Information Systems Operations & Business Resilience

IT Operations Overview

IT Operations encompasses the daily activities required to deliver reliable, secure, and efficient IT services. The IS auditor evaluates whether operations controls are adequate to ensure availability, integrity, and confidentiality of IT services and data.

Key IT Operations Functions

Segregation of Duties in IT Operations

• Computer operators should NOT perform system programming
• Operators should NOT have access to modify production programs
• Operators should NOT perform security administration
• No single operator should have unrestricted access to all systems
• Job scheduling changes should require separate authorization

Operator Activity Logs

All operator activities on critical systems must be logged. IS auditors review logs to detect:

• Unauthorized commands or system access
• Bypassing of normal job scheduling
• Access to sensitive data outside normal job duties
• Overriding of system controls or error messages

IT Operations Audit Procedures

• Review operator logs for unusual activity and unauthorized commands
• Verify job scheduling is authorized and monitored for failures
• Test restart and recovery procedures for critical jobs
• Verify output is distributed only to authorized recipients
• Review shift handover procedures for continuity of operations
• Verify sensitive output (payroll, financial reports) is controlled and disposed of securely

ITIL 4 Service Management Practices

ITIL 4 replaces processes with 34 practices across three categories:

Service Level Management

• SLA (Service Level Agreement): Agreement between IT and the business customer on service levels
• OLA (Operational Level Agreement): Internal IT team-to-team agreement supporting an SLA
• UC (Underpinning Contract): External vendor contract supporting SLA delivery

Availability Management

Key availability concepts the IS auditor must know:

Continual Service Improvement (CSI)

ITIL's approach to continuously improving services using the CSI register and the 7-Step Improvement Process: Define → Measure → Gather → Process → Analyze → Present → Implement improvements.

Service Catalogue Management

The service catalogue documents all IT services offered, their descriptions, SLAs, and dependencies. IS auditors verify the catalogue is maintained, accurate, and used for service request management.

Network Architecture & Security Zones

Network Security Controls

• Firewall: Packet filtering, stateful inspection, next-generation (application-aware) firewalls
• IDS (Intrusion Detection System): Monitors and alerts on suspicious traffic — passive, detection only
• IPS (Intrusion Prevention System): Monitors and actively blocks suspicious traffic — inline, active prevention
• WAF (Web Application Firewall): Protects web applications from OWASP Top 10 attacks (SQLi, XSS)
• VPN (Virtual Private Network): Encrypted tunnels for remote access (IPsec, SSL/TLS)
• NAC (Network Access Control): Validates device compliance before granting network access
• Proxy Server: Intermediary for outbound web traffic; content filtering and caching
• SIEM (Security Information & Event Management): Aggregates, correlates, and analyzes security logs

Network Protocols & Audit Considerations

Wireless Network Security

• WPA3 is the current standard (WEP and WPA are insecure)
• Enterprise wireless uses 802.1X with RADIUS authentication
• Rogue access point detection is critical
• Guest WiFi must be isolated from corporate networks
• Regular wireless security assessments (site surveys)

Hardware Controls

• Redundant hardware: RAID, redundant power supplies, dual NICs, clustering
• Hardware lifecycle: Procurement, inventory, maintenance, secure disposal (data sanitization)
• Server hardening: Disable unused ports/services, apply patches, remove default accounts
• Endpoint controls: EDR, full disk encryption, USB port control, patch management

Capacity Management

Capacity management ensures IT infrastructure can meet current and future business demand in a cost-effective manner. Three sub-processes:

• Business Capacity Management: Translates business requirements into future IT capacity needs
• Service Capacity Management: Ensures services deliver agreed performance levels
• Component Capacity Management: Monitors and optimizes individual components (CPU, memory, disk, network)

Capacity Planning Process

1. Monitor current utilization and performance baselines
2. Analyze trends and forecast future demand
3. Model scenarios (organic growth, new applications, acquisitions)
4. Identify capacity gaps and thresholds
5. Plan infrastructure additions or optimizations
6. Review and update the Capacity Plan regularly

Performance Metrics

Performance Monitoring Tools

• SNMP-based network monitoring (Nagios, PRTG, SolarWinds)
• Application Performance Monitoring (APM) — Dynatrace, New Relic, AppDynamics
• Log aggregation and analytics — Splunk, ELK Stack
• Cloud-native monitoring — AWS CloudWatch, Azure Monitor, Google Cloud Operations

IS Auditor's Review of Capacity Management

• Is a formal capacity plan documented and reviewed regularly?
• Are performance baselines established and monitored?
• Are alert thresholds defined and acted upon?
• Does the capacity plan incorporate business growth projections?
• Is capacity data used to support IT investment decisions?

IT Asset Management (ITAM)

ITAM tracks and manages IT assets (hardware and software) throughout their lifecycle to optimize utilization, control costs, and ensure compliance.

Configuration Management Database (CMDB)

The CMDB is the authoritative repository of all Configuration Items (CIs) and their relationships. It is the foundation for change management, incident management, and capacity planning.

• Configuration Item (CI): Any component that needs to be managed (servers, apps, network devices, services, documents)
• CI Attributes: Owner, version, status, location, relationships to other CIs
• Configuration Baseline: Approved configuration state at a specific point in time
• Configuration Audit: Verification that actual configurations match CMDB records

Software License Management

• Maintain accurate inventory of licenses purchased and deployed
• Types: perpetual, subscription, concurrent, per-seat, per-CPU
• Software Asset Management (SAM) tools automate discovery and compliance
• Under-licensing risk: fines and legal exposure
• Over-licensing risk: unnecessary costs

Patch Management

Timely patching is one of the most effective security controls. IS auditors review:

• Patch identification: subscriptions to vendor advisories and CVE feeds
• Patch assessment: risk rating, applicability testing
• Patch deployment: testing in non-production → production via change management
• Patch verification: confirmation patches applied successfully
• SLAs: critical patches within 24-72 hours; high within 7-14 days; medium within 30 days

Backup Types

Recovery Objectives (Critical CISA Definitions)

Backup Best Practices (3-2-1 Rule)

• 3 copies of data
• 2 different storage media types
• 1 copy offsite (or in cloud)
• Backups must be tested regularly — untested backups cannot be relied upon
• Backup media must be encrypted (especially offsite/cloud)
• Backup access must be restricted to authorized personnel

Data Retention & Archiving

• Retention policies must comply with legal, regulatory, and business requirements
• Data classification drives retention periods (e.g., financial records 7 years, HR records varies)
• Legal holds override normal retention/destruction schedules
• Archived data must remain accessible for the retention period
• Secure disposal at end of retention period (NIST SP 800-88 guidelines)

Data Replication

BCP Overview

Business Continuity Planning (BCP) ensures an organization can continue critical business functions during and after a disruptive event. BCP is broader than DRP — it covers all business functions, not just IT.

BCP Development Process

1. Project Initiation: Management commitment, scope definition, team formation
2. Business Impact Analysis (BIA): Identify critical functions, dependencies, RTO, RPO, MTPD
3. Risk Assessment: Identify threats, vulnerabilities, and likelihood of disruptions
4. Strategy Development: Select recovery strategies for each critical function
5. Plan Development: Write BCP documenting procedures, responsibilities, and resources
6. Testing & Exercises: Validate the plan through various test types
7. Maintenance & Review: Update plan regularly and after significant changes

Business Impact Analysis (BIA)

The BIA is the foundation of BCP — it identifies what matters most and how quickly it must be restored. BIA outputs:

• List of critical business functions ranked by priority
• RTO and RPO for each function
• MTPD (Maximum Tolerable Period of Disruption)
• Resource requirements (people, systems, data, facilities)
• Internal and external dependencies
• Financial impact of disruption over time

BCP Testing Types

BCP Strategies

• Do nothing (accept disruption): For non-critical functions only
• Manual workarounds: Paper-based processes during IT outage
• Reciprocal agreements: Mutual aid agreements with other organizations (unreliable)
• Third-party hot/warm/cold sites: Dedicated recovery facilities
• Cloud-based recovery: Cloud infrastructure for failover

DRP Recovery Site Strategies

DRP Key Concepts

• Failover: Automatic or manual switch from primary to recovery systems
• Failback: Return to primary systems after disaster is resolved
• Switchover: Planned transition (vs. unplanned failover)
• Recovery Procedures: Step-by-step instructions for restoring systems in priority order

DRP Plan Components

• Disaster declaration criteria and authority (who can declare a disaster)
• Emergency contact lists (staff, vendors, regulators)
• System recovery priority list (based on BIA)
• Step-by-step recovery procedures for each system
• Data recovery procedures (backup restoration or replication failover)
• Communication plan (internal and external)
• Recovery team roles and responsibilities
• Return-to-normal (failback) procedures

DRP Testing

IS auditors assess whether DRP testing is:

• Conducted at least annually (more frequently for critical systems)
• Using documented test plans and test cases
• Covering all critical systems identified in the BIA
• Measuring actual RTO and RPO achievement against targets
• Resulting in documented test results and lessons learned
• Driving plan updates to address identified gaps

High Availability (HA) Technologies

• Clustering: Multiple servers share a workload; automatic failover if one fails
• Load Balancing: Distributes traffic across multiple servers for performance and redundancy
• RAID (Redundant Array of Independent Disks): Disk redundancy and performance (RAID 1 mirror, RAID 5 parity, RAID 10 stripe+mirror)
• UPS (Uninterruptible Power Supply): Protects against short power outages; buys time for generator startup
• Generator: Long-term backup power (diesel or gas)

Physical Security — Defense in Depth

Physical security uses layered controls to protect IT assets and facilities:

1. Perimeter Security: Fencing, barriers, security lighting, CCTV, security guards
2. Building Access: Badge readers, key locks, visitor management, reception control
3. Data Center Access: Mantrap (airlock), biometrics, multi-factor authentication, access logs
4. Server Room / Rack: Locked cabinets, cable management, equipment tags

Data Center Environmental Controls

Mantrap (Airlock)

A mantrap consists of two interlocking doors where the first must close before the second can open. It prevents tailgating/piggybacking — one of the most important physical security controls for data centers.

CCTV & Physical Access Logs

• CCTV provides deterrence and forensic evidence — cameras must cover all entry/exit points
• Video must be retained for sufficient period (typically 90 days minimum)
• Electronic access logs record who entered/exited and when — must be reviewed regularly
• Physical access must be reviewed periodically — revoke access for leavers immediately

IS Auditor's Physical Control Review

• Walk through the data center — observe controls in practice
• Review access logs for unauthorized access or after-hours access
• Verify visitor log is maintained and visitors are escorted
• Test fire suppression system records and maintenance logs
• Verify UPS and generator test records (frequency, load tested)
• Check temperature and humidity monitoring and alert records

Cloud Service Models & Operational Responsibility

Cloud Deployment Models

• Public Cloud: Shared infrastructure (AWS, Azure, GCP) — most cost-effective; regulatory concerns
• Private Cloud: Dedicated cloud for one organization — greater control; higher cost
• Hybrid Cloud: Combination; critical workloads private, general workloads public
• Multi-Cloud: Using multiple public cloud providers — avoids vendor lock-in; complexity
• Community Cloud: Shared by organizations with common concerns (healthcare, government)

Cloud Resilience Concepts

• Availability Zones (AZs): Isolated data centers within a region; independent power/networking
• Regions: Geographic areas containing multiple AZs — data sovereignty compliance
• Auto-Scaling: Automatically adjusts capacity based on demand
• Multi-Region Deployment: Ultimate resilience — survives complete regional outage
• Chaos Engineering: Intentionally injecting failures to validate resilience (Netflix Chaos Monkey)

Cloud Operations Audit Considerations

• Shared Responsibility Model: Auditor must assess controls on both sides
• Data Residency: Verify data stored in legally compliant jurisdictions
• Cloud Access Security Broker (CASB): Visibility and control over cloud app usage
• Cloud Security Posture Management (CSPM): Continuous misconfiguration detection
• Provider Assurance Reports: SOC 2, ISO 27001, CSA STAR certification
• Exit Strategy: Data portability, format, migration plan

Cloud-Native Resilience Patterns

• Circuit Breaker: Stops cascading failures by breaking connections to failing services
• Bulkhead: Isolates failures to prevent them spreading across services
• Retry with Backoff: Retries failed requests with increasing delays
• Health Checks & Self-Healing: Kubernetes restarts failed containers automatically

Event vs. Incident vs. Problem (ITIL Definitions)

Incident Management Process

1. Detection & Logging: Incident identified and logged with timestamp, reporter, description
2. Classification & Prioritization: Impact × Urgency = Priority; P1-P4 typically
3. Investigation & Diagnosis: Identify symptoms and potential cause
4. Resolution & Recovery: Apply fix or workaround; restore service
5. Closure: Confirm with user; document resolution; update knowledge base

Major Incident Management

• Separate process for high-impact incidents (P1/P2)
• Major Incident Manager coordinates response
• War room / crisis bridge established
• Regular stakeholder updates (every 30-60 mins)
• Post-Incident Review (PIR) / Root Cause Analysis (RCA) mandatory after major incidents

Problem Management

Problem management identifies and eliminates root causes to prevent incident recurrence. Two modes:

• Reactive: Triggered by recurring or major incidents
• Proactive: Analysis of trends to prevent future incidents

Root Cause Analysis (RCA) Techniques:

• 5 Whys: Repeatedly ask "why?" to drill to root cause
• Fishbone / Ishikawa Diagram: Visual cause-and-effect analysis
• Fault Tree Analysis: Top-down logical diagram of failure paths
• Timeline Analysis: Chronological event reconstruction

Security Incident Response (NIST SP 800-61)