-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Q3 Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
A3 Some of the key similarities between ITIL and COBIT are:
• Both are widely accepted frameworks for IT Organizations
• Both ITIL and COBIT represent best practices used in the industry and hence are complementary to each oth…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
REPORT OUT ABOUT THE WORST CYBER ATTACK ON A FEDERAL AGENCY
A breach that occurred first in 2014 and which was detected only in April 2015 at the Office of Personnel Management, a Federal Agency, points to poor security control processes followed in the agency. This was the worst cyber attack on a federal agency in recent history. As many as 22…
-
Mansi Paun commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Source: IT Auditing Using Controls to Protect Information Assets by Chris Davis and Mike Schiller with Kevin Wheeler
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Q2 What are the key activities within each phase?
A2 Listed below are the key activities within each phase of IT Auditing:
• Planning
o Defining scope and objective after discussion with customer
o Initial assessment that could give an idea about possible risks
o Scheduling
• Fieldwork and documentation
o Acquiring data and evidence and…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Q1 Explain the key IT Audit phases
A1 The Key Audit phases and their explanation are as below:
1) Planning – involves determining the scope and goals of the audit and the planning of executing steps to achieve the goals. This phase will require thorough research as it would impact the schedule and outcomes of other phases.
2) Fieldwork a…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Ans.1
The 3 types of risk mitigating controls are:
1) Preventive controls – These prevent or stop a security incident from occurring.
2) Detective control – through this type of control, a fault in the system is identified upon reviewing the system logs.
3) Corrective or Reactive control – This type of control falls between Preve…
-
Mansi Paun commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Rightly pointed out, Deepali. In my experience, only the Internal Auditors would make recommendations. The external Auditors would only report their findings.
-
Mansi Paun commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Binu, you’re right when you say that the Auditor can be fooled by the Client if he doesn’t have sufficient understanding of the IT systems. PMs / Leads often try to sweet talk their way out of an Auditor’s finding if they even get an inkling that the Auditor might not have in-depth IT knowledge. However, if the Auditor is technically sound,…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Professor Yao, I believe Fangzhou meant to point out the issue with using an older version of Antivirus.
Fangzhou, I agree that if the systems are using an older version of the Antivirus and not regularly updating the Antivirus definitions it is a security risk as the system is prone to newer types of attack despite running an Antivirus…
-
Mansi Paun commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 2 months ago
Great point about the shared password being too simple, Alexandra. I too have often encountered that some of the shared passwords were not meeting the password requirements. Firstly, there should be no password sharing encouraged and in situations where it is absolutely necessary and unavoidable, the passwords should at least be difficult to guess,…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
In the video, I found that the general attitude of the employees towards workplace security is very lax. The security risk issues I could identify are listed below:
1) Non-seriousness about workplace security Training
2) Laptops are not physically secured using a Kensington lock
3) Passwords are being shared over phone and with co-workers…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Q3 What is the purpose of all auditors having some understanding of technology?
A3 It is important that Auditors have some understanding of technology for below reasons:
1. When Auditors have a technical know-how of the system they’re auditing they are well versed in finding how the system can be broken into and what kind of risks the s…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Yulun,
That’s a very good list of common workplace security risks that most of us would have seen. It’s easy to overlook and miss these, especially Printer controls as employees tend to give a print command and collect the document later. We should always use Confidential print option if the printer supports it. Desk drawers are often left…
-
Mansi Paun commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Professor Yao,
You’re right in saying that normally companies have a provisioning process for access related requests. Where the process is manual, there is usually a point of contact that is in charge and accountable for ensuring that there is no unauthorized access to systems and strict access control practices are followed. Also, passwords…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Q 2) How does the control environment affect IT?
A 2) Control environment lays out the foundation of Management expectations from the employees. It aims to draw employee attention to how the IT systems must be used and how easily they can be exploited leading to adverse business impact. When management stresses on the awareness of following…
-
Mansi Paun commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Q 1) What are some current system-related risks that you have experienced in your organization?
A 1) I worked as a Lotus Domino Server Administrator for a short duration at IBM. Notes Architecture is great when it comes to security, it has 7-layer security so it was almost impossible to break into one’s Lotus Notes or access a database that o…
-
Mansi Paun commented on the post, Week 2: Questions, on the site 8 years, 2 months ago
I agree, Abhay. My point was just that. Formation of SOX regulations was certainly called for (to tackle dipping shareholder trust in the US markets). But it seems more like a short-sighted, hasty stop gap arrangement to rebuild investor trust as opposed to well thought loop-hole-free regulations that would hold the right people accountable and…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
A Canada-based PoS (Point of Sale) vendor, Lightspeed, suffered a hacker attack to its central database which contained customer information. Lightspeed has more than 38,000 customers across 100 countries, processing transactions to the tune of $12 billion annually. As per Eduard Kovacs at Securityweek.com, Lightspeed stated that there was no e…
-
Mansi Paun posted a new activity comment 8 years, 2 months ago
Great example, Sean. Further to the key difference that you mentioned, I’d like to add that the Compliance driven controls rarely change over short time spans whereas profitability driven controls often allow some flexibility based on various factors such as Client / Supplier relationship, long term gains, prospects of new Business as well as…