-
Fred Zajac posted a new activity comment 8 years, 1 month ago
An Information Risk Profile is a description of the overall IT risk to which the enterprise is exposed (Risk IT Framework p. 101). The Risk Profile will identify how much value / loss is associated with the risks accepted by the organization.
The Risk Profile is an important document because it outlines the valuable assets of an organization,…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
The term “Acceptable Information System Security Risk” outlines the Information Security Risks and the level of exposure the company is willing to endure.
The management is responsible for identifying the risks and deciding what is an acceptable level because they know the operation of the business and the impact behind each function.…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Which portion / step of the Procure to Pay process do they see as the most vulnerable to theft, fraud or failure of some kind? Explain
I believe the step most susceptible to fraud is the Vendor selection. Many organizations have “preferred” vendors, who are the first and sometimes the only vendor employees can use. In order to entice the pur…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Have you ever:
– Been victim of Fraud?
– Had evidence of, suspicions of fraud occurring?
– Been pressured (e.g. by an employer) to commit an act that was morally or legally questionable?
Explain
I have been a victim of fraud recently, committed by a restaurant waitress / manager. My wife and I went out to a chain restaurant, ordered dinne…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
In class we discussed several dimensions of Management Assertions. Which do you believe is the most important? Why?
In my opinion, the most important management assertion is Financial Reporting / Company Stability. The management team compensation packages of many publicly traded companies are based around performance and stock price, which…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
The concept of ‘Assertions’ is important to accountants. Who else is it important to? Why?
The concept of Assertions is just as important to the stockholders / stakeholders of the company. When the management team develops financial statements, the public perceives this information to be true. The information is announced during the qua…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Last week on Bloomberg radio 1130AM, John McAfee, the creator of McAfee security products, went on the air to talk about new innovation in the security arena. He is a CEO for MGT Capital Investments, an investment firm working on numerous futuristic technological products. One exciting claim he has made was how he believes his product will…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Noah,
The question asking for two made it difficult for me to pick. I thought of Confidentiality in the same way because it would put the information at risk of being leaked.
I decided to go with integrity because they are restricting the truth and availability because it isn’t accessible, but confidentiality is also put at risk because now…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
The two information security objectives that could be put at risk are:
1. Integrity – You will lose the ability to see previously labeled items. I am not sure if this is a good example but Pluto was mapped as a planet, if the FGDC said it wasn’t there, it must be changed or restricted.
2. Availability – You won’t have access to the data on…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
I would create the table to match table 8.2 in the Information Security Handbook: A Guide for Managers publication. After reviewing the security risks for the company, I would categorize each risk as a low, moderate, or high impact. I would review the FGDC guidelines to determine if the risk levels require specific safeguard procedures.
If…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
3 types of risk mitigating controls are:
1. Preventive controls
2. Detective controls
3. Corrective controls
The most important control is the preventive controls. Preventive controls are put in place to reduce the chances of the event from happening. If the preventive controls do the job, there will never be a need to detect or…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Alex,
You make great points about a company’s options for handling risk. But, in each example, I believe it would cost more to be reactive vs. proactive. However, I will say that my belief is for a majority of the time. Each situation will need to be evaluated independently, but it is safe to assume being pro-active is less expensive than…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Laly,
Great examples of the components used to assist the auditors. The component example I liked the most was the Risk Assessment.
This is why IT Audits are an important business risk for any company with sensitive information and more importantly, employees who are in a position to jeopardize the entire company.
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Prof. Yao,
You would rank all the possible areas that may be audited. You would look at the Centralized and Decentralized areas to determine priorities.
A great way to do this is to meet with the IT managers and/or any other employees who are involved in the IT Universe. It is important to note there may be an overlap between the IT audit…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
We need a control framework to “provide guidelines for the management and evaluation of IT processes”. (Chapter 16, textbook)
The Committee of Sponsoring Organizations (COSO) was created in the 80’s to oversee the accounting and auditing process for organizations. They published Internal Control – Integrated Framework, the first guide for int…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Forgot to add reference link
http://isacasfl.org/wp-content/uploads/2014/02/Elevate-Consulting-ITIL-and-COBIT-Explained.pdf
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Comparing ITIL and COBIT: list some key similarities and difference based on your understanding
ITIL – Information Technology Infrastructure Library
COBIT – Control Objective for Information and related Technology
Similarities between ITIL & COBIT
Both are considered best-practices for IT service management
Creates goals for the org…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Explain the key IT audit phases & Key activities
The IT audit phases are a broad generalization of many different possible procedures. The book mentions, “One of the most important tasks of the internal audit department is determining what to audit.” Audits are very expensive and take time to complete. This is why it is important to pri…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Ian,
You detailed the three controls and gave great examples of the control flow. I also agree that all controls are important for a controlled environment.
However, I think of the most important control as Preventative control because it costs more money to react to a problem than to prevent the problem. An example of this would be a…
-
Fred Zajac posted a new activity comment 8 years, 1 month ago
Tamer,
You mention “may need to change reporting structure”, and I think you are right. The thing about a controlled environment is that it is ever changing. Advancements in technology happen so fast, if you are not one step ahead, then you are two steps behind the bad guys.
Staying active with industry associations will give you the upper…