-
Binu Anna Eapen posted a new activity comment 8 years ago
1. What are the key components of SAP change management controls you would expect the auditor to review? Why?
Ans: An auditor will have to review the system’s request and incident management processes, which provide input to the change management systems. The number of times an incident occurred, frequency, root cause of the issue, t…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Well said Mansi. Nice points about the impact of inaccurate data. Incorrect data or excessive repetitive data has a negative effect on the clients' loyalty. But by having the right tools and checks when entering the data in the database, we can prevent duplicates and the negative consequences they have. Whereas incorrect or inaccurate data can…
-
Binu Anna Eapen posted a new activity comment 8 years ago
I agree with you Annamarie. Master data management becomes complex, especially when the company grows through mergers or acquisitions. Any merger will create duplicate master data. The database administrator resolves this by a process called deduplication, which is a data compression technique for eliminating duplicate copies of repeating data. But…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Master data is the basic data required to record the business transactions. The most important master data in SAP is general ledgers and sub-ledgers. General ledgers can be general ledger accounts, cost centers, profit centers. Sub-ledgers include specific master data like customer master data, asset master data, vendor master data, HR master data,…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Well written Annamarie. Role maintenance is definitely a very sensitive area, and improper/incorrect access given to anyone can result in fraud. Role maintenance and profile generator (transaction PFCG) can maintain roles, profiles and authorizations. A central user administrator can create new roles as well and assign these roles to any no. of…
-
Binu Anna Eapen posted a new activity comment 8 years ago
3. Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain
Ans. Missing, incorrect or inconsistent master data leads to processes with errors having unreliable information. The quality of the customer master data has immediate influence on sales-relevant operation of an organization and can influence the…
-
Binu Anna Eapen posted a new activity comment 8 years ago
I found onion routing interesting too. Privacy enhancing technology (PET) to enhance privacy of users of IT has 3 different classes. The first class deals with the principle of data minimization, the second class deals with technologies that enforce legal privacy requirements, and the third class deals with technology that combines the first and second class.…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Rightly said Yang. Not only does it make it easier for hackers but it also allows human errors to happen. For example, like you said, an employee having rights to proprietary data accidentally deletes the file or shares it with an outsider. This requires that the principle of least privilege be applied for each role. Only minimum rights need to be given to…
-
Binu Anna Eapen posted a new activity comment 8 years ago
I agree with you Annamarie. The principle of least privilege is one of the most commonly used and most important controls after the segregation of duties. Limiting access to a minimal level and ensuring the normal functioning of business with those privileges results in fewer security incidents, reduced support cost, simplified path to compliance,…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Nice example Vu Do. Approvals for access are a great way to manage system users.
In my previous company, the access to the imaging lab was limited and the access was provided to the IT Technicians by the executive manager only after a written mail communication was sent with justification as to why one needed access. And this security measure was…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Great post Ming Hu. I guess adaptability to change is the most important characteristic and is also the most difficult competency for a security professional. As technology keeps changing, one must always be updated with the latest technological changes to be able to make better decisions for the firm.
I also think the security professional should…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Red Cross Data Leak: Medical history of 550000 blood donors made public
The Australian Red Cross has taken responsibility and apologized after a 1.74GB backup database containing over half a million personal details of blood donors leaked. It comprised registration information from 2010 to 2016 containing data like name, addresses, date…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Nice point Abhay. Of course good communication skills help in communicating the need for security throughout the firm. Along with being observant, a security professional should be analytical. They should always be eager to learn new things and keep themselves updated with the latest technologies and threats/risks in the market to be able to…
-
Binu Anna Eapen wrote a new post on the site Auditing Controls in ERP Systems 8 years ago
Satyam-Real-World-Control-Failure-Binu
-
Binu Anna Eapen posted a new activity comment 8 years ago
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated.
Ans: Segregation of duties means dividing the tasks so that different people are handling different tasks. No person should have more than one duty or authority in business. This control is vital to reduce…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Chinese manufacturer would be partially replacing the IoT components which were involved in the DDoS attack.
Chinese manufacturer Xiongmai Technologies has promised to recall or patch some components and circuit boards that it manufactures, including CCTV, webcam devices, and digital video recorders, which attackers compromised and used to help power a…
-
Binu Anna Eapen commented on the post, Week 8: Questions, on the site 8 years ago
I agree that administrators will have more idea about the security protocols and will be able to suggest better solutions, as they are the ones who directly work and handle day-to-day issues. Normally it is the practice that the technician/administrator will study the issue, number of occurrences, suggest resolution. But the decision for change…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Good suggestions Paul.
But in this case I do not think that would be applicable for the following reasons:
1. Not all teams/projects work in the same period. That would mean the system admin will have to identify which team or which project requires what account for how much time. I do not think that this would come under the role of an AD…
-
Binu Anna Eapen posted a new activity comment 8 years ago
If I had to choose whether to allow inbound traffic or outbound traffic, I would go for outbound traffic (intranet to internet) for security reasons alone and block inbound traffic (internet to intranet). In most cases of data breach that we hear of, we find that attackers come in on inbound connections rather than outbound.
Though there are cases…
-
Binu Anna Eapen posted a new activity comment 8 years ago
Nice point Joshua. To add an example, in the firm where I had worked earlier, a particular team was supporting a different company, and that company had created accounts for these employees and had given the hiring status as contractors.
Now as a contractor:
1. the account would expire in 90 days and needed to be extended with approval from…