This lesson covers Domain 4, which is about operations, maintenance and support. Participants learn about task statements. Examples include:

- Conduct periodic reviews on information systems to determine whether they continue to meet the organization's objectives
- Evaluate service level management practices to determine whether the level of service from internal and external providers is managed and defined

This unit also covers knowledge statements. Examples include:

- Knowledge of service level management practices and the components within a service level agreement
- Knowledge of techniques for monitoring third-party compliance with the organization's internal controls

[toggle_content title="Transcript"]
Hello and welcome to domain number four for the CISA prep course. In this domain we'll be talking about operations of our information systems and the maintenance and support of those systems. This makes up approximately 23% of the exam. Our main goal when we're talking about operations and how we manage our systems throughout their complete life-cycle is thinking about how we can provide assurance. Assurance to the stakeholders, more or less, that their systems are managed properly, that we've accounted for the different security challenges and that the systems are being used efficiently. We want to make sure we can demonstrate that there is some kind of return on the investment for all the equipment and the training and software and hardware. Alright, so we'll start off with our task statements for domain four. First we have to think about conducting periodic reviews. Making sure that the systems and programs and projects that are looked at, or examined, meet the guidelines of the organization: meet the expectations of the organization. Then we have to think about the management practices; making sure that those actually are aligned properly with business objectives as it relates to internal and external service providers.
We then think about third-party management perspectives and management practices, making sure that those organizations that are partnered with the primary organization, or our vendors or suppliers, have the appropriate controls in place as well. We don't want a partner or vendor organization to be the weak link when it comes to security. Then we think about our operations procedures, making sure that we've got a well-documented procedure for all the major operations that need to take place, and that those plans have been periodically tested to make sure that the procedures as documented actually work. Then we think about the evaluation of our information systems themselves: making sure that they're properly patched, properly updated, backed up and so on, to support their goals and also to support the goals of the business. Alright, moving on to the next part of domain four, we have our task statements. This is the second page of task statements; the knowledge statements are coming in just a moment. So we'll start off with thinking about our data administration practices as it relates to the various databases that the organization relies upon. Making sure that those are maintained properly, making sure they're backed up. Then we think about capacity and performance monitoring tools. Making sure that those are in place and are actually being utilized. They can be wonderful predictive tools to let us know when problems are about to happen. It helps when the organization can be in a more proactive mode as opposed to being in a reactive mode. Then we think about our change control process and how we manage incident response. We also will want to understand how back-ups and restores are performed, with respect to the appropriate policies, data retention, records and so on. And then lastly we think about the disaster recovery plans. How mature are those? How often are they tested? Have they been fully tested, or was it just a paper or tabletop exercise?
These are some of the different variations you might see. Alright, now we're moving on to the knowledge statements for domain number four. So you're expected to know how service level agreements work, and what kinds of components and details might need to be included in an SLA. Then we have to think about monitoring those third parties for compliance. As I mentioned, we don't want a third party or a partner or extranet type scenario becoming the weak link for security. So some monitoring needs to be evident there. We also have to understand how we deal with processes that are perhaps undocumented, and the requirement to close that gap. We think about the hardware, software and firmware in the environment. Knowing how that all fits together, what the preferred vendors might be, how they like to do business and how that aligns with the business objectives of your organization. Then we move on to our change control techniques, making sure that we have the ability to manage the interfaces to our different applications and manage changes to the environment, or the operating environment, that those applications operate in. Some knowledge of software licensing needs to be obtained, especially when it becomes important to audit those licenses to make sure that you're in compliance with your agreements with your various vendors. Then we have to think about eliminating single points of failure: whether that means using RAID disk arrays, clustered servers, multiple power circuits, or multiple internet service providers. Trying to eliminate as many single points of failure as possible is a definite goal. We need to know a little bit about the administration of databases and what's entailed with managing databases and making sure that they are healthy and well-maintained throughout their life-cycle. We need to understand a little bit about capacity planning.
It's important to understand how to have some predictive tools and predictive methods to know when your capacity needs to be expanded. And of course the associated planning and budgeting that's involved. And then lastly in this grouping we have our systems performance monitoring. So this includes monitoring the network, monitoring individual systems, possibly monitoring the performance of applications. We have two more screens of knowledge statements for this module. It's a big module, so bear with me here. We have to think about our incident management practices: how is the help desk managed? What kind of procedures are used for escalation of problems? How do we track problems? You might think of that as workflow management, or dealing with the initial call to the help desk all the way to resolution. Then we have to think about emergency changes, or non-scheduled changes, and how that impacts an organization, and how that should be managed in order to provide the least amount of impact. Knowledge of the back-up, storage and data retention procedures, and the data restoration procedures. Then we have to think also about the legal and contractual requirements for dealing with the various situations that the organization will find itself in. When do you need to consult with legal personnel regarding a situation? Those are the kinds of questions you want to be able to answer confidently. We have to think about business impact analysis, especially as it relates to disaster recovery. In our last set, we think about the development of those disaster recovery plans as well as testing and evaluating them. Especially as it pertains to looking at the lessons learned when a disaster recovery exercise has been completed and keeping an eye on those kinds of details that might be improved next time. Then we have to think about alternate processing sites.
So if you have a warm site or a hot site or a cold site, how is that managed and planned for within the organization so that you can survive certain types of disasters by simply failing over to your alternate site? Disaster recovery plan processes will be examined in some level of detail. There needs to be a deep understanding of who's in charge, who has the authority to make certain decisions and so on. Then, lastly, we'll talk about the testing of those disaster recovery plans.
[/toggle_content]