Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
1. What are the 3 types of risk mitigating controls? Which is the most important? Why is it the most important?
The three forms of controls:
1. Administrative – These are the policies and laws for overall governance.
2. Logical – These are the virtual controls
3. Physical – These are the environmental controls in physical space. To…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Q3] Comparing ITIL and COBIT: list some key similarities and differences based on your understanding
Differences
Implementation:
COBIT provides the ‘What’ and ITIL provides the ‘How’. COBIT is complex and broader in scope. It generally gets an organizational-level budget. ITIL focuses on IT elements and is mostly funded by the IT departm…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Q4] Why do we need a control framework to guide IT auditing?
Control frameworks were designed to provide internal controls that monitor the efficiency and effectiveness of operations in an organization. IT controls are a subset of all internal controls. Many prominent frameworks (like COSO, COBIT, ISO27001, ITIL) have emerged to guide the…[Read more]
Priya Prasad Pataskar commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
[ Source: IT Auditing Using Controls to Protect Information by Chris Davis and Mike Schiller]
Priya Prasad Pataskar commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
This answer also contains the answer to Q2] What are the key activities within each phase?
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Q] Explain the key IT audit phases
The IT audit phases are as below:
1. Planning
– Understand the background, scope and objective of the audit from the audit manager
– Understand the area to be reviewed and make a preliminary assessment of risk
– Involve the customer to establish open and honest communication
– Prepare standard and customized audit checklists
–…[Read more]
Priya Prasad Pataskar commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
Thank you for sharing your experience Ian.
In this case, asking employees to sign non-disclosure agreements or a proprietary information agreement might bind them to refrain from conducting malicious activity.
I am not sure if that is the only way, but letting everyone know about the repercussions, and binding the repercussions of breaches with…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Thank you Prof Yao. That reminds me of a question I have had for a long time.
External auditors must definitely refrain from going into advisory mode. Do internal auditors also only recommend the ‘what’?
In my experience, during the audit I used to be in an auditor role so that the auditees get the maximum chance to speak up and be crystal clear. However…[Read more]
Priya Prasad Pataskar commented on the post, Week 2: Questions, on the site 8 years, 2 months ago
Hi Paul. Yes, the audit steps did go the way you mentioned. Step 3 surprisingly took the longest time. Understanding what documentation is requested is very necessary. Auditees spend time collecting all the data and presenting it, and they do it from the auditee's perspective. It might not be the same as what the auditor expects. Spending more time in…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Good point Alexandra. While doing activities like online shopping or online banking, a cross-site request forgery attack can be launched. CSRF is a combination of social engineering along with.
It becomes easy to launch a CSRF attack when user session cookie details are stored, e.g. IP address or credentials. The server will not know if it is a…[Read more]
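The CSRF scenario discussed in the comment above, as an added example that is not part of the original comment or the course material: a constructed, in-memory simulation (no real server) of a bank transfer endpoint. The hypothetical accounts "alice" and "mallory", the handler names and the status codes are assumptions for the demo. The vulnerable handler trusts the session cookie alone, so a form auto-submitted from an attacker's page succeeds because the browser attaches Alice's cookie; the hardened handler additionally requires a per-session synchronizer token that only the bank's own page can embed, which the attacker's origin cannot read.

```python
import hmac
import secrets

# Constructed in-memory "bank" state for the demo; there is no real server here.
SESSIONS = {}                         # session cookie value -> session record
ACCOUNTS = {"alice": 1000, "mallory": 0}   # hypothetical accounts


def login(user):
    """Issue a session cookie value and a per-session CSRF (synchronizer) token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(32)}
    return sid


def csrf_token_for(sid):
    """The value the bank embeds as a hidden field in its own transfer form."""
    return SESSIONS[sid]["csrf_token"]


def transfer_vulnerable(cookies, form):
    """Authorizes on the session cookie alone.

    The browser attaches the cookie to any request aimed at the bank, including
    one triggered by an attacker's page, so the server cannot tell who built it.
    """
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    amount = int(form["amount"])
    if ACCOUNTS[sess["user"]] < amount:
        return 400
    ACCOUNTS[sess["user"]] -= amount
    ACCOUNTS[form["to"]] += amount
    return 200


def transfer_hardened(cookies, form):
    """Same handler plus a synchronizer-token check.

    The token lives in the bank's own page, not in the cookie jar; an attacker's
    origin cannot read it (same-origin policy), so a forged form cannot supply it.
    """
    sess = SESSIONS.get(cookies.get("session"))
    if sess is None:
        return 401
    supplied = form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, sess["csrf_token"]):
        return 403
    return transfer_vulnerable(cookies, form)


def run_scenario():
    """Return the status codes seen by legitimate and forged requests, plus Mallory's balance."""
    ACCOUNTS.update({"alice": 1000, "mallory": 0})
    sid = login("alice")
    cookies = {"session": sid}        # sent by the browser regardless of page origin

    # Alice submits the bank's own form (token present).
    legit = {"to": "mallory", "amount": "10", "csrf_token": csrf_token_for(sid)}
    # Mallory's page auto-submits this form to the bank: cookie rides along, no token.
    forged = {"to": "mallory", "amount": "100"}

    return {
        "vulnerable_legit": transfer_vulnerable(cookies, legit),    # 200
        "vulnerable_forged": transfer_vulnerable(cookies, forged),  # 200: attack succeeds
        "hardened_legit": transfer_hardened(cookies, legit),        # 200
        "hardened_forged": transfer_hardened(cookies, forged),      # 403: token missing
        "no_cookie": transfer_hardened({}, legit),                  # 401
        "mallory_balance": ACCOUNTS["mallory"],                     # 10 + 100 + 10 = 120
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the demo is that the cookie is not proof of intent: it is attached automatically. In a real deployment the synchronizer token is normally paired with `SameSite` cookie attributes and an Origin/Referer check, and the token comparison uses `hmac.compare_digest` so it does not leak timing information.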
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Thank you for sharing the link Ian. I read the article and I think declining an attack would be the worst mistake. Even if there is a possibility of an attack, organizations should alert the users so that they can take preventive steps.
e.g. Changing the credentials so that the hacked data is obsolete.
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Q: What is the purpose of all auditors having some understanding of technology?
For the following reasons, auditors must have technical knowledge:
1. Auditors must be in a position to study the system and point out discrepancies. Unless they are technically sound they won't be able to find defects.
2. To save time and energy to have a…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Q Week One YouTube Video:
What issues did you identify from this video?
1. Attitude of employees towards security policies
2. Employees have written down passwords and stored them in vulnerable places
3. An employee uses her name as the password and shares it with the person who is helping her set the password.
4. Employees use the…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
ITACS students represent vulnerabilities to Temple university and vice versa.
Both entities have access to confidential and restricted data of each other.
Vulnerabilities that students bring in:
1. The university provides wifi to all students. The laptops and mobile phones via which they connect to wifi are a door for hackers to plan Wireless…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
I believe when we are entering any account, we might have a lot of people around and we do enter our credentials in front of them. That is the reason why passwords are masked.
I agree with your point that eavesdropping can happen. Hence being alert while handling sensitive data is important.
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
I agree with you Neil and Wenlin. Every business is different and thus the threats it will face will be business-dependent. That is why it is necessary for security team members to understand the business processes in order to formulate a risk analysis and form a secure IT framework.
Also as rightly pointed out by Wenlin, robust security can be used…[Read more]
Priya Prasad Pataskar posted a new activity comment 8 years, 2 months ago
Sean, to answer your query, you can study the SANS whitepaper Quantitative Risk Analysis Step-by-Step
[ https://www.sans.org/reading-room/whitepapers/auditing/quantitative-risk-analysis-step-by-step-849 ]. To summarize, the steps are as below:
1. Determine risk factors
2. Determine values of assets under risk
3. Determine…[Read more]