Systems Availability & Capacity Management
This episode of the ISACA Certified Information Systems Auditor (CISA) exam prep series covers systems availability and capacity management. It examines how software is layered, what the operating system and its utilities do, how licensing and source code must be governed, and how organisations plan and monitor computing capacity to keep systems both available and right-sized for the business.
What this episode covers
- Software layering: the hierarchy from hardware and firmware through the kernel to system utilities, and how the operating system acts as the traffic controller for all of them.
- Operating system parameters and integrity: how configuration settings govern control, and why the OS must isolate processes and enforce least privilege to protect itself.
- Utility programs: what they do, why powerful ones can bypass security, and why access must be tightly restricted.
- Software licensing: licence types, auditor steps for catching violations, and the range of paid models from per-seat to enterprise-wide.
- Source code protection: version control systems, distributed repositories, branching, rollback, and escrow agreements.
- Capacity management: planning, monitoring, and tuning computing resources to match business growth without overspending.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How is a computer's software layered and what does the operating system do?
Software is organised as a hierarchy with hardware and firmware at the base, the privileged kernel above it, and system software utilities above that. The operating system sits at the heart of this structure and acts as the interface between the user, the processor, and applications, managing how everything shares the processor, memory, storage, and devices. Reviewing the operating system's configuration parameters is the best way for an auditor to understand how controls actually work in practice.
Why must utility programs be tightly restricted in an operating environment?
Utility programs perform routine maintenance tasks such as testing data quality and analysing application behaviour, but many powerful utilities can bypass security controls and leave no audit trail. Because of this risk, access to the most powerful utilities must be tightly restricted to authorised personnel only. An auditor should confirm that these programs are not freely available to general operators or developers.
How should source code be protected according to CISA exam concepts?
Source code is the human-readable text behind a program and may contain intellectual property, so access must be restricted to authorised individuals. A version control system should manage a central repository where developers check code out and back in, creating a revision history that supports parallel work, rollback, and branching. An auditor should confirm who can read the code, who can push it to production, that it is backed up including offsite copies, and whether an escrow agreement protects access when a vendor will not share the source.
What is capacity management and how is it planned?
Capacity management is the discipline of planning and monitoring computing and network resources so that they are used efficiently and can scale with the business. The plan is built with input from users and management, reviewed at least annually, and based on real experience together with projected growth across processor use, storage, bandwidth, and user numbers. The real aim is to match capacity to what the business needs without overspending, buying expensive resources just before they are actually required.
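The planning step described above can be worked through on numbers. This is an added example, not material from the episode: it fits a linear trend to monthly utilisation and times each purchase against projected growth. The utilisation figures, the 85% threshold, the two-month lead time, and all function names are assumptions made for illustration.

```python
# Constructed monthly peak utilisation (% of installed capacity), oldest first.
HISTORY = {
    "processor": [52, 54, 55, 58, 60, 61],
    "storage":   [60, 64, 68, 72, 76, 80],
    "bandwidth": [41, 40, 41, 40, 41, 40],
}
THRESHOLD = 85.0      # assumed ceiling before service degrades
LEAD_TIME_MONTHS = 2  # assumed procurement and installation time

def monthly_growth(samples):
    """Least-squares slope of utilisation against month index."""
    n = len(samples)
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(samples))
    den = sum((x - mean_x) ** 2 for x in range(n))
    return num / den

def months_until_threshold(samples, threshold=THRESHOLD):
    """Whole months left before the trend, projected from the latest
    sample, crosses the threshold. 0 if already over, None if the
    trend is flat or falling."""
    if samples[-1] >= threshold:
        return 0
    slope = monthly_growth(samples)
    if slope <= 0:
        return None
    # Truncate so the estimate errs on the early (safe) side.
    return int((threshold - samples[-1]) / slope)

def capacity_plan(history=HISTORY, lead_time=LEAD_TIME_MONTHS):
    """Per resource: order now, order later, or no purchase planned."""
    plan = {}
    for resource, samples in history.items():
        remaining = months_until_threshold(samples)
        if remaining is None:
            plan[resource] = "no growth trend; no purchase planned"
        elif remaining <= lead_time:
            plan[resource] = "order now"
        else:
            plan[resource] = f"order in {remaining - lead_time} months"
    return plan

if __name__ == "__main__":
    for resource, action in capacity_plan().items():
        print(f"{resource:10s} {action}")
```

A straight-line trend is the simplest model; seasonal or step-change workloads need the user and management input the plan already calls for.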
Reference: This article is based on concepts discussed in Systems Availability & Capacity Management.