3.4.2 (Continued (Infrastructure Operations and Maintenance (control group…
Vendor and Outsourcer Management
With the increase in outsourcing, including the use of multiple vendors, dedicated staff may be required to manage the vendors and outsourcers, performing the following functions:
• Acting as the PRIME CONTACT for the vendor and outsourcer within the IT function
• DIRECTION TO OUTSOURCER on issues and ESCALATING INTERNALLY within the organization and IT function
• Monitoring and reporting SERVICE LEVELS to management
• REVIEWING CHANGES TO CONTRACT due to new and obtaining IT approvals
Infrastructure Operations and Maintenance
is responsible for computer operations personnel, including ALL THE STAFF REQUIRED TO RUN DATA CENTER EFFICIENTLY AND EFFECTIVELY (e.g., computer operators, librarians, schedulers and data control personnel).
responsible for the COLLECTION, CONVERSION AND CONTROL OF INPUT and the BALANCING and DISTRIBUTION OF OUTPUT to the user community.
The supervisor of the control group usually reports to the IPF operations manager.
The input/output control group should be in a separate area where only authorized personnel are permitted, since THEY HANDLE SENSITIVE DATA.
is required to record, issue, receive and safeguard ALL PROGRAM AND DATA FILES MAINTAINED ON REMOVABLE MEDIA
Depending on the size of the organization, this function may be assigned to a full-time individual or a member of operations who also performs other duties.
Many organizations provide additional support through the use of software that assists in maintaining inventory, movement, version control and configuration management.
is critical to the information processing activity and includes batch entry or online entry
In most organizations, personnel in user departments do their own data entry online.
In many online environments, data are captured from the original source (e.g., electronic data interchange [EDI] input documents, data captured from bar codes for time management, departmental store inventory).
User department and the system application must have controls in place to ensure that data are
supervisory control and data acquisition (SCADA)
need to acquire data at their origination site,
automated systems for data acquisition are being deployed by organizations
built on a commodity database management system,
to allow trending and other analytical auditing
The term SCADA usually refers to centralized systems that monitor and control entire sites, or complexes of systems spread out over large areas (on the scale of kilometers or miles).
Systems are typical of industrial plants, steel mills, power plants, electrical facilities and similar
Most site control is performed automatically by remote terminal units (RTUs) or by programmable logic controllers (PLCs).
Data acquisition begins at the RTU or PLC level and includes meter readings and equipment status reports that are communicated to SCADA as required.
Data are then compiled and formatted in such a way that a control room operator using human machine interfacing (HMI) networks can make supervisory decisions to adjust or override normal RTU or PLC controls.
responsible for maintaining major multiuser computer systems, including LANs, WLANs, WANs, virtual machine/server/network environments, PANs, SANs, intranets and extranets, and mid-range and mainframe systems.
• Adding and configuring new workstations and peripherals
• Setting up user accounts
• INSTALLING SYSTEMWIDE SOFTWARE
• PROCEDURES TO PREVENT/DETECT/CORRECT THE SPREAD OF VIRUSES
• ALLOCATING MASS STORAGE SPACE
IT ORGANIZATIONAL STRUCTURE AND
IT Roles and Responsibilities
The IS auditor should spend time in an auditee’s area to observe and determine whether the formal job description and structures coincide with real ones and are adequate.
Systems development manager—
are responsible for programmers and analysts who implement new systems and maintain existing systems
are responsible for planning and executing IS projects and may report to a project management office or to the development organization
use budgets assigned to them for the delivery of IS initiatives and report on project progress to the IT steering committee.
play a central role in executing the vision of the IT strategy and IT steering committees by planning, coordinating and delivering IT projects to the enterprise.
Help desk (service desk)
A help desk is a unit within an organization that responds to technical questions and problems faced by users.
A procedure to record the problems reported, solved and escalated should be in place for analysis of the problems/questions.
It helps in monitoring the user groups and improving the software/information processing facility (IPF) services.
Help desk/support administration includes the following activities:
Acquire hardware/software (HW/SW) on behalf of end users.
end users with HW/SW
Train end users to use HW/SW and databases; answer end-user queries.
Monitor technical developments and inform end users of pertinent developments
Determine the source of problems with production systems and initiate corrective actions.
Inform end users of problems with HW/SW or
could affect their control of the installation of HW/SW upgrades.
to improve efficiency.
End users are responsible for operations related to business application services.
“End user” vs. “user.” End user is slightly more specific and refers to someone who will access a business application. User is broader and could refer to administrative accounts and accounts to access platforms.
End-user support manager—
The end-user support manager acts as a liaison between the IT department and the end users.
Data management personnel are responsible for the data architecture in larger IT environments and tasked with MANAGING DATA AS CORPORATE ASSETS
Quality assurance (QA) manager—
The QA manager is responsible for negotiating and facilitating quality activities in all areas of IT
Information security management
This is a function that generally needs to be separate from the IT department and headed by a CISO.
The CISO may report to the CIO or have a dotted-line (indirect reporting) relationship to the CIO.
includes the servers and mainframe, peripherals such as high-speed printers, networking equipment, magnetic media, and storage area networks.
It constitutes a major asset investment and impacts the organization’s ability to function effectively.