Fred Zajac

Laly,

I agree this is the most sensitive process. As I mentioned in my answer, this is access to the cash, or most liquid asset. Financial gain is one of the biggest pressures for committing fraud. Having the ability to change bank account information is a very powerful position, with many opportunities to commit fraud. We can’t stop the…[Read more]

Sean & Said,

I would have to agree with Paul with his comment about the Data Stewart, and believe the Data Stewart would fall under the CIO in the IT department.

I see how some may think accounting should be the main player, but since the master data is used by so many different internal and external IT resources, MDM (Master Data…[Read more]

4. Which transaction do you believe is the most ‘Sensitive’ and therefore should have extra focus in an SAT (Sensitive Access to Transaction) audit? Explain
The most Sensitive transaction would be the payment process. This includes access to the businesses most “liquid” assets. The payment includes information highly sensitive to the financi…[Read more]

3. Which is more of a risk to a company: inaccurate data or excessive repetitive data? Explain
I believe inaccurate data is more of a business risk to the company, but excessive data is more of a security risk for the company.

Inaccurate data will place problems throughout the company. Will slow things down, mess things up, and just cause…[Read more]

2. Which department or person should play the key role in defining master data and assuring it’s quality?

In my opinion, I believe the IT department / CIO should oversee defining master data and its quality. The integrity of Master Data is very important. If one thing is out of place with the mapping, it could affect the entire system. To e…[Read more]

1. Master data in an ERP system is highly integrated with various processes and effects many parts of the organization. How does an organization assure this integration works well for all?

The Master Data is Centrally Stored and integrated with various processes within an organization. In order to reduce storage size on the network, or data…[Read more]

Payback? Russia Gets Hacked

A Ukrainian group called Cyber Hunta hacked the personal assistants of Vladislav Surkov, a top-aid of Putin. Since Surkov doesn’t have an email account, all computer type communication is conducted by his assistants.

The hack gathered all the information stored in the assistants Outlook program, including…[Read more]

Vu,

You bring up a great point about Application developers and the segregation of duties within the IT department. Many times, having one person perform multiple IT functions increases fraud risks. Not only does this pertain to internal employees, which is obvious but it also pertains to 3rd party vendors. Having one vendor providing all of…[Read more]

Ming Hu,

Remaining a “student” for your entire life is what makes a person wise. It is important to keep up to date on all of the latest industry best practices to remain relevant in any business environment.

One way for us to stay current is to keep up with industry association certifications. Take a look at ISACA’s latest event in Blue…[Read more]

Ming Hu,

Remaining a “student” for your entire life is what makes a person wise. It is important to keep up to date on all of the latest industry best practices to remain relevant in any business environment.

One way for us to stay current is to keep up with industry association certifications. Take a look at ISACA’s latest event in Blue…[Read more]

4. All companies are dynamic entities with employees and others using systems coming and going all the time. What best practices have you experienced or would you recommend for managing system users and their related security access?

Since company turnover, switching vendors, and changing systems are things every company will experience, it is…[Read more]

3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?

The two most important competencies a security person needs to have are:

Integrity:
Integrity revolves around trust. As a business owner, I would want to know my security person shares…[Read more]

2. Security in an ERP system (e.g. SAP) is complex. What is the most fuzzy, difficult to understand component? Explain

The most fuzzy and difficult to understand for me is the FI (Financial / Accounting) component. I guess it was the most fuzzy for me because of the mistakes an employee may make. The security control in an ERP system…[Read more]

1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?

Segregation of duties is assigning different employees to handle the activities of a business process. Segregation of duties is a common control in many businesses because of the potential of fraud. By…[Read more]

3. What is the one interesting point you learned from the readings this week? Why is it interesting?

One interesting point I learned was about privacy, mainly overall privacy. It seems in today’s day and age, people don’t like to waste time re-entering the typical, name, email address, and other repetitive information people enter when sig…[Read more]

Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?

In the contexts of being attacked by a DDoS, a bigger threat to an organization is Spear phishing b…[Read more]

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and…[Read more]

Question 2: Suppose an organization is only able to filter and selectively block either: a) network traffic coming into its intranet from the internet (incoming) or b) network traffic going out from the intranet to the internet (outbound). With respect to each of the 3 information system security objectives (i.e. confidentiality, integrity, and…[Read more]

Question 1: How would you determine if an organization’s network capacity is adequate or inadequate?

What impacts could be expected if a portion of an organization’s network capacity is inadequate?
The capacity are the available resources for the network. To determine if the capacity of the network is adequate, you would conduct a Per…[Read more]