Mansi Paun posted a new activity comment 8 years, 3 months ago
Very well explained, Joshua. I especially liked the example you shared and the downside that you mentioned for SOD. Sean put forth an excellent point about the probability of fraud still being possible in a small company where employees could be co-located, creating an environment and an opportunity which is favorable for committing fraud. In that…
Mansi Paun posted a new activity comment 8 years, 3 months ago
Excellently put, Abhay. I agree with you that authorizations in SAP ERP are very complex. Although the SAP security can be explained and understood with ease, what is tricky is the configuration of the security controls that are to be put. As SAP is extremely customizable, it leaves a lot of room for the business to configure the system in a way…
Mansi Paun posted a new activity comment 8 years, 3 months ago
Artificial Intelligence advancement could lead to increased Cyber-crimes
The article I read about this week was about the future of Cyber-criminal activities wherein in an era of Artificial Intelligence, a computer-synthesized voice, an exceptional feat of artificial intelligence technology can be crafted to make it possible for someone to…
Mansi Paun posted a new activity comment 8 years, 3 months ago
Segregation of duties means separation of duties or the idea of requiring more than one person assigned to complete a specific task in a business process. It is a commonly used control as sharing of responsibilities to complete a task helps prevent fraud and errors due to oversight. Two IT roles that should be segregated would be PO creator and PO…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Well put, Vaibhav. You’ve covered the important points for checking network capacity adequacy very well. I especially liked that you’ve mentioned that network growth over time is also an important area to look into. It is easy to overlook slowly but gradually degrading network performance till a major incident occurs. To ensure that such a scenario…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Great answer, Wenlin. You’ve correctly pointed out that “QoS policies are essential to ensure traffic spikes/congestion points are smoothed out, and more bandwidth is allocated to critical network traffic”. I’d like to add that to quantitatively measure quality of service, various aspects of the network service are often considered, such as error…
Mansi Paun posted a new activity comment 8 years, 4 months ago
I strongly agree with you Deepali, that the decision to choose between allowing inbound traffic or outbound traffic is very much dependent on the scenario that calls for such a choice to be made in the first place. You gave excellent examples of both such scenarios – one where the need of the hour is to contain data within the company and one…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Linux backdoor Trojan doesn’t Require Root privileges
A newly observed Linux backdoor Trojan can perform its nefarious activities without root access, by using the privileges of the current user, Doctor Web security researchers have discovered.
Dubbed Linux.BackDoor.FakeFile.1, the malware is being distributed as an archived PDF, Microsoft,…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Although this decision would greatly be dependent on the type of business and the situation which calls for such a choice to be made, I personally, would choose to block outbound traffic. My decision is based on the below reasons, keeping in mind the objectives of CIA (confidentiality, integrity, availability) and assuming that this is only for a…
Mansi Paun commented on the post, Week 8: Questions, on the site 8 years, 4 months ago
Priya, thanks for sharing the information about special posting periods. You’re right when you say that specific posting periods can be mapped company-wise and they help prevent fraud. I’m reminded of an example from my previous company where earlier, employees were allowed to claim expenses occurring in any month at any time in that fiscal…
Mansi Paun commented on the post, Week 8: Questions, on the site 8 years, 4 months ago
Very valid point, Deepali – however I thought that there may not always be segregation of duties possible and that there could be compensatory controls implemented in that scenario. But even before the segregation of duties can be carried out, ensuring that the right personnel are the approval authorities should be paramount. Of course…
Mansi Paun commented on the post, Week 8: Questions, on the site 8 years, 4 months ago
You highlighted a good point, Yu Ming. Password policies are often seen as cumbersome to follow by the employees. In my experience, I find that smaller companies see computer security to be cumbersome for reasons like increased cost, lost time and reduced productivity. They often do not give it due importance and even employees have a similar…
Mansi Paun commented on the post, Week 8: Questions, on the site 8 years, 4 months ago
Rightly said, Alexandra. Besides preventing wrong posting to a particular month, it also reduces the opportunity of committing fraud by posting sales data to the wrong month. One could commit fraud by overstating sales in one month to meet monthly targets. Tax fraud could also be committed by posting accounting information to the wrong month.
Mansi Paun commented on the post, Week 8: Questions, on the site 8 years, 4 months ago
Sorry, this is the answer to Q.3.
Mansi Paun posted a new activity comment 8 years, 4 months ago
1. Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least. Why?
Ans : In my view, the financial and accounting controls can be ranked as below in decreasing order of importance (most important ranked first) :
• Approval Authority
• Completeness
• Accuracy
• Access Control…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Aviation Officials Step Up Cybersecurity Checks of Flight Communication Systems
U.S. and European aviation authorities are focused on cybersecurity threats that could affect ACARS (Aircraft Communications Addressing and Reporting System), which is a basic data-transmission system primarily used for air traffic control purposes. The ACARS is a…
Mansi Paun posted a new activity comment 8 years, 4 months ago
Business Continuity Plan and Disaster Recovery Plan are different. BCP refers to the response strategy that kicks in in the event of a Disaster. It involves alternate planning of employee staffing, network availability, physical resources such as office space, desktops, and even power in case of a disaster. BCP are the steps taken to ensure that…
Mansi Paun commented on the post, Week 7 Questions, on the site 8 years, 4 months ago
Rightly said, Brou. In addition to the points you made, IT personnel also need basic ERP understanding for performing their own roles well. Knowing the risk-prone areas could help IT personnel manage the system better from a security controls perspective. It could also help in Disaster recovery planning as the personnel would be able to point out…
Mansi Paun commented on the post, Week 7 Questions, on the site 8 years, 4 months ago
Well put, Binu – although an IT personnel supporting Business application might not be using or be required to use Finance or Accounting knowledge, it would help him/her to better understand or even identify the vulnerabilities in the process and formulate the steps to mitigate them. On the other hand, not having finance or accounting knowledge…
Mansi Paun commented on the post, Week 7 Questions, on the site 8 years, 4 months ago
Great post and discussion, Sean. I too agree with your point about preferring to train personnel rather than look for someone with a specific combination of accounting and IT skills. As you pointed out, it’s easier and more reliable to train a person as per the job requirements. In addition, it is also quite difficult to find practitioners with…