Additional Software Considerations

Time: 7 hours 15 minutes
Difficulty: Intermediate
CEU/CPE: 8
Video Transcription
00:00
>> Hello and welcome to
00:00
our next lesson, Additional Software Considerations.
00:00
What we'll cover in this lesson will be
00:00
a little bit about data communication software,
00:00
utility programs, software licensing,
00:00
and their different models and audit considerations,
00:00
how to prevent licensing violations of this software,
00:00
issues around source code management
00:00
and some of the audit considerations,
00:00
and capacity management planning and considerations.
00:00
So let's begin. All right,
00:00
so data communication software,
00:00
basically it is software used to
00:00
transmit messages or data from one point to another.
00:00
Obviously, with data communications,
00:00
there's usually a hardware component but this is
00:00
a software that's used to manage this transmission.
00:00
Now this communication could either
00:00
be local or remote transmission so it
00:00
could be within a particular building all through wires
00:00
or it could actually be across
00:00
great distances around the world, for example.
00:00
Now there are three components.
00:00
We've got the transmitter (source), we've got the transmission path,
00:00
which is the channel or the line and
00:00
the receiver which is the destination.
00:00
When you're talking about data communication software,
00:00
they're the key terms that you need to remember;
00:00
source, channel or line and destination.
00:00
They describe the three participants
00:00
in the communications process.
00:00
Now, communications-based applications can
00:00
operate in either a LAN or WAN configuration.
00:00
You can have applications which are
00:00
simply designed to talk across
00:00
the length of a room
00:00
or talk across the length of the country for example.
00:00
Now, utility programs,
00:00
so these are basically system software
00:00
used to perform maintenance
00:00
and routines required during
00:00
normal processing operations.
00:00
These would be things like
00:00
your hard drive maintenance utilities,
00:00
backup utilities, and those sorts of applications.
00:00
Generally, they're categorized into
00:00
five functional areas: understanding
00:00
application systems, so utilities that
00:00
help define what's happening within an application.
00:00
Assessing or testing data quality,
00:00
so things that can actually look at the data as
00:00
it's transmitted and determine if there are any problems.
00:00
Testing a program's ability to function
00:00
correctly or maintain integrity,
00:00
assisting in faster program development
00:00
so utilities that help
00:00
the actual coding process
00:00
and improving operational efficiency.
00:00
Software copyright laws must
00:00
be followed by organizations.
00:00
Now, software licensing is
00:00
basically the agreement that sets terms and conditions.
00:00
When an organization purchases software,
00:00
the license will tell the organization
00:00
exactly how it can be
00:00
used and from a corporate perspective,
00:00
there are a number of different models
00:00
which can be determined.
00:00
The first one we'll look at is
00:00
essentially the free model,
00:00
this is often open source;
00:00
open source is an example.
00:00
It can be used, copied, studied,
00:00
modified, and redistributed as required.
00:00
Freeware: now in this case the software is free but
00:00
the source code cannot be
00:00
redistributed and there's also shareware,
00:00
which is probably a little bit less common these days,
00:00
but it's software that may be free initially,
00:00
but subject to some limitations that
00:00
can be removed on the commercial version so
00:00
try before you buy software or
00:00
freemium is probably a term used today.
00:00
Now, the paid model can be
00:00
complex from an enterprise perspective.
00:00
Certainly if you go down to
00:00
your local computer store and you buy
00:00
a copy of Microsoft Office,
00:00
that's relatively straightforward.
00:00
You have a license to install it onto your computer or
00:00
up to three computers
00:00
depending upon the nature of the license.
00:00
But in enterprises,
00:00
the software license models
00:00
can be a little bit more complex.
00:00
They can be done on a per CPU basis
00:00
so this class will depend
00:00
upon the power of the server that you
00:00
actually install the software into.
00:00
The per-seat license, so the number
00:00
of actual unique users or
00:00
the concurrent users so that's the total number of
00:00
users using the software within a predefined time.
00:00
You may have 1,000 people in your organization,
00:00
but you know that only 100 people are going to be using
00:00
this software at any one time and so therefore,
00:00
you have a 100 concurrent user license.
00:00
We have utilization,
00:00
how busy the CPU is or the number of
00:00
concurrent active users per workstation
00:00
so very similar to the home software licensing,
00:00
so the number of individual workstations connecting
00:00
to the software and enterprise.
00:00
In these cases it's usually
00:00
unlimited use within a given organization,
00:00
but will generally come with some terms.
00:00
A lot of large organizations will often get
00:00
enterprise licenses for
00:00
their common office type software for example.
00:00
Licensing audit considerations. As an auditor,
00:00
you need to review the listing of
00:00
all the software used within the organization.
00:00
This would basically be a list of what software,
00:00
how many licenses, what license requirements there are,
00:00
and how many users for example.
00:00
There might be software contracts
00:00
which have been negotiated between
00:00
an organization and the software vendor
00:00
and you can even scan the network to produce a list of
00:00
installed software so that can be
00:00
then reviewed against the actual listing of
00:00
all the software within the organization
00:00
so you can determine
00:00
what has been recorded and what is actually in use.
00:00
You can also review the list of
00:00
the server specifications if you
00:00
have CPU and core licensing models,
00:00
depending upon if
00:00
the organization is using that type of licensing model,
00:00
and you can compare the scanned results
00:00
with any licensing agreements.
00:00
There's a number of points that can be checked to
00:00
determine if licensing is being done correctly.
00:00
Now preventing software license violations.
00:00
Software asset management process is key
00:00
so an organization should have the ability to be
00:00
able to deploy and remove
00:00
licenses from users on a required basis.
00:00
There's often cases where centralized control,
00:00
distribution and installation of software is maintained,
00:00
rather than have a lot of IT technicians
00:00
walking around with copies of
00:00
CD-ROMs or hard drives with the software,
00:00
these can be pushed out from
00:00
a central location on the network.
00:00
Oftentimes that will come with
00:00
a built-in licensing control system as well.
00:00
Restrict installation capabilities on
00:00
workstations, so oftentimes,
00:00
if there is the ability for
00:00
users to install their own software,
00:00
this can bring the company into areas
00:00
of license violation even without them knowing it.
00:00
Using software deployment tools,
00:00
as I mentioned with the centralized control,
00:00
there are tools that can actually
00:00
deploy software on an enterprise basis.
00:00
Regularly scan the network for any unauthorized software,
00:00
and address the software licensing requirements
00:00
in user agreements.
00:00
In terms of any of your users accessing the system,
00:00
make it so that they are understanding what
00:00
their responsibilities are in
00:00
use of software within the enterprise.
00:00
All right, now in enterprises
00:00
particularly source code management may be an issue.
00:00
If your organization has actually purchased
00:00
software that has been developed
00:00
specifically for the organization,
00:00
there may be requirements or there may be rights for
00:00
the organization to actually
00:00
obtain copies of the source code.
00:00
Now depending upon the nature of the contract,
00:00
the access can vary,
00:00
and oftentimes you may see there are
00:00
escrow agreements in place so whereas
00:00
the company basically will give the source code to
00:00
an independent third party who
00:00
holds that on the organization's behalf.
00:00
Now, software could also be developed in-house,
00:00
in which case source code management is
00:00
an internal issue and
00:00
source code needs to be managed by
00:00
version control systems or revision control systems,
00:00
particularly if it's developed in house so to
00:00
ensure that any changes
00:00
are done in a very orderly fashion.
00:00
Advantage of this basically is it
00:00
controls the source code, tracks the changes.
00:00
It also permits concurrent development
00:00
particularly for large organizations,
00:00
different modules of the software might
00:00
be being updated at the same time.
00:00
It also allows the rollback to
00:00
earlier versions if need be,
00:00
and it also permits branching in case there might be
00:00
two different versions of
00:00
the software being run concurrently.
00:00
Now a couple of considerations
00:00
for audits with source code,
00:00
first and foremost, who has access to the source code.
00:00
Now that's pretty key,
00:00
who can commit the code so basically push
00:00
changes to production and is this
00:00
aligned with any documented
00:00
change and release management policies
00:00
and procedures and
00:00
any backup arrangements including
00:00
the escrow and offsite arrangements
00:00
for source code to ensure that it is protected.
00:00
Now that brings us onto capacity management.
00:00
This is basically the planning and monitoring of
00:00
computing and network resources to ensure that
00:00
there is basically enough resources
00:00
for the organization to do the job that they needed to
00:00
do and it also helps ensure
00:00
the efficient and effective use so that there is
00:00
sufficient amount of hard drive space for example,
00:00
but there is not an excessive amount of hard drive space.
00:00
Basically what this helps is the
00:00
basically determining the expansion
00:00
of the infrastructure,
00:00
mirrors the business growth.
00:00
If your business is growing,
00:00
you need to ensure that
00:00
capacity management helps the infrastructure grow to meet
00:00
the business needs and basically capacity planning
00:00
is developed based upon
00:00
the input from users and IS management.
00:00
If an organization or
00:00
a particular unit within an organization is
00:00
going to be hiring
00:00
a large number of people, an extra 500 users for example,
00:00
that needs to be factored into the process of managing
00:00
those resources for those additional users.
00:00
Couple of considerations.
00:00
CPU utilization is key,
00:00
so make sure there's enough processing power.
00:00
Computer storage utilization also very key to make sure
00:00
that there's certainly enough storage space
00:00
to manage the needs of the users.
00:00
Telecommunications, if we have
00:00
a large number of users that's going to put extra load,
00:00
extra bandwidth requirements
00:00
on your telecommunication systems.
00:00
Any of the LAN and
00:00
WAN bandwidth utilization to make sure that the system
00:00
is running as efficiently as possible and
00:00
likewise for the input output channel utilization.
00:00
Number of users are certainly
00:00
key so every additional user
00:00
may bring with it
00:00
an associated amount of hard drive space
00:00
that will be used also for
00:00
any new technologies and applications so certainly
00:00
with mobile computing for example and
00:00
any other new devices that come into the organization,
00:00
is the organization going to be able to support
00:00
these new devices and also any service
00:00
level agreements that may exist between vendors and
00:00
the actual system itself
00:00
or the organization itself rather.
00:00
Okay, couple of capacity planning activities
00:00
so development,
00:00
monitoring, analysis and tuning.
00:00
All the things that will go into ensure that
00:00
basically the system is
00:00
being managed according to
00:00
their capacity of the organization and implementation,
00:00
modeling and application sizing.
00:00
This is ensuring that there
00:00
is essentially an understanding of
00:00
what resources are needed for
00:00
any new development for example.
00:00
If an organization is
00:00
bringing along a brand new database application,
00:00
will there basically be sufficient capacity for
00:00
this database to be run within
00:00
the organization and that's done
00:00
through application sizing and modeling.
00:00
Okay, so that's the end of our lesson,
00:00
we've talked about data communication
00:00
software, what it is,
00:00
and a few of the terms utility programs,
00:00
software licensing and the various models,
00:00
preventing license violations so that's
00:00
a key thing from an auditing perspective.
00:00
Source code management and audit considerations,
00:00
as well as capacity management planning considerations.
00:00
I hope you enjoyed
00:00
this lesson and I will see you at the next one.