CISA Domain 4: Information Systems Operations, Maintenance and Service Management

This domain aims to ensure the candidate has a sound understanding of the processes for information systems operations, service management, and disaster recovery.

IS Operations are the hub of the IS wheel and ensure systems, applications and infrastructure operate as and when required, meeting the requirements for which they were designed. Internal or external teams can deliver services.

The scope of IS operations will vary depending on the size of the organization and its business context (i.e., different industries will require different types of IS support) but will typically cover hardware and software management, capacity management, job scheduling, data management, system performance management and user support. The starting point for any auditor is to understand the scope and the services in use.

Hardware and software management

Asset management

Having an accurate inventory of information assets helps companies reduce costs by re-deploying or removing those not needed. Asset management is also the first step in developing an IT security strategy, something we’ll discuss in more detail when considering domain 5. Auditors should confirm that a robust process is in use that identifies all assets, their last known location, recovery priority, security/risk classification, and owner.

Maintenance and release management

Hardware and software need frequent updates and auditors should confirm that a formal, approved, the maintenance plan is in place and covers pre-deployment testing, backup and restore plans, arrangements for priority processing and user communication.

Software releases, whether as part of maintenance or business change activity, also needs to be carefully planned to reduce risk and business impact. Rigorous implementation planning (note to Infosec Institute: link to CISA Domain 3) needs to be applied for each release: ‘simple’ releases have brought some organizations to a standstill because they’re not given enough attention.

Some hardware upgrades and software releases will require system (Read more...)

*** This is a Security Bloggers Network syndicated blog from InfoSec Resources authored by Brian Hickey. Read the original post at: