CISA Domain 4: Information Systems Operations, Maintenance and Service Management
This domain aims to ensure the candidate has a sound understanding of the processes for information systems operations, service management, and disaster recovery.
IS Operations are the hub of the IS wheel and ensure systems, applications and infrastructure operate as and when required, meeting the requirements for which they were designed. Internal or external teams can deliver services.
The scope of IS operations will vary depending on the size of the organization and its business context (i.e., different industries will require different types of IS support) but will typically cover hardware and software management, capacity management, job scheduling, data management, system performance management and user support. The starting point for any auditor is to understand the scope and the services in use.
Hardware and software management
Having an accurate inventory of information assets helps companies reduce costs by re-deploying or removing those not needed. Asset management is also the first step in developing an IT security strategy, something we’ll discuss in more detail when considering domain 5. Auditors should confirm that a robust process is in use that identifies all assets, their last known location, recovery priority, security/risk classification, and owner.
Maintenance and release management
Hardware and software need frequent updates, and auditors should confirm that a formal, approved maintenance plan is in place and covers pre-deployment testing, backup and restore plans, arrangements for priority processing and user communication.
Software releases, whether part of maintenance or business change activity, also need to be carefully planned to reduce risk and business impact. Rigorous implementation planning (see CISA Domain 3) needs to be applied to each release: ‘simple’ releases have brought some organizations to a standstill because they were not given enough attention.
Some hardware upgrades and software releases will require system downtime, and this too needs to be carefully orchestrated. Backup and recovery processes must be watertight, and the main user stakeholders should be consulted throughout the process.
The use of all computing and infrastructure resources must be planned to ensure they are used optimally, with allocation increased or decreased as appropriate. Auditors should confirm a capacity management plan is in place, prepared and approved at least annually, although significant organizational change will require a more frequent update.
The auditor should understand the concepts of database design, database administration, potential problems in transaction processing and security issues associated with database management systems.
Additionally, they should familiarize themselves with the quantity, type, and value of data held by the organization and its criticality to ongoing business operations. This information will feed into reviews they might have to perform on service management or disaster recovery arrangements.
Based on the type and value of data, the auditor must make sure data management controls are in place such as validation of data accuracy, data backup and restore procedures, user access, and administration privileges.
Service management is the set of processes, procedures and functions used to manage IS operations. Most organizations will implement industry-wide service management frameworks such as ISO20000-1:2011 and ITIL. Given their wide adoption, candidates should have a good understanding of the content and application of both frameworks.
They should also be familiar with the creation and monitoring of Service Level Agreements (SLAs), especially where third-party suppliers are involved. In that case, SLAs form part of the supply contract and often carry penalty clauses, meaning they need to be well defined and closely managed.
Problem and incident management
An Incident is any event that interrupts or reduces the quality of service.
Auditors should understand good practices for incident and problem management and ensure the organization has processes in place to detect, report, manage and resolve incidents promptly. Incident management processes should also be tested and be the subject of regular training.
A critical element of the IM process is the quick determination of the urgency and impact of the incident and hence the priority for resolution.
As well as checking the IM process, auditors should examine previous incidents to confirm the process was followed and incidents fully resolved. There should also be a problem management process to find the root cause(s) of any incident, ensure a fix is implemented and consider the likelihood of any related problems.
The IS landscape should be developed with resilience as a key feature, i.e., the ability of critical components to resist failure or recover quickly from any disruption, usually with minimal recognizable effect. However, problems will happen, and for high impact incidents, it may be necessary to invoke disaster recovery (DR) arrangements.
The DR plan should contain conditions for invoking and ending DR arrangements; roles and responsibilities, response strategy, recovery point & recovery time objectives, recovery strategies and the communication plan. These items will usually vary for each system or cluster of systems that are affected by the incident.
The recovery point objective (RPO) is the maximum targeted period in which data might be lost as a result of an incident and the recovery time objective (RTO) is the maximum length of time that a computer, system, network, or application can be down after an incident occurs. The RTO is a function of the extent to which the interruption disrupts normal operations and the amount of revenue lost as a result of the incident.
Recovery strategies include hot, warm, cold and mobile sites, which provide varying elements of the organization’s IS setup, and reciprocal arrangements between separate but similar companies to temporarily share their IT facilities in the event that a partner to the agreement loses processing capability. Cost and speed are factors in deciding which is appropriate, as are the RPO and RTO. Different systems will have different solutions.
Auditors must be able to evaluate the contents of the DR plan for completeness and correctness and ensure the criteria and process for invoking DR are clearly defined. Since the DR process is itself a disruption, any ambiguity could be used as a reason by some staff to avoid it.
The DR plan should be continually maintained to reflect changes made to the IS landscape. Some types of business need to prepare a DR plan that complies with country or regulatory requirements, most often where there is consumer impact or the service offered by the organization has health and safety implications. DR plans should be tested, and auditors should review test documents and results. Reference to ISO 27031:2011 can help auditors evaluate the completeness and effectiveness of a DR plan.
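As an added illustration of how an auditor can check DR test results against the RPO and RTO defined above (example code written for this page, not part of the original article or any ISACA material), the script below evaluates constructed test records: observed data loss against RPO, observed downtime against RTO, and whether the backup interval can guarantee the RPO in the worst case. System names, times and targets are invented sample data.

```python
from datetime import datetime, timedelta

# Constructed DR test records (sample data, not from any real organization).
# Each record holds the system's RPO/RTO targets, its scheduled backup interval,
# and the timeline observed during a DR test.
DR_TEST_RESULTS = [
    {"system": "order-db", "rpo": timedelta(minutes=15), "rto": timedelta(hours=2),
     "backup_interval": timedelta(hours=1),
     "last_backup": datetime(2024, 3, 1, 9, 50),
     "outage_start": datetime(2024, 3, 1, 10, 0),
     "restored": datetime(2024, 3, 1, 11, 30)},
    {"system": "hr-portal", "rpo": timedelta(hours=24), "rto": timedelta(hours=8),
     "backup_interval": timedelta(hours=24),
     "last_backup": datetime(2024, 2, 28, 2, 0),
     "outage_start": datetime(2024, 3, 1, 10, 0),
     "restored": datetime(2024, 3, 1, 20, 0)},
]

def evaluate_dr_test(r):
    """Return the audit findings for one system's DR test against its objectives.

    data loss = outage start - last restorable backup   (must be <= RPO)
    downtime  = service restored - outage start         (must be <= RTO)
    Even when the observed loss met the RPO, a backup interval longer than the
    RPO means the worst case (failure just before the next backup) cannot meet it.
    """
    data_loss = r["outage_start"] - r["last_backup"]
    downtime = r["restored"] - r["outage_start"]
    findings = []
    if data_loss > r["rpo"]:
        findings.append("RPO missed: data loss %s exceeds %s" % (data_loss, r["rpo"]))
    if downtime > r["rto"]:
        findings.append("RTO missed: downtime %s exceeds %s" % (downtime, r["rto"]))
    if r["backup_interval"] > r["rpo"]:
        findings.append("backup interval %s cannot guarantee RPO %s"
                        % (r["backup_interval"], r["rpo"]))
    return findings

def dr_test_report(results):
    """Map each system name to its findings (an empty list means all objectives met)."""
    return {r["system"]: evaluate_dr_test(r) for r in results}

if __name__ == "__main__":
    for system, findings in dr_test_report(DR_TEST_RESULTS).items():
        print(system, "OK" if not findings else findings)
```

In the sample data, order-db met both objectives during the test but its hourly backups cannot guarantee a 15-minute RPO, while hr-portal missed both RPO and RTO; each is a finding for the DR plan review.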