Paul M. Dooley

What are the benefits and risks of out-sourcing?

Risks:
Logical IS Security
Total Dependence and Exit Barriers
Legal Consequences
On-time Delivery Performance
Product or Service Quality
Financial stability of Outsourced Vendor

Benefits::
Cost compared to internal resources
Expertise in specific function
Quicker to market vs buiding…[Read more]

What are the advantages of VPN?

The top 5 advantages of a VPN are Security, Privacy Protection, Access to restricted resources, and better connectivity. VPNs secure otherwise public networks by encrypting traffic so anyone monitoring the traffic flow will get meaningless characters instead of useable data. When using an established VPN personal…[Read more]

What is OSI model? What’s the main function of each OSI layer?

The OSI model is a conceptual model that has 7 layers to describe how computers communicate with each other over a network. It shows the flow of traffic through the various stages from the applications layer (the user interface layer) all the way down to the Physical Layer (the m…[Read more]

List common control issues associated with operating systems and remediation strategy/plan.

System hardening standards, build document and build process
Configuration – unused services/client firewall
OS version and Patching
Anti-virus/malware with latest .DAT
Password setting and/or other authentication methods
Remote access
Audit trail…[Read more]

Why is so important to protect operating systems?

The OS are essentially the brains of the computer that interfaces with all of the peripheral components. It also prioritizes certain processes and allocates available computing resources to certain applications. In addition it is how the file systems are accessed. Due to these reasons, it is…[Read more]

List risks associated with database management systems (DBMS)

Easily guessed passwords
Missing patches
Misconfigurations
Excessive privileges
Web application attacks
Insider mistakes
Weak or non-existent audit controls
Social engineering

Source: Class presentation.

Key benefits of relational databases vs traditional file system?

Tradition file system is designed around a single table. File may contain many fields, often with duplicate data that are prone to data corruption and duplicates. Relational databases leverages multiple tables that work together. The relationships between table data can be…[Read more]

What are key characters of relational database management systems?

Data in the relational databases must be represented in tables, with values in columns within rows. Data within a column must be accessible by specifying the table name, the column name, and the value of the primary key of the row. The DBMS must support missing and inapplicable…[Read more]

Why do we need control framework to guide IT auditing?

Frameworks are needed to define policies and procedures around the implementation and management of controls in an environment. They essentially act as a blueprint for building the security program and manage risk. Depending on what the scope of the audit is different frameworks can be leveraged.

Explain the key IT audit phases

What are the key activities within each phase?

The first phase of an audit is the planning stage. This is where you determine what you plan to review and the overall objectives and scope. Some of the key activities include: hand-off from the audit manager, preliminary survey, customer requests, standard…[Read more]

In my experience it’s seemed like more of the risks were from internal people abusing the rights they had rather than external threats coming in. They had the access from the outside world pretty well locked down with technical controls, however, the internal risks seem to be a much larger threat. A common example is when you would walk through…[Read more]

What is the purpose of all auditors having some understanding of technology?

It is critical that some members of the IT audit team that have a background in IT. Without a technical background it would be difficult for the auditors to have real world experience in understanding the balance between mitigating risks and maintaining operational…[Read more]

How does the control environment affect IT?

Internal control environment first is used to establish a common definition among people who may interpret internal controls differently, including business people, legislators, regulators, etc. It also provides a standard against which the enterprise can assess the effectiveness of their control…[Read more]

What are some current system-related risks that you have experienced in your organization?

The number 1 issue that I experienced while at Verizon was employees taking customer proprietary information from the company systems and would bring them via flash-drive or they would email them to themselves. This was against CPNI policy and no customer…[Read more]

Vu Do, in my prior experiences I also have been “thrown to the wolves” so to speak with very little direction on how to accomplish specific things that were critical to completing the job at hand. To second Josh’s point, communication and documentation are critical for the obvious reasons of employee turnover etc, but also just to have a resource…[Read more]

I will second his point. As much as we’ve discussed the important of segregation of duties in all of our classes I still failed to take this into an account. Great answer Paul.

I definitely think most of us are on the same page here. Involving the employee is a critical function to ensuring change management processes are being followed, but more importantly, why they are to be followed so they have an understanding of the critical nature of the requests. It’s very easy for employee’s to get bogged down in their day to…[Read more]

In your company, do you use any blueprints as documentation? Why are process blueprints important in the documentation?

Verizon did in fact use blueprints as documentation to walk people through the various tasks needed to accomplish specific business processes within the organization. This was critical in walking someone through the best…[Read more]

What are the key components of SAP change management controls you would expect the auditor to review? Why?

The key components of SAP change management controls to be reviewed by an auditor would be as follows:

Change Management Policies and Procedures –
Change Initiation and Approval
Development Policies
Testing and…[Read more]

In future weeks we may have the privilege of having real world auditors join us for our discussions. What questions would you like to ask the Auditors to answer for us?

The most important question that I would have is a general open ended question as far as what tools or resources they rely on the most to complete their jobs. Also, any best…[Read more]