-
Abhay V Kshirsagar posted a new activity comment 8 years ago
What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties or SoD is a key concept of internal controls. It is ensuring that the right people have the right access but not enough access to bypass any other controls.
Most of the large regulatory rules…
-
Abhay V Kshirsagar commented on the post, Week 8: Questions, on the site 8 years ago
Vu,
I can certainly relate to this. In my case, the authorization request sometimes took more than three days. On one hand, I had a pile of customization requests growing and on the other hand, I was waiting to get the authorization.
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Dan,
I believe that the authorization control is the most important one of all. For instance, in the context of the principle of least privilege, think about a company where a sales person has access to the HR system data. That sales person doesn’t need that access in order to finish his/her job, resulting in violation of the principle of least…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Just to add another risk related to posting period, there have been incidents in my company where amounts were posted before the period that led to financial irregularities, which is a risk.
I think it was important to monitor and review the general ledger for any prior period postings. If there was any entry discovered, it was important to…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Priya,
I absolutely agree with you. Just like the PCs, the ERP applications were developed to process data and help companies manage their business processes efficiently. As you rightly pointed out, the contexts in which the technology is consumed have increased and so have the tools.
For e.g.: various ERPs have mobile apps that my company…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Absolutely, I agree.
There is a huge security risk associated with outbound traffic. For instance, DDoS attacks. But if you don’t have an open port to move traffic out, the probability of your network to be a participant (botnet) of such an attack decreases.
There are other risks as well, like, uncontrolled email and file transfers from…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Paul,
I absolutely agree.
In one of my internships, I occasionally customized the ERP tabs as per the requests that came in from the department. My primary job as an intern was related to the database and not system development. But, every time a customization request came in, it used to take at least 24 hours for it to grant me required privileges…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain
From my experience, the COO focused more on security protocols than the security of the enterprise network. Throughout different projects, I noticed how vigilant the…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
In the context of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?
Fraudsters use phishing emails to steal personal information. Although, the email may look harmless but they c…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
“Major DDoS attack on Dyn DNS knocks Spotify, Twitter, Github, Etsy, and more offline”
Some popular websites including Twitter, Etsy, Reddit experienced disruptions when hackers launched a large cyber-attack. The cause appears to be the outage of DNS provider called Dyn. On Friday morning, domain host company Dyn confirmed that the attack sta…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
“Android Banking Trojan Tricks Victims into Submitting Selfie Holding their ID Card”
According to Kaspersky Lab Anti-Malware Research team, Acecard is the most dangerous Android Banking Trojans out today.
You can read more about the evolution of Acecard malware here [ht…
-
Abhay V Kshirsagar commented on the post, Weekly Question #7: Complete by November 10, 2016, on the site 8 years ago
I like that you pointed out about assessing system security with respect to sensitive customer data and segregation of duties. I think SAP has a very sophisticated automated access control and enforced governance to minimize access risk and prevent the events like you mentioned in the posts from happening.
And, to add to your Patch management…
-
Abhay V Kshirsagar commented on the post, Weekly Question #7: Complete by November 10, 2016, on the site 8 years ago
Thanks! It just struck me at the end 🙂
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Correct,
And to add another example to your list, the US and other countries, like Australia, don’t follow the same accounting standards when they produce their financial reports;
the US uses the GAAP system and Australia uses AASB. This is something even the domestic companies need to keep in mind if they are planning to set up a branch in Australia.
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Great Post, Jaspreet.
I like that you brought the point of Segregation of Duties (SoD). Cash is every organization’s favorite asset and thus it becomes imperative to put a big lock on the cash account to ensure its safety. Locks like Authorization (cash not going out of the organization without permission) and Record Keeping (what is going on…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Wenlin,
Great post. I would like to add a point about “integration” of different systems. There was a time when organizations were adopting different systems to increase their digital quotient. Now, the trend is to integrate different systems as a whole to increase efficiency in organizations.
Data redundancy reduced, and organizations ended…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Alexandra,
You do raise a good point here. Whereas I believe that although, job descriptions for a Systems Analyst position may not say that it’s required for you to know about basic financial accounting, but there is a good chance that the employee will have to learn some basic concepts in the future.
For example, I was working as a…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain
In some cases, IT personnel who support business applications also customize system…
-
Abhay V Kshirsagar posted a new activity comment 8 years ago
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Disaster Recovery and Business continuity although sound very similar and have a lot of overlap, they are different.
Disaster Recovery:
Disaster Recovery outlines how a company…
-
Abhay V Kshirsagar posted a new activity comment 8 years, 1 month ago
For an organization choosing among Denver Colorado, Miami Florida, Redlands California and Tulsa Oklahoma, from a physical security perspective – where would be the best place to locate their data center? Why is this place better and the other places worse?
Out of the options provided, I think Denver, Colorado will be the best choice to l…