One of the most important aspects of change management control is code signing. Code signing provides assurance that software has been generated from a reputable source and that the code has not been modified after having been signed. The process employs the use of a hash function to determine the integrity and authenticity of code

Patch Management
• A patch is a set of changes to software that aim to update, fix, or improve it.
• It is important to test a patch before its implementation because patches may impact other systems and operations.
• Impact analysis is a very important aspect of patch management.
• Patch deployment without appropriate testing may result in system failure or disruption.

Release Management
• Software release management is the process of making software available to users
• The term release is used to describe a collection of authorized changes
• Major releases: Normally contain a significant change or addition of new functionality. A major upgrade or release usually supersedes all previous minor upgrades
• Minor software releases: Upgrades that normally contain small enhancements and fixes. A minor upgrade or release usually supersedes all preceding emergency fixes
• Emergency software releases: Fixes that require implementation as quickly as possible to prevent significant user downtime to business-critical functions
Configuration Management

• Configuration management is considered one of the key components of network management.
• It determines how the network functions, both internally and in its connections to external networks.
• It ensures that the setup and management of a network are done appropriately.
• Configuration management establishes a baseline software release. The baseline identifies the software and hardware components that make up a specific version of a system.
• If a new release fails, the baseline is the known-good point to which to return.
Operational Log Management

• Operational logs, or audit trails, track and record activities within an application, providing a historical record of actions performed, system events, and user interactions.
• Logs support the monitoring and investigation of security incidents and ensure accountability.
• Operational log management involves collecting, monitoring, analyzing, and storing the logs generated by the various systems, applications, and devices within an organization's IT infrastructure.
• Log records contain information about each event such as its type, time, location, source, outcome, and the identity of any individuals, subjects, or objects/entities associated with it.
• Many intruders will attempt to alter logs to hide their activities.
• Secure logging is needed to preserve the authenticity of evidence if logs are required for legal or court use.
Operational Log Management

• Logs must be protected from alteration. A common way to achieve this is to capture, centralize, and analyze the logs on a separate, hardened server using security information and event management (SIEM) software, so that compromising a monitored system does not also give the attacker control of its logs.
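A tamper-evident audit trail, as an added example that is not from the slides; it serves both the transaction-log requirement under change management (date, time, user ID, terminal) and the secure-logging point above. Each record carries the hash of the record before it, so editing or removing any entry breaks the chain from that point on and a verifier can report exactly where the log was altered. The record fields follow the slides; the three sample records, the function names and the `GENESIS` constant are constructed for this example.

```python
"""Added example: a tamper-evident (hash-chained) audit trail.

Not from the original slides. Each record stores the hash of the previous
record, so editing or deleting any earlier entry breaks every later hash.
This is the property a secure log server or SIEM relies on. The record
fields (timestamp, user, terminal, event type, source, outcome) follow the
slides; the sample records are constructed for the demo.
"""
import hashlib
import json
from typing import List, Optional

GENESIS = "0" * 64  # the "previous hash" of the very first record


def record_hash(prev_hash: str, record: dict) -> str:
    """Hash the previous hash plus a canonical (sorted-key) JSON encoding."""
    payload = prev_hash + json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode()).hexdigest()


def append(chain: List[dict], record: dict) -> dict:
    """Append a record, linking it to the previous entry."""
    prev_hash = chain[-1]["hash"] if chain else GENESIS
    entry = {"record": dict(record), "prev_hash": prev_hash}
    entry["hash"] = record_hash(prev_hash, entry["record"])
    chain.append(entry)
    return entry


def verify(chain: List[dict]) -> Optional[int]:
    """Return the index of the first bad entry, or None if the chain is intact."""
    prev_hash = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev_hash"] != prev_hash:
            return i  # link points at a record that is no longer its predecessor
        if record_hash(prev_hash, entry["record"]) != entry["hash"]:
            return i  # record content was changed after it was written
        prev_hash = entry["hash"]
    return None


# constructed sample change-management records (not real data)
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T09:02:11Z", "user": "jdoe", "terminal": "ws-042",
     "type": "CHANGE", "source": "fw-core-1", "outcome": "APPROVED", "change": "CHG-1001"},
    {"ts": "2024-05-01T09:05:40Z", "user": "jdoe", "terminal": "ws-042",
     "type": "CONFIG", "source": "fw-core-1", "outcome": "SUCCESS", "change": "CHG-1001"},
    {"ts": "2024-05-01T23:14:02Z", "user": "dba01", "terminal": "ws-007",
     "type": "DBA", "source": "db-prod-2", "outcome": "SUCCESS", "change": "CHG-1002"},
]


def build_chain(records=SAMPLE_RECORDS) -> List[dict]:
    chain: List[dict] = []
    for rec in records:
        append(chain, rec)
    return chain


def demo() -> dict:
    """Intact chains verify; an edited or deleted entry is located."""
    chain = build_chain()
    intact = verify(chain)                      # None

    edited = build_chain()
    edited[1]["record"]["user"] = "svc-batch"   # intruder rewrites who did it
    edited_at = verify(edited)                  # 1

    truncated = build_chain()
    del truncated[1]                            # intruder removes the middle entry
    deleted_at = verify(truncated)              # 1: entry 2 no longer links to entry 0
    return {"intact": intact, "edited_at": edited_at, "deleted_at": deleted_at}


if __name__ == "__main__":
    print(demo())
```

Hash chaining makes alteration detectable, not impossible: an intruder who can rewrite the whole chain from the edited record onward will still pass verification. That is why the chain, or at least its latest hash, should be forwarded to a log server or SIEM the intruder cannot write to, as the slide recommends.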
Log Management Cycle

[Figure: log management cycle diagram; not reproduced in this text extract.]
IT Service-Level Management

• A Service-Level Agreement (SLA) defines the nature, expectations, escalations, and other relevant information for the services being offered.
• The SLA should be documented in non-technical terms and serve as the basis for measuring and monitoring services.
• Service-level management is the process of defining, documenting, and managing service requirements.
• The following characteristics should be considered when defining an SLA:
  o Accuracy
  o Completeness
  o Timeliness
  o Security
IT Service-Level Management

• Service levels should be monitored at regular intervals to ensure that the objective of the service is achieved.
• When service delivery is outsourced, accountability for the service still rests with the service receiver.
• It is the organization's responsibility to ensure that the service provider uses data only for correct and agreed-upon purposes, and that the provider has appropriate controls in place to protect sensitive and critical data.
• An independent third-party audit report is the best assurance of the effectiveness of a service provider's controls.
Database Management

• A Database Management System (DBMS) helps to organize, control, and manage data. It aims to reduce data redundancy and improve access time, and to provide appropriate security for sensitive data.
• Advantages of database management:
  o Centralized data management reduces the cost, time, and effort needed to manage data.
  o It improves database performance by reducing data redundancy.
  o It improves the efficiency of transaction processing.
  o It ensures data consistency.
  o It provides security for sensitive data.
  o Various checks and controls in the DBMS ensure data integrity.
  o It provides a structured way to manage user access.
Database Structures

• Hierarchical Database Model
• Network Database Model
• Relational Database Model
• Object-Oriented Database Model
• NoSQL
Hierarchical Database Model

• This model is arranged logically in an inverted tree pattern.
• Records are logically organized into a hierarchy of relationships.
• All records in the hierarchy are called nodes.
• Each node is related to the others in a parent-child relationship. The top parent record in the hierarchy is called the root record.
• Each parent record may have one or more child records, but no child record may have more than one parent record.
• The hierarchical data structure implements one-to-one and one-to-many relationships.
Network Database Model

• In a network database model, each set is made up of an owner record and one or more member records.
• This model keeps all records in sets.
• The network model handles data redundancy more efficiently than the hierarchical model, because a record does not have to be duplicated in order to appear under more than one owner.
• Unlike the hierarchical model, the network model permits a record to be a member of more than one set at one time. This allows many-to-one and many-to-many relationship types.
• Network databases directly address the location of a record on disk. This gives excellent retrieval performance.
Relational Database Model

• In a relational database, all the tables are related through one or more common fields.
• Through these common fields, it is possible to connect all the tables in a database.
• For each table, one field (or combination of fields) is identified as the primary key, the unique identifier for each record in the table. A primary key value stored in another table is a foreign key, and it is used to join or combine data from two or more tables.
• Referential integrity means that every foreign key value in a related table matches an existing primary key value in the table it references.
• The data in primary (master) tables must therefore be consistent with the data in related tables (also known as foreign tables).
• Any change to a primary key must be applied to the associated foreign keys.
Relational Database Model

• Referential integrity prevents users from adding records to a foreign table if the referenced record does not exist in the primary table.
• Likewise, users cannot delete a primary key record while related records still exist in the foreign table.
Object-Oriented Database Model

• An object-oriented database is a collection of objects. Each object bundles its data with the program code (methods) that operates on that data, so the object can carry out a specific task on its own.
• The object-oriented database model manages these objects so that large and complex requests can be processed quickly.
• An object-oriented database provides a mechanism for storing complex data such as images, audio, and video.
Not Only SQL (NoSQL)

• NoSQL databases were developed in response to the rise in the volume of data stored on the Internet, commonly known as big data.
• Much of this data is unstructured: audio, video, tweets, logs, blogs, and so on.
• Such data does not break down neatly into the fixed rows and columns of a relational schema.
• Advantages of NoSQL databases include sharding (the ability to partition a database horizontally across database servers to spread the workload) and dynamic schemas.
• Common NoSQL databases include MongoDB and Cassandra.
Database Checks and Controls

• Concurrency control: prevents integrity issues during simultaneous updates by multiple users.
• Table link/table reference check: identifies table linking errors such as incomplete or inaccurate content in a database.
• Integrity constraint: allows only valid, predefined data to enter the database and prevents out-of-range data. It is a preventive control.
• Atomicity: ensures that either the entire transaction is processed or none of it is; partially executed transactions are rolled back and not processed.
• Structured Query Language (SQL): a standard query language whose use helps determine the portability of an application for connecting to a database.
• Referential integrity: prevents the deletion of a primary key record while foreign keys in related tables still reference it.
Database Checks and Controls

• Normalization: the process of removing duplicate data elements from a database, thereby improving the database's performance.
• Commitment and rollback controls: ensure that a transaction is completed in its entirety or not at all, preserving integrity.
• Tracing and tagging: used to test applications, systems, and controls.
• User spool and database limit controls: help to control space utilization and thus improve database query performance.
• Restore procedure: if a database is corrupted, it can be restored to its last archived version. This is a corrective control.
Database Checks and Controls

• Column- and row-level restrictions: restrict particular sensitive columns or rows of a database to a few authorized users, so there is no need to maintain a separate database for such sensitive information.
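Referential integrity, integrity constraints, and atomicity (commitment and rollback) as enforced by a real DBMS, as an added example that is not from the slides. It uses SQLite from the Python standard library with a constructed two-table schema (`customers` as the primary table, `orders` as the foreign table); the table names, sample rows, and helper names are the example's own. It also shows a configuration point an auditor should check: SQLite enforces foreign keys only when `PRAGMA foreign_keys` is ON, and with it off the orphan insert and the delete of a referenced customer both succeed silently.

```python
"""Added example: referential integrity and atomicity enforced by the DBMS.

Not from the original slides. Uses SQLite from the Python standard library
with a constructed two-table schema: customers is the primary (master)
table, orders is the foreign table. SQLite enforces foreign keys only when
PRAGMA foreign_keys is ON, which is itself a setting an auditor can check.
"""
import sqlite3


def open_db(enforce_fk: bool = True) -> sqlite3.Connection:
    """Create an in-memory database with one customer and one order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("PRAGMA foreign_keys = " + ("ON" if enforce_fk else "OFF"))
    conn.executescript(
        """
        CREATE TABLE customers (
            customer_id  INTEGER PRIMARY KEY,
            name         TEXT NOT NULL,
            credit_limit INTEGER NOT NULL CHECK (credit_limit BETWEEN 0 AND 100000)
        );
        CREATE TABLE orders (
            order_id    INTEGER PRIMARY KEY,
            customer_id INTEGER NOT NULL REFERENCES customers(customer_id),
            amount      INTEGER NOT NULL CHECK (amount > 0)
        );
        INSERT INTO customers VALUES (1, 'Acme Ltd', 5000);
        INSERT INTO orders VALUES (10, 1, 250);
        """
    )
    return conn


def try_exec(conn: sqlite3.Connection, sql: str) -> bool:
    """Run one statement; True if accepted, False if a constraint rejected it."""
    try:
        with conn:  # commit on success, roll back on exception
            conn.execute(sql)
        return True
    except sqlite3.IntegrityError:
        return False


def integrity_checks(enforce_fk: bool) -> dict:
    """The three rejections the slides describe, with FK enforcement on or off."""
    conn = open_db(enforce_fk)
    return {
        # orphan row: there is no customer 99 in the primary table
        "orphan_insert": try_exec(conn, "INSERT INTO orders VALUES (11, 99, 10)"),
        # primary-key row that orders.customer_id still references
        "delete_referenced": try_exec(conn, "DELETE FROM customers WHERE customer_id = 1"),
        # integrity constraint (preventive control): out-of-range value
        "out_of_range": try_exec(conn, "INSERT INTO customers VALUES (2, 'Bad Co', -1)"),
    }


def batch_insert(conn: sqlite3.Connection, amounts) -> int:
    """Insert several orders as ONE transaction: all of them or none of them.

    Returns the row count of orders afterwards, so the caller can see whether
    a failure part-way through left any partial work behind.
    """
    try:
        with conn:
            for i, amt in enumerate(amounts, start=100):
                conn.execute("INSERT INTO orders VALUES (?, 1, ?)", (i, amt))
    except sqlite3.IntegrityError:
        pass  # the rollback already happened inside the context manager
    return conn.execute("SELECT COUNT(*) FROM orders").fetchone()[0]


def demo() -> dict:
    conn = open_db()
    return {
        "fk_on": integrity_checks(True),
        "fk_off": integrity_checks(False),
        # second amount violates CHECK (amount > 0): nothing is kept, count stays 1
        "after_failed_batch": batch_insert(conn, [100, -5, 300]),
        # clean batch of two: count becomes 3
        "after_good_batch": batch_insert(conn, [100, 200]),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The batch insert shows the commitment-and-rollback control described above: the CHECK failure on the second row rolls back the first row as well, so the table is left exactly as it was before the batch started.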
Database Normalization

• Normalization is the process of reducing duplicate data and thus reducing data redundancy.
• Redundancy is considered undesirable in a database environment because it means more effort and storage are required to handle data.
• Denormalization is the deliberate decision not to apply (or to reverse) normalization, usually for performance. Denormalizing increases data redundancy.
• Disabling normalization results in more redundant data, which may affect the consistency and integrity of data.
• When an IS auditor observes that some tables in a database are not normalized, they should review the justification and the compensating controls for the denormalization.
Segregation of Duties

• The following are some of the routine activities of a DBA:
  o Making changes to database tables
  o Conducting backup and recovery procedures
  o Consulting on database interfaces
  o Using tools and techniques to optimize database performance
• The DBA must perform these activities using their named account (not a shared account) so that accountability is established.
• Logs should be captured for all database activities. Logs should be protected against modification, and DBAs should not be given access to the log server.
Segregation of Duties

• DBAs should not be allowed to perform the following activities:
  o Activities related to log capturing and the monitoring of DBA functions
  o End-user activities
  o Security patch updates for the operating system
Section B: Business Resilience

• Business Impact Analysis (BIA)
• Data Backup, Storage, and Restoration
• Business Continuity Plan (BCP)
• Disaster Recovery Plans (DRP)
Application Resiliency – Clustering

• Clustering helps to protect an application against a disaster. The aim of clustering is to provide high availability of the system.
• Application clustering often refers to a method of managing many servers through software. Clustered servers can help to create fault-tolerant systems and provide quicker responses and more capable data management for large networks.
• An application that is clustered is protected against a single point of failure.
• Application clusters can be either active-passive or active-active.
• In an active-passive setup, the application runs only on one active node; the passive nodes take over only if the application fails on the active node.
Application Resiliency – Clustering

• In an active-active setup, the application runs on every node in the cluster at the same time. An active-active setup, though more expensive than an active-passive setup, provides faster application recovery, load balancing, and scalability.
Telecommunication Network Resiliency

• In today's business environment, it is important to arrange for redundant telecommunication and network devices in order to ensure the continuity of business operations. The following are network protection methods:
  o Redundancy
  o Alternative routing
  o Last-mile circuit protection
  o Long-haul network diversity
  o Diverse routing
  o Voice recovery
  o Satellite connectivity
Telecommunication Network Resiliency

• Redundancy:
  o Providing extra capacity with a plan to use the surplus capacity if the normal primary transmission capability is unavailable. For a LAN, a second cable can be installed through an alternate route so that service survives damage to the primary cable.
  o Providing multiple paths between routers.
  o Using dynamic routing protocols, such as Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP), which reroute traffic automatically when a link fails.
  o Providing failover devices to avoid single points of failure in routers, switches, firewalls, etc.
  o Saving configuration files so that network devices such as routers and switches can be rebuilt if they fail.
Telecommunication Network Resiliency

• Alternative Routing:
  o Routing information through alternative media, such as copper or fiber-optic cables.
  o Other examples include cellular and microwave communication as alternatives to land circuits, and couriers as alternatives to electronic transmission.
• Last-mile Circuit Protection:
  o Last-mile circuit protection creates redundancy for local communication (the link between the customer premises and the carrier).
Telecommunication Network Resiliency

• Long-haul Network Diversity:
  o Creates redundancy for long-distance communication.
• Diverse Routing:
  o In diverse routing, a single cable facility is split so that traffic can follow two physically separate paths, whereas in alternative routing two entirely different cables (or media) are used.
• Voice Recovery:
  o Redundant cabling and Voice over Internet Protocol (VoIP) are common approaches for dealing with failures of voice communication.
Telecommunication Network Resiliency

• Satellite Connectivity:
  o In some locations, certain telecommunication options are not available.
  o Broadband satellite service and temporary satellite options can provide connectivity that is independent of cellular networks, which depend on towers.
Data Storage Resiliency

• Redundant Array of Independent Disks (RAID) is a data storage virtualization technology that combines multiple physical disk drives into one or more logical units for the purposes of data redundancy, performance improvement, or both.
• RAID is used to improve the performance and reliability of data storage systems. It can create large logical disks from multiple physical disks or multiple logical disks from a single physical disk.
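How RAID achieves redundancy, as an added example that is not from the slides and is more specific than they are: the slides describe RAID in general, while this models the XOR parity used by striped-with-parity levels (RAID 5 style). Data is split into fixed-size blocks striped across the data disks, a parity block stores the XOR of each stripe, and a single failed disk (data or parity) is rebuilt from the survivors. `BLOCK`, the function names, and the sample payload are constructed for the example; real arrays rotate the parity block across disks and use far larger blocks.

```python
"""Added example: how RAID parity provides redundancy.

Not from the original slides. Shows the XOR parity used by striped-with-
parity RAID levels (RAID 5 style): data is striped across N data disks, a
parity block holds the XOR of each stripe, and any single lost disk is
rebuilt from the survivors. Block size and payload are constructed.
"""
from typing import List, Optional

BLOCK = 4  # bytes per block (tiny, for illustration)


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, b in enumerate(blk):
            out[i] ^= b
    return bytes(out)


def write_stripes(data: bytes, n_data_disks: int) -> List[List[bytes]]:
    """Return disks[d][s]: the block on disk d for stripe s.

    Disk index n_data_disks is the parity disk (parity is not rotated here).
    """
    padded = data + b"\x00" * (-len(data) % (BLOCK * n_data_disks))
    disks: List[List[bytes]] = [[] for _ in range(n_data_disks + 1)]
    stripe_len = BLOCK * n_data_disks
    for s in range(0, len(padded), stripe_len):
        stripe = padded[s:s + stripe_len]
        chunks = [stripe[i:i + BLOCK] for i in range(0, stripe_len, BLOCK)]
        for d, chunk in enumerate(chunks):
            disks[d].append(chunk)
        disks[n_data_disks].append(xor_blocks(chunks))  # parity block
    return disks


def rebuild_disk(disks: List[Optional[List[bytes]]], failed: int) -> List[bytes]:
    """Reconstruct a failed disk (data or parity) by XORing all survivors.

    Raises if a second disk is also missing: single parity cannot cover it.
    """
    survivors = [d for i, d in enumerate(disks) if i != failed]
    if any(d is None for d in survivors):
        raise ValueError("only one failed disk can be rebuilt with single parity")
    return [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]


def read_data(disks: List[List[bytes]], n_data_disks: int, length: int) -> bytes:
    """Reassemble the original payload from the data disks (drop padding)."""
    out = bytearray()
    for s in range(len(disks[0])):
        for d in range(n_data_disks):
            out += disks[d][s]
    return bytes(out[:length])


def demo() -> dict:
    payload = b"RAID parity demo: payroll.csv contents"  # constructed
    n = 3
    disks = write_stripes(payload, n)

    lost = 1
    degraded = list(disks)
    degraded[lost] = None                         # data disk 1 fails
    degraded[lost] = rebuild_disk(degraded, lost)  # rebuilt from disks 0, 2 and parity
    recovered = read_data(degraded, n, len(payload))

    two_failures = list(disks)
    two_failures[0] = None
    two_failures[2] = None
    try:
        rebuild_disk(two_failures, 0)
        second_ok = True
    except ValueError:
        second_ok = False

    return {"rebuilt_matches": degraded[lost] == disks[lost],
            "recovered": recovered,
            "two_failures_recoverable": second_ok}


if __name__ == "__main__":
    print(demo())
```

Single parity protects against exactly one failure at a time; the `two_failures` case shows the rebuild refusing rather than returning garbage, which is the scenario a second failure during a long rebuild creates and the reason parity RAID is not a substitute for backups.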
Data Backup and Restoration

• In information technology, a backup, or data backup, is a copy of computer data taken and generally stored in a remote location so that it can be used later to restore the original data after a data loss event. Data loss can be the result of many internal or external factors, including computer viruses, hardware failure, file corruption, fire, natural calamities, and hacking attacks.
• An organization should have a documented backup and recovery policy that clearly identifies the types of data and information for which backups are mandatory.
Offsite Library Controls

• Secure physical access to library contents, ensuring only authorized personnel have access.
• Encrypt backup media, especially in transit.
• Ensure that the physical construction can withstand fire, heat, water, etc.
• Locate the library away from the data center, preferably in a facility not subject to the same disaster event, to avoid the risk of one disaster affecting both facilities.
• Ensure that an inventory of all storage media and files stored in the library is maintained for the specified retention time.
• Ensure that a record of all storage media and files moved into and out of the library is maintained for the specified retention/expiration time.
• Ensure that a catalog of the versions and locations of data files is maintained for the specified retention time and protected against unauthorized disclosure.
Cloud Backup

• Encrypt data in transit as it traverses the Internet to reach the remote data center.
• Ensure that data is stored encrypted in the cloud library and that access to the encryption keys is granted only on a need-to-know basis.
• Verify that backup and restore times are adequate to meet the RTOs and RPOs. Note that a typical restore test is performed only on samples, so the times observed may understate what a full restore would take.
Types of Media

[Figure: backup media types; not reproduced in this text extract.]
Types of Disk-Based Backup Systems

• Virtual tape library (VTL) systems consist of disk storage and software that control backup and recovery data sets. To an external user (the backup and recovery software), a VTL behaves like a conventional tape library; however, the data is stored on a disk array.
• Host-based replication is executed at the host (server) level by special software running on the source host and on the target server.
• Disk-array-based replication is like host-based replication, except that the replication is performed at the disk array level, completely hidden from servers and applications.
• Snapshot technology is flexible, allowing different momentary copies of volumes or file systems. Depending on the type of snapshot, either a full copy is created each time or only the changed blocks of data or files are replicated.
Backup Schemes

• Full backup:
  o The entire database is backed up every time, regardless of previous backups.
  o A full backup consumes a lot of time and space, but a restore needs only the single most recent set.
• Differential backup:
  o Covers only the data created or changed since the last full backup.
  o Faster and requires less media capacity than a full backup; a full restoration requires only the last full backup and the last differential backup set. It restores more quickly than incremental backups but is slower to take and uses more media than incremental backups, because the backed-up data is cumulative.
• Incremental backup:
  o Covers only the data created or changed since the last backup of any kind (either a full backup or another incremental backup).
  o The fastest backup method and requires the least media capacity, but restoration must apply every backup set taken since the last full backup, so it takes the longest.
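The three schemes from the table, as an added example that is not from the slides: a constructed four-day change history (`STATES`) is backed up under each scheme and the state of day 3 is restored, counting how many sets the restore has to read and how many bytes the scheme stored. The file contents, the function names, and the byte totals are the example's own; deleted files are not modelled, since none of the schemes in the table removes files on restore.

```python
"""Added example: which backup sets a restore needs under each scheme.

Not from the original slides. Models a few days of file changes
(constructed), takes a full backup on day 0 and then full, differential or
incremental backups, and restores the state of a given day. Comparing the
number of sets read and the bytes stored shows the trade-off in the table.
Deletions are not modelled.
"""
from typing import Dict, List, Tuple

FileSet = Dict[str, bytes]


def diff_since(current: FileSet, baseline: FileSet) -> FileSet:
    """Files that are new or changed relative to baseline."""
    return {name: data for name, data in current.items() if baseline.get(name) != data}


def plan_backups(states: List[FileSet], scheme: str) -> List[Tuple[str, FileSet]]:
    """Day 0 is always a full backup; later days follow the scheme."""
    backups: List[Tuple[str, FileSet]] = [("full", dict(states[0]))]
    for day in range(1, len(states)):
        if scheme == "full":
            backups.append(("full", dict(states[day])))
        elif scheme == "differential":   # everything since the last FULL
            backups.append(("differential", diff_since(states[day], states[0])))
        elif scheme == "incremental":    # everything since the last backup of any kind
            backups.append(("incremental", diff_since(states[day], states[day - 1])))
        else:
            raise ValueError(scheme)
    return backups


def restore(backups: List[Tuple[str, FileSet]], day: int) -> Tuple[FileSet, int]:
    """Rebuild the state of `day`; return (files, number of sets that had to be read)."""
    kind = backups[day][0]
    if kind == "full":
        needed = [backups[day]]
    elif kind == "differential":
        needed = [backups[0], backups[day]]   # last full + last differential
    else:
        needed = backups[: day + 1]           # full + every incremental since
    state: FileSet = {}
    for _, files in needed:                   # apply in chronological order
        state.update(files)
    return state, len(needed)


def media_used(backups: List[Tuple[str, FileSet]]) -> int:
    """Total bytes written to backup media by the whole schedule."""
    return sum(len(data) for _, files in backups for data in files.values())


# constructed change history: day 0 baseline, then small edits each day
STATES: List[FileSet] = [
    {"a.txt": b"aaaa", "b.txt": b"bbbb", "c.txt": b"cccc"},
    {"a.txt": b"aaaa", "b.txt": b"bbbX", "c.txt": b"cccc"},
    {"a.txt": b"aaYY", "b.txt": b"bbbX", "c.txt": b"cccc"},
    {"a.txt": b"aaYY", "b.txt": b"bbbX", "c.txt": b"cccc", "d.txt": b"dd"},
]


def compare(day: int = 3) -> Dict[str, dict]:
    """Restore `day` under each scheme and report correctness, sets read, bytes stored."""
    results: Dict[str, dict] = {}
    for scheme in ("full", "differential", "incremental"):
        backups = plan_backups(STATES, scheme)
        state, sets_read = restore(backups, day)
        results[scheme] = {"correct": state == STATES[day],
                           "sets_read": sets_read,
                           "bytes_stored": media_used(backups)}
    return results


if __name__ == "__main__":
    for scheme, r in compare().items():
        print(f"{scheme:12s} correct={r['correct']} sets_read={r['sets_read']} "
              f"bytes_stored={r['bytes_stored']}")
```

The numbers reproduce the table's trade-off: full backups store the most and restore from one set, incremental stores the least but must replay every set since the last full, and differential sits between them, needing only the last full plus the last differential.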
Business Continuity Plan

• The objective of the BCP process is to manage and mitigate the risk of disaster so as to ensure the continuity of business operations. It is important that the BCP is reviewed and approved by senior management.
• Senior management approval ensures that the BCP is aligned with the business goals.
BCP Life Cycle

[Figure: BCP life cycle diagram; not reproduced in this text extract.]
Business Continuity Policy

• A business continuity policy is a document approved by top management that defines the extent and scope of the organization's business continuity effort (a project or an ongoing program).
Risk Assessment

• The BCP should be reviewed for adequacy every time a risk assessment is conducted, to ensure that the BCP is aligned with the findings of the organization's latest risk assessment.
• Based on the risk assessment, the worst-case scenarios and corresponding strategies can be incorporated into the BCP.
Business Impact Analysis

• The BIA is a process to determine and evaluate the impact of disruption on business processes and to prepare accordingly to deal with such events.
• The BIA identifies the critical processes whose disruption would have a considerable impact on the business, and determines which processes must be recovered first to ensure the organization's survival.
• To conduct a successful BIA, it is necessary to understand the organization, its key business processes, and its dependency on IT and other resources. This can be determined from the outcome of the risk assessment.
• The involvement of senior management, the IT department, and end users is critical for a successful BIA.
Business Impact Analysis

• The following are some of the approaches to performing a BIA:
  o Questionnaire approach: a detailed set of questions is developed and circulated among key users. The information obtained is then tabulated and analyzed to develop the BIA.
  o Interview approach: key users are interviewed. The information obtained is then tabulated and analyzed to develop the BIA.
  o Meeting approach: meetings are held with key users to ascertain the potential business impact of various disruptions.
• The BIA team should also consider past transaction history to determine the possible impact if systems are unavailable because of a particular incident.
Business Impact Analysis

• To determine the business impact, two independent cost factors need to be considered. The first is the cost of downtime, for example lost sales, the cost of idle resources, and interest costs. The second is the cost of alternative corrective measures, such as activating the BCP and other recovery costs.
• Once the BIA is available for each process, the processes that need to be recovered first must be prioritized. This criticality analysis should be performed in coordination with IT and business users.
• The business process owner possesses the most relevant information and is therefore regarded as the best source for determining process criticality.
Business Impact Analysis

• Once the critical assets have been determined through the BIA, the next step is to develop a recovery strategy that ensures the recovery of critical assets as soon as possible to minimize the impact of the disaster. A recovery strategy is primarily influenced by the BIA.
• The BIA and the risk assessment share almost the same elements, except for the downtime analysis, which is an additional component of the BIA. A downtime analysis determines the acceptable system downtime.
• The primary criterion for determining the severity of a service disruption is the period for which the system will remain down: the longer the downtime, the greater the severity of the disruption.
Classification of Systems

• Critical: these functions cannot be performed unless they are replaced by identical capabilities. Critical applications cannot be replaced by manual methods. Tolerance to interruption is very low; therefore, the cost of interruption is very high.
• Vital: these functions can be performed manually, but only for a brief period. There is a higher tolerance to interruption than for critical systems and, therefore, somewhat lower interruption costs, provided that functions are restored within a certain time frame (usually five days or less).
• Sensitive: these functions can be performed manually, at a tolerable cost and for an extended period. While they can be performed manually, it is usually a difficult process that requires additional staff.
• Nonsensitive: these functions may be interrupted for an extended period, at little or no cost to the company, and require little or no catching up when restored.
Contents of the BCP

[Figure: contents of the BCP; not reproduced in this text extract.]
Plan Testing

• Paper test/desk-based evaluation: the staff concerned walk through the BCP and discuss what might happen if a service disruption of a particular type occurs.
• Preparedness test: preparedness is verified in a localized environment with the help of a simulated system crash. This is a cost-effective way to determine the adequacy of the plan and provides an opportunity to improve it incrementally. It is regarded as a localized version of a full test, in which resources are expended only on the simulation of a system crash. A preparedness test consists of a phased simulation of the entire environment at a reasonable cost and helps the recovery team understand the challenges associated with the actual test scenario.
Plan Testing

• Full operational test: the BCP is exercised in the context of actual service disruption involving a complete shutdown of operations. A full operational test should be conducted only after the paper test and the preparedness test have been carried out. It is costly, time-consuming, and involves many challenges.
Auditing Business Continuity

• Reviewing the business continuity plan:
  o Review the document
  o Review the applications covered by the plan
  o Review the business continuity teams
  o Review plan testing
  o Evaluate prior test results
• Evaluating offsite storage:
  o Evaluate security at the offsite facility
• Interviewing key personnel
• Reviewing the alternative processing contract
• Reviewing insurance coverage
BCP Requirements from the Perspective of an IS Audit

[Figure: BCP requirements from the IS audit perspective; not reproduced in this text extract.]
Disaster Recovery Plans (DRP)

• A Disaster Recovery Plan (DRP) is a set of documented processes to recover and protect a business's IT infrastructure in the event of a disaster. It contains the actions to be taken before, during, and after a disaster.
• Disaster recovery planning is a continuous process.
• Disaster recovery planning outcomes:
  o Changes to the IT infrastructure
  o DRPs, developed as part of the DR process, that direct the response to incidents ranging from simple emergencies to full-blown disasters
The BCP versus the DRP

• The DRP is a part of the BCP.
• The objective of the BCP is to keep business operations functioning, either from an alternate location or by means of alternative tools and processes.
• The objective of the DRP is to restore normal business operations and advance the recovery from a disaster.
• The BCP is the overall architecture for business continuity, whereas the DRP is the technological aspect of the BCP, with more focus on IT systems and operations.
RTO/RPO

• Recovery Time Objective (RTO): the acceptable downtime in case of a disruption of operations; the system must be restored within this time.
• Recovery Point Objective (RPO): the acceptable data loss in case of a disruption of operations, expressed as the point in time to which data must be recovered; it drives how frequently backups must be taken.
Other Parameters

• Mean Time to Repair (MTTR) is the average time it takes to repair a failed system or device.
• The interruption window is the maximum period the organization can wait from the point of failure until the critical services/applications are restored.
• The service delivery objective (SDO) is the level of service to be reached during the alternate processing mode until the normal situation is restored.
• The maximum tolerable outage (MTO) is the maximum time the organization can support processing in the alternate mode.
Recovery Alternatives

[Figure: overview of recovery site alternatives; not reproduced in this text extract.]
Recovery Alternatives

• Mirrored site:
  o A fully redundant site with real-time data replication from the production site.
  o Mirrored sites are fully equipped and staffed and can assume critical processing with no interruption perceived by the users.
  o The cost of maintaining a mirrored site is very high compared with the other alternatives.
• Hot site:
  o A facility with space and basic infrastructure and all the IT and communications equipment required to support critical applications, along with office furniture and equipment for use by the staff.
  o Hot sites usually maintain installed versions of the programs required to support critical applications.
Recovery Alternatives

  o Data may also be duplicated to the hot site in real or near-real time. If not, the most recent backup copies of data may need to be loaded before critical applications can be resumed.
  o Employees are usually transferred from the primary site to the hot site to support operations upon activation.
• Warm site:
  o A complete infrastructure, partially configured with IT, usually with network connections and essential peripheral equipment such as disk drives and controllers.
  o The equipment may be less capable than the standard production equipment yet still adequate to sustain critical applications on an interim basis.
  o Typically employees would be transferred to the warm site, and current versions of programs and data would need to be loaded before operations could resume there.
Recovery Alternatives

• Mobile site:
  o A packaged, modular processing facility mounted on transportable vehicles and kept ready to be delivered and set up at a location that may be specified upon activation.
• Reciprocal agreements:
  o Agreements between separate but similar companies to temporarily share their IT facilities if one company loses processing capability.
  o A reciprocal agreement is the least expensive alternative, as it relies solely on an arrangement between the two firms.
• Reciprocal agreements with other organizations:
  o Agreements between two or more organizations with unique equipment or applications.
Recovery Alternatives Summary

[Figure: comparison table of recovery alternatives; not reproduced in this text extract.]
Organization and Assignment of Responsibilities

• The DRP should identify the teams and their assigned responsibilities in the event of an incident or disaster.
Disaster Recovery Testing

• Critical applications and infrastructure are identified for testing based on the risk assessment and the BIA.
• These should be developed into a testing schedule.
• Types of tests:
  o Checklist review: recovery checklists are distributed to all recovery team members to review and to ensure that the checklist is current.
  o Structured walk-through: team members walk through the plans on paper and review each step to assess its effectiveness and identify enhancements, constraints, and deficiencies.
  o Simulation test: the recovery team role-plays a prepared disaster scenario without activating processing at the recovery site.
Disaster Recovery Testing

  o Parallel test: the recovery site is brought to operational readiness, but operations at the primary site continue normally.
  o Full interruption test: operations are shut down at the primary site and shifted to the recovery site following the recovery plan; this is the most rigorous form of testing but is expensive and potentially disruptive.
• Testing objectives:
  o Verify the completeness and precision of the response and recovery plan.
  o Evaluate the performance of the personnel involved in the exercise.
  o Appraise the demonstrated training and awareness level of individuals who are not part of the recovery/response team.
Disaster Recovery Testing

  o Evaluate coordination among team members and external vendors and suppliers.
  o Measure the ability and capacity of the backup site to perform the prescribed processing.
  o Assess the vital records retrieval capability.
  o Evaluate the state and quantity of equipment and supplies relocated to the recovery site.
  o Measure the overall performance of operational and IS systems processing activities related to maintaining the business entity.
Post-assessment

[Link]

Thank You!