4.7.1 IS ARCHITECTURE AND SOFTWARE 27th

Question 1

Access control software is designed to prevent:

Answer 1

(1) unauthorized access to data,
(2) unauthorized use of system functions and programs, and
(3) unauthorized updates/changes to data, and
(4) to detect or prevent unauthorized attempts to access computer resources.

Question 2

When auditing operating software development, acquisition or maintenance, what should be considered regarding System Software selection?

Answer 2

• System software selection
• Do they align with the enterprise architecture?
procedures
• Do they comply with short- and long-range IS plans?
• Do they meet the IS requirements?
• Are they properly aligned with the objectives of the business?
• Do they include IS processing and control requirements?
• Do they include an overview of the capabilities of the software and control options?
• Feasibility study
• Are same selection criteria applied to all proposals?
• Selection process
• Has the cost-benefit analysis of system software procedures
addressed:
• System software security
• Have procedures been established to restrict the ability to
circumvent logical security access controls?
• Have procedures been implemented to limit access to the system interrupt capability?
• Have procedures been implemented to manage software patches and keep the system software up-to-date?
• Are existing physical and logical security provisions adequate to restrict access to the master consoles?
• Were vendor-supplied installation passwords for the system
software changed at the time of installation?
• IT asset management
• Has an owner been designated?
• Have we retained a copy of the contracts/SLAs?
• What is the license agreement?
Are we in compliance with it?
• System software

Question 3

When auditing operating software development, an IS should ensure the following areas adequately documented:

Answer 3

(1) Installation control statements
(2) parameter tables
(3) Exit definitions
(4) Activity logs/reports

Question 4

Questions to ask to audit if controls are adequate in implementation?

Answer 4

(1) Change procedures?
(2) Authorization procedures?
(3) Access security features?
(4) Documentation requirements?
(5) Documentation of system testing?
(6) Audit trails?
(7) Access controls over the software in production?

Question 5

• Has the cost-benefit analysis of system software procedures
addressed:

Answer 5

– Direct financial costs associated with the product?
– Cost of product maintenance?
– Hardware requirements and capacity of the product?
– Training and technical support requirements?
– Impact of the product on processing reliability?
– Impact on data security?
– Financial stability of the vendor’s operations?

Question 6

When auditing operating software development, questions to ask:

Answer 6

• Are system software changes scheduled for times when the changes least impact IS processing?
• Has a written plan been established for testing changes to system software?
• Are test procedures adequate to provide reasonable assurance that changes applied to the system correct known problems and that
they do not create new problems?
• Are tests being completed as planned?
• Have problems encountered during testing been resolved and were the changes retested?
• Have fallback or restoration procedures been put in place in case of production failure?

Question 7

The IS auditor should always be aware of the following:

Answer 7

• Who has access to source code
• Who can commit the code (push the code to production)
• Alignment of program source code to program objects
• Alignment with change and release management
• Backups of source code including those offsite and escrow agreements

Question 8

The advantages of VCSs include:

Answer 8

• Control of source code access
• Tracking of source code changes
• Allowing for concurrent development • Allowing rollback to earlier versions • Allowing for branching

Question 9

To detect software licensing violations, the IS auditor should:

Answer 9

• Review the listing of all standard, used and licensed application and system software.
• Obtain copies of all software contracts for these to determine the nature of the license agreements, be it an unlimited enterprise license, per-seat license or individual copies.
• Scan the entire network to produce a list of installed software.
• If required, review a list of server specifications including CPUs and cores.
• Compare the license agreements with the software that is actually installed noting any violations.

Question 10

Options available to prevent software license violations include:

Answer 10

• Ensure a good software asset management process exists (see section 4.2, IT Asset Management).
• Centralize control, distribution and installation of software (includes disabling the ability of users to install software, where possible).
• Require that all PCs be restricted workstations with disabled or locked-down disk drives, USB ports, etc.
• Install metering software on the LAN and require that all PCs access applications through the metered software.
• Regularly scan user networks endpoints to ensure that unauthorized copies of software have not been loaded (achieved by comparing actual software loaded to the list of software assets).
• Enforce documented policies and procedures that require users to sign an agreement not to install software without management authorization and a software license agreement.

Question 11

Software licenses are primarily contractual compliance—that is,

Answer 11

organizations agree to comply with the terms and conditions of the software publisher, with or without financial consideration.

Question 12

In certain circumstances, an IS auditor may need expert _______ opinion to confirm compliance.

Answer 12

legal

Question 13

By its very nature, source code may contain intellectual property and should be _______, and access should be restricted.

Answer 13

protected

Question 14

If the software is ________ or developed in house, the organization will have full access to the source code.

Answer 14

bespoke

Question 15

The actual source code should be managed using a ___________ ____________ _______, often called revision control software (RCS).

Answer 15

version control system (VCS)

Question 16

_________ management is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively.

Answer 16

Capacity

Question 17

__________ _________ requires that the expansion or reduction of resources takes place in parallel with the overall business growth or reduction.

Answer 17

Capacity Management

Question 18

The capacity plan should be developed based on input from _____ and __ ________ to ensure that business goals are achieved in the most efficient and effective way.

Answer 18

user

IS Management

Question 19

The Capacity Plan plan should be reviewed and updated _____

Answer 19

at least, annually

Question 20

The following information is key to the successful capacity planning:

Answer 20

• CPU utilization
• Computer storage utilization
• Telecommunications
• LAN and WAN bandwidth utilization • I/O channel utilization
• Number of users
• New technologies
• New applications
• Service level agreements (SLAs)

Question 21

An element in capacity management is deciding whether to

Answer 21

(1) host the organization’s applications distributed across several small servers, (2) consolidated onto a few large servers,
(3) in the cloud or (4) combinations of the three hosts.

Question 22

Consolidating applications on a few large servers is also known as

Answer 22

application stacking

Question 23

Consolidating applications on a few large servers often allows the organization to make better overall use of the resources, but

Answer 23

it increases the impact of a server outage, and it affects more applications when the server has to be shut down for maintenance.

Question 24

Larger organizations often have hundreds, if not thousands, of servers that are arrayed in groups referred to as

Answer 24

server farms

Question 25

If an organization has put data storage hardware in place, the IS auditor should review the capacity management plans, which

Answer 25

involve data storage utilization and storage area network (SAN) utilization.

Question 26

Capacity management must also include

Answer 26

network devices, such as switches and routers, that comprise physically and logically separated networks (virtual local area networks [VLANs]).

Question 27

Capacity management ensures that all current and future capacity and performance aspects of the business requirements are provided in

Answer 27

a cost-effective manner.

Question 28

Information system ________ is one of the key business requirements for IT
systems.

Answer 28

capacity

Question 29

IT management should understand the capacity requirements

Answer 29

prior to the design of their information systems

Question 30

IT management should understand the capacity requirements and verify the final design

Answer 30

against the capacity requirements.

Question 31

IT management also must ______ capacity on an ongoing basis and provide additional capability as the business grows.

Answer 31

monitor

Question 32

With capacity management, expensive resources will only be provided when they are needed, thus resulting in a cost savings. T/F

Answer 32

True

Question 33

During procurement of the IT system, the capability management team will work with ___________ to estimate resource requirements and to ensure that adequate, but not excessive, resources are provided to support the new solutions.

Answer 33

the architect

Question 34

The size estimate is normally based

Answer 34

on number of transactions, size

of data being stored, transaction processing time and response time,

Question 35

When designing the application, determine its size by

Answer 35

(number of
concurrent users that can be handled, number of transactions and data storage requirements) and required server capability, memory size, processing power, etc.

Question 36

________ management aims to resolve issues through the investigation and in- depth analysis of a major incident or several incidents that are similar in nature to identify the root cause.

Answer 36

Problem

Question 37

Typical Types of Errors That Are Logged

Answer 37

• Application errors
• Network errors
• System errors
• Telecommunication errors
• Operator errors
• Hardware errors

Question 38

Items to Appear in an Error Log Entry

Answer 38

• Error date
• Initials of the individual responsible for closing the log entry
• Error resolution
• Department/center responsible for error resolution
description
• Status code of problem resolution (i.e., problem open, problem
• Error code
closed pending some future specified date, or problem irresolvable
• Error description in current environment)
• Source of error
• Narrative of the error resolution status
• Escalation date and time
• Initials of the individual responsible for maintaining the log

Question 39

For control purposes, the ability to ____ to the error log should not be restricted.

Answer 39

add

Question 40

The ability to update the error log, however, should be

Answer 40

restricted to authorized individuals,

Question 41

Updates to the error log should be

Answer 41

traceable.

Question 42

Proper segregation of duties requires that the ability to close an error log entry be assigned to a different individual than the one responsible for maintaining or initiating the error log entry. T/F

Answer 42

True

Question 43

The IS auditor should develop operations documentation to ensure that procedures exist for the escalation of unresolved problems to a higher level of IS management. T/F

Answer 43

False

IS management should develop…

Question 44

Problem escalation procedures

generally include:

Answer 44

• Names/contact details of individuals who can deal with specific types of problems
• Types of problems that require urgent resolution
• Problems that can wait until normal working hours
Problem resolution should be communicated to appropriate systems, programming, operations and user personnel to ensure that problems are resolved in a timely manner.

Question 45

The IS auditor should examine problem reports and logs

Answer 45

to ensure that they are resolved in a timely manner and are assigned to the individuals or groups most capable of resolving the problem.

Question 46

The departments and positions responsible for problem resolution should be part of problem management documentation.

Answer 46

problem management documentation.

Question 47

Typical Support Functions

Answer 47

• Determine the source of computer incidents and take appropriate corrective actions.
• Initiate problem reports, as required, and ensure that incidents are resolved in a timely manner.
• Obtain detailed knowledge of the network, system and applications.
• Answer inquiries regarding specific systems.
• Provide second- and third-tier support to business user and customer.
• Provide technical support for computerized telecommunications processing.
• Maintain documentation of vendor software, including issuance of new releases and problem fixes, as well as documentation of utilities and systems developed in house.
• Communicate with IS operations to signal abnormal patterns in calls or application behavior.

Question 48

NETWORK MANAGEMENT TOOLS

Answer 48

Response time reports 
Downtime reports
Help desk reports
Online monitors
Network monitors
Network (protocol) analyzers
Simple Network Management Protocol (SNMP)

Question 49

Response time reports identify

Answer 49

the time necessary for a command entered by a user at a terminal to be answered by the host system.

Question 50

Response time reports should be reviewed by

Answer 50

IS management and system support personnel to track potential problems.

Question 51

If response time is slow,

Answer 51

all possible causes, such as I/O channel bottlenecks, bandwidth utilization and CPU capacity, should be investigated; various solutions should be analyzed; and an appropriate and cost-justified corrective action should be taken.

Question 52

Response time is important because end users experiencing slow response time will be ________ to utilize IS resources to their fullest extent.

Answer 52

reluctant

Question 53

Response Time reports typically identify

Answer 53

average, worst and best response times over a given time interval for individual telecommunication lines or systems.

Question 54

Downtime reports track

Answer 54

the availability of telecommunication lines and circuits.

Question 55

Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified

Answer 55

a downtime report

Question 56

If downtime is excessive, IS management should consider the following remedies:

Answer 56

• Add or replace telecommunications lines.
• Switch to a more dependable transmission link (such as dedicated lines versus shared lines).
• Install backup power supplies.
• Improve access controls.
• Closely monitor line utilization to better forecast user needs, both in the near and long term.

Question 57

Help desk reports

Answer 57

are prepared by the help desk, which is staffed or supported by IT technicians who are trained to handle problems occurring during normal IS usage. If an end user encounters any problem, he/she can contact the help desk for assistance. Help desk facilities are critical to the telecommunication environment since they provide end users with an easy means of identifying and resolving problems quickly, before they have a major impact on IS performance and end-user resource utilization. Reports prepared by the help desk provide a history of the problems and their resolution.

Question 58

Online monitors

Answer 58

check data transmission accuracy and errors. Monitoring can be performed by echo checking (received data are bounced back to sender for verification) and status checking all transmissions, ensuring that messages are not lost or transmitted more than once.

Question 59

Network monitors

Answer 59

provide a real time display of network nodes and status.

Question 60

Network (protocol) analyzers

Answer 60

are diagnostic tools attached to a network link that use network protocols’ intelligence for monitoring the packets flowing along the link and produce network usage reports. Network analyzers are typically hardware-based and operate at the data link and/or network level.

Question 61

Network (protocol) analyzers output includes:

Answer 61

• Protocol(s) in use
• Type of packets flowing along the monitored link • Traffic volume analysis
• Hardware errors, noise and software problems
• Other performance statistics (e.g., percentage of used bandwidth)
• Problems and possible solutions

Question 62

Simple Network Management Protocol (SNMP)

Answer 62

is a TCP/IP-based protocol that monitors and controls variables throughout the network, manages configurations and collects statistics on performance and security. A master console polls all the network devices on a regular basis and displays the global status. SNMP software is capable of accepting, in real-time, specific operator requests. Based on the operator instructions, SNMP software sends specific commands to an SNMP-enabled device and retrieves the required information. To perform all of these tasks, each device (e.g., routers, switches, hubs, PCs and servers) needs to have an SNMP agent running. The SNMP communication occur between all the agents and the console.