s2-m4 Flashcards

1
Q

Steps in the Change Management Process

A
  1. Identify and define the need for system changes
  2. Design a high level plan including goals to be achieved because of the system change
  3. Obtain approval from management
  4. Develop an appropriate budget and timeline
  5. Assign personnel responsible for managing the system
  6. Identify and address potential risks that could occur during the change or post implementation
  7. Provide an implementation road map
  8. Procure necessary resources and train the appropriate personnel
  9. Test the system change
  10. Execute the implementation plan
  11. Review and monitor change implementation and test as needed
1
Q

What is change management?

A

The term used to describe the policies, procedures, and resources employed to govern change in an organization

2
Q

Development Environment

A

Where software programmers write code to create application prototypes. Typically a source code editing tool used to create and modify code

3
Q

Testing Environment

A

Where developers test and debug code to identify errors that need to be corrected. May be the same as the development environment, but some organizations keep it separate to focus on debugging

4
Q

Staging Environment

A

Where organizations can test programs that are in their final phases of development

5
Q

Disaster Recovery Environment

A

Organizations set up a disaster recovery environment to ensure that applications can be restored quickly, critical data and systems can be saved, management can be notified, and operations can recover in the event of an outage

6
Q

Lack of Expertise

Selection and Acquisition Risks

A

Risk that the purchasing agent does not have the expertise or organizational perspective to purchase software that meets the needs of the organization

7
Q

Lack of a formal Selection and Acquisition Process

Selection and Acquisition Risks

A

Risk that the organization does not have, or does not follow, formal selection and acquisition processes for software. This can result in overspending or in software that does not align with the IT governance strategy

8
Q

Software/Hardware Vulnerability and Incompatibility

Selection and Acquisition Risks

A

Risk that the proper safeguards and security features needed to adequately protect the organization from unauthorized use do not exist

9
Q

Service Organization's Perspective

SOC 2 Guidance

A

Perform annual risk assessments to determine whether identified risks and the controls linked to those risks are adequate

10
Q

Service Auditor's Perspective

SOC 2 Guidance

A

Obtain and inspect the annual risk assessment performed by the service organization to determine that new controls were implemented to address risks not sufficiently addressed by existing controls

11
Q

User Resistance

Integration Risks

A

Resistance by employees to adopting change results in training being ignored and, ultimately, the change not being followed through

12
Q

Lack of Management Support

Integration Risks

A

If management does not provide both resources and adequate support, this could magnify existing employee resistance

13
Q

Lack of Stakeholder Support

Integration Risks

A

Stakeholders involved in change may range from employees to suppliers to customers, any of which may have an adverse reaction or disposition toward the change

14
Q

Resource Concerns

Integration Risks

A

Change can be resource intensive. Appropriate resources may not be made available for the change

15
Q

Business Disruption

Integration Risks

A

With changes to IT infrastructure, there is the potential for brief or prolonged information system failures

16
Q

Lack of System Integration

Integration Risks

A

Organizations may operate many different systems, some of which may be legacy systems that do not effectively adapt to or integrate with more modern systems

17
Q

Lack of Organizational Knowledge

Outsourcing Risk

A

The organization must rely on the third party to fully comprehend its business model and needs so that the third party can integrate the change into the organization without causing disruption

18
Q

Uncertainty of the Third Party's Knowledge and Management

Outsourcing Risk

A

The risk that the external party has ineffective or weak management, inexperienced or underqualified staff, and a lack of technology expertise

19
Q

Lack of Security

Outsourcing Risk

A

Outsourcing can lead to the transmission of sensitive and confidential data. There is a risk that an external organization does not have sufficient or effective safeguards to make sure that client, customer, and employee information is kept secure

20
Q

Policies and Procedures

Change Management Control

A

Clear change management guidelines are needed to outline how the change management process should be executed

21
Q

Emergency Change Policies

Change Management Control

A

Separate contingency policies and procedures provide direction for emergency change situations, allowing for an expedited process that still maintains an audit trail and appropriate controls

22
Q

Standardized Change Requests

Change Management Control

A

Standardizing change requests by using consistent forms and request protocols helps complete all required changes in a timely fashion

23
Q

Impact Assessment

Change Management Control

A

An analysis documenting the effect the change will have on the organization's business activities, as well as any potential disruptions, will help prepare the organization for successful implementation

24
Q

Authorization

Change Management Control

A

Requiring designated levels of authorization for changes, including material modifications to the initial change plan, is necessary to protect against unauthorized modification of a project's scope

25
Q

Segregation of Duties

Change Management Control

A

Segregating job roles will help protect assets or information from being used improperly

26
Q

Conversion Controls

Change Management Control

A

When migrating from an existing system or process to a new one, conversion controls help minimize data conversion errors related to the impacted IT assets

27
Q

Reversion Access

Change Management Control

A

Some changes may cause unexpected complications; therefore, it is important to have the ability to revert to the prior system

28
Q

Pre-Implementation Testing

Change Management Control

A

Before moving the change into production, testing will help determine whether the change is functioning properly and there are no irregularities

29
Q

Post-Implementation Testing

Change Management Control

A

After the change is moved into production, reconciling transactions processed in the new environment against the same transactions processed in the previous environment

30
Q

Ongoing Monitoring

Change Management Control

A

Continuous, periodic reviews after implementation will promote long-term success

31
Q

What aspects of the annual risk assessment process should be evaluated?

Trust service criteria for SOC 2

A
  • the economic, regulatory, and physical environment in which the company operates
  • the business environment, industry, competition, and consumer dynamics
  • the effect that new lines of business, modified lines, expansion through acquisition, or downsizing through divestment can have on internal control
  • management's attitude toward internal controls
  • changes in the technology environment
  • partnerships with vendors
32
Q

Baseline Configuration

A

The starting point for documenting changes to a system. Establishing a baseline for reconfigurations ensures that changes are deployed in a consistent and secure environment

32
Q

System Component Inventory

A

A list of the items that comprise a system, including hardware, software, peripherals, and other IT assets

33
Q

Acceptance Criteria

A

Help enhance the likelihood that changes to systems or processes are clear and concise, properly tested prior to implementation, documented, approved, evaluated, and reviewed. Criteria are measurable and specific so that the change can be objectively evaluated

34
Q

Performance

Acceptance Criteria

A

Quantitatively, this may be measured using metrics such as the newly configured system's uptime, downtime, or speed in terms of seconds or minutes. If assessed qualitatively, this could simply be a rating of perceived performance by a testing panel

35
Q

Functionality

Acceptance Criteria

A

Qualitative; assesses whether an application or infrastructure component performs a target function and how efficient or practical it is to use the system in its intended environment.

36
Q

Scalability

Acceptance Criteria

A

The ease with which the system can scale up or down, quantitatively measured using metrics such as the maximum number of transactions that can be processed

37
Q

Compliance

Acceptance Criteria

A

May be measured by an objective qualitative assessment that renders a yes or no verdict of compliance

38
Q

Logging

A

The process of recording events into logs or databases so that the organization can track activities that occur on a system

39
Q

The Waterfall Model

A

Characterized by different teams of employees performing separate tasks in sequence, with each team beginning work from the pre-written authoritative agreement of the preceding team and ending work when the business requirements for that team have been met

40
Q

Waterfall Challenges

A
  • takes a lot of time to complete
  • benefits are not realized until completion
  • no customer input, and change can be difficult to manage
  • employees may be idle before beginning or after completing their stage
41
Q

The Agile method

A

Characterized by cross-functional teams, each dedicated to particular functions or improvements of a system drawn from a prioritized list of the customers' remaining needs for the system

42
Q

The Agile Principles

A
  1. Satisfy the customer with early and continuous delivery of highest priority features
  2. Welcome change
  3. Deliver working software frequently
  4. Complete only the work requested
  5. Conduct short, frequent, and regular meetings to maintain focus
43
Q

Patch Management

A

The systematic process of identifying specific vulnerabilities or software bugs in operating systems or applications and addressing them with patches or fixes between releases

44
Q

An effective patch management process includes

A
  • evaluating new patch releases
  • using a vulnerability scanning tool
  • testing patches in a test environment
  • approving and deploying patches
  • verifying that patches were deployed
45
Q

Direct

System Conversion Method

A

Involves ceasing the use of the old system and starting the new one immediately

46
Q

Parallel

System Conversion Method

A

The new system is implemented while the old system is still in use for an extended period of time with this conversion method

47
Q

Pilot

System Conversion Method

A

The organization performs the conversion on a small scale within a test environment while continuing to use the older system

48
Q

Phased

System Conversion Method

A

This transition plan gradually adds volume to the new system while continuing to operate the old system

49
Q

Hybrid

System Conversion Method

A

Custom combinations of the other approaches, tailored to the organization's needs

50
Q

A Change Advisory Board

A

Recommended to be in place so that organizations can adequately plan for change and respond to unwanted change outcomes

51
Q

Rollback

A

Requires a complete inventory of system configurations for applications and operating systems so that systems can be restored to the state that existed prior to the change

52
Q

Unit Testing

A

The process of examining the smallest increment, or unit, of an application. Unit testing can be broken down by function so that developers evaluate units of code that perform specific tasks as the application is being developed

53
Q

Integration testing

A

Also called thread testing or string testing; performed after unit testing to enhance the likelihood that different components or modules within an application will work cohesively once all units are integrated

54
Q

System testing

A

Verifies that all combined modules of a completed application work as designed in totality. Focuses on overall functionality

55
Q

Acceptance Testing

A

Developers assess an application to determine whether it meets end-user requirements. May involve beta testing