IT Service Delivery and Support
DESCRIPTION
Chapter No. 4. IT Service Delivery and Support. HARDWARE REVIEWS (p-272). Capacity management: continuous review of HW and SS performance and capacity - PowerPoint PPT Presentation
TRANSCRIPT
Chapter # : 04 - CISA 1
IT Service Delivery and Support
Chapter No. 4
Chapter # : 04 - CISA 2
HARDWARE REVIEWS : (p-272)
• Capacity management
– Continuous review of HW and SS performance and capacity
– Performance monitoring is based on historical data and the IS trouble log, processing schedules, job accounting system reports, and preventive maintenance schedules and reports.
• Hardware acquisition:
– The plan is compared regularly to management's business plans
– Whether the environment is adequate for current and new installations
– Technical obsolescence of existing and new HW
– Proper documentation
Chapter # : 04 - CISA 3
HARDWARE REVIEWS :
• PC acquisition criteria
– Policy regarding acquisition and usage of PCs
– Criteria and procedure for approval and acquisition of PCs
– Supporting cost-benefit analysis
– Acquisition through IS purchasing to take advantage of volume discounts and quality
• Review change management controls for:
– Timely instructions to personnel to change HW configuration
– Allowance of adequate time for installation and testing of HW
– Selection of a sample of HW changes and procedures
– Ascertain that HW changes are communicated to all concerned
– Effectiveness of the change, so that it does not interfere with the normal course of production / action
Chapter # : 04 - CISA 4
OPERATING SYSTEM REVIEWS : (p-273)
During auditing of operating software development, acquisition or maintenance, the following approaches may be adopted:
• Interview Technical Services:
– Regarding the approval process, test procedures, implementation process and documentation requirements
• System software selection procedures:
– Include IS processing and control requirements, the software's capabilities and control options
• Feasibility and selection process:
– Consistent with the proposed system objectives and purposes. Same criteria for all proposals
Chapter # : 04 - CISA 5
OPERATING SYSTEM REVIEWS :
• Review cost/benefit analysis:
– For direct financial cost, maintenance, requirement and capacity of HW, training and technical support, and impact on data security
• Review controls over installation of changed system software:
– That all levels of software have been implemented with the least impact on IS processing, tests are completed, debugging is done, and problem resolution is assured
• Review of maintenance activities:
– Ensure that changes in system software are documented and that the vendor supports the latest version
Chapter # : 04 - CISA 6
OPERATING SYSTEM REVIEWS :
• System software change controls:
– Controlled access to libraries for concerned individuals only; changes must be documented and tested before implementation; proper approval to convert from testing mode to production
• Review of system documentation:
– For installation control statements, parameter tables, exit conditions, and activity logs/reports
• Test controls during implementation of SS:
– Change procedures, authorization procedures, access security features, documentation requirements, audit trail, and access control over the software in production
Chapter # : 04 - CISA 7
OPERATING SYSTEM REVIEWS :
• Review authorization documentation:
– Authorization of additions, deletions, or changes has been documented, and attempted violations are reported
• Review system software security:
– Logical security access controls are safe from being circumvented; procedures to limit access to system interrupts; security provided by software; physical security of the master console
• Database-supported IS controls, to find that:
– Data access and organization are appropriate; change procedures ensure integrity; the data dictionary is maintained; data redundancy is minimized
Chapter # : 04 - CISA 8
DATABASE REVIEWS : (p-274)
• Design:
– The database model is verified and primary and foreign keys are identified. The logical schema, including entities and their relationships, and the physical schema, including tables, logs and indexes, are reviewed.
• Access:
– Indexes are used to provide efficient access to the required data.
• Administration:
– Security levels for users and their roles are well justified. Backup and recovery procedures are established. Consistency and integrity under concurrent accesses are adequately handled.
Chapter # : 04 - CISA 9
DATABASE REVIEWS :
• Interfaces:
– Integrity and confidentiality of data during interfacing with other systems.
• Portability:
– Structured Query Language (SQL) is used as much as possible.
Chapter # : 04 - CISA 10
LOCAL AREA NETWORK REVIEWS : (p-275)
• Physical controls:
– Physical controls should protect the LAN hardware and the access points to the LAN by limiting access to authorized personnel only.
– LAN hardware devices, wiring closet, cabling
– Keys to the LAN file server
– LAN file server locking and prevention
• Test of physical controls:
– Check all of the above factors
Chapter # : 04 - CISA 11
LOCAL AREA NETWORK REVIEWS :
• Environmental controls:
– Static electricity / surges
– Power supply controls
– UPS
– Free of dust, smoke and food; humidity
• LAN logical security:
– Unique encrypted passwords
– Written authorization
– Automatic disabling of unused displays after a period of time
– Logon attempts log
– Information about the communication lines connected
• Test of logical security:
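The logical-security items on this slide (logon attempts log, written authorization) turned into an audit test, as an added example that is not part of the slide deck: it runs over a constructed logon-attempt log and lists the exceptions an auditor would expect the site's own reporting to surface. The log format, the five-failure threshold, the ten-minute window and the approved-workstation list are assumptions.

```python
"""Logical-security test over a constructed LAN logon-attempt log.
Added example, not from the slides; log format, threshold, window and the
approved-workstation ("written authorization") list are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: <timestamp> <user> <workstation> <result>
SAMPLE_LOG = """\
2024-03-01T08:00:01 alice WS-101 SUCCESS
2024-03-01T08:00:05 bob WS-102 FAILURE
2024-03-01T08:00:09 bob WS-102 FAILURE
2024-03-01T08:00:12 bob WS-102 FAILURE
2024-03-01T08:00:15 bob WS-102 FAILURE
2024-03-01T08:00:18 bob WS-102 FAILURE
2024-03-01T08:00:21 bob WS-102 SUCCESS
2024-03-01T09:30:00 carol WS-999 SUCCESS
"""
# Assumed control parameters an auditor would take from the site's policy.
FAILURE_THRESHOLD = 5                         # failures at which lockout is expected
WINDOW = timedelta(minutes=10)                # failures must fall within this window
APPROVED_WORKSTATIONS = {"WS-101", "WS-102"}  # the written-authorization list

def parse_log(text):
    """Parse log lines into (timestamp, user, workstation, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, ws, result = line.split()
            events.append((datetime.fromisoformat(ts), user, ws, result))
    return events

def logical_security_exceptions(events):
    """Return (finding, user, workstation) tuples for the auditor's working papers."""
    findings = []
    recent_failures = defaultdict(list)       # user -> failure timestamps inside WINDOW
    for ts, user, ws, result in events:
        if result == "FAILURE":
            window = [t for t in recent_failures[user] if ts - t <= WINDOW] + [ts]
            recent_failures[user] = window
            if len(window) == FAILURE_THRESHOLD:      # report once, at the threshold
                findings.append(("repeated_failures", user, ws))
        elif result == "SUCCESS":
            if ws not in APPROVED_WORKSTATIONS:
                findings.append(("unapproved_workstation", user, ws))
            # success straight after the threshold shows the lockout never engaged
            if len(recent_failures[user]) >= FAILURE_THRESHOLD:
                findings.append(("no_lockout_after_failures", user, ws))
            recent_failures[user] = []
    return findings
```

A clean log produces an empty list; each finding names the control that failed, the account and the workstation, which is the evidence the auditor files against the checklist item.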
Chapter # : 04 - CISA 12
NETWORK OPERATING CONTROL REVIEWS :
• In a DDP network there should be appropriate implementation, conversion and acceptance test plans
• Test plans for network hardware communication
• Ensuring consistency with laws governing transmission of data
• Identify the sensitive files/databases and their security
• Restart and recovery mechanism
• Assurance of minimum effect due to any failure
• Changes in the OS at the user site should be controlled by IS management
• Access to only allowed applications and data
• Encryption is being used for sensitive data
• Security policies are implemented in the following applied environments:
– Highly distributed
– Distributed
– Mixed
– Centralized
– Highly centralized
Chapter # : 04 - CISA 13
IS OPERATION REVIEW : (p-276)
• Computer operations: restricting operators' access capabilities to:
– Libraries
– Limited peripheral equipment
– Correcting programs
– System fixes, production source code, data libraries
• Scheduling:
– Recording of jobs
– Processing on a predetermined basis
– Exception processing
– Executing
• Identify the sensitive files/databases and their security
• Restart and recovery mechanism
• Assurance of minimum effect due to any failure
• Re-run handling
Chapter # : 04 - CISA 14
IS OPERATION REVIEW :
• File handling procedures:
– Control the receipt and release of files and storage media to/from other locations
– Audit procedures should include a review that these procedures are in line with management's intent and authorization
• Data entry controls:
– Authorization of input documents
– Reconciliation of totals
– Segregation of duties
• Auditing of the above controls and, in addition, the production and review of control reports and their accuracy and completeness.
Chapter # : 04 - CISA 15
LIGHTS-OUT OPERATIONS :
• Remote access:
– Secure and leased line/dial-back should be used for extensive access security to the remote terminal in case of contingency
• Contingency plan for proper identification of a disaster, and its testing
• Program change controls and access controls, and their periodic testing
• Errors should not be hidden by software
Chapter # : 04 - CISA 16
PROBLEM MANAGEMENT REPORTING REVIEWS
• Interview with IS operations personnel (p-278)
• Procedures to record, evaluate and resolve or escalate problems
• Performance records
• Review of the reasons for delays in processing by application software
• Review of the procedure for collecting on-line processing performance
• Establishment of procedures for handling data processing problems
• Assurance of resolution of all identified problems
• Prevention of recurring problems
• Resolution of problems in a timely and complete manner
• IS management reporting produced by the problem management system as evidence of proper review
• Outstanding error logs
• Documentation of the escalation procedures developed
Chapter # : 04 - CISA 17
The OSI Model (p-252)
A layered framework for the design of network systems that allows communication across all types of computer systems regardless of their underlying architecture.
Please Do Not Touch Shakeel's Pet Alligator
Network Support Layers 1-3
User Support Layers 5-7