Episode 98: Evaluating IT Operations and Maintenance Practices

Welcome to The Bare Metal Cyber CISA Prepcast. This series helps you prepare for the exam with focused explanations and practical context.
IT operations and maintenance are the foundation of secure and reliable technology services. When operations run smoothly, systems remain stable, users stay productive, and business processes continue without interruption. When maintenance is effective, systems are kept up to date, vulnerabilities are closed, and infrastructure remains compliant with policy and regulation. Weakness in either area—whether due to poor documentation, inadequate monitoring, or inconsistent execution—can lead to downtime, data loss, security incidents, or audit findings. For auditors, evaluating IT operations means looking beyond whether systems are functioning today. It means verifying that procedures, tools, and staffing support long-term service quality, risk reduction, and strategic alignment. The CISA exam often includes questions about operational controls, logging, incident handling, and whether maintenance activities are traceable and risk-aware.
IT operations consist of several interdependent components that must function as a cohesive whole. System administration covers the management of servers, storage devices, and user accounts. Monitoring includes tracking performance indicators such as CPU usage, memory load, disk space, and network latency. Job scheduling coordinates routine processes such as backups, report generation, or automated security scans. Helpdesk support handles incidents and service requests, ensuring that disruptions are addressed and access changes are processed. These functions must be guided by service level agreements and risk tolerance thresholds, and they must align with business goals. Auditors assess whether these operational areas are clearly defined, consistently executed, and supported by tools and procedures that enable traceability and accountability. On the exam, candidates may be asked to evaluate the interaction between operational areas and whether they support or hinder service reliability.
Routine maintenance activities are the backbone of proactive IT management. This includes patch management for operating systems, applications, and firmware—often supported by automated tools and scheduled deployment windows. Configuration management ensures that systems adhere to approved baselines and that deviations are documented. Hardware lifecycle management covers upgrades, repairs, warranty tracking, and device decommissioning. Software licensing must also be monitored to avoid compliance violations, optimize spending, and ensure coverage. Auditors review whether maintenance activities are scheduled, whether changes are documented, and whether testing is conducted to confirm success. The CISA exam may test your knowledge of maintenance coverage gaps, such as outdated systems with unsupported software, or assets that have been excluded from routine patches or configuration checks.
Change management is a vital process that must be integrated with operations and maintenance. Routine maintenance tasks often involve configuration changes, updates, or system reboots—each of which can introduce risk. These tasks must be documented in change requests, categorized by risk level, and approved through established workflows. Change windows must be coordinated with system owners, business units, and support teams. Testing should occur before changes are applied to production, and rollback plans must be documented in case of failure. After implementation, post-change monitoring ensures that the change did not introduce performance issues or unintended consequences. Auditors assess whether operations teams follow change procedures, especially when performing urgent or emergency maintenance. On the CISA exam, candidates may encounter incidents that trace back to unscheduled or poorly documented changes, highlighting the importance of integration between maintenance and change governance.
Monitoring and logging practices provide the visibility needed to detect issues before they escalate. Organizations must use monitoring tools to track system performance, uptime, and utilization. These tools must also generate alerts when predefined thresholds are breached, such as CPU usage exceeding acceptable levels or disk space running low. Logging captures events such as user logins, failed access attempts, system errors, and configuration changes. Logs must be collected from across infrastructure, centralized where possible, and retained according to policy. Regular review of logs helps identify trends, investigate anomalies, and improve detection. Auditors verify whether tools cover all critical systems, whether logs are stored securely, and whether escalation paths exist for unusual or unauthorized activity. The CISA exam may test your understanding of logging completeness, retention policies, and the effectiveness of monitoring in detecting and responding to service issues.
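The three checks the paragraph describes (threshold alerts on metrics, review of logs for failed-access anomalies, and confirming that every critical system actually produces logs) can be exercised on sample data. The script below is an added example written for this page, not material from the prepcast; the metric samples, log lines, host list and threshold percentages are all constructed, and the thresholds and five-failures-per-minute rule are assumed policy values.

```python
"""Added example (not from the prepcast): a small monitoring and log-review script.

Demonstrates three controls from the episode: threshold alerts on performance
metrics, detection of repeated failed logins in log data, and a logging
completeness check (which critical hosts produced no log lines at all).
All input data below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed metric samples: (host, metric, value in percent)
METRIC_SAMPLES = [
    ("db01", "cpu", 97.0),
    ("db01", "disk_used", 91.5),
    ("web01", "cpu", 42.0),
    ("web01", "disk_used", 64.0),
    ("app01", "memory", 88.0),
]

# Alert thresholds in percent (assumed policy values, not from the episode)
THRESHOLDS = {"cpu": 90.0, "memory": 85.0, "disk_used": 90.0}

# Constructed syslog-style lines: timestamp, host, message
LOG_LINES = """\
2024-05-01T08:00:01 web01 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:00:04 web01 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:00:07 web01 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:00:09 web01 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:00:12 web01 sshd: Failed password for admin from 10.0.0.5
2024-05-01T08:15:00 web01 sshd: Accepted password for admin from 10.0.0.5
2024-05-01T09:00:00 db01 sshd: Failed password for backup from 10.0.0.9
2024-05-01T09:30:00 db01 config: baseline change applied by jsmith
""".splitlines()

# Constructed list of systems that must be covered by log collection
CRITICAL_HOSTS = {"web01", "db01", "app01"}

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"Failed password for (?P<user>\S+) from (?P<src>\S+)")


def parse_line(line):
    """Split one log line into timestamp, host and message; None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "msg": m["msg"]}


def check_thresholds(samples, thresholds):
    """Return (host, metric, value) for every sample above its threshold."""
    return [(h, m, v) for h, m, v in samples if m in thresholds and v > thresholds[m]]


def failed_login_bursts(lines, window=timedelta(minutes=1), limit=5):
    """Return (host, user, source) keys with at least `limit` failures in one window.

    A sliding window per (host, user, source) is advanced from the earliest
    failure still inside it, so each burst is reported once.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        f = FAILED_RE.search(rec["msg"])
        if f:
            events[(rec["host"], f["user"], f["src"])].append(rec["ts"])
    bursts = []
    for key, stamps in events.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= limit:
                bursts.append(key)
                break
    return bursts


def log_coverage(lines, expected_hosts):
    """Return critical hosts that emitted no log lines (a completeness gap)."""
    seen = {rec["host"] for rec in map(parse_line, lines) if rec}
    return sorted(expected_hosts - seen)


if __name__ == "__main__":
    print("threshold alerts:", check_thresholds(METRIC_SAMPLES, THRESHOLDS))
    print("failed-login bursts:", failed_login_bursts(LOG_LINES))
    print("hosts with no logs:", log_coverage(LOG_LINES, CRITICAL_HOSTS))
```

On the constructed data, `db01` trips both the CPU and disk thresholds, `app01` trips memory, the five failures against `admin` on `web01` within eleven seconds are reported as a burst, and `app01` is flagged because it sent no logs at all: exactly the kind of gap an auditor looks for when checking that monitoring covers every critical system.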
Backup and recovery readiness are essential for operational resilience. Critical systems, data repositories, and configuration files must be backed up regularly according to the organization’s recovery time and recovery point objectives. Backups must be tested periodically to confirm that restoration procedures are reliable and that backup data is not corrupted. Failures in the backup process—such as skipped jobs or incomplete copies—must be logged, reviewed, and corrected promptly. Organizations should retain backup copies for the required duration, using secure storage and encryption to prevent unauthorized access. Auditors evaluate whether backup procedures are defined, tested, and monitored. They also check whether recovery tests are documented and aligned with continuity planning. On the CISA exam, candidates may encounter scenarios involving untested backups or data loss following incomplete recovery steps, reinforcing the need for comprehensive and regularly validated backup strategies.
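Turning the paragraph's criteria into a repeatable check: the script below, an added example rather than anything from the prepcast, takes a constructed set of backup job records, catalog checksums and restore-test dates and reports RPO breaches, jobs needing review, corrupted artifacts and overdue restore tests. The RPO hours, the 90-day restore-test interval and all job data are assumed values for illustration only.

```python
"""Added example (not the episode's own material): a backup-readiness check.

Flags (1) systems whose newest successful backup is older than their RPO,
(2) failed or skipped jobs that must be logged and reviewed, (3) backup
artifacts whose recorded checksum no longer matches the data, and
(4) systems whose last documented restore test is older than a policy limit.
RPO values, the 90-day limit and all records are constructed/assumed.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed "current time" for the review
NOW = datetime(2024, 5, 2, 6, 0)

# Assumed policy: recovery point objective per system, in hours
RPO_HOURS = {"erp-db": 4, "fileshare": 24, "hr-app": 24}

# Constructed job records: (system, finished_at, status)
JOBS = [
    ("erp-db", datetime(2024, 5, 2, 1, 0), "success"),
    ("erp-db", datetime(2024, 5, 2, 5, 0), "failed"),
    ("fileshare", datetime(2024, 4, 30, 23, 0), "success"),
    ("fileshare", datetime(2024, 5, 1, 23, 0), "skipped"),
    ("hr-app", datetime(2024, 5, 1, 22, 0), "success"),
]

# Constructed artifacts: (system, backup bytes, checksum recorded in the catalog)
_good = b"erp-db full backup 2024-05-02"
ARTIFACTS = [
    ("erp-db", _good, hashlib.sha256(_good).hexdigest()),
    ("hr-app", b"hr-app full backup 2024-05-01", "00" * 32),  # mismatching checksum
]

# Constructed dates of the last documented restore test per system
LAST_RESTORE_TEST = {
    "erp-db": datetime(2024, 3, 1),
    "fileshare": datetime(2024, 4, 20),
    "hr-app": datetime(2023, 11, 1),
}


def rpo_violations(jobs, rpo_hours, now):
    """Systems whose newest successful backup is older than the RPO, or absent."""
    latest = {}
    for system, finished, status in jobs:
        if status == "success" and (system not in latest or finished > latest[system]):
            latest[system] = finished
    out = []
    for system, hours in rpo_hours.items():
        if system not in latest or now - latest[system] > timedelta(hours=hours):
            out.append(system)
    return sorted(out)


def jobs_needing_review(jobs):
    """Failed or skipped jobs: each must be logged, reviewed and corrected."""
    return [(s, t, st) for s, t, st in jobs if st != "success"]


def integrity_failures(artifacts):
    """Artifacts whose recomputed SHA-256 does not match the catalog entry."""
    return [s for s, data, recorded in artifacts
            if hashlib.sha256(data).hexdigest() != recorded]


def restore_tests_overdue(last_tests, now, max_age=timedelta(days=90)):
    """Systems whose last documented restore test is older than max_age."""
    return sorted(s for s, when in last_tests.items() if now - when > max_age)


if __name__ == "__main__":
    print("RPO violations:", rpo_violations(JOBS, RPO_HOURS, NOW))
    print("jobs to review:", jobs_needing_review(JOBS))
    print("integrity failures:", integrity_failures(ARTIFACTS))
    print("restore tests overdue:", restore_tests_overdue(LAST_RESTORE_TEST, NOW))
```

Note that `erp-db` breaches its RPO even though it has a recent successful backup, because the failed 05:00 run pushed the newest good copy past the four-hour objective; a review that only counts "was there a backup today" would miss this, which is why the check is keyed to the RPO rather than to job existence.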
Asset and configuration tracking ensures that organizations know what systems they operate and how they are configured. Hardware and software inventories must be maintained with accurate details such as asset tags, serial numbers, license information, and support coverage. Configuration management databases link these assets to system owners, dependencies, and current settings. Accurate tracking supports patch deployment, vulnerability management, and troubleshooting. Tracking must include change histories and exception documentation. If a device or application deviates from the standard configuration, the reason must be documented and approved. Auditors assess whether inventories are current, whether configuration baselines are enforced, and whether asset data supports effective maintenance planning. The CISA exam may include questions on missing inventory records, undocumented configurations, or gaps in system dependency tracking that affect maintenance coverage.
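The reconciliation an auditor performs here (does the inventory match what is actually running, and is every baseline deviation covered by an approved exception?) can be scripted against inventory and configuration exports. The block below is an added example, not code from the prepcast; the inventory, baseline settings, observed state and exception register are all constructed, and the setting names are illustrative placeholders.

```python
"""Added example (not from the episode): reconcile a constructed asset
inventory and configuration baseline against observed system state.

Reports assets seen but missing from the inventory, inventory assets never
observed, and baseline deviations that lack an approved, unexpired exception.
All data and setting names are constructed for illustration.
"""
from datetime import date

# Constructed asset inventory
INVENTORY = {
    "web01": {"owner": "platform", "asset_tag": "A-1001"},
    "db01": {"owner": "data", "asset_tag": "A-1002"},
    "app01": {"owner": "apps", "asset_tag": "A-1003"},
}

# Constructed approved baseline (illustrative setting names)
BASELINE = {"ssh_password_auth": "no", "ntp_enabled": "yes", "audit_log": "on"}

# Constructed observed configuration per asset
OBSERVED = {
    "web01": {"ssh_password_auth": "no", "ntp_enabled": "yes", "audit_log": "on"},
    "db01": {"ssh_password_auth": "yes", "ntp_enabled": "yes", "audit_log": "on"},
    "lab07": {"ssh_password_auth": "yes", "ntp_enabled": "no", "audit_log": "off"},
}

# Constructed exception register: (asset, setting) -> documented, approved exception
EXCEPTIONS = {
    ("db01", "ssh_password_auth"): {
        "approved": True,
        "expires": date(2024, 12, 31),
        "reason": "legacy batch client",
    },
}


def inventory_gaps(inventory, observed):
    """Assets observed but unregistered, and registered assets never observed."""
    return {
        "unregistered": sorted(set(observed) - set(inventory)),
        "not_observed": sorted(set(inventory) - set(observed)),
    }


def unapproved_deviations(baseline, observed, exceptions, today):
    """(asset, setting, expected, actual) for deviations without a valid exception."""
    out = []
    for asset, settings in sorted(observed.items()):
        for key, expected in baseline.items():
            actual = settings.get(key)
            if actual == expected:
                continue
            exc = exceptions.get((asset, key))
            if exc and exc["approved"] and exc["expires"] >= today:
                continue  # documented and approved, so not a finding
            out.append((asset, key, expected, actual))
    return out


if __name__ == "__main__":
    print(inventory_gaps(INVENTORY, OBSERVED))
    print(unapproved_deviations(BASELINE, OBSERVED, EXCEPTIONS, date(2024, 5, 2)))
```

`db01` deviates from the baseline but carries an approved exception, so it is not reported until that exception expires; `lab07` is both absent from the inventory and out of baseline on every setting, which is the "undocumented configuration" case the paragraph warns about.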
Service and capacity management are closely linked to operational effectiveness. Systems must be sized and tuned based on workload demands, seasonal usage patterns, and growth forecasts. Capacity planning helps ensure that systems do not become performance bottlenecks due to resource constraints. Metrics such as system uptime, transaction throughput, and resource utilization are used to identify when resources must be added or reallocated. Proactive tuning and forecasting help prevent outages, delays, and end-user frustration. Reporting tools can highlight when thresholds are regularly approached or exceeded. Auditors review whether capacity is managed based on actual usage and forecasted demand, and whether under-provisioned systems are flagged and addressed. On the CISA exam, you may be asked to evaluate capacity risk scenarios, such as service degradation due to unmonitored growth or unplanned spikes in demand.
People are just as important as systems. Operational roles must be clearly defined, including system administrators, network operators, support analysts, and monitoring personnel. Each role should have defined responsibilities, required skills, and access levels appropriate to their function. Cross-training is essential to reduce single points of failure and maintain service continuity during absences or emergencies. Escalation paths must exist for unresolved incidents, and on-call schedules should support coverage for critical systems. Auditors assess whether staffing levels are adequate, whether access permissions are reviewed, and whether escalation procedures are followed. CISA candidates should expect questions about accountability in IT operations and whether organizational structure supports timely issue resolution and resilient service management.
For CISA candidates, evaluating IT operations and maintenance involves examining whether daily activities support reliability, security, and compliance. You must assess whether routine tasks are documented, changes are controlled, logs are reviewed, backups are tested, and systems are monitored for performance and capacity. Expect questions on maintenance schedules, ticket handling, change integration, and asset tracking. Operational processes may seem routine—but they are where service failures begin if not properly managed. As an auditor, your job is to ensure that these foundational practices are structured, visible, and continuously improved. Operations teams are the stewards of technology health. Their discipline, coordination, and readiness determine whether the organization avoids problems—or simply reacts to them when it's too late.
Thanks for joining us for this episode of The Bare Metal Cyber CISA Prepcast. For more episodes, tools, and study support, visit us at Baremetalcyber.com.