Ian M. Johnson

Why do we need control framework to guide IT auditing?

1. To provide the data structure that will help design, implement, organize, and categorize Internal controls
2. To make sure internal controls meet requirements and are working properly.
3. To ensure efficient IT audit processes; including means for reporting
4. To risk assess, risk…[Read more]

Comparing ITIL and COBIT: list some key similarities and difference based on your understanding

Simply put: COBIT provides the ‘why’; ITIL provides the ‘how’, COBIT is broader than ITIL in its scope of analysis, and ITIL concentrates on and offers more detailed guidance when it comes to IT service mgmt.

However, I read that there is more…[Read more]

Explain the key IT audit phases
What are the key activities within each phase?

I. The first key IT Audit phase is: Requesting Documents
a. Key activities: Inform the organization of the coming audit, Create the preliminary checklist, Request documents listed on an audit preliminary checklist; Examples:
a. Copy of the previous audit report,…[Read more]

I agree. It is important for the leaders of the organization to lead by example. I think it definitely does work its way down to the company’s employees. I keep saying it but the commitment needs to come from all departments within the organization. It can’t just be the IT department worrying about information security anymore. Its everyone!

At the two companies I have worked for, all employees (in all departments) were required to take training on “Safe computer use”, IT security, etc. The training went through many of the same things as the video and had the same corny jokes too haha! It was definitely needed though and I think it definitely did help a lot of the employees that…[Read more]

I agree. It is crucial to have the entire company invest in Information Security. There needs to be a cross department collaboration to successfully implement the company’s Information Security plan. It definitely is a technical issue as well but that is part of the company’s plan that directly affects the company’s business and the ability to…[Read more]

As a student it is easy to see how your information is at risk and take that side. Priya, do you think that the university is more at risk with all of the students on their network or do you think that students are more at risk that their information could be stolen and held for ransom?

I just hope Temple practice what their Information…[Read more]

Right, I think that auditors need to know the technology so that they can recommend what fits with the company. Some technology will be better for certain environments and organizations. I think it becomes important at the beginning (recommendations), in the middle (setting up controls), and at the end (enforcing and actively participants in the…[Read more]

I have seen both of these at work. I work in a secure area at Lockheed Martin and we actually have individuals that walk around to see if people are breaking these “rules” now. Not locking your screen is an easy mistake to make when you are super busy. Surfing the web and going to sites that may not be secure is tough to monitor but it is…[Read more]

When I worked for the Navy and now Lockheed Martin, one of our greatest risks came from your managers, employees, and business partners. If the a manager was not treated well, an employee was fired, or a business partner caught a bad deal, all three parties had access to information that they could use against the company. So one risk that we…[Read more]

Thanks Daniel. I think that the company lacks a information security strategy. There are things that the company could probably do to increase their information security, like: Inter-Departmental Cooperation, Educating Employees on the Importance of Information Security, and Developing a Proactive Approach to Information Security.

http://www.usnews.com/news/articles/2015/07/09/more-than-21-million-affected-by-government-hacking

^here is an article that goes over what I was referring to. Thanks, Priya. Great article post!

These issues tend to scare me. It reminds me of a 2015 story (to a lesser degree) that involved the US government being hacked of 21 million social security numbers. The government is now notifying and helping the individuals that were affected. The affected individuals have to do way more than the above Yahoo users. Just shows how important…[Read more]

I read the article: “Why Your Firm Should Demonstrate Information Security”. It was written by the Chief Information and Security Office at Dickinson Wright PLLC, Michael P. Kolb. The article described how law firms are finding an increase in audits and as a result how firms are starting to commit to information security. For Dickinson Wri…[Read more]

Quantitative Information Security Risk Analysis is when you are able to examine a risk by looking at its risk factors in order to place a dollar amount or another type of value to the specific risk.

An example is having 100 employee’s sensitive bank account numbers, bank router numbers, and other direct deposit information in a database in o…[Read more]

Organizational IT Risks:
-General IT Risks like viruses, space, scans, phishing, hardware and software failure
-Criminal IT Risks like hackers, fraud, Internal destruction, security breaches
-Natural disasters that affect IT systems: hardware damage, downtime, backup system failure, etc.

What is the purpose of all auditors having some understanding of technology?

IT auditors need to understand the technology because without the knowledge behind the technology, auditors would not be able to properly identify the inefficiencies in IT technology, determine the risk with the technology and recommend methods to minimize those risks, etc.

“The Control Environment is the overall attitude and tone of an organization toward internal control.” With that said, the control environment affects IT through management’s decision to implement internal controls or not. It affects the risk of IT, communication of the IT team, management styles, IT monitoring, and ultimately IT’s quality…[Read more]