IT SERVICE DELIVERY & SUPPORT (Handout Notes)

IS Operations management control functions:

Ensuring that detailed schedules exist for each operating shift
Planning to ensure the most efficient and effective use of an operations resources
Authorizing changes to the operations schedules
Monitoring operations to ensure compliance with standards
Reviewing console log activities during system shutdown and hardware/software reinitialization
Reviewing the operator log to identify variances between scheduled and actual activity
Ensuring that information systems processing can recover in a timely manner from both minor and
major disruptions of operations
Monitoring system performance and resource usage to optimize computer resource utilization
Anticipating equipment replacement/capacity to maximize current job throughput and to strategically
plan future acquisitions
Monitoring the environment and security of the facility to maintain proper conditions for equipment
performance
Ensuring changes to hardware and software do not cause undue disruption to normal processing
Maintaining job accounting reports and other audit records
Limiting physical access to computer resources to those who require it
IS Operations:

IT service management (ITSM) comprises processes and procedures for efficient and effective
delivery and support of various IT functions. It focuses on tuning IT services to meet the changing
demands of the enterprise, and to measure and show improvements in the quality of IT services
offered with a reduction in the cost of service in the long run = Service Level Agreement (SLA).

Job accounting applications are designed to monitor and record IS resource use. Information
recorded by these applications (such as the performance and utilization of the CPU, secondary
storage media and terminal connect time) is used by IS management to perform activities that
include matching resource utilization with associated users for billing purposes and optimizing
hardware performance by changing or tuning system software defaults.

Scheduling is a major function within the IS department. The schedule includes the jobs that must
be run, the sequence of job execution and conditions that cause program execution. It also permits
the scheduling of low priority jobs if time becomes available.
Monitoring Use of Resources - Computer resources, like any other organizational asset, should
be used in a manner that benefits the entire organization. This includes providing information when
and where it is needed, at a cost that is identifiable and auditable.
Problem Management - IS management should develop operations documentation to ensure that
procedures exist for the escalation of unresolved problems to a higher level of IS management.

Lights Out Operations (Automated Unattended Operations) refers to the automation of key
computer room operations whereby tasks can take place without human intervention (e.g. job
scheduling, console operations, report balancing, restart activities, tape mounting, physical security...)
Job scheduling software is system software used by installations that process a large number of batch
jobs. The scheduling software sets up daily work schedules and automatically determines which jobs
are to be submitted to the system for processing.
Library management system capabilities:
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

IntegrityEach source program is assigned a modification number and version number and each
source statement is associated with a creation date. Security over program libraries, job control
language sets and parameter files is provided through the use of passwords, encryption, data
compression facilities and automatic backup creation.

UpdateLibrary management systems facilitate the addition, modification, deletion,

resequencing, and editing of library members. For example, they can create an automated backup
copy prior to changes being made and maintain an audit trail of all library activity.

R
eportingLists of additions, deletions, modifications, the library catalog and library member
attributes can be prepared for management and auditor review.

InterfaceLibrary software packages may interface with the operating system, job scheduling
system, access control system and online program management.

Types or Classes of Computers:

Supercomputers Very large and expensive computers with the highest processing speed,
designed to be used for specialized purposes or few specific applications that require extensive
processing power (e.g., complex mathematical or logical calculations).

Large computer (mainframe) Large, general-purpose computers that are made to share their
processing power and facilities with thousands of internal or external users.

Midrange computer or minicomputer a multiprocessing system capable of supporting

hundreds of simultaneous users; comparable to small mainframes.
Microcomputer or personal computer (PC) - a small computer referred to as a PC computer or
workstation.
Notebook / Laptop computers these are lightweight personal computers.
Personal digital assistant (PDA) - a handheld device that enables its users use a small
computing device the size of a calculator as a personal organizer and planner.

Computers perform several tasks simultaneously using the following principles:

MultitaskingThe capability of running two or more applications concurrently; often performed

by allocating processing time to each application. Each task appears to be continuous without any
disruption felt by the user of the system.
MultiprocessingThe linking of more than one processor sharing the same memory to execute
programs simultaneously.
MultiusingAlso referred to as timesharing. By using multitasking capabilities, multiple users
can access and use a computer operating system simultaneously. All mainframes, minicomputers
and microcomputer systems designed for client-server computing are multiuser-based
environments.
MultithreadingWhen a program is executed there are several subactivities taking place within
the program. These subactivities are performed through separate predefined or identified threads
and produce output for the entire activity seamlessly.

Common Computer Server Roles:

CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

Print servers Businesses of all sizes require that printing capability be made available to users
across multiple sites and domains. Print servers allow businesses to consolidate printing resources
for cost-savings.
File servers Provide for organization wide access to files and programs. Document repositories
can be centralized to a few locations within the organization and controlled with an access-control
matrix.
Program (application) servers A program server enables a user or users to run programs that
are not installed on the users workstation computer. Consolidation of applications and licenses in
servers enables centralized management and a more secure environment.
Web servers Provide information and services to external customers and internal employees
through web pages. A web server is normally accessed by its DNS name, e.g.,
http://www.isaca.org.
Proxy servers Provide an intermediate link between users and resources. As opposed to direct
access, proxy servers will access services on a users behalf. Depending on the services being
proxied, a proxy server may render more secure and faster response than direct access.
Database servers Store raw data and act as a repository. The servers concentrate on storing
information rather than presenting it to be usable. Application servers and web servers use the data
stored in database servers and process the data into usable information.

Appliances or Specialized Devices for Computers:

FirewallsA specific device that inspects all traffic going between segments and applies security
policies to help ensure a secure network. An effective implementation depends on the quality of the
security policies written and their compliance with best practices.
Intrusion detection system (IDS) Listens to all incoming and outgoing traffic to deduce and
warn of potentially malicious connections
Switches Switches are data link level devices that can divide and interconnect network segments
and help to reduce collision domains in Ethernet-based networks.
Routers Devices used to link two or more physically separate network segments. The network
segments linked remain logically separate and can function as independent networks.
Universal Serial Bus (USB) devices - Adapters, cables, CDRW, DVDRW, scanners, webcams,
flash readers, hard drives, hubs, switches and video phones can be connected to the computer using
the USB connection. USB ports overcome the limitations of the serial and parallel ports in terms of
speed and the actual number of connections that can be made.
Memory Cards - They are nonvolatile, removable, small, easy to erase and store, and often
referred as flash memory cards. They can be used in cameras, music players, PDAs, Mobile
phones, printers, navigation systems and many other portable devices. One of these devices is
known as a memory stick, which is quite useful in storing information.
Radio Frequency Identification (RFID) - Radio frequency identification uses radio waves to
identify tagged objects within a limited radius. A tag consists of a microchip and an antenna. The
microchip stores information along with an ID to identify a product. The other part of the tag is the
antenna, which transmits the information to the RFID reader.
Write Once and Read Many (WORM) - In the past, a floppy disc and a small capacity hard drive
would be sufficient to do almost everything. This no longer holds true. In recent years, many new
technologies have been introduced, including those in the WORM category. It is worth mentioning
that this type of WORM is totally unrelated to the malicious code also referred to as a worm.

Operating Systems. The most important component of the system software category which contains
programs that interface between the user, processor and applications software. It provides the primary
means of managing sharing by various users and controlling the sharing and use of computer resources,
such as processors, real memory (e.g., RAM), auxiliary memory (e.g., disk storage), and input/output
devices.
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

Most modern operating systems have also expanded the basic operating system functionalities to
include capabilities for a more efficient operation of system and applications software.
Data communications software is used to transmit messages or data from one point to another, which
may be local or remote.
File Organization:

SequentialOne record is processed after another, from the beginning to the end of a file.
Indexed sequentialRecords are logically ordered according to a data-related key and can be
accessed based on that key.
Direct random accessRecords are addressed individually based on a key not related to the data
(e.g., record number).
Some others are proprietary methods used by specific vendors, such as IBMs Indexed Sequential
Access Method (ISAM) and the Virtual Storage Access Method (VSAM).
DBMS can be defined as that class of system software that aids in organizing, controlling and using the
data needed by application programs. A DBMS provides the facility to create and maintain a wellorganized database. Primary functions include reduced data redundancy, decreased access time and
basic security over sensitive data.
DBMS data are organized in multilevel schemes, with basic data elements, such as the fields, at the
lowest level.
DBMS related topics:
DBMS Architecture metadata or schema
Detailed DBMS Metadata Architecture external and internal level or schema
Data Dictionary/directory System (DD/DS) create/modify data definition, reporting facility, etc
Database Structure 3 types = hierarchical, network and relational
Database Controls restrict acess to update DB, data backup/recovery, establish standards, etc.
Utility programs are system software used to perform maintenance and routines that frequently are
required during normal processing operations. Utility programs can be categorized, by use, into the
five functional areas.
Smaller computer system (PC and server operating systems) are often equipped with specific utilities
to:
Operate verification, cleaning and defragmenting of hard disk and removable memory units
Define the file system standard [NT file system (NTFS) or file allocation table (FAT)] to be used for
each unit
Initialize removable data volumes (floppy disk) and volumes of disk/removable memory
Save/restore system images
Reconstruct and restore (logically) cancelled files
Test system units and peripherals
Network Services commonly used in organizations networked environments:

File sharingAllows users to share information and information resources among one another
E-mail servicesProvides the ability, via a terminal or PC connected to a communication
network, to send an unstructured message to another individual or group of people
Print servicesProvides the ability, typically through a print server on a network, to manage and
execute print request services from other devices on the network

CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

Remote access servicesProvides remote access capabilities where a computing device appears,
as if directly attached to the remote host (e.g., telnet, rhost, uucp, etc.)
Terminal emulation software (TES)Provides remote access capabilities where it appears that
the remote access from a PC device is a terminal directly attached to a remote host. It is the
terminal emulation software (TES) installed on the PC that provides this capability while working
with a heterogeneous host.
Directory servicesStores information about the various resources on a network and helps
network devices locate services, much like a conventional telephone directory. It includes the
services that make this information available and useful
Network managementProvides a set of functions to control and maintain the network. It
provides detailed information about the status of all components in the network, such as line status
and active terminals.

Network Standards and Protocols:

The most common standard for open system communications using a layered set of protocols is the
Open System Interconnection (OSI) model, developed by the International Organization for
Standardization (ISO) in 1978. The objectives of the ISO/OSI model were to provide a set of open
system standards for equipment manufacturers and to provide a benchmark to compare different
communication systems taking into account other protocols besides the Internet TCP/IP system used
throughout the world.
ISO/OSI Model:
1. Application layer interface used by application S/W to access resources like printer, send email
2. Presentation layer transforms data (e.g. encryption) and provides communication services.
3. Session layer controls the dialog (sessions) between computers and terminates connections.
4. Transport layer - ensures that data sent by session layer is received by transport layer. Provides
reliable and transparent transfer of data; error recovery and control.
5. Network layer this layer understands IP addresses and is responsible for routing, forwarding and
error handling and congestion control. This layer prepares the packets for the data link layer.
6. Data link layer provides reliable transfer of data across a physical link. Error detection using
cyclic redundancy check (CRC); logically connects using MAC address.
7. Physical layer provides and defines the hardware that transmits and receives the bit stream as
electrical, optic or radio signals over a medium or carrier.
Local Area Network (LAN):
A LAN is a localized, packet-based switching network within an organization that enables the sharing
of information resources within a relatively small localized area, such as a specific business department
or a network campus environment.

LAN Components:
RepeatersA physical layer device that extends the range of a network or connects two separate
network segments together. Repeaters receive signals from one network segment and amplify
(regenerate) the signal to compensate for signals (analog or digital) distorted due to a reduction of
signal strength during transmission (i.e., attenuation).
HubsA physical layer device that serves as the center of a star-topology network or a network
concentrator. Hubs can be active (if they repeat signals sent through them) or passive (if they merely
split, signals).
BridgesA data link layer device, bridges were developed in the early 1980s to connect LANs or
create two separate LAN or WAN network segments from a single segment to reduce collision
domains. Bridges act as a store- and forward-device in moving frames toward their destination.

CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

 Layer 2 switchesLayer 2 switches are data link level devices that can divide and interconnect
network segments and help to reduce collision domains in Ethernet-based networks.
RoutersSimilar to bridges and switches in that they link two or more physically separate network
segments. The network segments linked by a router, however, remain logically separate and can
function as independent networks. Routers operate at the OSI network layer and by examining network
addresses, the router can make intelligent decisions to direct the packet to its destination. Routers differ
from switches operating at the data link layer in that they use logically based network addresses, block
broadcast information, block traffic to unknown addresses, and filter traffic based on network or host
information.
Layer 3 and 4 switchesAdvances in switch technology have also provided switches with operating
capabilities at Layer 3 and Layer 4 of the OSI reference model. The Layer 3 switch looks at the
incoming packets networking protocol, e.g., the IP protocol. In Layer 4 switching, some application
information is taken into account along with Layer 3 addresses. For IP, this information includes the
port numbers from protocols such as UDP and TCP. Only address information was stored at the Layer
2 and Layer 3 levels.
BroutersDevices that perform the functions of both bridges and routers
GatewaysDevices that are protocol converters. Typically, they connect and convert between LANs
and the mainframe or between LANs and the Internet at the application layer of the OSI reference
model. Depending on the type of gateway, the operation occurs at various OSI layers.
Metropolitan area network (MAN) is a communication network, local to a metropolitan area, which
features services companies, cable television services and other vendors.
WAN Message Transmission Techniques:
Message switchingSends a complete message to the concentration point for storage and routing to
the destination point as soon as a communications path becomes available. Transmission cost is based
on message length.
Packet switchingA sophisticated means of maximizing transmission capacity of networks. This is
accomplished by breaking a message into transmission units, called packets, and routing them
individually through the network, depending on the availability of a channel for each packet.
Passwords and all types of data can be included within the packet.
Circuit switchingA physical communications channel is established between communicating
equipment, through a circuit switched network. This network can be, for instance, point-to-point (e.g.,
leased line) multipoint, public switched telephone network (PSTN) or an integrated services digital
network (ISDN). The connection, once established, is used exclusively by the two subscribers for the
duration of the call. The network does not provide any error or flow control on the transmitted data, so
this task must be performed by the user.
Virtual circuits A logical circuit between two network devices that provides for reliable data
communications. Two types are available; these are referred to as switched virtual circuits (SVCs) or
permanent virtual circuits (PVCs). SVCs dynamically establish on-demand connectivity, and PVCs
establish an always-on connection.
WAN dial-up servicesDial-up services using asynchronous and synchronous connectivity are
widely available and well-suited for organizations with a large number of mobile users. Its
disadvantages are low bandwidth and limited performance.
WAN Devices, typically operating at either the physical or data link layer of the OSI reference model,
are specific to the WAN environment:
WAN switchA data link layer device used for implementing various WAN technologies, such as
ATM, point-to-point frame relay and ISDN. These devices are typically associated with carrier
networks providing dedicated WAN switching and router services to organizations via T-1 or T-3
connections.
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

 RoutersA device that operates at the network layer of the OSI reference model and provides an
interface between different network segments on an internal network or connects the internal network
to an external network.
Modems (modulator/demodulator)Data communications equipment (DCE) devices that make it
possible to use analog lines (generally the public telephone network) as transmission media for digital
networks. Modems convert computer digital signals into analog data signals and analog data back to
digital. When a link is established, modems operating at both ends of it automatically negotiate the
fastest and safest standard that the line and the modems themselves can use, establishing speed, parity,
cryptographic algorithm and compression.
Access serversProvide centralized access control for managing remote access dial-up services.
Channel service unit/digital service unit (CSU/DSU)Interfaces at the physical layer of the OSI
reference model, data terminal equipment (DTE) to data circuit terminating equipment (DCE), for
switched carrier networks
MultiplexorsA physical layer device used when a physical circuit has more bandwidth capacity
than required by individual signals. The multiplexor can allocate portions of its total bandwidth and
use each portion as a separate signal link. It can also link several low-speed lines to one high-speed line
to enhance transmission capabilities.
Some common types of WAN technologies used to manage the communication links are:
Point-to-point Protocol (PPP) works in the data link layer. PPP provides a single, preestablished
WAN communication path from the customer premises to a remote network, usually reached through a
carrier network, such as a telephone company.
X.25 - As a packet switched or virtual circuit implementation, X.25 is a telecommunication standard
(ITU-T) that defines how connections between data terminal equipment and data communications or
circuit terminating equipment are maintained for remote terminal access and computer communications
in public data networks (PDNs).
Frame Relay - As a packet switched or virtual circuit implementation, Frame Relay is a data link
layer protocol for switch devices that uses a standard encapsulation technique to handle multiple virtual
circuits between connected devices.
Integrated Services Digital Network (ISDN) -As a circuit switched implementation, ISDN
corresponds to integrated voice, data and video, and is an architecture for worldwide
telecommunications. This service integrates voice, data and video communication through digital
switching and transmission over digital public carrier lines.
Asynchronous Transfer Mode (ATM) - As a packet switched implementation operating at the data
link layer, ATM is based on the use of a cell (a fixed-size data block) switching and multiplexing
technology standard that combines the benefits of circuit switching (guaranteed capacity and constant
transmission delay) with those of packet switching (flexibility and efficiency for intermittent traffic).
Multiprotocol Label Switching (MPLS) provides a mechanism for engineering network traffic
patterns that is independent of routing tables. MPLS assigns short labels to network packets that
describe how to forward them through the network. MPLS is independent of any routing protocol and
can be used for unicast packets.
Digital Subscriber Lines (DSL) - A network provider service using modem technology over existing
twisted-pair telephone lines to transport high-bandwidth data, such as multimedia and video.
Characteristics of DSL are
dedicated, point-to-point, public network access on the local loop. Local loops are generally the last
mile between a network service providers (NSP) central office and the customer site.
Virtual Private Networks (VPN) - Extends the corporate network securely via encrypted packets
sent out via virtual connections over the public Internet to distant offices, home workers, salespeople
and business partners. Rather than using expensive, dedicated leased lines, VPNs take advantage of the
public worldwide IP infrastructure, thereby enabling remote users to make a local call (versus dialingin at long distance rates) or use an Internet cable modem or DSL connections for inexpensive public
network connectivity.
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

Wireless WAN (WWAN) using radio, satellite and mobile phone technologies including 2G cellular,
GSM and Mobitex. Good for organizations in rural areas where laying cable is too expensive. In
general, WWAN provides greater system flexibility and control of costs where the equipment is owned.
Wireless LAN (WLAN) connects computers using an access point or wireless NW hub; with
coverage areas up to about 100 meters and can be used within or between buildings.
Wireless Personal Area Network (WPAN) short range wireless networks with Bluetooth as
example of dominant technology (range of about 15 meters or limited to line of sight).
Wireless Ad Hoc Networks designed to dynamically connect remote devices such as cell phones,
PDAs and laptops; with ad hoc or shifting / random network topologies.
Security requirements for wireless networks:
AuthenticityA third party must be able to verify that the content of a message has not been
changed in transit.
NonrepudiationThe origin or the receipt of a specific message must be verifiable by a third party.
AccountabilityThe actions of an entity must be uniquely traceable to that entity.
Network availabilityThe information technology resource must be available on a timely basis to
meet mission requirements or to avoid substantial losses. Availability also includes ensuring that
resources are used only for intended purposes.
General issues and exposures related to wireless access:
The interception of sensitive informationInformation is transmitted through the air, which increases
the potential for unprotected information to be intercepted by unauthorized individuals.
The loss or theft of devicesWireless devices tend to be relatively small, easy to steal or lose. If
encryption is not strong, a hacker can easily get at the information that is password or PIN-protected.
The misuse of devicesDevices can be used to gather information or intercept information that is
being passed over wireless networks for financial or personal benefit.
The loss of data contained in the devicesTheft or loss can result in the loss of data that has been
stored on these devices. Storage capacity can range from a few megabytes to several gigabytes of data
depending on the device.
Distractions caused by the devicesThe use of wireless devices distract the user. If these devices are
being used in situations where an individuals full attention is required (e.g., driving a car), they could
result in an increase in the number of accidents.
Possible health effects of device usageThe safety or health hazards have not, as yet, been
identified. However, there are currently a number of concerns with respect to electromagnetic radiation
especially for those devices that must be held beside the head for use.
Wireless user authenticationThere is a need for stronger wireless user authentication and
authorization tools at the device level. The current technology is just emerging.
File securityWireless phones and PDAs do not use the type of file access security that other
computer platforms can provide.
Wired Equivalent Privacy (WEP) security encryptionWEP security depends particularly on the
length of the encryption key and on the usage of static WEP (many users on a wireless LAN share the
same key) or dynamic WEP (per-user, per-session, dynamic WEP key tied to the network logon). The
64-bit encryption keys that are in use in the WEP standard encryption can be easily broken by the
currently available computing power.
InteroperabilityMost vendors offer 128-bit encryption modes. However, they are not standardized,
so there is no guarantee that they will interoperate. The use of the 128-bit encryption key has a major
impact on performance with 15-20 percent degradation being experienced. Some vendors offer
proprietary solutions; however, this only works if all access points and wireless cards are from the
same vendor.
The use of wireless subnetsTo increase security, it is possible to create special subnets for wireless
traffic and require authorization before packets are routed.
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

 Translation pointThe location where information being transmitted via the wireless network is
converted to the wired network. At this point, the information, which has been communicated via the
WAP security model using Wireless Transport Layer Security, is converted to the secure socket layer,
where the information is decrypted and then encrypted again for communication via TCP/IP.
Network performance matrics measured by latency (delay that a message or packet will have on its
way from source to destination) and throughput (quantity of useful work made by the system per unit
of time such as bytes per second).
Network management five basic tasks are fault management, configuration management,
accounting resources, performance management and security management.
Network management tools response time report, downtime reports, online monitors (check data
transmission accuracy and errors), help desk reports
Client-server Technology
is the name of network architecture in which each computer or process on the network is either a server
(a source of services and data) or a client (a user of these services and data that relies on servers to
obtain them). In a client-server technology, the available computing power can be distributed and
shared among the client workstations.
Client-server architecture can be organized based on two levels of computing tasks (i.e., two-tier
architectures) or three levels of computing tasks (i.e., three-tier architectures).
A two-tier, client-server architecture defines just two parts:
1. A client, which includes a front-end program (developed using popular tools such as Visual Basic,
Power-Builder, Delphi or a similar program).
2. A database server or back end.

A three-tier architecture is composed of:

1. A low-power (thin) client, focused on doing GUI tasks (could be an Internet browser).
2. A group (one or more) of application servers, focused on running the application logic. These servers
could run programs generated with Java (the servlets) or with other development tools.
3. A group (one or more) of database servers.
Middleware
is a client-server-specific term used to describe a unique class of software employed by client-server
applications. It serves as a glue between two otherwise distinct applications. It provides services such
as identification, authentication, authorization, directories and security. This software resides between
an application and the network, and manages the interaction between the GUI on the front end and data
servers on the back end.
Hardware Reviews:
Review capacity management procedures of hardware and performance evaluation procedures
(ensure constinuous review? Supported by historical data?).
Review hardware acquisition plan (compared with business plan? Environment adequate?
Synchronize with IS plan? Adequacy of documentation and lead time?)
Review the microcomputer (or PC) acquisition criteria (are there written policy statements? Adequate
procedures and forms for the process? Centralize to take advantage of volume discounts?)
Review HW change management controls (format process? Effective change so they do not interfere
with normal process? Communicated and coordinated properly? Addressed in timely manner?)
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

Operating System Reviews:

The following approach may be adopted when auditing operating software development, acquisition or
maintenance:
Interview technical service and other personnel (regarding approval process and test procedures;
implementation and documentation procedures)
Review system software selection procedures (whether they comply with short & long-range IS
plans; align with business)
Review the feasibility study (consistent system objectives with request/proposal) and selection
process (same criteria applied to all proposals)
Review cost/benefit analysis of system software procedures (direct financial cost, product
maintenance, training requirements, impact on security)
Review controls over the installation of changed systems software (tests completed as planned,
fallback in place)
Review system software maintenance activities (changes made to system SW are documented,
current versions are supported by vendor)
Review system software change controls (limit access to libraries, authorized prior to moving from
test to production)
Review system documentation (in the areas of installation control statements, parameter tables, exit
definitions and activity logs/reports)
Review and test systems software implementation (change procedures, authorization, access security
features, audit. Trails )
Review authorization documentation (whether additions, deletions or changes to access authority
have been documented; violation reporting review and follow up
Review system software security (physical and logical security; established procedures; vendorsupplied passwords changed)
Database Reviews:
Design - Verify the existence of a database model should be verified and all entities should have a
significant name and identified primary and foreign keys. Verify that the relations have explicit
cardinality and coherent and significant names and that the business rules are expressed in the diagram.
Access - Analyze the main accesses to the database as well as stored procedures and triggers, verify
that the use of indexes minimizes access time and that open searches, if not based in indexes, are
justified. If the DBMS allows the selection of the methods or types of indexes, the correct use should
be verified.
Administration - Security levels for all users and their roles should be identified within the database
and access rights for all users and/or groups of users should be justified.
Interfaces - To ensure the security and confidentiality of data, information import and export
procedures should be verified with other systems.
Portability - Verify that, whenever possible, Structured Query Language (SQL) is used.
LAN Reviews:
The potentially unique nature of each LAN makes it difficult to define standard audit procedures.
Physical controls should limit access to those individuals authorized by management. However,
unlike most mainframes, the computers in a LAN are usually decentralized. A file server
containing critical company data is much easier to damage or steal and it should be physically
protected.
Environmental controls are similar to those considered in the mainframe environment. However,
the equipment may not require as extensive atmospheric controls as a mainframe.
Logical security controls - a method should be in place to restrict, identify and report authorized
and unauthorized users of the LAN. LAN access should be monitored.
CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

10

IS Operations Reviews:

Computer operations controls - relate to the day-to-day operation of the hardware and software
within the IS organization, the responsibility for the operator of the computers including the
mounting of files located on secondary storage media, changing printer forms and the
discontinuance of the use of devices requiring maintenance.
File handling procedures - should be established to control the receipt and release of files and
secondary storage media to / from other locations. Internal tape labels should be used to help
ensure the correct tapes are mounted for processing.
Data entry controls
- Authorization of input documents
- Reconciliation of batch totals
- Segregation of duties between the person who keys the data and the person who reviews the
keyed data for accuracy and errors.

Problem Management Reporting Reviews- Adequately documented procedures should have been
developed to guide IS operations personnel in logging, analyzing,resolving and escalating problems in
a timely manner in accordance with management's intent and authorization.
Hardware Availability and Utilization Reporting Reviews - Hardware availability and utilization
can be obtained from the problem log, processing schedules, job accounting system reports,
preventative maintenance schedules and reports, and the hardware performance monitoring plan.
Scheduling Reviews - Workload job scheduling and personnel scheduling should be reviewed.

CISA Chapter : IT Service Delivery

by Joe Sabater, 2008

11