Information Systems and Data Management Flashcards
What is in the IT Infrastructure?
Operating systems
Servers
Network Infrastructure
End-user devices
Operating Systems (OS)
Software that manages computer hardware and provides services for computer programs. It acts as an intermediary between the computer hardware and the computer user, making it possible for software applications to function.
Examples of Operating Systems (OS)
● Windows 10
● macOS Big Sur
● Linux distributions such as Ubuntu
● Mobile OSs like Android and iOS
Servers
Are computers designed to process requests and deliver data to another computer over the internet or a local network. They’re the backbone of any IT infrastructure, providing centralized data storage, processing, and management.
Examples of Servers
● Web Servers: Host websites. E.g., Apache or Nginx.
● Database Servers: Store and manage databases. E.g., MySQL, PostgreSQL.
● File Servers: Store and manage files within a network. E.g., Network Attached Storage (NAS) devices.
● Mail Servers: Manage and store emails. E.g., Microsoft Exchange.
Network Infrastructure
Consists of the hardware and software components used to connect computers and devices so they can communicate and share resources. It ensures the integrity and security of data transmission.
Examples of Network Infrastructure
● Switches: Devices that connect devices within a network, operating at the data link layer. E.g., Cisco Catalyst switches.
● Routers: Devices that connect different networks together, directing data traffic. E.g., Netgear routers.
● Firewalls: Devices or software that monitor and control incoming and outgoing network traffic, establishing a barrier between a trusted and an untrusted network. E.g., Fortinet firewalls.
● Wireless Access Points: Devices that allow wireless devices to connect to the wired network. E.g., Ubiquiti UniFi APs.
End-user Devices
Are the devices that end-users employ to access, input, and interact with data. They’re the primary interface between users and the IT infrastructure.
Examples of End-user Devices
● Desktops: Workstation computers like the Dell OptiPlex series.
● Laptops: Portable computers like Apple’s MacBook Pro or Lenovo’s ThinkPad.
● Tablets: Touchscreen devices such as the Apple iPad or Samsung Galaxy Tab.
● Smartphones: Mobile phones with advanced capabilities like the iPhone or Google Pixel.
● Thin clients: Lightweight computers that rely on a server for the heavy lifting, often used in centralized IT environments.
Cloud Computing
Refers to the on-demand delivery of computing resources over the internet, often on a pay-as-you-go basis. Instead of owning and maintaining physical servers, businesses can rent access to a range of services from a cloud service provider. This can lead to cost savings, increased scalability, and flexibility.
List the Cloud Computing Models
Infrastructure as a Service (IaaS)
Platform as a Service (PaaS)
Software as a Service (SaaS)
Infrastructure as a Service (IaaS)
Provides users with virtualized computing resources over the internet. IaaS is like renting space on a physical server or renting that server itself. Users get the raw infrastructure and have to manage the OS, applications, and data.
Examples of Infrastructure as a Service (IaaS)
● Amazon EC2 (Elastic Compute Cloud)
● Google Compute Engine
● Microsoft Azure VMs
Platform as a Service (PaaS)
Provides users with a platform and environment to directly develop, run, and manage applications without dealing with the complexity of building and maintaining the infrastructure.
Examples of Platform as a Service (PaaS)
● Google App Engine
● Microsoft Azure App Service
● Heroku
Software as a Service (SaaS)
Delivers software applications over the internet, on-demand, and typically on a subscription basis. Users access the software through a web browser.
Examples of Software as a Service (SaaS)
● Google Workspace (formerly G Suite)
● Microsoft 365
● Salesforce
● Dropbox
Deployment Models
Public Cloud
Private Cloud
Hybrid Cloud
Public Cloud
Owned and managed by third-party cloud service providers, which deliver computing resources such as servers and storage over the internet. Multiple users or tenants share the same infrastructure pool.
Benefits of a Public Cloud
Economies of scale
reduced costs
easy scalability
Examples of a Public Cloud
Amazon Web Services (AWS)
Google Cloud Platform (GCP)
Microsoft Azure
Private Cloud
Used exclusively by a single organization.
It can be hosted on-premises or by a third party, but the infrastructure is not shared.
Benefits of a Private Cloud
Greater control and security
data sovereignty
customization
Examples of a Private Cloud
VMware vCloud
OpenStack
Hybrid Cloud
Combines public and private clouds, allowing data and applications to be shared between them. Organizations can move workloads as needs and costs change, gaining greater flexibility and more deployment options.
Benefits of a Hybrid Cloud
Flexibility
scalability
security
cost-efficiency
Examples of a Hybrid Cloud
Using AWS and on-premises data centers together, or Azure with a private cloud setup.
What is the availability formula?
((Agreed Service Time − Downtime) / Agreed Service Time) × 100
What are the backup types?
Full Backup
Incremental Backup
Differential Backup
Steps to Detect Deficiencies
- Review Documentation
- Conduct Interviews
- Test Controls
- Monitor System Performance Metrics
- Examine Incident Logs
- Compare Against Benchmarks
What is the role of Cloud Service Providers (CSPs)?
CSPs offer cloud computing services that allow businesses to access and use computing resources over the internet on a pay-as-you-go or subscription basis.
What are the key responsibilities of CSPs?
Remember IPSSSSTII “I Put So So So So Much Transparency In Integration”
Infrastructure Maintenance
Platform & Software Updates
Security & Compliance
Service Availability & Reliability
Scalability & Performance Optimization
Support & Customer Service
Transparent Billing & Cost Management
Integration & Compatibility
Innovation & Feature Development
What is COSO Internal Control - Integrated Framework (ICIF)?
The ICIF emphasizes effective internal controls within an organization. With the shift towards cloud computing, businesses need to ensure that their internal controls extend to the cloud environment.
How does the COSO Internal Control-Integrated Framework (ICIF) apply?
- Control Environment: This relates to the organization’s stance on governance and risk management.
- Risk Assessment: Cloud computing introduces new risks, like potential data breaches or loss of data.
- Control Activities: With cloud computing, control activities could involve ensuring the proper configuration of cloud services.
- Information & Communication: Communication is vital when using cloud services.
- Monitoring: Organizations must continuously monitor cloud services to ensure they adhere to the set internal controls.
What is the COSO Enterprise Risk Management (ERM) Framework?
The ERM framework deals more with identifying and responding to risks in a strategic context.
In terms of cloud computing:
1. Governance and Culture
2. Strategy and Objective-Setting
3. Performance
4. Review and Revision
5. Information, Communication, and Reporting.
Sections in Availability
- Business Resiliency, Disaster Recovery, Business Continuity Plan
- Objective of mirroring & replication
- Steps in a business impact analysis
- Measures of systems availability
- Appropriateness of an organization's data backup
- Detecting deficiencies in controls related to availability using the TSC
Business Resiliency
Strategies to ensure an organization can continue operations during and after a disruptive event.
Purpose- Make it possible to rebound quickly or continue operations during challenges.
Sets up measures to be proactive, reactive, and adaptive.
Data Lifecycle Phases
Creation/Collection- How types of data are created and gathered from various sources
Use- how data is used
Storage- retaining data on various devices for future use
Disposal- archiving, deleting, and destroying data
Trust Services Criteria (TSC)
Suitable criteria for measuring or evaluating controls
5 TSC
-Security
-Availability
-Processing Integrity
-Confidentiality
-Privacy
All SOC examinations must include Security; the other four criteria are optional.
NIST Privacy Framework
Seeks to reduce privacy incidents that may cause issues for individual data subjects
5 functions
Identify- develop an understanding of privacy risks from data processing
Govern- Develop and implement a structure that allows understanding of privacy risk management priorities
Control- Control activities that respond to privacy risks
Communicate- Activities that support discussion and awareness of privacy
Protect- Develop and implement data processing safeguards
Order of execution for SQL SELECT queries
- FROM- specifies the tables from which to extract the data
- WHERE- filters the data
- GROUP BY- aggregates the data
- HAVING- filters aggregated data
- SELECT- specifies the fields extracted
- ORDER BY- sorts the returned data
- LIMIT- restricts the rows returned
Privacy vs Confidential
Confidential- pertains to protecting many types of restricted or proprietary information from unauthorized people.
Often comes with a legal obligation limiting the use, retention, or disclosure of the information.
Privacy- pertains to personal information.
While confidentiality is about unauthorized access, privacy is about unauthorized or inappropriate collection, storage, use, and sharing of personal data.
Type of Opinions
Unqualified (or Unmodified) Opinion- This is the “clean” opinion. It indicates that the service organization’s controls were suitably designed (for a Type 1 report) and operating effectively (for a Type 2 report) during the review period. No significant exceptions or deficiencies were noted.
Qualified Opinion- This opinion is provided when the service auditor determines that there are exceptions or deficiencies in certain areas, but they are limited in scope. In other words, most controls are deemed effective, but some specific issues were identified.
Adverse Opinion- An adverse opinion is provided when the service auditor determines that the controls were not suitably designed (for Type 1) or were not operating effectively (for Type 2) during the review period. This is a strong negative opinion indicating widespread issues.
Disclaimer of Opinion- This occurs when the service auditor cannot form an opinion due to significant scope limitations. For example, a lack of available evidence or significant restrictions on the auditor’s work may lead to a disclaimer of opinion.
Data Dictionary
Stores metadata related to the properties of fields in a relational database table, such as the correct data type, value, range, format, descriptions, and constraints.
COBIT 2019
Control Objectives for Information and Related Technologies
A framework for developing, implementing, monitoring, and improving IT governance and management practices.
Governance System Principles
● Stakeholder Value Delivery: Governance should focus on delivering value to stakeholders.
● Holistic Approach: Approach governance from a comprehensive perspective considering all components.
● Dynamic Governance System: The governance system should adapt to changes in enterprise goals and the context it operates in.
● Governance Distinct from Management: Clearly separate governance from management to ensure checks and balances.
Governance Framework Principles
● Flexible Framework: It should cater to any entity regardless of size, sector, or other variables.
● Based on a Conceptual Model: The framework is based on a structured and interconnected conceptual model.
● Aligned to Major Standards: The framework is aligned to other leading frameworks and standards.
● Science-Based Foundation: The foundation of the framework is rooted in research and academic rigor.
NIST SP 800-53
Offers a catalog of security and privacy controls designed to protect federal information systems and organizations from various threats such as cyber-attacks, natural disasters, and human errors. It helps organizations tailor and implement controls based on their risk assessments to safeguard operations, assets, and individuals.
Criteria for a vendor to be considered a subservice organization
- Provides services on behalf of the service org that are relevant to the system being described in the SOC report
- Its services affect the service org's ability to meet the control objectives stated in a SOC 1 report or the TSC in a SOC 2 report
- Has autonomy or discretion in its decision-making processes
- Its activities are so integrated with the service org's operations that they are part of the services it provides to user entities
Types of Data Storage
Data Storage
Data Warehouse
Data Lake
Data Mart
Database schemas
Star
Snowflake
Data Warehouse
A large, centralized repository of data that consolidates data from various sources to support business intelligence (BI) activities such as reporting and analysis.
Data is structured
Maintains historical data that doesn’t change
Integrated from various sources (cleaned and transformed)
Data Lake
A storage repository that holds a vast amount of raw data in its native format until it’s needed. It can store structured, semi-structured, or unstructured data.
Can store any data: logs, sensor data, audio, video, etc.
Structure is not defined when storing, only when reading.
Often built on low-cost storage.
OODA Loop
Observe
Orient
Decide
Act
What is the Observe category in the OODA Loop?
Security monitoring tools that identify events that might need further investigation:
-Security information and event management (SIEM)
-Intrusion detection systems
-NetFlow analyzers
-Vulnerability scanners
-Availability monitoring
-Web proxies
CIS Critical Security Controls
Critical controls that organizations should implement to mitigate cyber risks:
- Inventory and Control of Enterprise Assets
- Inventory and Control of Software Assets
- Data Protection
- Secure Configuration of Enterprise Assets and Software
- Account Management
- Access Control Management
- Continuous Vulnerability Management
- Audit Log Management
- Email and Web Browser Protections
- Malware Defenses
- Data Recovery
- Network Infrastructure Management
- Network Monitoring and Defense
- Security Awareness and Skills Training
- Service Provider Management
- Application Software Security
- Incident Response Management
- Penetration Testing