Ming Hu

What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?

Adaptability to change

Technology is constantly evolving, and so is the information security threats, even those well-known, successful companies like Yahoo and Target can’t survive from data b…[Read more]

What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of Duties (SoD) is an important component of internal controls, it shares responsibilities of a key process that disperses the critical functions of that process to more than one person or department.…[Read more]

Morgan Stanley ‘s Hong Kong division, Morgan Stanley Hong Kong Securities Ltd., has been fined HK$18.5 million ($2.4 million) by the Hong Kong’s securities regulator, Securities and Futures Commission (SFC) for internal control failures.

Continued Internal Control Failures
The breach of the Hong Kong’s Code of Conduct included Morgan Stanley’s…[Read more]

What is the relevance of only being able to have one posting period open at a time for real time postings? What does this prevent from happening?

Posting periods are defined in fiscal year, it will allow you to post and make changes in the documents only in a specific period in a company, usually the current posting period is open and all other…[Read more]

Nice post. No one would deny the importance of software security, but when it comes to business perspective, we focus on not only software security, but also hardware security, infrastructure security, look for security in the entire network. Especially considering the frequency and sophistication of cyber threats are at all-time high in nowadays…[Read more]

How would you determine if an organization’s network capacity is adequate or inadequate? What impacts could be expected if a portion of an organization’s network capacity is inadequate?

Network capacity is the maximum capacity of a link or network path to convey data from one location in the network to another. (From IT Law Wiki)

One way to…[Read more]

I agree with you that authorization is the most important one. Authorization makes sure that only authorized user has the proper permission to access a particular file or perform a particular action so as to reduce unauthorized access to a large extent, and then greatly mitigate the potential risks.

Thanks for your sharing. Password management is very important for both users and companies to keep security, I totally agree with you that user experience should be adequately cared, because too strict regulation is very annoying. Besides, like you said, the password is too hard to be remembered so we have to write it down in some cases, that’s a…[Read more]

Do you believe business rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain

I don’t believe yet, compared to the configuration of software security protocols, which could be seen as a part of software security controls, the entire network s…[Read more]

Mac malware can easily spy on your Skype calls

Patrick Wardle, an ex-NSA hacker has proposed a new way snoops might spy on people via their webcams.

As Macs make their camera sharable to multiple apps at the same time for perfectly legitimate reasons, it’s possible to create a malicious app that asks to use the webcam. The app wouldn’t jus…[Read more]

Nice point Priya. Compliance requirements should be carefully taken into consideration, for example, you have to comply with the laws of the foreign countries in which company is operating, know about the different methods of calculating taxes from country to country, consider export / import restriction and deal with the customs of different…[Read more]

Business continuity is based on standards, policies, guidelines, and procedures that facilitate continuous operation regardless of the incidents. Disaster recovery (DR) is a subsection of business continuity and is concerned with data and IT systems. Although BC and DR are always used together, actually, they are two different concepts.

As the…[Read more]

Nice post, Binu. Simply speaking, if they don’t know how the ERP system works, how could they conduct control? Only fully realizing how ERP system works can general IT controllers execute effective control, that is only realizing what to control can you decide how to control. For example, like you said “security”, going through the whole ERP…[Read more]

As we’ve seen in the P2P and OTC Processes many different often non-financial business functions are involved with ERP system transactions that post to accounting records. If you are responsible for Finance / Accounting controls for your company how would you manage the risks coming from these non-Financial function jobs?

If I were r…[Read more]

As we continue to learn about business processes and ERP systems we often discuss financial or account related terms and concepts. How much finance and accounting knowledge should IT personnel supporting business applications know and learn? Explain.

As IT personnel who are using ERP systems to support business processes, it’s necessary to g…[Read more]

iOS 10’s Safari Doesn’t Keep Private Browsing Private

The Safari browser in iOS 10 no longer offers the same level of privacy as before. Previously, Suspend State was stored in a manner that would prevent information recovery, but iOS 10 changes that, in iOS 10, Suspend State is designed to create a list within the web browser to allow easy s…[Read more]

What are the sources of Electromagnet Pulse (EMP)? Why is it a physical security threat? How can an organization defend itself against EMP?

An electromagnetic pulse is a sudden burst of electromagnetic radiation that large enough to cause wide-scale disruption (Wikipedia), the sources of EMP could be but not limited to detonation of a nuclear…[Read more]

Thanks for your sharing. Different from the other processes, which is processed by “ourselves”, the third-party shipping is done by “others”, we all have the feeling that if one thing matters to us significantly will be done by others, there’s always a lot of concerns even with the their promise, such as whether they can do it well as I wish? How…[Read more]

Thanks for your sharing. As you said, nowadays, the common method of payment transactions is using credit/debit card, digital wallet, in each Order to Pay process, this information will be recorded, and all of this information is sensitively financial information. Once the payment system is hacked, the stolen information may be used for financial…[Read more]

Controls are important in all the OTC processes including invoicing and collections. What would be different in the controls of a purely domestic US company vs. an international company? Give 1 – 2 specific examples.

Different from domestic company, an international company need to manage foreign-exchange risk,that’s a kind of risks refers to t…[Read more]