IT Essentials — Computer Operations
When the build of the source code is complete, the source code is compiled into object code (i.e.,
what the computer can read). The next step, after the change is accepted by the user and approved
by the change approval board (CAB), is to build or update the job in the job scheduler so it uses the
latest version of object code.
Separation of duties (SoD) issues occur if the same personnel update source code and administer
the version control and job scheduling software.
The individual(s) responsible for versioning and scheduling should be informed when changes are
taking place to coordinate timing. Failure to add or update a job to a schedule will cause a variety of
errors when the job runs, including job failure and possibly creating a chain reaction that results in
data corruption.
Deploying effective separation of duties (SoD) controls is critical for computer operations. By
assigning specific roles during implementation and other change processes, separation of duties
(SoD) can be enforced. In large organizations, many functions should be considered to ensure
appropriate SoD.
This process is described in The IIA’s GTAG “Information Technology Risk and Controls, 2nd Edition,”
which states, “computer operations should be responsible for running production systems — except
for change deployment — and should have little or no responsibility with the development process.
This control includes restrictions preventing operators from accessing or modifying production
programs, systems, or data. Similarly, systems development personnel should have little contact
with production systems.”
Backup Services
Backups should be performed for critical systems on a recurring basis, as stated in the corporate
record retention and data destruction policy. These backups are typically scheduled through a tool
but can also be manually invoked by a human. The specific tool used will vary based on the platform
and the type of data or information being backed up. Organizations may automate backup
processing through their primary job scheduling tool, through a console in the storage area network
(SAN), and/or through the database management systems (DBMS).
In addition, some database management systems (DBMS) solutions have backup jobs and
schedulers built directly into the solution. It is important to remember that backups are rarely
enabled “out of the box,” so identifying and scheduling backups should be a part of the overall
hardening process for each device or system.
Backed up data may be stored on a hard drive or on an external storage device. Organizations
should consider the sensitivity of the data and regulatory requirements when determining the
location and media used for storage. Computer operations is typically responsible for
monitoring that backup jobs and/or activities run and complete successfully.
Copyright © 2021 by The Institute of Internal Auditors, Inc. All rights reserved.