Priya Prasad Pataskar

Hacker Claims to have access to 200m Yahoo user records! Yahoo says they are investigating!

A hacker named Peace has claimed that he has access to 200m credentials of Yahoo users. The hacker confirmed with the Motherboard that he was selling these accounts privately and now they are on the dark web for sale. The cost of each credential is…[Read more]

The accident is supposed to have happened in May 2016 which was published around August 1st 2016.

That is huge damage! As posted by Mandiant in 2015, on an average hackers spend 146 days on the system before the attack is noticed. This is a positive sign considering the average time of 205 days in 2014.
In the news you posted, the attackers probably used the data to exploit users. Mandiant has claimed that since 2014 the number of disruptive…[Read more]

Q How does the control environment affect IT?

Control environment helps organization increase efficiency and effectiveness of IT governance.
– Establishes control over data being sent out and data that comes in the organization. ex. DLP software
– Control over access management ex. Authentication to access the facility
– Helps in keeping…[Read more]

In addition to the competency required to audit I would also like to add that auditors technical knowledge determines success of the audit. A technically sound person will be able to do a quality audit.

Also based on my experience, auditors get a defined timeline to complete the audit. If the auditor is not technically sound and lacks business…[Read more]

Nice post Deepali! It goes without saying, that if someone wants to point out flaws in a system, that someone must have the know how of the system in and out.

The auditor must have the business knowledge, operational knowledge and technical knowledge of the system that they are auditing.

Ex. The 7.1 requirement of PCI DSS requires to” Limit…[Read more]

Rightly pointed out Daniel. To add a few more,

– Employee attitude towards following security practices is shallow
– Laptops are not physically locked. Visitors who are in the building can also have access to those laptops. We are not sure if laptops have encrypted hard disks.
– The employee uses her name in the password. Such passwords are…[Read more]

Deepali correctly pointed out few very important ones.
I believe the most important one is regarding formal training to the employees. Although senior management makes lot of effort in certification or making brilliant policies, the number of employees that are directly associated in making those policies is very less may be 2-5% of the…[Read more]

[Q] What are some current system-related risks that you have experienced in your organization?

An organization faces risks from the varied external and internal factors. I came across many such scenarios at my organization.

Although risk was identified and mitigation actions were followed, practically while working we faced new risks that…[Read more]

What you say is right Said, If grade A is too costly the investment cost is going to increase. However if the standard recommends to use grade A must be with logical reasons. In longer term grade B material will incur more costs to company in terms of return of goods as users were not satisfied, poor quality or it might lower the brand…[Read more]

I believe, if the management has to sign on agreeing that they are responsible for the financial accounting that is happening within their company, it mandates the management to have adequate internal control and also maintain that control.
To maintain this type of control, a framework is established by management and there is an audit team to…[Read more]

Great post Annamarie!
I also think having compliance driven controls helps increase profitability in some cases.
There would be a huge one time cost to establish compliance controls and may take time to be implemented. However, in the longer run the well established control will help the company against fraudulent data, law suits,…[Read more]

Question: Describe a real life example of a company’s profitability-driven controls. What are the differences between a compliance-driven vs. a profitability-driven control?

Compliance driven controls are those regulatory decisions that are taken in order to follow set of procedures and standards. They help establish controlled e…[Read more]

I agree with your point Annamarie.
Laws like SOX are not only sufficient but also prove beneficial for the management to establish control over the happenings in the company. SOX mandates to exhibit clarity with the shareholders and thus helps in building trust.

3. In your own words, how would you define a control environment?

Control environment is established by defining set of policies and procedures by the governing body (board of directors/ senior management) of the organization. The control environment establishes the culture, practices and behavior in the organization.

Ex. To list a few…[Read more]

1. Describe a business process you have experienced (either as an external or internal participant) and what your role was?

As an internal auditor I was also responsible for audit scheduling and initiating audit process.

Function : Information and Data Security
Process : Audit Scheduling and Initiating process
Aim : The…[Read more]