-
Yulun Song posted a new activity comment 8 years ago
I like your first example of segregation of duties. An information security is one of the most important positions because it has the responsibilities of most settings, configuration, management and monitoring for security. However, for other IT functions, like programmers, database administrators, they should be segregated of duties from others…
-
Yulun Song posted a new activity comment 8 years ago
Great example Said. The Application development team has the programming code to change any sensitive data, and maintenance team should not know programming of the application. It prevents lots of frauds within an organization.
-
Yulun Song posted a new activity comment 8 years ago
That is true, Binu. A software developer should not have access to production system because he may have any programming code to change any sensitive data in the production system. This is a really good example of segregation of duties.
-
Yulun Song posted a new activity comment 8 years ago
3. What key (1-2) competencies does the person responsible in a company for security (e.g. for a given process) need to have to be successful? Why?
I think two key competencies a person responsible for security needs are skepticism and communication skills. All people should be skeptical for the security of a company because some detailed…
-
Yulun Song posted a new activity comment 8 years ago
1. What is segregation of duties and why is it a commonly used control? Give an example of two (e.g. IT) roles that should be segregated?
Segregation of duties is a security method to manage conflict of interest, the appearance of conflict of interest, and fraud. It helps restrict the amount of power held by any one individual. It prevents…
-
Yulun Song posted a new activity comment 8 years ago
The article I read for this week is called “Massive DDoS Attack Knocks Out Twitter, Box, Spotify.” The article talked about that the DDoS attack targeted New Hampshire-based company Dyn and its managed DNS infrastructure, and began early Friday morning. The company originally said that “it restored operations around 9:30 am EST, but a second attac…
-
Yulun Song posted a new activity comment 8 years ago
Question 3: In the contexts of being attacked by or unwittingly becoming a resource for distributed denial of service (DDoS), which is a bigger threat to an organization’s network and computer resources and why: Spam phishing or Spear phishing?
For DDoS attack, I think spear phishing is a more targeted form of phishing whereas spam phishing i…
-
Yulun Song commented on the post, Week 8: Questions, on the site 8 years ago
That is true Yu Ming. It also happened to my previous company. People type all account numbers and passwords and print them out and post them on the wall so that they can see them easily. However, many co-workers can also see the passwords and may take them down and do fraudulent acts. I think this is so common for all companies. Too many accounts, too…
-
Yulun Song commented on the post, Week 8: Questions, on the site 8 years ago
Agreed that one posting opens at one time. If it opens for many different times, many unauthorized people may think this is an opportunity to access to make changes. So having one posting period at one time is really important to mitigate risk of fraud.
-
Yulun Song commented on the post, Week 8: Questions, on the site 8 years ago
That is true Sean! Software security is one of the many different security controls. Other controls are also important, like physical controls, employees internal controls, etc. So businesses should not focus on administrators as the only standard.
-
Yulun Song posted a new activity comment 8 years ago
3. Consider the list of financial and accounting controls. Rank them. Which do you believe is the most important, the least? Why?
1) Separation of duties: it involves splitting responsibility for bookkeeping, deposits, reporting and auditing. Less chance of fraudulent acts happens if further duties are separated.
2) Access controls:…
-
Yulun Song commented on the post, Weekly Question #7: Complete by November 10, 2016, on the site 8 years ago
1. Do you believe businesses rely too much on administrators to configure the security protocols in programs like SAP, rather than look for security in the entire network? Explain.
I think most companies focus on the security in the entire network rather than only relying on administrators to configure the security protocols in programs like SAP.…
-
Yulun Song posted a new activity comment 8 years ago
Euro Bank Robbers Blow up 492 ATMs by Phil Muncaster-UK/EMEA News Reporter, Infosecurity Magazine
492 ATMs across Europe were blown up by thieves in the first half of 2016. Criminals are increasingly using diverse tactics, and blending physical and online methods, to steal from banks. The physical attacks cost over 16,000 euro per attack, not…
-
Yulun Song commented on the post, Week 7 Questions, on the site 8 years ago
Great point! I think the logon tracks are really helpful for business control!
-
Yulun Song posted a new activity comment 8 years ago
Are the terms Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) synonyms or are they different? If they are different, what are the differences?
Business continuity plan and disaster recovery plan are different even though they are both related practices that describe an organization’s preparation for unforeseen risks and continued o…
-
Yulun Song commented on the post, Week 7 Questions, on the site 8 years ago
Thank you for your response Ian. What I am trying to say about loss of personal touch is outsourcing will influence IT experts because they think they can handle it with familiarity of the networks or processes they work for.
-
Yulun Song commented on the post, Week 7 Questions, on the site 8 years ago
Good post Daniel. IT people look like they do not need to know about accounting or finance knowledge; however, when we started studying SAP system, we do need to have the ability to read accounting or finance terms to finish our job (homework). It is really necessary for IT people.
-
Yulun Song commented on the post, Week 7 Questions, on the site 8 years ago
Alex! That is true that on the job descriptions, it is rare to see IT people need accounting knowledge. And for CS development people, it becomes impossible to let them read accounting balance sheet during their work. However, for us, IT auditors within business school, it becomes a requirement for IT related jobs.
-
Yulun Song posted a new activity comment 8 years ago
4. Outsourcing and SLA audit questions
What service levels will you include in the SLA?
What, exactly, will each service level measure?
How will actual performance be measured?
What will the measurement period be?
What reports will the supplier provide?
How well will the supplier agree to perform?
Will the minimum and expected service…
-
Yulun Song posted a new activity comment 8 years ago
2. What controls can be implemented to mitigate the risks associated with outsourcing?
By mitigating the risks associated with outsourcing, we need to consider a detailed study about vendors including current processes, customer references, rather than blindly believing the track record. Another thing we can do is to require vendors to meet…