-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
I agree with you, Said; the weakest link in enterprise security is desktop and user behavior. Social engineering has gained ground in recent years due to a lack of end-user training.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Good summary, Priya; the solution development section is all about proposing controls to mitigate potential risks.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Jianhui, nice recap of DBMS risks. It is important to log DBMS activities to a remote syslog facility for the purpose of spotting misconfigurations and excessive privilege access.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
I think Unix/Linux is more secure than Windows in general, going back to the early days of both operating systems. Windows was built for personal use, while Unix/Linux was built as a multi-user operating system. Two UNIX/Linux features set it apart from Windows: managing account privileges and how Linux separates file and directory permissions in…
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Good point, Yang. I see tunneling as the biggest advantage of VPN: creating a separate tunnel per remote user, each tunnel is fully secured using IPSec.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Nice summary, Magaly. I believe the biggest outsourcing risks are SLA and security. There are several issues around managing SLAs in an outsourced environment, including performance metrics and the measuring basis for the SLA. Security risks are another crucial component due to the lack of direct control of the enterprise over the vendor’s security process.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Jianhui,
Auditors will need to understand the data collected and be able to decipher the ambiguity that comes with examining loads of data. Auditors need to have the same metric to evaluate sample data collected against audit requirements.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
I agree with your summary, Abhay; the control environment calls for instituting several procedural and asset safeguards that add to infrastructure complexity.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
One of the major system-related risks is misconfigured or non-patched systems, which makes them an easy target for hacking.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Good recap of the audit process. I would add the importance of keeping the customer engaged during all phases of the audit process. Customer communication is a crucial part of a successful IT audit.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
ITIL provides the answer to “THE HOW Question”, while COBIT provides the answer to the “WHAT Question”.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Good summary. Controls provide a process to create a paper/electronic trail for different IT assets and business processes; later, the audit process evaluates data drawn from the paper/electronic trail logs and evaluates it against audit requirements.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Good comparison, Victoria. I would add that another key contrast is the fact that a DBMS is a structured data type whilst a traditional file system is unstructured in nature.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
I would add authentication and authorization, in addition to data integrity, to the list of DBMS risks.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
I agree with Ian on the key characteristics of database management systems (DBMS); however, one of the key identifiers of a DBMS is the “relational” aspect, where data is connected vertically and horizontally via several relations using keys and associations.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
One of the critical operating system controls should be the ones addressing vulnerabilities and patch management, particularly with zero-day type exploits. There needs to be a comprehensive security policy in addition to a layered security architecture to mitigate the potential impact of zero-day attacks.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Hi Ian,
One point to add on why it is important to protect the operating system: the importance comes from the way the OS manages shared compute assets in memory and disk. OS protection provides logical isolation of a multi-tenant compute environment, in which each application need not interact with memory/disk/CPU cache allocated to other applications.
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
List common control issues associated with operating systems and remediation strategy/plan.
The operating system controls are part of every OS to protect the end-to-end compute base. The operating system by default offers process traffic isolation to separate and protect the trusted compute base (TCB) of each application/process running on the same system.…
-
Tamer Tayea posted a new activity comment 7 years, 11 months ago
Hi Fangzhou,
Good summary of the OSI model; the model is more of a conceptual abstraction of end-to-end data flows. In real network and systems configuration, some of the layers are combined and others span multiple layers.
-
Tamer Tayea posted a new activity comment 8 years ago
I agree with your summary of the OSI model. In a nutshell, OSI is an abstract model for the operating system communication stack, starting from physical media all the way up to the operating system kernel. The structure describes the functions and interactions of various data communication protocols in systems.