4.7.1 IS ARCHITECTURE AND SOFTWARE 27th Flashcards

1
Q

Access control software is designed to prevent:

A

(1) unauthorized access to data,
(2) unauthorized use of system functions and programs,
(3) unauthorized updates/changes to data, and
(4) to detect or prevent unauthorized attempts to access computer resources.

2
Q

When auditing operating software development, acquisition or maintenance, what should be considered regarding System Software selection?

A

• System software selection procedures
  – Do they align with the enterprise architecture?
  – Do they comply with short- and long-range IS plans?
  – Do they meet the IS requirements?
  – Are they properly aligned with the objectives of the business?
  – Do they include IS processing and control requirements?
  – Do they include an overview of the capabilities of the software and control options?
• Feasibility study
  – Are the same selection criteria applied to all proposals?
• Selection process
  – Has the cost-benefit analysis of system software procedures addressed:
• System software security
  – Have procedures been established to restrict the ability to circumvent logical security access controls?
  – Have procedures been implemented to limit access to the system interrupt capability?
  – Have procedures been implemented to manage software patches and keep the system software up-to-date?
  – Are existing physical and logical security provisions adequate to restrict access to the master consoles?
  – Were vendor-supplied installation passwords for the system software changed at the time of installation?
• IT asset management
  – Has an owner been designated?
  – Have we retained a copy of the contracts/SLAs?
  – What is the license agreement? Are we in compliance with it?
• System software

3
Q

When auditing operating software development, an IS auditor should ensure that the following areas are adequately documented:

A

(1) Installation control statements
(2) parameter tables
(3) Exit definitions
(4) Activity logs/reports

4
Q

Questions to ask when auditing whether controls over implementation are adequate:

A

(1) Change procedures?
(2) Authorization procedures?
(3) Access security features?
(4) Documentation requirements?
(5) Documentation of system testing?
(6) Audit trails?
(7) Access controls over the software in production?

5
Q

• Has the cost-benefit analysis of system software procedures addressed:

A

– Direct financial costs associated with the product?
– Cost of product maintenance?
– Hardware requirements and capacity of the product?
– Training and technical support requirements?
– Impact of the product on processing reliability?
– Impact on data security?
– Financial stability of the vendor’s operations?

6
Q

When auditing operating software development, questions to ask:

A

• Are system software changes scheduled for times when the changes least impact IS processing?
• Has a written plan been established for testing changes to system software?
• Are test procedures adequate to provide reasonable assurance that changes applied to the system correct known problems and that they do not create new problems?
• Are tests being completed as planned?
• Have problems encountered during testing been resolved and were the changes retested?
• Have fallback or restoration procedures been put in place in case of production failure?

7
Q

The IS auditor should always be aware of the following:

A
  • Who has access to source code
  • Who can commit the code (push the code to production)
  • Alignment of program source code to program objects
  • Alignment with change and release management
  • Backups of source code including those offsite and escrow agreements
8
Q

The advantages of VCSs include:

A
  • Control of source code access
  • Tracking of source code changes
  • Allowing for concurrent development
  • Allowing rollback to earlier versions
  • Allowing for branching
9
Q

To detect software licensing violations, the IS auditor should:

A
  • Review the listing of all standard, used and licensed application and system software.
  • Obtain copies of all software contracts for these to determine the nature of the license agreements, be it an unlimited enterprise license, per-seat license or individual copies.
  • Scan the entire network to produce a list of installed software.
  • If required, review a list of server specifications including CPUs and cores.
  • Compare the license agreements with the software that is actually installed noting any violations.
10
Q

Options available to prevent software license violations include:

A
  • Ensure a good software asset management process exists (see section 4.2, IT Asset Management).
  • Centralize control, distribution and installation of software (includes disabling the ability of users to install software, where possible).
  • Require that all PCs be restricted workstations with disabled or locked-down disk drives, USB ports, etc.
  • Install metering software on the LAN and require that all PCs access applications through the metered software.
  • Regularly scan user network endpoints to ensure that unauthorized copies of software have not been loaded (achieved by comparing actual software loaded to the list of software assets).
  • Enforce documented policies and procedures that require users to sign an agreement not to install software without management authorization and a software license agreement.
11
Q

Software licenses are primarily contractual compliance—that is,

A

organizations agree to comply with the terms and conditions of the software publisher, with or without financial consideration.

12
Q

In certain circumstances, an IS auditor may need expert _______ opinion to confirm compliance.

A

legal

13
Q

By its very nature, source code may contain intellectual property and should be _______, and access should be restricted.

A

protected

14
Q

If the software is ________ or developed in house, the organization will have full access to the source code.

A

bespoke

15
Q

The actual source code should be managed using a ___________ ____________ _______, often called revision control software (RCS).

A

version control system (VCS)

16
Q

_________ management is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively.

A

Capacity

17
Q

__________ _________ requires that the expansion or reduction of resources takes place in parallel with the overall business growth or reduction.

A

Capacity Management

18
Q

The capacity plan should be developed based on input from _____ and __ ________ to ensure that business goals are achieved in the most efficient and effective way.

A

user

IS Management

19
Q

The capacity plan should be reviewed and updated _____.

A

at least annually

20
Q

The following information is key to successful capacity planning:

A
  • CPU utilization
  • Computer storage utilization
  • Telecommunications
  • LAN and WAN bandwidth utilization
  • I/O channel utilization
  • Number of users
  • New technologies
  • New applications
  • Service level agreements (SLAs)
21
Q

An element in capacity management is deciding whether to

A

(1) host the organization’s applications distributed across several small servers, (2) consolidate them onto a few large servers, (3) host them in the cloud, or (4) use a combination of the three hosting options.

22
Q

Consolidating applications on a few large servers is also known as

A

application stacking

23
Q

Consolidating applications on a few large servers often allows the organization to make better overall use of the resources, but

A

it increases the impact of a server outage, and it affects more applications when the server has to be shut down for maintenance.

24
Q

Larger organizations often have hundreds, if not thousands, of servers that are arrayed in groups referred to as

A

server farms

25
Q

If an organization has put data storage hardware in place, the IS auditor should review the capacity management plans, which

A

involve data storage utilization and storage area network (SAN) utilization.

26
Q

Capacity management must also include

A

network devices, such as switches and routers, that comprise physically and logically separated networks (virtual local area networks [VLANs]).

27
Q

Capacity management ensures that all current and future capacity and performance aspects of the business requirements are provided in

A

a cost-effective manner.

28
Q

Information system ________ is one of the key business requirements for IT systems.

A

capacity

29
Q

IT management should understand the capacity requirements

A

prior to the design of their information systems

30
Q

IT management should understand the capacity requirements and verify the final design

A

against the capacity requirements.

31
Q

IT management also must ______ capacity on an ongoing basis and provide additional capability as the business grows.

A

monitor

32
Q

With capacity management, expensive resources will only be provided when they are needed, thus resulting in a cost savings. T/F

A

True

33
Q

During procurement of the IT system, the capacity management team will work with ___________ to estimate resource requirements and to ensure that adequate, but not excessive, resources are provided to support the new solutions.

A

the architect

34
Q

The size estimate is normally based

A

on the number of transactions, size of data being stored, transaction processing time and response time.

35
Q

When designing the application, determine its size by

A

(number of concurrent users that can be handled, number of transactions and data storage requirements) and required server capability, memory size, processing power, etc.

36
Q

________ management aims to resolve issues through the investigation and in-depth analysis of a major incident or several incidents that are similar in nature to identify the root cause.

A

Problem

37
Q

Typical Types of Errors That Are Logged

A
  • Application errors
  • Network errors
  • System errors
  • Telecommunication errors
  • Operator errors
  • Hardware errors
38
Q

Items to Appear in an Error Log Entry

A

• Error date
• Error resolution description
• Error code
• Error description
• Source of error
• Escalation date and time
• Initials of the individual responsible for maintaining the log
• Initials of the individual responsible for closing the log entry
• Department/center responsible for error resolution
• Status code of problem resolution (i.e., problem open, problem closed pending some future specified date, or problem irresolvable in current environment)
• Narrative of the error resolution status

39
Q

For control purposes, the ability to ____ to the error log should not be restricted.

A

add

40
Q

The ability to update the error log, however, should be

A

restricted to authorized individuals.

41
Q

Updates to the error log should be

A

traceable.

42
Q

Proper segregation of duties requires that the ability to close an error log entry be assigned to a different individual than the one responsible for maintaining or initiating the error log entry. T/F

A

True

43
Q

The IS auditor should develop operations documentation to ensure that procedures exist for the escalation of unresolved problems to a higher level of IS management. T/F

A

False

IS management should develop…

44
Q

Problem escalation procedures generally include:

A

• Names/contact details of individuals who can deal with specific types of problems
• Types of problems that require urgent resolution
• Problems that can wait until normal working hours

Problem resolution should be communicated to appropriate systems, programming, operations and user personnel to ensure that problems are resolved in a timely manner.

45
Q

The IS auditor should examine problem reports and logs

A

to ensure that they are resolved in a timely manner and are assigned to the individuals or groups most capable of resolving the problem.

46
Q

The departments and positions responsible for problem resolution should be part of __________ __________ __________.

A

problem management documentation.

47
Q

Typical Support Functions

A
  • Determine the source of computer incidents and take appropriate corrective actions.
  • Initiate problem reports, as required, and ensure that incidents are resolved in a timely manner.
  • Obtain detailed knowledge of the network, system and applications.
  • Answer inquiries regarding specific systems.
  • Provide second- and third-tier support to business users and customers.
  • Provide technical support for computerized telecommunications processing.
  • Maintain documentation of vendor software, including issuance of new releases and problem fixes, as well as documentation of utilities and systems developed in house.
  • Communicate with IS operations to signal abnormal patterns in calls or application behavior.
48
Q

NETWORK MANAGEMENT TOOLS

A
  • Response time reports
  • Downtime reports
  • Help desk reports
  • Online monitors
  • Network monitors
  • Network (protocol) analyzers
  • Simple Network Management Protocol (SNMP)
49
Q

Response time reports identify

A

the time necessary for a command entered by a user at a terminal to be answered by the host system.

50
Q

Response time reports should be reviewed by

A

IS management and system support personnel to track potential problems.

51
Q

If response time is slow,

A

all possible causes, such as I/O channel bottlenecks, bandwidth utilization and CPU capacity, should be investigated; various solutions should be analyzed; and an appropriate and cost-justified corrective action should be taken.

52
Q

Response time is important because end users experiencing slow response time will be ________ to utilize IS resources to their fullest extent.

A

reluctant

53
Q

Response time reports typically identify

A

average, worst and best response times over a given time interval for individual telecommunication lines or systems.

54
Q

Downtime reports track

A

the availability of telecommunication lines and circuits.

55
Q

Interruptions due to power/line failure, traffic overload, operator error or other anomalous conditions are identified in

A

a downtime report

56
Q

If downtime is excessive, IS management should consider the following remedies:

A
  • Add or replace telecommunications lines.
  • Switch to a more dependable transmission link (such as dedicated lines versus shared lines).
  • Install backup power supplies.
  • Improve access controls.
  • Closely monitor line utilization to better forecast user needs, both in the near and long term.
57
Q

Help desk reports

A

are prepared by the help desk, which is staffed or supported by IT technicians who are trained to handle problems occurring during normal IS usage. If an end user encounters any problem, he/she can contact the help desk for assistance. Help desk facilities are critical to the telecommunication environment since they provide end users with an easy means of identifying and resolving problems quickly, before they have a major impact on IS performance and end-user resource utilization. Reports prepared by the help desk provide a history of the problems and their resolution.

58
Q

Online monitors

A

check data transmission accuracy and errors. Monitoring can be performed by echo checking (received data are bounced back to sender for verification) and status checking all transmissions, ensuring that messages are not lost or transmitted more than once.

59
Q

Network monitors

A

provide a real-time display of network nodes and status.

60
Q

Network (protocol) analyzers

A

are diagnostic tools attached to a network link that use network protocols’ intelligence for monitoring the packets flowing along the link and produce network usage reports. Network analyzers are typically hardware-based and operate at the data link and/or network level.

61
Q

Network (protocol) analyzers output includes:

A
  • Protocol(s) in use
  • Type of packets flowing along the monitored link
  • Traffic volume analysis
  • Hardware errors, noise and software problems
  • Other performance statistics (e.g., percentage of used bandwidth)
  • Problems and possible solutions
62
Q

Simple Network Management Protocol (SNMP)

A

is a TCP/IP-based protocol that monitors and controls variables throughout the network, manages configurations and collects statistics on performance and security. A master console polls all the network devices on a regular basis and displays the global status. SNMP software is capable of accepting, in real time, specific operator requests. Based on the operator instructions, SNMP software sends specific commands to an SNMP-enabled device and retrieves the required information. To perform all of these tasks, each device (e.g., routers, switches, hubs, PCs and servers) needs to have an SNMP agent running. SNMP communication occurs between all the agents and the console.