Deepali Kochhar

you made a good point Annamarie, it is always good to have 2 level authentication to manage quality. it can be possible that one might miss a mistake and it comes in the notice of other. Also it helps in getting different opinions. definitely accounting department will have dependency on material management and if both remain integrated, they can…[Read more]

overall in a way it harms the data integrity and hinders one of the three goals of information security i.e. confidentiality, availability and integrity. This in a way explains that their is lack of information security policies and procedures in an organization.

Definitely, governance of sensitive data is very important in order to avoid accounting scandels such as Enron and worldcom.
Here comes the role of segregation of duties and data ownership. This helps in creating a clear picture of who is responsible for what and ultimately helps in tracking down each and every transactions made at lower level…[Read more]

Q3. Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain

In my point of view inaccurate data is of more risk to a company as this directly harm the integrity of data. The prime motive of information security team is to manage and maintain data confidentiality, integrity and availability because every…[Read more]

very good point made here Mansi. Both Identity and access management have different KPI’s , Objectives and specially the risk associated with them which should be addressed.
Identity management is associated with addressing risk related to unauthenticated role whereas access management is associated with addressing risk related to unauthorized…[Read more]

Great point Annamarie. One of the examples can be VPN access rights. Since it is a very important to monitor the activities happening over the VPN. Users should be given least privileges. There should be session time out policy towards the use of VPN and also the renew process should be frequent in a way that employees should not be given the…[Read more]

Also to add to your point, I would say analysis of critical issue is also important To this one can be a preventive way where analysis should be performed to identify what all security controls should be in place to avoid any unwanted event and other can be corrective where an already occurred scenario should be analysed so as to find the root…[Read more]

This is a a good point Magaly. It is important to define the duties before implementation. But it is equally important to manage the errors during the implementation. The organisation chart if maintained can help in identifying the errors occurred during the implementation which can than be tracked and appropriate changes can be made.
Apart from…[Read more]

I agree with you Joshua. I think more than giving power to the employees it is about managing the services well. It is about assignment of right duties to the right person in a way that it should match with the capabilities of the employees. Also it creates multiple level of data review which helps in reducing errors.
For example in case of…[Read more]

DDoS attack on StarHub first of its kind on Singapore’s telco infrastructure:

After a massive attack against US based domain name server provider DYN there is another similar attack that has happened. Singaporean ISP StarHub suffered two similar DNS attacks disrupting its DNS services, blocking access to major websites for many internet users.…[Read more]

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is the concept of having more than one person required to complete a task. In business the separation by sharing of more than one individual in one single task is an internal control…[Read more]

1. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain

In my point of view, the most difficult to understand security component in SAP is Authorization. This includes managing user ID to the roles and profiles. This is designed to protect system availability, integrity and…[Read more]

Priya,

This is a very good explanation to this question. You mentioned all important points which should be considered to determine if an organization’s network capacity is adequate or inadequate. One point I like the most is to test should be stimulated taking failure cases into consideration. It is very important to manage the network d…[Read more]

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and…[Read more]

3.2 Million Debit Card Hacked in India

In what has been termed as the biggest data breaches in the banking industry in India, 3.2 million debit card details have been stolen. These debit cards have been understood to be used at ATM’s that are suspected to have exposed card and pin details to malware at the back-end. A forensic audit has been…[Read more]

Definitely Mansi. In the similar way, banking industry use 2 factor authentication which is on one side complex for the users to but on the other side is very important to protect customers from criminals to gain access to a user’s private data such as personal and financial details. So such policies are very important to follow even if they seem…[Read more]

Said, it is not the case that once a period has been closed there is no possibility to post in that period. It is a very common practice is to keep the prior period open to allow period-end adjustments along with the current posting period and with that there is no restriction on number of posting periods which can simultaneously run. It is just…[Read more]

One of the similar case occurred in my organisation. There were people from infrastructure team who never use to lock their system while leaving the desk for some temporary period of time. This came into the notice of the information security team and they were warned. Still they found it complex to lock the system every time they leave the desk.…[Read more]

very well pointed Priya. This is where segregation of duties comes into the play. It is necessary to focus on both the aspects and give attention to internal as well as external frauds. Companies are constantly evolving in terms of managing internal and and external threats specially for systems like SAP which has all of their financial data and…[Read more]