4.7.1 IS ARCHITECTURE AND SOFTWARE 27th Flashcards
Access control software is designed to prevent:
(1) unauthorized access to data,
(2) unauthorized use of system functions and programs, and
(3) unauthorized updates/changes to data, and
(4) to detect or prevent unauthorized attempts to access computer resources.
When auditing operating software development, acquisition or maintenance, what should be considered regarding System Software selection?
• System software selection
• Do they align with the enterprise architecture?
procedures
• Do they comply with short- and long-range IS plans?
• Do they meet the IS requirements?
• Are they properly aligned with the objectives of the business?
• Do they include IS processing and control requirements?
• Do they include an overview of the capabilities of the software and control options?
• Feasibility study
• Are same selection criteria applied to all proposals?
• Selection process
• Has the cost-benefit analysis of system software procedures
addressed:
• System software security
• Have procedures been established to restrict the ability to
circumvent logical security access controls?
• Have procedures been implemented to limit access to the system interrupt capability?
• Have procedures been implemented to manage software patches and keep the system software up-to-date?
• Are existing physical and logical security provisions adequate to restrict access to the master consoles?
• Were vendor-supplied installation passwords for the system
software changed at the time of installation?
• IT asset management
• Has an owner been designated?
• Have we retained a copy of the contracts/SLAs?
• What is the license agreement?
Are we in compliance with it?
• System software
When auditing operating software development, an IS should ensure the following areas adequately documented:
(1) Installation control statements
(2) parameter tables
(3) Exit definitions
(4) Activity logs/reports
Questions to ask to audit if controls are adequate in implementation?
(1) Change procedures?
(2) Authorization procedures?
(3) Access security features?
(4) Documentation requirements?
(5) Documentation of system testing?
(6) Audit trails?
(7) Access controls over the software in production?
• Has the cost-benefit analysis of system software procedures
addressed:
– Direct financial costs associated with the product?
– Cost of product maintenance?
– Hardware requirements and capacity of the product?
– Training and technical support requirements?
– Impact of the product on processing reliability?
– Impact on data security?
– Financial stability of the vendor’s operations?
When auditing operating software development, questions to ask:
• Are system software changes scheduled for times when the changes least impact IS processing?
• Has a written plan been established for testing changes to system software?
• Are test procedures adequate to provide reasonable assurance that changes applied to the system correct known problems and that
they do not create new problems?
• Are tests being completed as planned?
• Have problems encountered during testing been resolved and were the changes retested?
• Have fallback or restoration procedures been put in place in case of production failure?
The IS auditor should always be aware of the following:
- Who has access to source code
- Who can commit the code (push the code to production)
- Alignment of program source code to program objects
- Alignment with change and release management
- Backups of source code including those offsite and escrow agreements
The advantages of VCSs include:
- Control of source code access
- Tracking of source code changes
- Allowing for concurrent development • Allowing rollback to earlier versions • Allowing for branching
To detect software licensing violations, the IS auditor should:
- Review the listing of all standard, used and licensed application and system software.
- Obtain copies of all software contracts for these to determine the nature of the license agreements, be it an unlimited enterprise license, per-seat license or individual copies.
- Scan the entire network to produce a list of installed software.
- If required, review a list of server specifications including CPUs and cores.
- Compare the license agreements with the software that is actually installed noting any violations.
Options available to prevent software license violations include:
- Ensure a good software asset management process exists (see section 4.2, IT Asset Management).
- Centralize control, distribution and installation of software (includes disabling the ability of users to install software, where possible).
- Require that all PCs be restricted workstations with disabled or locked-down disk drives, USB ports, etc.
- Install metering software on the LAN and require that all PCs access applications through the metered software.
- Regularly scan user networks endpoints to ensure that unauthorized copies of software have not been loaded (achieved by comparing actual software loaded to the list of software assets).
- Enforce documented policies and procedures that require users to sign an agreement not to install software without management authorization and a software license agreement.
Software licenses are primarily contractual compliance—that is,
organizations agree to comply with the terms and conditions of the software publisher, with or without financial consideration.
In certain circumstances, an IS auditor may need expert _______ opinion to confirm compliance.
legal
By its very nature, source code may contain intellectual property and should be _______, and access should be restricted.
protected
If the software is ________ or developed in house, the organization will have full access to the source code.
bespoke
The actual source code should be managed using a ___________ ____________ _______, often called revision control software (RCS).
version control system (VCS)
_________ management is the planning and monitoring of computing and network resources to ensure that the available resources are used efficiently and effectively.
Capacity
__________ _________ requires that the expansion or reduction of resources takes place in parallel with the overall business growth or reduction.
Capacity Management
The capacity plan should be developed based on input from _____ and __ ________ to ensure that business goals are achieved in the most efficient and effective way.
user
IS Management
The Capacity Plan plan should be reviewed and updated _____
at least, annually
The following information is key to the successful capacity planning:
- CPU utilization
- Computer storage utilization
- Telecommunications
- LAN and WAN bandwidth utilization • I/O channel utilization
- Number of users
- New technologies
- New applications
- Service level agreements (SLAs)
An element in capacity management is deciding whether to
(1) host the organization’s applications distributed across several small servers, (2) consolidated onto a few large servers,
(3) in the cloud or (4) combinations of the three hosts.
Consolidating applications on a few large servers is also known as
application stacking
Consolidating applications on a few large servers often allows the organization to make better overall use of the resources, but
it increases the impact of a server outage, and it affects more applications when the server has to be shut down for maintenance.
Larger organizations often have hundreds, if not thousands, of servers that are arrayed in groups referred to as
server farms