2016 CISA® Review Course
Hafiz Sheikh Adnan Ahmed – CISA, COBIT 5, ISO 27001 LA
[PECB Certified Trainer]
Quick Reference Review
• Key elements of IT service delivery
• Incident handling
• Client server technology
• BCP/DRP
• Data backup and recovery
4.2 Information Systems Operations
4.2.1 Management of IS Operations
• IS management has the overall responsibility for all operations within the IS department
• Involves allocation of resources, adherence to standards and procedures, and monitoring of IS operations
4.2.2 IT Service Management (ITSM)
• ITSM comprises the processes and procedures for efficient and effective delivery of IT services to the
business
• Processes are managed through SLAs (Service Level Agreements)
Service Level
• An agreement between IT and the customer (end user)
• The SLA details the services to be provided
• Service Level Management (SLM) is the process of defining, agreeing upon,
documenting and managing levels of service that are required and cost justified
• The goal of SLM is to maintain and improve customer satisfaction and to improve the
services delivered to the customer
• Tools to monitor the efficiency and effectiveness of services provided by IS
personnel:
  • Exception Reports
  • System and Application logs
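An exception report is the monitoring tool the slide names; the following is an added example (not from the course or ISACA material) that builds one from constructed application log lines and a hypothetical set of SLA targets, flagging latency breaches, success rates below target, and services that carry traffic but have no agreed SLA at all.

```python
"""SLA exception report built from constructed application log lines.

Added example, not from the slides. The log format, service names and SLA
targets below are hypothetical; real SLAs and log layouts will differ.
"""
import re
from collections import defaultdict

# Constructed sample log lines: ISO timestamp, service, status, latency in ms.
SAMPLE_LOG = """\
2016-03-01T09:00:01Z payroll OK 120
2016-03-01T09:00:05Z payroll OK 480
2016-03-01T09:00:09Z payroll ERROR 2500
2016-03-01T09:00:12Z webmail OK 90
2016-03-01T09:00:15Z webmail OK 1400
2016-03-01T09:00:20Z webmail OK 110
2016-03-01T09:00:25Z unknown_svc OK 50
this line is malformed and must be skipped
"""

# Hypothetical service-level targets agreed between IT and the business.
SLA = {
    "payroll": {"max_latency_ms": 1000, "min_success_rate": 0.99},
    "webmail": {"max_latency_ms": 1000, "min_success_rate": 0.95},
}

LINE_RE = re.compile(r"^(\S+) (\S+) (OK|ERROR) (\d+)$")


def parse_log(text):
    """Return (records, skipped): parsed records and the count of unparseable lines."""
    records, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            skipped += 1          # counted, not silently dropped
            continue
        ts, service, status, latency = m.groups()
        records.append({"ts": ts, "service": service,
                        "ok": status == "OK", "latency_ms": int(latency)})
    return records, skipped


def exception_report(records, sla):
    """Map each service to the list of SLA exceptions found in its records.

    Services without an agreed SLA are reported under 'unmanaged' so the
    gap in the agreement itself is visible rather than ignored.
    """
    by_service = defaultdict(list)
    for r in records:
        by_service[r["service"]].append(r)

    report = {}
    for service, recs in sorted(by_service.items()):
        target = sla.get(service)
        if target is None:
            report.setdefault("unmanaged", []).append(
                f"{service}: {len(recs)} requests but no SLA defined")
            continue
        issues = []
        for r in recs:
            if r["latency_ms"] > target["max_latency_ms"]:
                issues.append(f"{r['ts']} latency {r['latency_ms']}ms "
                              f"exceeds {target['max_latency_ms']}ms")
        success = sum(r["ok"] for r in recs) / len(recs)
        if success < target["min_success_rate"]:
            issues.append(f"success rate {success:.1%} below "
                          f"{target['min_success_rate']:.1%}")
        if issues:
            report[service] = issues
    return report


def run_sample():
    """Parse the constructed log and return (report, skipped_line_count)."""
    records, skipped = parse_log(SAMPLE_LOG)
    return exception_report(records, SLA), skipped


if __name__ == "__main__":
    report, skipped = run_sample()
    for service, issues in report.items():
        print(service)
        for issue in issues:
            print("  -", issue)
    print(f"skipped {skipped} malformed line(s)")
```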
4.2.3 Infrastructure Operations
• IT operations are processes and activities that support and manage the entire IT
infrastructure, systems, applications and data, focusing on day-to-day activities
Job Scheduling
• A job schedule is created that lists the jobs that must be run and the order in which they
are run, including any dependencies
• Job scheduling software is used to schedule tape backups and other
maintenance activities
• It sets up daily work schedules and automatically determines which jobs are to be
submitted to the system for processing
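The dependency ordering the slide describes, as an added example (not from the course or any scheduling product): a constructed nightly batch catalogue is turned into submission waves, with unknown dependencies and cycles rejected, and a check that an operator-edited order still honours every dependency.

```python
"""Dependency-ordered job schedule.

Added example, not from the slides or any scheduling product. The job names
and dependencies are constructed; a real run would load the batch catalogue.
"""

# Constructed nightly batch: job -> list of jobs that must finish first.
NIGHTLY_JOBS = {
    "db_backup": [],
    "log_rotate": [],
    "tape_copy": ["db_backup"],
    "integrity_check": ["db_backup"],
    "offsite_ship": ["tape_copy", "integrity_check"],
    "report": ["offsite_ship", "log_rotate"],
}


def build_schedule(jobs):
    """Return the schedule as waves: a list of lists of job names.

    Every job in wave n depends only on jobs in earlier waves, so jobs in
    the same wave may be submitted together. Raises ValueError if a job
    depends on something not in the catalogue or if the dependencies form
    a cycle, since either would leave jobs that can never run.
    """
    for job, deps in jobs.items():
        missing = [d for d in deps if d not in jobs]
        if missing:
            raise ValueError(f"{job} depends on unknown job(s): {missing}")

    remaining = {job: set(deps) for job, deps in jobs.items()}
    waves = []
    while remaining:
        # Jobs whose remaining dependencies are all satisfied; sorted for
        # a deterministic, reviewable order.
        ready = sorted(job for job, deps in remaining.items() if not deps)
        if not ready:
            raise ValueError(f"dependency cycle among: {sorted(remaining)}")
        waves.append(ready)
        for job in ready:
            del remaining[job]
        for deps in remaining.values():
            deps.difference_update(ready)
    return waves


def linear_order(jobs):
    """Flatten the waves into one submission order for a serial run."""
    return [job for wave in build_schedule(jobs) for job in wave]


def violates_order(jobs, order):
    """Return (job, dependency) pairs where the given order runs a job before
    one of its dependencies, e.g. a manually edited schedule."""
    position = {job: i for i, job in enumerate(order)}
    return [(job, dep) for job, deps in jobs.items() for dep in deps
            if position[dep] > position[job]]


def schedule_error(jobs):
    """Return the error message for an unschedulable catalogue, else None."""
    try:
        build_schedule(jobs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for n, wave in enumerate(build_schedule(NIGHTLY_JOBS)):
        print(f"wave {n}: {', '.join(wave)}")
```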
4.2.4 Incident and Problem Management
• Incident Management is reactive and its objective is to respond and resolve issues as
quickly as possible
• Problem Management aims to resolve issues through the investigation and in-depth
analysis of a major incident, or several incidents of similar nature, in order to identify the
root cause
• The Problem Management objective is to “reduce” the number and/or severity of incidents,
while the Incident Management objective is to “return” the affected business process to
normal as quickly as possible
Detection, Documentation, Control,
Resolution and Reporting
4.2.5 Support/Helpdesk
4.2.6 Change Management Process
• Used when changing hardware, upgrading to new releases of off-the-shelf
applications and configuring various network devices
• Often categorized into emergency changes, major changes, minor changes
4.2.7 Release Management
• The process through which software is made available to users
• Consists of the new or changed software required
4.2.8 Quality Assurance
• QA personnel verify that system changes are authorized, tested and implemented
in a controlled manner prior to being introduced into the production environment
4.2.9 Information Security Management
• Includes various security processes to protect the information assets
• Should be integrated in all IT operation processes
4.2.10 Media Sanitization
• Establishes the controls, techniques and processes necessary to preserve the
confidentiality of sensitive information stored on media to be reused, transported,
or discarded
• “Sanitization” involves the eradication of information recorded on storage media
to the extent of providing reasonable assurance that residual content cannot be
salvaged or restored
4.3 Information Systems Hardware
• Key audit considerations such as capacity management, system monitoring,
maintenance of hardware
4.3.1 Computer Hardware Components &
Architectures
• Processing Components
  • CPU, RAM, ROM
• Input/output Components
  • Mouse, keyboard, touch screen
• Common Enterprise Back-end Devices
  • Print Servers
  • File Servers
  • Web Servers
  • Application Servers
  • Database Servers
• Universal Serial Bus (USB)
  • Memory Cards/Flash Drives
Risks & Security Control
• Risks
  • Viruses and other malicious software
  • Data Theft
  • Data and Media Loss
  • Corruption of Data
  • Loss of Confidentiality
• Security Controls
  • Encryption
  • Granular Control
  • Educate Security Personnel
  • Enforce the “Lock Desktop” policy
  • Update the antivirus policy
Radio Frequency Identification (RFID)
• RFID uses radio waves to identify “tagged” objects within a limited radius
• “Tag” consists of a microchip and an antenna
• “Microchip” stores information along with an ID to identify a product
• The other part of the “tag” is the “antenna” which transmits the information to
the RFID reader
RFID Applications:
• Asset Management
• Tracking
• Supply Chain Management (SCM)
Risks & Security Control
• Risks
  • Business Process Risk
  • Business Intelligence Risk
  • Privacy Risk
• Security Controls
  • Management
  • Operational
  • Technical
4.3.2 Hardware Maintenance Program
4.3.3 Hardware Monitoring Procedures
• Availability Reports
• Hardware Error Reports
• Utilization Reports
4.3.4 Capacity Management
• Planning and monitoring of computing and network resources to ensure that the available
resources are used effectively and efficiently
4.4 IS Architecture and Software
• A collection of computer programs used in the design, processing and control of all computer
applications used to operate and maintain the computer system
• Comprised of system utilities and programs, the system software ensures the integrity of the
system
• Access control software
• Data communications software
• Database management software
• Program library management systems
• Tape and disk management systems
• Network management software
• Job scheduling software
• Utility programs
4.4.1 Operating Systems
• OS contains programs that interface between the user, processor and application software
• Provides the primary means of managing the sharing and use of computer resources such
as processors, real memory, and I/O devices
4.4.2 Access Control Software
4.4.3 Data Communications Software
• Used to transmit messages or data from one point to another
4.4.4 Data Management
4.4.5 Database Management System
• A DBMS aids in organizing, controlling and using the data needed by application programs
• Primary benefits include reduced data redundancy, decreased access time and basic
security over sensitive data
4.4.6 Tape and Disk Management Systems (TMS/DMS)
• Specialized system software that tracks and lists tape/disk resources needed for data
center processing
• A TMS/DMS minimizes computer operator time and errors caused by locating improper
files
• Systems include the data set name and specific tape reel or disk drive location, creation
date, effective date, retention period, expiration date and contents information
4.4.7 Utility Programs
4.4.8 Software Licensing Issues
4.4.9 Digital Rights Management (DRM)
• DRM refers to access control technologies that can be used by hardware
manufacturers, publishers, copyright holders and individuals to impose limitations
on the usage of digital content and devices
• Used by companies like Sony, Apple Inc., Microsoft, BBC
4.5 IS Network Infrastructure
4.5.1 Enterprise Network Architectures
4.5.2 Types of Networks
4.5.3 Network Services
• Functional features made possible by appropriate OS
applications
• Allow orderly utilization of the resources on the network
4.5.4 Network Standards and Protocols
4.5.5 OSI Architecture
• OSI (Open Systems Interconnection) is the benchmark standard for network architecture
• Composed of 7 layers, each specifying particular specialized tasks or functions
• The objective of the OSI model is to provide a protocol suite used to develop data-networking protocols
and other standards that facilitate multivendor interoperability
4.6 Auditing Infrastructure and Operations
• The IS auditor performs audits and specific reviews of hardware, OS, databases, networks, IS
operations and problem management reporting
4.6.1 Hardware Reviews
4.6.2 OS Reviews
4.6.3 Database Reviews
4.6.4 Network Infrastructure and
Implementation Reviews
4.6.5 IS Operations Reviews
4.6.6 Scheduling Reviews
4.6.7 Problem Management & Reporting Reviews
4.7 Disaster Recovery Planning (DRP)
• Established to manage availability and restore critical processes/IT services in the
event of an interruption
• The importance and urgency of business processes and IT services are defined
by performing a BIA and assigning an RTO and RPO
• Ultimate goal is to respond to incidents that may impact people and the ability of
operations to deliver goods and services
4.7.1 RPO, RTO
Recovery Point Objective (RPO):
• Determined based on acceptable data loss in case of disruption of operations
• Indicates the earliest point in time in which it is acceptable to recover the data
Recovery Time Objective (RTO):
• Determined based on acceptable downtime in case of a disruption of operations
• Indicates the earliest point in time at which the business operations must resume after disaster
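An added example (not from the course) of turning the RPO and RTO definitions above into a check on recovery alternatives: each constructed option (cold, warm, hot site) gets a worst-case data-loss and downtime figure, and the cheapest one meeting both objectives is selected, with "no viable option" surfaced as its own finding. All timings and cost figures are hypothetical.

```python
"""Check recovery alternatives against the RPO and RTO from the BIA.

Added example, not from the slides. The alternatives, their timings and
costs are constructed figures; the formulas are the simple worst-case
reasoning a reviewer can apply to a real recovery strategy.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class RecoveryOption:
    name: str
    backup_interval_h: float   # hours between backups (or replication lag)
    offsite_lag_h: float       # hours until a backup is usable at the recovery site
    detection_h: float         # hours to declare the disaster and invoke the plan
    restore_h: float           # hours to restore systems and data once invoked
    annual_cost: float         # constructed cost figure, arbitrary units


# Constructed alternatives mirroring the classic cold / warm / hot site choice.
OPTIONS = [
    RecoveryOption("cold site", 24.0, 24.0, 1.0, 72.0, 50),
    RecoveryOption("warm site", 24.0, 4.0, 1.0, 12.0, 200),
    RecoveryOption("hot site", 0.25, 0.0, 1.0, 1.0, 1000),
]


def worst_case_data_loss_h(opt):
    """Disaster strikes just before the next backup: everything since the last
    backup that has already reached the recovery site is lost."""
    return opt.backup_interval_h + opt.offsite_lag_h


def worst_case_downtime_h(opt):
    """Time from disruption to resumed operations, including declaring it."""
    return opt.detection_h + opt.restore_h


def evaluate(opt, rpo_h, rto_h):
    """Return the worst-case figures and whether each objective is met."""
    loss = worst_case_data_loss_h(opt)
    downtime = worst_case_downtime_h(opt)
    return {
        "option": opt.name,
        "worst_case_data_loss_h": loss,
        "worst_case_downtime_h": downtime,
        "meets_rpo": loss <= rpo_h,      # RPO bounds acceptable data loss
        "meets_rto": downtime <= rto_h,  # RTO bounds acceptable downtime
    }


def select_option(options, rpo_h, rto_h):
    """Cheapest alternative that meets both objectives, or None if none does.

    A None result is itself a finding: the objectives from the BIA cannot be
    met by any strategy on the table and must be revisited or funded.
    """
    viable = []
    for opt in options:
        result = evaluate(opt, rpo_h, rto_h)
        if result["meets_rpo"] and result["meets_rto"]:
            viable.append(opt)
    return min(viable, key=lambda o: o.annual_cost, default=None)


if __name__ == "__main__":
    for rpo, rto in [(4, 8), (48, 72), (1, 1)]:
        chosen = select_option(OPTIONS, rpo, rto)
        name = chosen.name if chosen else "no viable option"
        print(f"RPO {rpo}h / RTO {rto}h -> {name}")
```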
4.7.2 Recovery Strategies
• A recovery strategy identifies the best way to recover a system in case of interruption, including
disaster, and provides guidance based on which detailed recovery procedures can be developed
4.7.3 Recovery Alternatives
4.7.4 Development of Disaster Recovery Plans
4.7.5 Organization and Assignment of
Responsibilities
4.7.6 Backup and Restoration
• To ensure that the critical activities of an organization are not interrupted in the event of a disaster,
secondary storage media are used to store software application files and associated data for
backup purposes
Offsite Library Controls
Backup Schemes
Self-Assessment Questions
1. Which of the following provides the BEST method for determining
the level of performance provided by similar information processing
facility environments?
a) User satisfaction
b) Goal accomplishment
c) Benchmarking
d) Capacity and growth planning
Self-Assessment Questions
2. For mission critical systems with a low tolerance to interruption and
a high cost of recovery, the IS auditor would, in principle,
recommend the use of which of the following recovery options?
a) Mobile site
b) Warm site
c) Cold site
d) Hot site
Self-Assessment Questions
3. The key objective of capacity planning procedures is to ensure that:
a) Available resources are fully utilized
b) New resources will be added for new applications in a timely manner
c) Available resources are used efficiently and effectively
d) Utilization of resources does not drop below 85 percent
Self-Assessment Questions
4. An IS auditor should be involved in:
a) Observing tests of the DRP
b) Developing the DRP
c) Maintaining the DRP
d) Reviewing the DR requirements of supplier contracts
Answers
1. c) Benchmarking
2. d) Hot site
3. c) Available resources are used efficiently and effectively
4. a) Observing tests of the disaster recovery plan
CISA Training - Chapter 4 - 2016

Contenu connexe

Tendances

ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISONIKELtd
 
CISA Domain 4 Information Systems Operation | Infosectrain
CISA Domain 4 Information Systems Operation | InfosectrainCISA Domain 4 Information Systems Operation | Infosectrain
CISA Domain 4 Information Systems Operation | InfosectrainInfosecTrain
 
CISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITCISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITShivamSharma909
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOXMahesh Patwardhan
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfControlCase
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSSSaumya Vishnoi
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSShivamSharma909
 
An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019Gregor Polančič
 
Coso internal control integrated framework
Coso internal control   integrated frameworkCoso internal control   integrated framework
Coso internal control integrated frameworkIrfan Ahmed - ACA, CICA
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementChristian F. Nissen
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001Imran Ahmed
 
CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice questionArshad A Javed
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?PECB
 
Chap3 2007 Cisa Review Course
Chap3 2007 Cisa Review CourseChap3 2007 Cisa Review Course
Chap3 2007 Cisa Review CourseDesmond Devendran
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Goutama Bachtiar
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxDr Madhu Aman Sharma
 

Tendances (20)

ISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition ArragementsISO/IEC 27001:2022 Transition Arragements
ISO/IEC 27001:2022 Transition Arragements
 
Cisa domain 1
Cisa domain 1 Cisa domain 1
Cisa domain 1
 
CISA Domain 4 Information Systems Operation | Infosectrain
CISA Domain 4 Information Systems Operation | InfosectrainCISA Domain 4 Information Systems Operation | Infosectrain
CISA Domain 4 Information Systems Operation | Infosectrain
 
CISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of ITCISA DOMAIN 2 Governance & Management of IT
CISA DOMAIN 2 Governance & Management of IT
 
SOC 2 and You
SOC 2 and YouSOC 2 and You
SOC 2 and You
 
IT Control Objectives for SOX
IT Control Objectives for SOXIT Control Objectives for SOX
IT Control Objectives for SOX
 
ISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdfISO 27001 2002 Update Webinar.pdf
ISO 27001 2002 Update Webinar.pdf
 
CISA Review Course Slides - Part1
CISA Review Course Slides - Part1CISA Review Course Slides - Part1
CISA Review Course Slides - Part1
 
Introduction to PCI DSS
Introduction to PCI DSSIntroduction to PCI DSS
Introduction to PCI DSS
 
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMSCISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
CISA Domain 1 The Process On AUDITING INFORMATION SYSTEMS
 
An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019An Introduction to IT Management with COBIT 2019
An Introduction to IT Management with COBIT 2019
 
Coso internal control integrated framework
Coso internal control   integrated frameworkCoso internal control   integrated framework
Coso internal control integrated framework
 
Introduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT managementIntroduction to COBIT 2019 and IT management
Introduction to COBIT 2019 and IT management
 
Basic introduction to iso27001
Basic introduction to iso27001Basic introduction to iso27001
Basic introduction to iso27001
 
CISA exam 100 practice question
CISA exam 100 practice questionCISA exam 100 practice question
CISA exam 100 practice question
 
ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?ISO/IEC 27001:2022 – What are the changes?
ISO/IEC 27001:2022 – What are the changes?
 
PCI DSS Compliance
PCI DSS CompliancePCI DSS Compliance
PCI DSS Compliance
 
Chap3 2007 Cisa Review Course
Chap3 2007 Cisa Review CourseChap3 2007 Cisa Review Course
Chap3 2007 Cisa Review Course
 
Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018Information Security Management System with ISO/IEC 27000:2018
Information Security Management System with ISO/IEC 27000:2018
 
ISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptxISO 27001 Awareness/TRansition.pptx
ISO 27001 Awareness/TRansition.pptx
 

Similaire à CISA Training - Chapter 4 - 2016

AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014KBIZEAU
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptxdotco
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewShankar Subramaniyan
 
Dynamic datacenter planning and design
Dynamic datacenter   planning and designDynamic datacenter   planning and design
Dynamic datacenter planning and designYeonki Choi
 
Presilient Worldwide at a Glance
Presilient Worldwide at a GlancePresilient Worldwide at a Glance
Presilient Worldwide at a GlanceKrystanne
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2Anne Starr
 
Security Baselines and Risk Assessments
Security Baselines and Risk AssessmentsSecurity Baselines and Risk Assessments
Security Baselines and Risk AssessmentsPriyank Hada
 
ITIL Service Operation
ITIL Service OperationITIL Service Operation
ITIL Service OperationMarvin Sirait
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptxams1ams11
 
DGI Compliance Webinar
DGI Compliance WebinarDGI Compliance Webinar
DGI Compliance WebinarSolarWinds
 
Remote IT Infra - lower cost & higher efficiency
Remote IT Infra - lower cost & higher efficiencyRemote IT Infra - lower cost & higher efficiency
Remote IT Infra - lower cost & higher efficiencyAbimanyu V
 
CC_M2_T1_Data Center Technology.pptx
CC_M2_T1_Data Center Technology.pptxCC_M2_T1_Data Center Technology.pptx
CC_M2_T1_Data Center Technology.pptx121910301016gitam
 
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup Ricoh India Limited
 

Similaire à CISA Training - Chapter 4 - 2016 (20)

AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014AFAC session 2 - September 8, 2014
AFAC session 2 - September 8, 2014
 
des
desdes
des
 
CISA_WK_4.pptx
CISA_WK_4.pptxCISA_WK_4.pptx
CISA_WK_4.pptx
 
ISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process OverviewISO27001: Implementation & Certification Process Overview
ISO27001: Implementation & Certification Process Overview
 
Dynamic datacenter planning and design
Dynamic datacenter   planning and designDynamic datacenter   planning and design
Dynamic datacenter planning and design
 
Presilient Worldwide at a Glance
Presilient Worldwide at a GlancePresilient Worldwide at a Glance
Presilient Worldwide at a Glance
 
Technology considerations
Technology considerationsTechnology considerations
Technology considerations
 
gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2gkkCloudtechnologyassociate(cta)day 2
gkkCloudtechnologyassociate(cta)day 2
 
Security Baselines and Risk Assessments
Security Baselines and Risk AssessmentsSecurity Baselines and Risk Assessments
Security Baselines and Risk Assessments
 
ITIL Service Operation
ITIL Service OperationITIL Service Operation
ITIL Service Operation
 
CH12-CompSec4e.pptx
CH12-CompSec4e.pptxCH12-CompSec4e.pptx
CH12-CompSec4e.pptx
 
RESUME16
RESUME16RESUME16
RESUME16
 
Slide Structure
Slide StructureSlide Structure
Slide Structure
 
Chapter09
Chapter09Chapter09
Chapter09
 
DGI Compliance Webinar
DGI Compliance WebinarDGI Compliance Webinar
DGI Compliance Webinar
 
Remote IT Infra - lower cost & higher efficiency
Remote IT Infra - lower cost & higher efficiencyRemote IT Infra - lower cost & higher efficiency
Remote IT Infra - lower cost & higher efficiency
 
CC_M2_T1_Data Center Technology.pptx
CC_M2_T1_Data Center Technology.pptxCC_M2_T1_Data Center Technology.pptx
CC_M2_T1_Data Center Technology.pptx
 
Harsha CV
Harsha CVHarsha CV
Harsha CV
 
BiznetGio Presentation Business Continuity
BiznetGio Presentation Business ContinuityBiznetGio Presentation Business Continuity
BiznetGio Presentation Business Continuity
 
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
RPASS - Ricoh Proactive ServiceS for Remote Monitoring & Backup
 

Dernier

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfhans926745
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 

Dernier (20)

GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Tech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdfTech Trends Report 2024 Future Today Institute.pdf
Tech Trends Report 2024 Future Today Institute.pdf
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 

CISA Training - Chapter 4 - 2016

4.2.4 Incident and Problem Management
• Incident Management is reactive and its objective is to respond to and resolve issues as quickly as possible
• Problem Management aims to resolve issues through the investigation and in-depth analysis of a major incident, or several incidents of similar nature, in order to identify the root cause
• Problem Management objective is to “reduce” the number and/or severity of incidents, while incident management objective is to “return” the affected business process back to normal as quickly as possible
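The two objectives above can be measured from the same incident records: incident management tracks how quickly each service was returned to normal, while problem management looks for clusters of similar incidents (or one major incident) that justify root-cause analysis. The following is an added example, not material from the course slides; the incident records, the "three similar incidents" threshold and the 240-minute "major incident" cutoff are constructed illustrative values.

```python
"""Incident vs. problem management views over one incident log (added example)."""
from collections import defaultdict
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed incident records: (id, service, symptom, opened, restored).
INCIDENTS = [
    ("INC-1", "payroll", "db timeout", "2016-03-01 08:00", "2016-03-01 08:45"),
    ("INC-2", "payroll", "db timeout", "2016-03-03 09:10", "2016-03-03 09:40"),
    ("INC-3", "payroll", "db timeout", "2016-03-08 07:55", "2016-03-08 09:15"),
    ("INC-4", "email", "queue backlog", "2016-03-05 14:00", "2016-03-05 14:20"),
    ("INC-5", "web", "cert expired", "2016-03-06 00:05", "2016-03-06 06:00"),
]


def _minutes(opened, restored):
    return (datetime.strptime(restored, FMT) - datetime.strptime(opened, FMT)).total_seconds() / 60


def time_to_restore(incidents=INCIDENTS):
    """Incident-management view: minutes taken to return each service to normal."""
    return {inc_id: _minutes(opened, restored)
            for inc_id, _svc, _sym, opened, restored in incidents}


def problem_candidates(incidents=INCIDENTS, min_similar=3, major_minutes=240):
    """Problem-management view: groups of incidents that justify root-cause
    analysis, either several incidents of similar nature (same service and
    symptom) or a single major incident with a long outage."""
    groups = defaultdict(list)
    for inc_id, service, symptom, opened, restored in incidents:
        groups[(service, symptom)].append((inc_id, _minutes(opened, restored)))
    candidates = {}
    for key, items in groups.items():
        if len(items) >= min_similar:
            candidates[key] = ("recurring", [i for i, _ in items])
        elif any(m >= major_minutes for _, m in items):
            candidates[key] = ("major", [i for i, m in items if m >= major_minutes])
    return candidates


if __name__ == "__main__":
    for inc_id, mins in time_to_restore().items():
        print(f"{inc_id}: restored in {mins:.0f} min")
    for (svc, sym), (why, ids) in problem_candidates().items():
        print(f"problem candidate: {svc}/{sym} ({why}) -> {ids}")
```

The email incident is resolved quickly and never recurs, so it stays an incident record only; the three payroll timeouts and the six-hour certificate outage are what a problem manager would open a root-cause investigation on.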
4.2.6 Change Management Process
• Used when changing hardware, upgrading to new releases of off-the-shelf applications and configuring various network devices
• Often categorized into emergency changes, major changes, minor changes

4.2.7 Release Management
• Process through which software is made available to users
• Consists of the new or changed software required

4.2.8 Quality Assurance
• QA personnel verify that system changes are authorized, tested and implemented in a controlled manner prior to being introduced into the production environment

4.2.9 Information Security Management
• Includes various security processes to protect the information assets
• Should be integrated in all IT operation processes

4.2.10 Media Sanitization
• Establishes the controls, techniques and processes necessary to preserve the confidentiality of sensitive information stored on media to be reused, transported, or discarded
• “Sanitization” involves the eradication of information recorded on storage media to the extent of providing reasonable assurance that residual content cannot be salvaged or restored

4.3 Information Systems Hardware
• Key audit considerations such as capacity management, system monitoring, maintenance of hardware

4.3.1 Computer Hardware Components & Architectures
• Processing Components
  • CPU, RAM, ROM
• Input/output Components
  • Mouse, keyboard, touch screen
• Common Enterprise Back-end Devices
  • Print Servers
  • File Servers
  • Web Servers
  • Application Servers
  • Database Servers
• Universal Serial Bus (USB)
• Memory Cards/Flash Drives

Risks & Security Control
Risks:
• Viruses and other malicious software
• Data Theft
• Data and Media Loss
• Corruption of Data
• Loss of Confidentiality
Security Controls:
• Encryption
• Granular Control
• Educate Security Personnel
• Enforce the “Lock Desktop” policy
• Update the antivirus policy

Radio Frequency Identification (RFID)
• RFID uses radio waves to identify “tagged” objects within a limited radius
• “Tag” consists of a microchip and an antenna
• “Microchip” stores information along with an ID to identify a product
• The other part of the “tag” is the “antenna” which transmits the information to the RFID reader
RFID Applications:
• Asset Management
• Tracking
• Supply Chain Management (SCM)

Risks & Security Control
Risks:
• Business Process Risk
• Business Intelligence Risk
• Privacy Risk
Controls:
• Management
• Operational
• Technical

4.3.3 Hardware Monitoring Procedures
• Availability Reports
• Hardware Error Reports
• Utilization Reports

4.3.4 Capacity Management
• Planning and monitoring of computing and network resources to ensure that the available resources are used effectively and efficiently
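The three hardware monitoring reports and the capacity management objective can be produced from ordinary monitoring data. Below is an added example (not the slides' own material) that builds an availability report from an outage log, a hardware error report from console-style log lines, and a utilization report that flags both saturated and idle hosts. The outage figures, log lines, utilization samples and the 85%/10% thresholds are constructed illustrative values.

```python
"""Availability, hardware error and utilization reports from constructed
monitoring records (added example)."""

# Constructed outage log: (host, downtime in minutes) over a 30-day period.
OUTAGES = [("db01", 45), ("db01", 15), ("app02", 240)]

# Constructed hardware error log lines: date host component-kind component message.
ERROR_LOG = """\
2016-03-02 db01 disk sda: media error, sector remapped
2016-03-04 db01 disk sda: media error, sector remapped
2016-03-09 app02 memory DIMM3: corrected ECC error
2016-03-11 db01 disk sda: media error, sector remapped
"""

# Constructed CPU utilization samples (%) per host.
UTILIZATION = {
    "db01": [92, 95, 97, 94, 96],
    "app02": [35, 40, 38, 33, 36],
    "app03": [8, 6, 7, 9, 5],
}

PERIOD_MINUTES = 30 * 24 * 60


def availability_report(outages=OUTAGES, period=PERIOD_MINUTES):
    """Availability % per host = (period - total downtime) / period."""
    down = {}
    for host, minutes in outages:
        down[host] = down.get(host, 0) + minutes
    hosts = set(down) | set(UTILIZATION)
    return {h: round(100 * (period - down.get(h, 0)) / period, 3) for h in hosts}


def hardware_error_report(log=ERROR_LOG, repeat_threshold=3):
    """Count errors per (host, kind, component). A component that keeps
    reporting the same error is a replacement candidate before it fails."""
    counts = {}
    for line in log.splitlines():
        _date, host, kind, component, *_ = line.split()
        key = (host, kind, component.rstrip(":"))
        counts[key] = counts.get(key, 0) + 1
    return {k: v for k, v in counts.items() if v >= repeat_threshold}


def utilization_report(samples=UTILIZATION, high=85, low=10):
    """Capacity management is about effective and efficient use, so both a
    saturated host and an idle host are exceptions worth reporting."""
    report = {}
    for host, values in samples.items():
        avg = round(sum(values) / len(values), 1)
        if avg >= high:
            status = "saturated: add capacity or rebalance"
        elif avg <= low:
            status = "idle: consolidate"
        else:
            status = "ok"
        report[host] = (avg, status)
    return report


if __name__ == "__main__":
    print("availability:", availability_report())
    print("repeated hardware errors:", hardware_error_report())
    print("utilization:", utilization_report())
```

Note that the utilization report deliberately does not enforce a fixed floor such as "never below 85 percent"; that mirrors the capacity planning objective in self-assessment question 3 (resources used efficiently and effectively), where full utilization is not the goal.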
4.4 IS Architecture and Software
• System software is a collection of computer programs used in the design, processing and control of all computer applications used to operate and maintain the computer system
• Comprised of system utilities and programs, the system software ensures the integrity of the system
• Access control software
• Data communications software
• Database management software
• Program library management systems
• Tape and disk management systems
• Network management software
• Job scheduling software
• Utility programs

4.4.1 Operating Systems
• OS contains programs that interface between the user, processor and application software
• Provides the primary means of managing the sharing and use of computer resources such as processors, real memory, and I/O devices

4.4.3 Data Communications Software
• Used to transmit messages or data from one point to another

4.4.5 Database Management System
• DBMS aids in organizing, controlling and using the data needed by application programs
• Primary functions include reduced data redundancy, decreased access time and basic security over sensitive data

4.4.6 Tape and Disk Management Systems (DMS)
• A specialized system software that tracks and lists tape/disk resources needed for data center processing
• A TMS/DMS minimizes computer operator time and errors caused by locating improper files
• Systems include the data set name and specific tape reel or disk drive location, creation date, effective date, retention period, expiration date and contents information
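A minimal tape/disk management catalogue that carries the fields listed above (data set name, reel or disk location, creation date, effective date, retention period, derived expiration date, contents), as an added example rather than code from the course or any real TMS product. It answers the two questions an operator asks such a system: where is this data set, and which volumes have expired and may be released for reuse. The catalogue entries and volume identifiers are constructed; the guard against scratching a volume that still carries an unexpired data set is the check a practitioner would expect.

```python
"""Tape/disk management catalogue with retention-aware scratch selection (added example)."""
from datetime import date, timedelta

# Constructed catalogue: (data set name, volume = tape reel or disk location,
# creation date, effective date, retention period in days, contents).
CATALOG = [
    ("PAYROLL.MAR2016.FULL", "T00123", "2016-03-01", "2016-03-01", 90, "monthly payroll full backup"),
    ("GL.DAILY.D0305", "T00124", "2016-03-05", "2016-03-05", 14, "general ledger daily"),
    ("GL.DAILY.D0306", "T00124", "2016-03-06", "2016-03-06", 14, "general ledger daily"),
    ("AUDIT.LOGS.2015", "D:/ARCH/2015", "2016-01-10", "2016-01-10", 2555, "seven-year audit log retention"),
]


def expiration_date(created_iso, retention_days):
    """Expiration is derived from creation date plus the retention period."""
    return date.fromisoformat(created_iso) + timedelta(days=retention_days)


def locate(dsn, catalog=CATALOG):
    """Which reel or disk location holds this data set?"""
    for name, volume, *_ in catalog:
        if name == dsn:
            return volume
    raise KeyError(f"data set not catalogued: {dsn}")


def scratch_eligible(as_of_iso, catalog=CATALOG):
    """Volumes whose data sets have ALL expired as of the given date.
    A volume that still carries one retained data set must not be reused,
    because scratching it would destroy data inside its retention period."""
    as_of = date.fromisoformat(as_of_iso)
    expired, retained = set(), set()
    for name, volume, created, _effective, retention, _contents in catalog:
        if expiration_date(created, retention) <= as_of:
            expired.add(volume)
        else:
            retained.add(volume)
    return sorted(expired - retained)


def catalogue_listing(catalog=CATALOG):
    """Operator listing: name, location, expiration date and contents."""
    return [(name, volume, expiration_date(created, ret).isoformat(), contents)
            for name, volume, created, _eff, ret, contents in catalog]


if __name__ == "__main__":
    for row in catalogue_listing():
        print(*row, sep=" | ")
    print("PAYROLL.MAR2016.FULL is on", locate("PAYROLL.MAR2016.FULL"))
    print("scratch-eligible on 2016-03-25:", scratch_eligible("2016-03-25"))
```

On 2016-03-19 the first daily general-ledger data set has expired but the second has not, so reel T00124 is not yet eligible; six days later both have expired and the reel can be released. Releasing a volume is also the point at which the media sanitization controls from 4.2.10 apply if the reel leaves the data centre.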
4.4.9 Digital Rights Management (DRM)
• DRM refers to access control technologies that can be used by hardware manufacturers, publishers, copyright holders and individuals to impose limitations on the usage of digital content and devices
• Used by companies like Sony, Apple Inc., Microsoft, BBC

4.5 IS Network Infrastructure

4.5.1 Enterprise Network Architectures

4.5.3 Network Services
• Functional features made possible by appropriate OS applications
• Allow orderly utilization of the resources on the network

4.5.4 Network Standards and Protocols

4.5.5 OSI Architecture
• OSI (Open Systems Interconnection), benchmark standard for network architecture
• Composed of 7 layers, each layer specifying particular specialized tasks or functions
• Objective of OSI model is to provide a protocol suite used to develop data-networking protocols and other standards to facilitate multivendor interoperability

4.6 Auditing Infrastructure and Operations
• IS auditor to perform audits and specific reviews of hardware, OS, databases, networks, IS operations and problem management reporting

4.6.4 Network Infrastructure and Implementation Reviews

4.6.7 Problem Management & Reporting Reviews

4.7 Disaster Recovery Planning (DRP)
• Established to manage availability and restore critical processes/IT services in the event of interruption
• Importance and urgency of the business processes and IT services is defined through performing a BIA and assigning RTO, RPO
• Ultimate goal is to respond to incidents that may impact people and the ability of operations to deliver goods and services

4.7.1 RPO, RTO
Recovery Point Objective (RPO):
• Determined based on acceptable data loss in case of disruption of operations
• Indicates the earliest point in time in which it is acceptable to recover the data
Recovery Time Objective (RTO):
• Determined based on acceptable downtime in case of a disruption of operations
• Indicates the earliest point in time at which the business operations must resume after disaster

4.7.2 Recovery Strategies
• A recovery strategy identifies the best way to recover a system in case of interruption, including disaster, and provides guidance based on which detailed recovery procedures can be developed
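The RPO and RTO definitions in 4.7.1 and the recovery strategy choice in 4.7.2 can be put into code as an added worked example (this is not material from the course slides). The RPO side checks a backup schedule against the acceptable data loss, including the point that the backup's own run time eats into the usable backup interval; the RTO side picks the cheapest site type whose resumption time fits within the RTO. The backup timestamps, site types, resumption times and relative costs are constructed illustrative values, not figures from the course.

```python
"""RPO/RTO checks and recovery-site selection (added example)."""
from datetime import datetime

FMT = "%Y-%m-%d %H:%M"

# Constructed completion times of nightly backups and a constructed disaster time.
BACKUPS = ["2016-03-01 02:00", "2016-03-02 02:00"]
DISASTER = "2016-03-02 10:30"


def data_loss_hours(backup_times, disaster_time):
    """Worst-case data loss: the gap between the last backup completed
    before the disaster and the disaster itself."""
    disaster = datetime.strptime(disaster_time, FMT)
    completed = [datetime.strptime(t, FMT) for t in backup_times]
    completed = [t for t in completed if t <= disaster]
    if not completed:
        raise ValueError("no completed backup before the disaster")
    return (disaster - max(completed)).total_seconds() / 3600


def meets_rpo(backup_times, disaster_time, rpo_hours):
    """RPO is acceptable data loss, so the loss window must not exceed it."""
    return data_loss_hours(backup_times, disaster_time) <= rpo_hours


def max_backup_interval_hours(rpo_hours, backup_duration_hours):
    """How often backups must start to honour the RPO. A backup that takes
    D hours captures data as of its start, so the interval between starts
    must be at most RPO - D; an RPO shorter than the backup itself cannot be
    met by scheduled backups at all."""
    interval = rpo_hours - backup_duration_hours
    if interval <= 0:
        raise ValueError("backup duration exceeds RPO; a different technique is needed")
    return interval


# Constructed site options: (name, hours until operations resume, relative cost).
# A hot site is fully equipped and resumes fastest; a cold site only provides space.
SITE_OPTIONS = [
    ("hot site", 2, 3.0),
    ("warm site", 24, 2.0),
    ("cold site", 168, 1.0),
]


def choose_site(rto_hours, options=SITE_OPTIONS):
    """Cheapest option whose resumption time is within the RTO. A low tolerance
    to interruption (short RTO) therefore drives the choice toward a hot site."""
    feasible = [o for o in options if o[1] <= rto_hours]
    if not feasible:
        return None
    return min(feasible, key=lambda o: o[2])[0]


if __name__ == "__main__":
    print(f"data loss: {data_loss_hours(BACKUPS, DISASTER)} h")
    print("RPO 12h met:", meets_rpo(BACKUPS, DISASTER, 12))
    print("RPO 4h met:", meets_rpo(BACKUPS, DISASTER, 4))
    print("backup interval for RPO 8h with 2h backups:", max_backup_interval_hours(8, 2), "h")
    for rto in (4, 48, 200):
        print(f"RTO {rto}h -> {choose_site(rto)}")
```

With nightly backups and a mid-morning disaster the loss window is 8.5 hours, which satisfies a 12-hour RPO but not a 4-hour one; a 4-hour RTO leaves only the hot site feasible, which is the reasoning behind self-assessment question 2.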
4.7.4 Development of Disaster Recovery Plans

4.7.5 Organization and Assignment of Responsibilities

4.7.6 Backup and Restoration
• To ensure that the critical activities of an organization are not interrupted in the event of a disaster, secondary storage media are used to store software application files and associated data for backup purposes
Offsite Library Controls

Self-Assessment Questions
1. Which of the following provides the BEST method for determining the level of performance provided by similar information processing facility environments?
a) User satisfaction
b) Goal accomplishment
c) Benchmarking
d) Capacity and growth planning

2. For mission critical systems with a low tolerance to interruption and a high cost of recovery, the IS auditor would, in principle, recommend the use of which of the following recovery options?
a) Mobile site
b) Warm site
c) Cold site
d) Hot site

3. The key objective of capacity planning procedures is to ensure that:
a) Available resources are fully utilized
b) New resources will be added for new applications in a timely manner
c) Available resources are used efficiently and effectively
d) Utilization of resources does not drop below 85 percent

4. An IS auditor should be involved in:
a) Observing tests of the DRP
b) Developing the DRP
c) Maintaining the DRP
d) Reviewing the DR requirements of supplier contracts

Answers
1. c) Benchmarking
2. d) Hot site
3. c) Available resources are used efficiently and effectively
4. a) Observing tests of the disaster recovery plan