-
Binu Anna Eapen commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Well said. Having a well-defined framework can act as a platform to build on, thus reducing the cost and efforts of having to start from scratch every time.
-
Binu Anna Eapen commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
I found this simple to understand RACI - http://itsmtransition.com/2014/07/basic-raci-chart/
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Yes all the controls are important.
Yu Ming you mentioned that corrective controls are not useful. I disagree.
For example,
An employee may have worked in a company for almost 10 years and have worked on N no. of projects or have very confidential data on his laptop. What happens if his laptop crashes? All his data is lost. What can be…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
I think along with detective controls there should be some preventive and corrective controls as well. Once some threat is detected and identified, a protective control has to be in place to prevent the same threat from reoccurring. This could lead to loss of reputation of the company and may result in no credibility of the firm with their clients as it…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
There are 3 types of controls:
• Preventive – These controls prevent the loss or harm from occurring. Example: Firewall or the username, password which stops unauthorized access of data, color-coded IDs.
• Detective – These contr…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Researchers have said that the US 911 emergency phone system is vulnerable to DDoS attacks. They have found a way to disable the service across an entire state for an extended period.
The researchers claim that they have found a way to disable the emergency system across an entire state by using a TDoS (telephony denial of service) attack. The emergency…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Kaspersky Lab Presents the First Cybersecurity Index
Read more at:
http://economictimes.indiatimes.com/articleshow/54170898.cms?utm_source=contentofinterest&utm_medium=text&utm_campaign=cppst
http://www.securitymagazine.com/articles/87428-kaspersky-lab-presents-first-cybersecurity-index
Kaspersky is launching its first Cybersecurity Index…
-
Binu Anna Eapen commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
4. Why do we need control framework to guide IT auditing?
A control framework will ensure that the risks are being addressed appropriately and the company’s directives/objectives are carried out in a cost-effective way, maximizing returns with the available resources. A framework provides guidelines for the management and evaluation of the IT p…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
3. Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL: Developed by UK Office of Government Commerce
It is a framework which helps us to understand how to achieve successful operational service management of IT and includes business value delivery.
COBIT 5: Developed by ISACA
It is a…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Q. What are the key activities within each phase?
Activities within each phase:
1. Planning:
– Collect necessary information like the key contacts for audit from the audit manager.
– Take a preliminary survey of the area to be audited.
– Take feedback and inputs from the audit customers.
– Make sure there is a standard checklist.
-…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Q Explain the key IT audit phases
Ans: 1. Planning: Need to plan what needs to be reviewed. Proper planning helps in successful audits. Here the objective and scope of the audit are defined.
2. Fieldwork and Documentation: What has been planned is taken into action.
3. Issue discovery and validation: Check if the risk is worth addressing and…
-
Binu Anna Eapen commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Do you think wrong data entry is an IT risk?
-
Binu Anna Eapen commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Also shredding important documents after use would be a good idea and should be encouraged.
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
Smaller companies or organizations whose primary aim is not IT can always outsource IT services. Benefits being:
• Saves costs.
• Increases efficiency.
• Focus on core areas.
• Save on infrastructure and technology.
• Access to skilled resources.
• Time zone advantage.
• Faster and better services.
-
Binu Anna Eapen commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Symantec is a great tool but it consumes a lot of processes on the local machine making it very slow.
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
In my previous company we had a policy to use a cable lock when leaving the laptop at your desk unattended. And we had security who would confiscate the laptop. If in a year the laptop was confiscated more than 3 times, his manager and HR would be informed to warn him of the consequences.
By setting the policy to lock screen after 5 mins of…
-
Binu Anna Eapen posted a new activity comment 8 years, 2 months ago
I guess the management should identify the teams or projects working on PII and specially limit the capabilities of those machines by pushing security patches or using encryption tools.
In my previous company, we had 2-factor authentication used for securing client information, especially for ODCs, other than the regular BitLocker encryption on…
-
Binu Anna Eapen commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Detection*
-
Binu Anna Eapen commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
I believe that as we find solutions or fixes to one set of malware or viruses, there are n number of viruses and malware created and injected into the network every day. We might not be able to generate a foolproof security system that cannot be affected by viruses/malware. But we can have Intrusion Detection and Prevention systems in place to…