-
Wenlin Zhou commented on the post, ICE 5.1 Telling a Story through Visualization, on the site 8 years, 1 month ago
In the build your first server, 7(b) “Set secondary DNS server to the Azure DNS server (HINT: you can find this by doing “ipconfig /all” in the cmd prompt on your VM)”. I want to know where the cmd is in MS Azure.
-
Wenlin Zhou posted a new activity comment 8 years, 1 month ago
The article is “Say Goodbye to Passwords, and Hello to Security Keys”
http://www.infosecurity-magazine.com/news/say-goodbye-passwords-hello/
If somebody’s personal device can recognize its user, and authenticate them securely to a remote resource, passwords can become a thing of the past. These were the words of Google’s Christiaan Brand spe…
-
Wenlin Zhou posted a new activity comment 8 years, 1 month ago
An audit has six key stages:
Planning: The goal of the planning process is to determine the objectives and scope of the audit. You need to determine just what it is you’re trying to accomplish with the review. Following are some basic sources that should be referenced as part of each audit’s planning process:
• Hand-off from the audit manag…
-
Wenlin Zhou commented on the post, Week 2 Questions, on the site 8 years, 1 month ago
Hi, Professor,
I thought the IT auditing used the COBIT to audit. Why is COBIT not the audit process? I will change my answer.
-
Wenlin Zhou commented on the post, Weekly Question #8: Complete by November 2, 2017, on the site 8 years, 1 month ago
Yes, I agree with Ming; the IT auditors are not responsible for making a plan to solve the problem. The COBIT aim is to provide an overarching framework that incorporates different subsets of information management and control while promoting greater consistency among these areas. Unlike prescriptive requirements for a specific regulation, COBIT can…
-
Wenlin Zhou posted a new activity comment 8 years, 1 month ago
Deliver and support domain is concerned with the actual delivery of required services, which includes service delivery, management of security and continuity, service support for users, and management of data and operational facilities. It typically addresses the following management questions:
• Are IT services being delivered in line with b…
-
Wenlin Zhou commented on the post, Weekly Question #8: Complete by November 2, 2017, on the site 8 years, 1 month ago
Hello Lan,
I think the auditor cannot make the plan, because the internal audit just tests the plan and provides the recommendation. The scope of an audit depends on the goals. The basic approach to performing a security assessment is to gather information about the targeted organization, research security recommendations and alerts for the…
-
Wenlin Zhou commented on the post, Weekly Question #8: Complete by November 2, 2017, on the site 8 years, 1 month ago
I agree with you. A risk assessment is the identification and analysis of relevant risks to the achievement of an organization’s objectives to determine how those risks should be managed. Risk assessment implies an initial determination of operating objectives, then a systematic identification of those things that could prevent each objective from…
-
Wenlin Zhou commented on the post, Week 2 Questions, on the site 8 years, 2 months ago
Why do we need control framework to guide IT auditing?
IT organizations seeking to better manage risks to have more predictable enablement of the business will benefit by better understanding controls and how to embed them in processes. Those frameworks can guide IT auditing to mitigate risk, and realize the business benefit. The framework can…
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
What are the key activities within each phase?
COBIT v.4.1
1. Plan and Organize:
a) Define a strategic IT plan
b) Define an information architecture
2. Acquire and Implement
a) Identify automated solutions
b) Acquire and maintain application software
3. Deliver and…
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
Explain the key IT audit phases
COBIT v4.1:
Part 1: Plan and Organize (PO) - controls that help IT enable and protect business objectives. PO includes defining a strategic IT plan, and defining an information architecture.
Part 2: Acquire and Implement (AI) - controls that are tasked with converting the strategy and tactics from PO into new and…
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
There are three types of risk controls:
Preventive controls. These controls are intended to proactively mitigate the occurrence and/or impacts of risks. Examples include policies and procedures, Firewalls, IPS/IDS.
Detective controls. These controls operate after the fact to identify if a predefined event occurred. Examples such as log file…
-
Wenlin Zhou commented on the post, Weekly Question #7: Complete by March 27, 2017, on the site 8 years, 2 months ago
Those issues seemed to be a data leak. As though employees’ desire to share data is not enough of a threat to proprietary information, many business professionals want access to data from anywhere they work, on a variety of devices. To be productive, employees now request access to data and contact information on their laptops, desktops, home computers, a…
-
Wenlin Zhou commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
I agree with you, the monitor was hard to control the employees’ practice, so I think the company should train employees in order to know the importance of the information security. Also, the company should improve IT software in order to reduce the risk.
-
Wenlin Zhou commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
IT risk is not purely a technical issue. Although IT subject matter experts are needed to understand and manage aspects of IT risk, business management is the most important stakeholder. Business managers determine what IT needs to do to support their business; they set the targets for IT and consequently are accountable for managing the associated risks.
-
Wenlin Zhou commented on the post, Week 1 Questions, on the site 8 years, 2 months ago
I agree with you, you explained the compliance of the IT Governance. The company also needs integrity and confidentiality. It is the foundation for all other components of internal control, providing discipline and structure. The control environment sets the tone of an organization, influencing the control consciousness of its people.
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
Article: “Modernizing Security”; Topic: Understanding an Organization’s Risk Environment
The clear business security issues were shown:
-Most employees steal proprietary data when quitting or getting fired from an organization.
-Nearly all employees are vulnerable to exploit kits.
-Four out of five breaches go undetected for a week or more. S…
-
Wenlin Zhou commented on the post, Progress Report for Week Ending, February 9, on the site 8 years, 2 months ago
Question: What issues did you identify from this video.
The biggest issue is that the company employees did not know the importance and awareness of the security information and equipment. For example, a room required to be secured was left open. Employees leave their desktop without locking it or signing out. An employee put company computer…
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
What is the purpose of all auditors having some understanding of technology?
The important task of the internal audit is determining what to audit. Auditors must be efficient and effective in how you use your limited resources by spending your IT audit hours looking at the areas of most importance. IT auditing is an integral part of the audit…
-
Wenlin Zhou posted a new activity comment 8 years, 2 months ago
Is information security a technical problem, a business problem that the entire organization must frame and solve, or both? Explain the nature of the problem in the context(s) you chose.
Information security is a technical problem and a business problem. Information security is the practice of defending information from unauthorized access,…