CISA Summary
Version 1.0
Christian Reina, CISSP

This document may be used only for informational, training and noncommercial purposes. You are free to copy, distribute, publish and alter this document under the condition that you give credit to the original author.
2010 - Christian Reina, CISSP.
Domain 1 – IT Governance

IT GOVERNANCE
"Collection of top-down activities intended to control the IT organization from a strategic perspective."
o Policy
o Priorities
o Standards
o Vendor Management
o Program/Project Management

IT Strategy Committee: Advise the board of directors on strategies.

Balanced Scorecard: Measure performance and effectiveness.
o Business contribution: Perception from non-IT executives
o User: Satisfaction
o Operational excellence: downtime, defects, support tickets
o Innovation: increase IT value with innovation

Information Security Governance
Roles and responsibilities:
o Board of Directors: risk appetite and risk management
o Steering Committee: Operational strategy for security and risk management
o CISO: conducting risk assessment, developing security policy, vulnerability management, incident management, compliance
o Employees: Comply with policies

Enterprise Architecture (EA)
Map business functions into the IT environment as a model. Activities to ensure business needs are met.
o Zachman Model: IT systems and environments are described at a high, functional level, and then in increasing detail.
o DFD: Illustrate the flow of information.

RISK MANAGEMENT
Seek, identify, and manage risk. Options: Accept, Mitigate, Transfer, Avoid.

Risk Management Program
o Objectives: reduce costs, incidents
o Scope
o Authority: Executive level of commitment
o Resources: Policies, processes, procedures, and records

Risk Management Process
1. Asset Identification: Equipment, information, records, reputation, personnel
   o Grouping assets
   o Sources of asset data: Interviews, IT systems, online data
   o Organizing data: Business process, geography, OU, sensitivity, regulated
2. Risk Analysis
   o Threat analysis: All threats with a realistic opportunity of occurrence
   o Vulnerability identification: Ranked by severity or criticality
   o Probability analysis: Requires research to develop best guesses
   o Impact analysis: Study of estimating the impact of specific threats on specific assets
   o Qualitative: Subjective, using a numeric scale
   o Quantitative:
      Asset Value (AV)
      Exposure Factor (EF)
      Single Loss Expectancy (SLE) = AV x EF
      Annualized Rate of Occurrence (ARO)
      Annualized Loss Expectancy (ALE) = SLE x ARO
3. Risk Treatments
   o Risk Mitigation
   o Risk Transfer
   o Risk Avoidance
   o Risk Acceptance
   o Residual Risk

IT MANAGEMENT PRACTICES
1. Personnel Management
   a. Hiring: Background check, Employee Policy Manual, Job Description
   b. Employee Development: Training, Performance evaluation, Career path
   c. Mandatory vacations: Audit, cross training, reduced risk
   d. Termination
   e. Transfers and reassignments
2. Sourcing
   a. Insource
   b. Outsource: risks, SLA, policy, governance (service level agreements, change management, security, quality, audits), SaaS
3. Change Management
   a. Request
   b. Review
   c. Approve
   d. Perform change
   e. Verify change
4. Financial Management
   a. Develop
   b. Purchase
   c. Rent
5. Quality Management
   a. Software development
   b. Software acquisition
   c. Service desk
   d. IT operations
   e. Security
   f. Standards:
      i. ISO 9000: Superseded by ISO 9001:2008 Quality Management System
      ii. ISO 20000: IT Service Management for organizations adopting ITIL
      iii. ITIL
         1. Service Delivery
         2. Control Processes
         3. Release Processes
         4. Relationship Processes
         5. Resolution Processes
6. Security Management
   a. Security Governance
   b. Risk Assessment
   c. Incident Management
   d. Vulnerability Management
   e. Access and Identity Management
   f. Compliance Management
   g. BCP
7. Performance Management
   a. COBIT
   b. SEI CMMI

ROLES AND RESPONSIBILITIES
1. Executive Management: CIO, CTO, CSO, CISO, CPO
2. Software Development: Architect, analyst, developer, programmer, tester
3. Data Management: Architect, DBA, analyst
4. Network Management: Architect, engineer, administrator, telecom
5. Systems Management: Architect, engineer, storage, systems administrator
6. Operations: Manager, analyst, controls analyst, data entry, media librarian
7. Security Operations: Architect, engineer, analyst, account management, auditor
8. Service Desk: Help desk, technical support

SEGREGATION OF DUTIES CONTROLS
1. Transaction authorization
2. Split custody
3. Workflow: extra approval
4. Periodic reviews

AUDITING IT GOVERNANCE
1. Reviewing Documentation and Records:
   a. IT charter, strategy
   b. IT org chart
   c. HR/IT performance
   d. HR promotion policy
   e. HR manuals
   f. Life-cycle processes and procedures
   g. IT operations procedures
   h. IT procurement process
   i. Quality management documents
2. Reviewing Contracts
   a. Service levels
   b. Quality levels
   c. Right to audit
   d. 3rd party audit
   e. Conformance to policies, laws, regulations
   f. Incident notification
   g. Liabilities
   h. Termination terms
   i. Protection of PII
3. Reviewing Outsourcing
   a. Distance
   b. Lack of audit contract terms
   c. Lack of cooperation
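The quantitative risk analysis (AV, EF, SLE, ARO, ALE) and the four risk treatments listed under Risk Management above, worked through as an added Python example; this is not code from the original summary, and the asset values, exposure factors, occurrence rates and safeguard costs are constructed sample figures.

```python
"""Quantitative risk analysis with the CISA summary's symbols, plus a
cost/benefit comparison of the four risk treatments.

    SLE = AV x EF        single loss expectancy
    ALE = SLE x ARO      annualized loss expectancy

All asset values, exposure factors, occurrence rates and safeguard costs
below are constructed sample figures, not data from the original summary.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Risk:
    asset: str
    av: float   # Asset Value (AV), in currency units
    ef: float   # Exposure Factor (EF): fraction of AV lost per occurrence
    aro: float  # Annualized Rate of Occurrence (ARO): events per year

    def __post_init__(self) -> None:
        if not 0.0 <= self.ef <= 1.0:
            raise ValueError("EF must be a fraction between 0 and 1")
        if self.av < 0 or self.aro < 0:
            raise ValueError("AV and ARO cannot be negative")

    @property
    def sle(self) -> float:
        """Single Loss Expectancy: AV x EF."""
        return self.av * self.ef

    @property
    def ale(self) -> float:
        """Annualized Loss Expectancy: SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Treatment:
    """One treatment option: accept, mitigate, transfer or avoid.

    new_ef / new_aro describe the risk that remains after the treatment
    (None keeps the current value); annual_cost is what the treatment costs
    per year (safeguard, insurance premium, or revenue given up by avoiding).
    """
    name: str
    kind: str
    annual_cost: float = 0.0
    new_ef: Optional[float] = None
    new_aro: Optional[float] = None


def residual_risk(risk: Risk, t: Treatment) -> Risk:
    """Residual risk left after applying the treatment."""
    if t.kind == "accept":
        return risk
    if t.kind == "avoid":            # activity stopped: nothing left to lose
        return Risk(risk.asset, risk.av, 0.0, 0.0)
    if t.kind in ("mitigate", "transfer"):
        ef = risk.ef if t.new_ef is None else t.new_ef
        aro = risk.aro if t.new_aro is None else t.new_aro
        return Risk(risk.asset, risk.av, ef, aro)
    raise ValueError("unknown treatment kind: " + t.kind)


def net_benefit(risk: Risk, t: Treatment) -> float:
    """Annual ALE reduction minus annual cost: the control's value to the business."""
    return risk.ale - residual_risk(risk, t).ale - t.annual_cost


def best_treatment(risk: Risk, options: List[Treatment]) -> Tuple[Treatment, float]:
    """Pick the option with the highest net benefit (accept scores 0)."""
    scored = [(t, net_benefit(risk, t)) for t in options]
    return max(scored, key=lambda pair: pair[1])


# Constructed scenario: a customer database worth 500,000; a breach exposes
# 40% of that value and is expected once every four years.
CUSTOMER_DB = Risk("customer database", av=500_000, ef=0.40, aro=0.25)

OPTIONS = [
    Treatment("accept", "accept"),
    Treatment("encrypt + monitor", "mitigate", annual_cost=15_000, new_ef=0.10),
    Treatment("cyber insurance", "transfer", annual_cost=20_000, new_ef=0.15),
    Treatment("stop storing data", "avoid", annual_cost=60_000),
]

if __name__ == "__main__":
    print(f"SLE={CUSTOMER_DB.sle:,.0f}  ALE={CUSTOMER_DB.ale:,.0f}")
    for t in OPTIONS:
        print(f"{t.name:18} residual ALE={residual_risk(CUSTOMER_DB, t).ale:>9,.0f}"
              f"  net benefit={net_benefit(CUSTOMER_DB, t):>9,.0f}")
    print("best:", best_treatment(CUSTOMER_DB, OPTIONS)[0].name)
```

A negative net benefit (the avoidance option here) is the signal that a treatment costs more per year than the loss it prevents, which is exactly the comparison an auditor expects to see documented when a control is selected.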
4. Assess and evaluate the effectiveness of IT

Domain 2 – The Audit Process

AUDIT MANAGEMENT
The Audit Charter: Defines roles and responsibilities. Sufficient authority.
The Audit Program: scope, objectives, resources, procedures.
Strategic Audit Planning:
o Factors: Business goals and objectives, initiatives, market conditions, changes in technology, regulatory requirements.
o Changes in audit activities: New internal audits, new external audits, increase in audit scope, impact on business process.
o Resource planning: Budget and manpower.
Audit and Technology: Continue learning about new technologies.

Audit Laws and Regulations:
Characteristics: Security, Integrity, Privacy
Computer Security and Privacy Regulations:
o Categories: Computer trespass, protection of sensitive information, collection and use of information, law enforcement investigative powers
o Consequences: Loss of reputation, competitive advantage, sanctions, lawsuits, fines, prosecution
"An organization should take a systematic approach to determine the applicability of regulations as well as the steps required to attain compliance and remain in this state."

US Regulations:
o Access Device Fraud 1984
o Computer Fraud and Abuse Act 1984
o Electronic Communications Act 1986
o Electronic Communications Privacy Act (ECPA) 1986
o Computer Security Act 1987
o Computer Matching and Privacy Protection Act 1988
o Communications Assistance for Law Enforcement Act (CALEA) 1994
o Economic and Protection of Proprietary Information Act 1996
o Health Insurance Portability and Accountability Act (HIPAA) 1996
o Children's Online Privacy Protection Act (COPPA) 1998
o Identity Theft and Assumption Deterrence Act 1998
o Gramm-Leach-Bliley Act 1999
o Federal Energy Regulatory Commission (FERC)
o Provide Appropriate Tools Required to Intercept and Obstruct Terrorism Act (PATRIOT) 2001
o Sarbanes-Oxley Act 2002
o Federal Information Security Management Act (FISMA) 2002
o Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM) 2003
o California Privacy Act SB1386 2003
o Identity Theft and Assumption Deterrence Act 2003
o Basel II 2004
o Payment Card Industry Data Security Standard (PCI-DSS) 2004
o North American Electric Reliability Corporation (NERC) 1968/2006
o Massachusetts Security Breach Law 2007

Canadian Regulations:
o Interception of Communications, Section 184
o Unauthorized Use of Computer, Section 342.1
o Privacy Act 1983
o Personal Information Protection and Electronic Documents Act (PIPEDA)

European Regulations:
o Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data 1981
o Computer Misuse Act (CMA) 1990
o Directive on the Protection of Personal Data 2003, European Union
o Data Protection Act (DPA) 1998
o Regulation of Investigatory Powers Act 2000
o Anti-Terrorism Crime and Security Act 2001
o Privacy and Electronic Communications Regulations 2003
o Fraud Act 2006
o Police and Justice Act 2006

Other Regulations:
o Cybercrime Act 2001, Australia
o Information Technology Act 2000, India

ISACA AUDITING STANDARDS
Code of Ethics:
Members and ISACA certification holders shall:
1. Support the implementation of, and encourage compliance with, appropriate standards, procedures and controls for information systems.
2. Perform their duties with objectivity, due diligence and professional care, in accordance with professional standards and best practices.
3. Serve in the interest of stakeholders in a lawful and honest manner, while maintaining high standards of conduct and character, and not engage in acts discreditable to the profession.
4. Maintain the privacy and confidentiality of information obtained in the course of their duties unless disclosure is required by legal authority. Such information shall not be used for personal benefit or released to inappropriate parties.
5. Maintain competency in their respective fields and agree to undertake only those activities which they can reasonably expect to complete with professional competence.
6. Inform appropriate parties of the results of work performed, revealing all significant facts known to them.
7. Support the professional education of stakeholders in enhancing their understanding of information systems security and control.

Audit Standards
S1, Audit Charter
S2, Independence
S3, Professional Ethics and Standards
S4, Professional Competence
S5, Planning
S6, Performance of Audit Work
S7, Reporting
S8, Follow-up Activities
S9, Irregularities and Illegal Acts
S10, IT Governance
S11, Use of Risk Assessment in Audit Planning
S12, Audit Materiality
S13, Use the Work of Other Experts
S14, Audit Evidence
S15, IT Controls
S16, E-Commerce

Audit Guidelines
G1, Using the Work of Other Auditors
G2, Audit Evidence Requirement
G3, Use of Computer-Assisted Audit Techniques (CAATs)
G4, Outsourcing of IS Activities to Other Organizations
G5, Audit Charter
G6, Materiality Concepts for Auditing IS
G7, Due Professional Care
G8, Audit Documentation
G9, Audit Considerations for Irregularities and Illegal Acts
G10, Audit Sampling
G11, Effect of Pervasive IS Controls
G12, Organizational Relationship and Independence
G13, Use of Risk Assessment in Audit Planning
G14, Application Systems Review
G15, Planning
G16, Effect of Third Parties on an Organization's IT Controls
G17, Effect of Nonaudit Role on the IS Auditor's Independence
G18, IT Governance
G19, Irregularities and Illegal Acts
G20, Reporting
G21, Enterprise Resource Planning (ERP) Systems Review
G22, Business to Consumer (B2C) E-Commerce Review
G23, SDLC Review
G24, Internet Banking
G25, Review of VPN
G26, Business Process Reengineering (BPR) Review
G27, Mobile Computing
G28, Computer Forensics
G29, Post-implementation Review
G30, Competence
G31, Privacy
G32, BCP
G33, General Consideration on the Use of the Internet
G34, Responsibility, Authority, and Accountability
G35, Follow-up Activities
G36, Biometric Controls
G37, Configuration Management
G38, Access Controls
G39, IT Organization
G40, Review of Security Management Practices

Audit Procedures
P1, Risk Assessment
P2, Digital Signature and Key Management
P3, IDS
P4, Viruses
P5, Control Risk Self-Assessment
P6, Firewall
P7, Irregularities and Illegal Acts
P8, Security Assessment (Pen test, vulnerability analysis)
P9, Encryption
P10, Business Application Change Control
P11, Electronic Funds Transfer

RISK ANALYSIS
o Evaluating business processes
o Identifying business risks
o Risk mitigation
o Countermeasures assessment
o Monitoring

INTERNAL CONTROLS
Control Classification
o Types: Technical, Administrative, Physical
o Classes: Preventative, Detective, Deterrent, Corrective, Compensating, Recovery
o Categories: Manual, Automatic
Internal Control Objectives: Statements of desired outcomes from business operations. Protection of IT assets, availability of IT systems.
o IS Control Objectives: Protection of information from unauthorized personnel, integrity of operating systems
General Computing Controls: GCCs are controls that apply across all applications and services.
o Passwords are encrypted
o Strong passwords
IS Controls: Each GCC is mapped to a specific IS control on each system type.

PERFORMING AN AUDIT
Formal Planning:
o Purpose
o Scope
o Risk analysis
o Audit procedures
o Resources
o Schedule
Types:
o Operational
o Financial
o IS audit
o Administrative
o Compliance
o Forensic
o Service provider
o Pre-audit
Compliance vs. Substantive Testing
o Compliance: Determine if control procedures have been properly designed and implemented and are operating properly.
o Substantive: Determine the accuracy and integrity of transactions that flow through processes and information systems.
Audit Methodology
o Audit subject
o Audit objective
o Audit type
o Audit scope
o Pre-audit planning
o Audit SoW
o Audit procedures
o Communication plan
o Report preparation
o Wrap-up
o Post-audit follow-up
Audit Evidence
o Independence of the evidence provider
o Qualifications of the evidence provider
o Objectivity
o Timing
Gathering Evidence
o Org chart
o Review department and project charters
o Review 3rd party contracts
o Review IS policies and procedures
o Review IS standards
o Review IS documentation
o Personnel interviews
o Passive observation
Observing Personnel
o Real tasks
o Skills and experience
o Security awareness
o Segregation of duties
Sampling
o Statistical: Reflects the entire population
o Judgmental: Subjectively selects samples based on established criteria
o Attribute: Samples are examined and a specific attribute is chosen
o Variable: Determines the characteristic of a given population to determine total value
o Stop-or-go: Sampling can stop at the earliest possible time due to low risk and rate of exceptions
o Discovery: Trying to find at least one exception in a population
o Stratified: Create different classes and review one attribute common to all classes
Computer-Assisted Audit: CAATs help examine and evaluate data across complex environments.
Reporting Audit Results
o Cover letter
o Intro
o Summary
o Description
o Listing of systems and processes examined
o Listing of interviewees
o Listing of evidence obtained
o Explanation of sampling technique
o Description of findings and recommendations
Audit Risk
o Control risk: undetected error by an internal control
o Detection risk: IS auditor will overlook errors
o Inherent risk: Inherent risks exist independent of the audit
o Overall audit risk: summation of all of the residual risks
o Sampling risk: sampling technique will not detect
Materiality: A monetary threshold in financial audits.

CONTROL SELF-ASSESSMENT
Methodology used by an organization to review key business objectives, and the key controls designed to manage those risks.
Advantages
o Risks detected earlier
o Improvement of internal controls
o Ownership of controls
o Improved employee awareness
o Improved relationship between departments and auditors
Disadvantages
o Mistaken as a substitute for internal audit
o May be considered extra work
o May be considered an attempt by an auditor to shrug off responsibilities
o Lack of employee involvement has no results
Life Cycle
o Identify and assess risks
o Identify and assess controls
o Develop questionnaire or workshop
o Analyze completed questionnaire
o Control remediation
o Awareness training
Domain 3 – IT LifeCycle Management

Organization's methodologies and practices for the development and management of software, infrastructure, and business processes.

PORTFOLIO AND PROGRAM MANAGEMENT
A program is an organization of many large, complex activities, and can be thought of as a set of projects that work to fulfill one or more key business objectives or goals.
Starting a Program:
o Program charter
o Identification of available resources
Running a Program:
o Monitoring project schedules
o Managing project budgets
o Managing resources
o Identifying and managing conflicts
o Creating status reports
Project Portfolio Management
o Executive sponsor
o Program manager
o Project manager
o Start and end dates
o Names of participants
o Objectives or goals that the project supports
o Budget
o Resources
o Dependencies
Business Case Development
o Business problem
o Feasibility study results
o High-level project plan
o Budget
o Metrics
o Risks

PROJECT MANAGEMENT
Organizing Projects
o Direct report: Project team leader
o Influencer: Influences members but does not manage them directly
o Pure project: Given authority
o Matrix: Authority over each project team member
Initiating a project
Developing Project Objectives
o Object Breakdown Structure (OBS): Visual representation of the system, software, or application, in a hierarchical form.
o Work Breakdown Structure (WBS): Logical representation of the high-level and detailed tasks that must be performed to complete the project.
Managing Projects
o Managing the project schedule
o Recording task completion
o Running project meetings
o Tracking project expenditures
o Communicating project status
Project Roles and Responsibilities
o Senior management: support the approval of the project
o IT steering committee: Commission the feasibility study, approve project
o Project manager
o Project team members
o End-user management: Assign staff to the project team. Support development of cases
o End users
o Project sponsor: define project objectives, provide budget
o Systems development management
o System developers
o Security manager
o IT Operations
Project Planning
   Task identification
   Task estimation
   Task resources
   Task dependencies
   Milestone tracking
   Task tracking
o Estimating and sizing software projects
   Object Breakdown Structure (OBS)
   Work Breakdown Structure (WBS)
   Source Lines of Code (SLOC): accurate estimate based on previous analysis for the time to develop a program.
   COCOMO: Constructive Cost Model, method for estimating software development projects.
   Function Point Analysis (FPA): time-proven estimation technique for larger software projects. It studies the detailed design specifications for an application program and counts the number of user inputs, user outputs, user queries, files, and external interfaces.
   Other costs: development tools, workstations, servers, software licenses, network devices, training, equipment
o Scheduling Project Tasks: Critical phase
   Gantt Chart
   Program Evaluation and Review Technique (PERT)
   Critical Path Methodology (CPM): It is important to identify the critical path in a project, because this allows the project manager to understand which tasks are most likely to impact the project schedule and to determine when the project will finally conclude.
   Timebox Management: A period in which a project must be completed.
o Project Records:
   Project plans
   Project changes
   Meeting agendas and minutes
   Resource consumption
   Task information
o Project Documentation: Helps users, support staff, IT operations, developers, and auditors
o Project Change Management: The procedures for making changes to the project should be done in two basic steps:
   The project team should identify the specific use, impact, and remedy. Make a formal request.
   This change request should be presented to management along with its impact. Management should make a decision.
o Project closure
   Project debrief
   Project documentation archival
   Management review
   Training
   Formal turnover to users, operations and support
o Methodologies
   Project Management Body of Knowledge (PMBOK): Process based
      Processes: Inputs, Techniques, Outputs
      Process groups: Initiating, Planning, Executing, Controlling and monitoring, Closing
   Projects IN Controlled Environments (PRINCE2): Project management framework
      Starting up a project (SU)
      Planning (PL)
      Initiating a project (IP)
      Directing a project (DP)
      Controlling a stage (CS)
      Managing product delivery (MP)
      Managing Stage Boundaries (SB)
      Closing a project (CP)
   Scrum: Iterative and incremental process most commonly used to project manage an agile software development effort.
      Scrum master: this is the project manager
      Product owner: this is the customer
      Team
      Users
      Stakeholders
      Managers

SOFTWARE DEVELOPMENT LIFE CYCLE (SDLC)
1. Feasibility Study: Determine whether a specific change or set of changes in business processes and underlying applications is practical to undertake.
   o Time required to develop / acquire software
   o A comparison between the cost of developing the application vs. buying
   o Whether an existing system can meet the business need
   o Whether the application supports strategic business objectives
   o Whether a solution can be developed that is compatible with other IT systems
   o The impact of the proposed changes to the business on regulatory compliance
   o Whether future requirements can be met by the system
2. Requirements: Characteristics of a new application or changes being made.
   o Business functional requirements: Must have to support the business
   o Technical requirements and standards: Use the same basic technologies already in use as well as formal technical standards.
   o Security and Regulatory Requirements:
      Authentication
      Authorization
      Access control
      Encryption
      Data validation
      Audit logging
      Security operational requirements
   o DR/BCP Requirements
   o Privacy Requirements
   o RFP Process: Request For Proposal
      Requirements
      Vendor financial stability
      Product roadmap
      Experience
      Vision
      References
      Questions for clients: Satisfaction with installation, satisfaction with migration, satisfaction with support, satisfaction with long-term roadmap, what went well, what did not go well
      Contract negotiation
      Closing the RFP
3. Design: A top-down approach
4. Development:
   o Coding the application
   o Developing program and system level documents
   o Developing user procedures
   o Working with users
   o Developing in a software acquisition setting: Customizations, interfaces of other systems, authentication, reports
   o Debugging: Correct operations, input validation, proper output validation, resource usage
   o Source Code Management (SCM): Protection, control, version control, recordkeeping
5. Testing
   o Unit testing: by developers during the coding phase. Should be a part of the development of each module in the application.
   o System testing: end-to-end testing. Includes interface testing, migration testing.
   o Functional testing: Verification of functional requirements
   o User Acceptance Testing (UAT): In most cases, it is a formal step to find out if the organization accepts the software developed by a 3rd party.
   o Quality Assurance Testing (QAT)
6. Implementation
   o Planning: Prepare physical space for production systems, build production systems, install application software, migrate data
   o Training: End users, customers, support staff, trainers
   o Data migration: Record counts, batch totals, checksums
   o Cutover: Parallel, geographic, module by module, roll-back
   o Rollback Planning
7. Post Implementation
   o Implementation review: System adequacy, security review, issues, ROI
   o Software maintenance

Development Risks
o Application inadequacy
o Project risk
o Business inefficiency
o Market changes

Development Approaches and Techniques
o Agile Development
o Prototyping
o Rapid Application Development (RAD)
o Data Oriented System Development (DOSD)
o Object-Oriented System Development (OO)
o Component based development: CORBA, DCOM, SOA
o Web-Based Application Development: HTML, SOAP, XML
o Reverse Engineering

System Development Tools
o Computer-Aided Software Engineering (CASE)
   Upper CASE: requirements gathering, DFDs, interfaces
   Lower CASE: Creation of program source code and data schemas
o Fourth Generation Languages

INFRASTRUCTURAL DEVELOPMENT AND IMPLEMENTATION
1. Review of existing architecture
2. Requirements
   a. Business functional requirements
   b. Technical requirements and standards
   c. Security and regulatory requirements
   d. Privacy requirements
3. Design
   a. Procurement
4. Testing
5. Implementation
6. Maintenance

MAINTAINING INFORMATION SYSTEMS
Change Management Process
   Change request
   Change review
   Perform change
   Emergency changes
Configuration Management
   Recovery: stored independent of the systems themselves
   Consistency: It will simplify administration, reduce mistakes, and result in less unscheduled downtime.

BUSINESS PROCESSES
Business Process Life Cycle (BPLC)
1. Feasibility study
2. Requirements definition
3. Design
4. Development
5. Testing
6. Implementation
7. Monitoring
8. Post-implementation
Benchmarking a Process
   Plan
   Research
   Measure and observe
   Analyze
   Adapt: understand the fundamental reasons why other organizations' measurements are better than its own.
   Improve
Capability Maturity Models
Software Engineering Institute Capability Maturity Model (SEI CMM)
   o Initial
   o Repeatable
   o Defined
   o Managed
   o Optimizing
Capability Maturity Model Integration (CMMI): An aggregation of these other models into an overall maturity model.
ISO 15504: Software Process Improvement and Capability dEtermination (SPICE)
   o Level 0 incomplete
   o Level 1 performed
   o Level 2 managed
   o Level 3 established
   o Level 4 predictable
   o Level 5 optimizing

APPLICATION CONTROLS
Input Controls
   Authorization
   o User access controls
   o Workstation identification
   o Approved transactions and batches
   o Source documents
   Input validation
   o Type checking
   o Range and value checking
   o Existence
   o Consistency
   o Length
   o Check digits
   o Spelling
   o Unwanted characters
   o Batch controls
   Error handling
   o Batch rejection
   o Transaction rejection
   o Request re-input
Processing Controls
   Editing
   o Calculations
   o Run-to-run totals
   o Limit checking
   o Batch totals
   o Manual recalculation
   o Reconciliation
   o Hash values
   o Data file controls
   o Data file security
   o Error handling
   o Internal and external labeling
   o Data file version
   o Source files
   o Transaction logs
   Processing errors
Output Controls
   Controlling special forms
   Report distribution and receipt
   Reconciliation
   Retention
AUDITING THE SOFTWARE DEVELOPMENT LIFE CYCLE
Auditing Project Management
Auditing the Feasibility Study
Auditing Requirements
Auditing Design
Auditing Development
Auditing Implementation
Auditing Post-Implementation
Auditing Software Acquisition
Auditing Change Management
Auditing Configuration Management

AUDITING BUSINESS CONTROLS
Identify the key processes in an organization and understand the controls that are in place, or should be in place, that govern the integrity of those processes.

AUDITING APPLICATION CONTROLS
Transaction Flow
Observations
Data Integrity Testing: Used to confirm whether an application properly accepts, processes, and stores information.
Testing Online Processing Systems
Auditing Applications
Continuous Auditing: Several techniques are available to perform online auditing:
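The input validation checks and batch controls listed under Application Controls, and the data integrity testing described just above (does the application properly accept, process and store information), as an added Python example that is not code from the original summary. It assumes pipe-delimited account|amount|cost_centre payment records, a mod-10 (Luhn) check digit on a 10-digit account number, and a batch header carrying the sender's control totals; every record and total is constructed.

```python
"""Application input controls and batch controls from the CISA summary,
applied to a constructed batch of payment records. Transaction-level checks
(type, range/value, existence, length, check digit, unwanted characters)
reject single records; batch-level controls (record count, batch total,
hash total) reject the whole batch when what was received does not
reconcile with what the sender dispatched.

Assumptions, not from the original summary: records are pipe-delimited
account|amount|cost_centre lines, the account number is 10 digits ending
in a mod-10 (Luhn) check digit, and the batch header carries the control
totals as COUNT=..|TOTAL=..|HASH=..
"""
import re
from decimal import Decimal, InvalidOperation
from typing import Dict, List, Tuple

VALID_COST_CENTRES = {"1000", "1200", "4100"}      # existence check: reference table
MAX_AMOUNT = Decimal("100000.00")                  # range / limit check
ALLOWED_CHARS = re.compile(r"^[0-9A-Za-z|.\-]+$")  # unwanted-character check


def luhn_ok(number: str) -> bool:
    """Mod-10 (Luhn) check digit: catches single-digit typos and most transpositions."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def validate_record(line: str) -> List[str]:
    """Input validation for one transaction; an empty list means accepted."""
    if not ALLOWED_CHARS.match(line):
        return ["unwanted characters"]
    fields = line.split("|")
    if len(fields) != 3:
        return ["wrong field count"]
    account, amount, cost_centre = fields
    errors: List[str] = []
    if not (account.isdigit() and len(account) == 10):   # type + length check
        errors.append("account length/type")
    elif not luhn_ok(account):                           # check digit
        errors.append("account check digit")
    try:
        value = Decimal(amount)                          # type check
        if value <= 0 or value > MAX_AMOUNT:             # range and value check
            errors.append("amount out of range")
    except InvalidOperation:
        errors.append("amount type")
    if cost_centre not in VALID_COST_CENTRES:            # existence check
        errors.append("cost centre does not exist")
    return errors


def process_batch(header: str, lines: List[str]) -> Dict[str, object]:
    """Apply transaction rejection, then batch rejection, to a received batch."""
    expected = dict(kv.split("=", 1) for kv in header.split("|"))
    accepted: List[str] = []
    rejected: List[Tuple[str, List[str]]] = []
    for line in lines:
        errors = validate_record(line)
        if errors:
            rejected.append((line, errors))
        else:
            accepted.append(line)
    # Control totals are recomputed over everything received, so a record
    # lost or altered in transit shows up as a mismatch even when every
    # record that did arrive passes its own checks.
    total, hash_total = Decimal(0), 0
    for line in lines:
        fields = line.split("|")
        if len(fields) == 3:
            if fields[0].isdigit():
                hash_total += int(fields[0])      # hash total over account numbers
            try:
                total += Decimal(fields[1])       # batch total over amounts
            except InvalidOperation:
                pass
    mismatches = []
    if len(lines) != int(expected["COUNT"]):
        mismatches.append("record count")
    if total != Decimal(expected["TOTAL"]):
        mismatches.append("batch total")
    if hash_total != int(expected["HASH"]):
        mismatches.append("hash total")
    return {"accepted": accepted, "rejected": rejected,
            "mismatches": mismatches, "batch_rejected": bool(mismatches)}


# Constructed batch: two clean records followed by one failure of each kind.
BATCH_HEADER = "COUNT=6|TOTAL=1860.50|HASH=29124579107"
BATCH = [
    "1234567897|250.00|1000",
    "9988776655|1200.50|4100",
    "1234567890|100.00|1200",     # bad check digit
    "5555555555|-40.00|1000",     # amount out of range
    "5555555555|300.00|9999",     # cost centre does not exist
    "5555555555|50.00|1000$",     # unwanted character
]

if __name__ == "__main__":
    result = process_batch(BATCH_HEADER, BATCH)
    print("accepted:", len(result["accepted"]), "rejected:", result["rejected"])
    print("batch rejected:", result["batch_rejected"], result["mismatches"])
    print("same header, one record missing:",
          process_batch(BATCH_HEADER, BATCH[:-1])["mismatches"])
```

Running the same header against a batch with one record missing shows the batch-level controls doing their job: every remaining record still passes, but record count, batch total and hash total all fail to reconcile, so the batch as a whole is rejected.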
Domain 4 – IT Service Delivery & Infrastructure

IT organizations are effective if their operations are effective. IT organizations are service organizations: their existence is to serve the organization and support its business processes.

INFORMATION SYSTEMS OPERATIONS
Management and control of operations
o Process and procedures
o Standards
o Resource allocation
o Process management
IT Service Management (ITSM)
o Service desk
o Incident mgt
o Problem mgt
o Change mgt
o Configuration mgt
o Release mgt: ITIL terms used to describe the SDLC. Used for changes in a system such as:
   Incidents and problem resolution
   Enhancements
   Subsystem patches and changes
o Service-level mgt
o Financial mgt
o Capacity mgt
   Periodic measurements
   Considering planned changes
   Understanding long-term strategies
   Changes in technology
o Service continuity mgt
o Availability mgt
   Effective change mgt
   Effective application testing
   Resilient architecture
   Serviceable components
Infrastructure Operations
o Running scheduled jobs
o Restarting failed jobs/processes
o Facilitating backup jobs
o Monitoring systems/apps/networks
Monitoring
Software Program Library Management: System that is used to store and manage access to an organization's application source and object code
o Access and authorization controls
o Program checkout
o Program check-in
o Version control
o Code analysis
Quality Assurance
Security Management
o Policies, procedures, processes, and standards
o Risk assessments
o Impact analysis
o Vulnerability management

INFORMATION SYSTEMS HARDWARE
Computer usage
o Types: supercomputer, mainframe, midrange, server, desktop, laptop, mobile
o Uses: app server, web server, file server, DB server, print server, test server, thin client, thick client, workstation
Computer architecture
o CPU: CISC (Complex Instruction Set Computer), RISC (Reduced Instruction Set Computer), single processor, multi-processor
o Bus: PCI, PC Card, MBus, SBus
o Main storage
o Secondary storage: Program storage, data storage, temporary files, OS, virtual memory
o Firmware: Flash, EPROM, PROM, ROM, EEPROM
o I/O and networking
o Multi-computer: Blade computers, grid computing, server clusters, virtual servers
Hardware maintenance
Hardware monitoring

INFORMATION SYSTEMS ARCHITECTURE AND SOFTWARE
Computer Operating Systems
   Access to peripherals
   Storage mgt
   Process mgt
   Resource allocation
   Communication
   Security
o OS virtualization
o Clustering: using special software
o Grid computing: a form of distributed computing
o Cloud computing: dynamically scalable and usually virtualized
Data Communication Software
File Systems: Directories, files, FAT, NTFS, HFS (Hierarchical File System), ISO 9660 (CD-ROM, DVD), UDF (Universal Disk Format)
Database Management Systems
o Relational DB Management (rDBMS): Primary key, one or more indexes, referential integrity, encryption, audit logging, access controls
o Object Database (ODBMS): Represented as objects; data and the programming method are contained in an object
o Hierarchical Database: Top-down
Media Management System: Tape Management Systems (TMS) or Disk Management Systems (DMS)
Utility software
o Software and data design
o Software development
o Software testing
o Security testing
o Data management
o System health
o Network

NETWORK INFRASTRUCTURE
Network Architecture
o Physical network architecture
o Logical network architecture
o Data flow architecture
o Network standards and services
Types of networks
o Personal Area Network (PAN): up to 3 meters, used to connect peripherals for use by an individual
o LAN
o Campus Area Network (CAN)
o Metropolitan Area Network (MAN)
o WAN
Network-based Services: email, print, file storage, remote access, directory, terminal emulation, time synch, network authentication, web security, anti-malware, network management
Network Models
o OSI: Application, presentation, session, transport, network, data link, physical
o TCP/IP: Link, internet, transport, application
Network Technologies
o LAN
   Physical topology: Star, Ring, Bus