Page 139 - DCOM509_ADVANCED_AUDITING
Advanced Auditing
Delivery and Support: This domain is concerned with the actual delivery of required
services, which range from traditional operations over security and continuity aspects to
training. In order to deliver services, the necessary support processes must be set up. This
domain includes the actual processing of data by application systems, often classified
under application controls. This domain contains 13 processes divided into 126 control
objectives.
Monitoring: All IT processes need to be regularly assessed over time for their quality and
compliance with control requirements. This domain thus addresses management’s oversight
of the organization’s control process and independent assurance provided by internal and
external audit or obtained from alternative sources. This domain contains 4 processes
divided into 24 control objectives.
Here, it may be important to mention that the CobiT principles lay down the control objectives
and are independent of the level of the technology or software.
Example: Under the Acquisition and Implementation domain, one of the processes is Acquire
and Maintain Application Software, within which, under Application Software Testing, CobiT
states that, “Unit testing, application testing, integration testing, system testing and load
and stress testing should be performed according to the project test plan and established testing
standards before it is approved by the user. Adequate measures should be conducted to prevent
disclosure of sensitive information used during testing.”
8.3.1 Operating System Controls
An operating system is the interface between the user and the computer. It manages memory, devices,
peripherals and various tasks; controls the computer’s resources and provides the base for writing
application programmes. Operating systems fall into the categories of single-user and multi-
user (network) environments. The most common type of single-user operating system is DOS
(Disk Operating System). This also forms the base of some other single-user operating systems
such as Windows 95/98. Those who have worked on Windows 95/98 might
have noticed that before the operating system boots, certain DOS commands are run. This is because
these operating systems are based on DOS. Windows 2000, however, is independent of DOS. The
only security available in DOS is the boot-level password, which can be set up by the owner. It
may appear that once a boot-level password is set up the system cannot be booted without it,
but the fact is that simply opening the CPU and replacing the battery removes the boot-level
password. As such, a boot-level password provides no real security.
Multi-user operating systems have better security features. Novell Netware, which generally
works on a client-server architecture, provides security at the network-user level as well as for accessing
the database. In this operating system, one can create new users, manage the rights of different users,
create drive mappings and assign rights to the file system / directories (S: Supervisory right; R:
Read right; W: Write right; C: Create right; E: Erase right; M: Modify right; F: File scan right and A:
Access control right).
Did u know? If one has access to the server console and logs in as supervisor from the server console, no
password is required. Hence, physical controls over access to the server room are essential in a
Novell Netware system.
The UNIX operating system, which is generally used for server-centred processing, requires
a password for booting. UNIX divides the universe of users into three categories, i.e. user,
134 LOVELY PROFESSIONAL UNIVERSITY