MIS 5202 Online

Temple University

Final Exam

The final exam will be on Blackboard and will be 75 questions.  I will post the exam on Saturday December 5th @ 6:00 AM and give you until Sunday night, December 6th at 11:59 PM to complete it.  You have an hour to complete the exam, the same question/minute rate as the CISA exam.

If you have any problems with the software you must contact me immediately at 910 880 1254.  I recommend you find a quiet place with good connectivity at which to take the exam.

Good luck on the final and call me if you have any questions.

Rich

Carlos Garces, Deloitte, Cali, Colombia on BCM

I hope you all enjoyed Carlos’ talk and learned a lot at last night’s Webex.  Here are Carlos’ slides.  There is great material in the entire slide deck.  As a very visual person I think pages 8 and 20 are the most important, but you may prefer others.  You need to understand the process that occurs when disaster strikes, the definitions and terms of BCM, and how to audit a BCP.  Everything you need to know is in there.

If you would like to hear Carlos again, here is the recording of last night’s session.  Unfortunately I was a little late starting it so you will not see the introduction.

https://foxsbm.webex.com/foxsbm/lsr.php?RCID=50ebe74dec915c3691e986d4727cb9a4


Hi everyone, here is the URL for tonight’s session.

https://foxsbm.webex.com/foxsbm/onstage/g.php?MTID=e29ee42585ffeaa3eae9395dc231bf9b6

Please try to connect early, before 5:30, and then put yourself on mute.


Week 13: Reading Questions & Case

Readings

  1. What would you do as an individual to be ready for an IT disaster?  A real world disaster?
  2. What is the difference between disaster recovery and business continuity?  How are they related?
  3. What makes this so complicated and difficult for organizations?

Activity:  Personal disaster recovery and business continuity plans

Think about these issues from your personal point of view.  How are you backing up your data?  Do you have an alternative machine if your device dies?  How would you finish the semester if you lost your machine and all your data the week before finals?  Please post your current processes and your analysis of them on the class blog by Tuesday evening at 11:59 PM.  I expect that you will comment on at least four other posts on this topic before Friday.

Week 12 Wrap-up: IT Security

Great job everyone on the discussion.   If you enjoyed this case I have a few other things you might like:

I liked how you referred back to other topics that we have considered in the past 12 weeks.  Let me take you through my view of them:

IT Administrative Controls – really lax, both inside iPremier and at the ISP.  I get the sense that very little is actually in control here.  WoW on company equipment and company time?  Poorly organized and poorly run.

IT Governance – There appears to be little knowledge or interest in IT from the executive level of the company.  How can this be for a company that runs on an e-platform?  Inexcusable.  Certainly, there is no conscious effort to guide IT as it supports the business.  Ad hoc decision making and a culture of "do what's needed now and we'll worry about the rest later" seem to be at work here.

Enterprise Architecture, IT Strategy, Portfolio Management – There doesn’t seem to be any.

Policy – Again, if they exist, they seem to be on the shelf like the disaster recovery plans.  Even the CEO acknowledged that they needed a closer look at how they did things.

IT Services and Quality – Again, there does not appear to be a disciplined look at what IT services they are using/providing.  Furthermore, there is no sense of continuous improvement, or some of the Disaster Recovery plan's problems would have been identified and fixed.

Outsourcing – They picked the ISP because they knew someone?  Really?

Monitoring – Doesn’t appear that they did much beyond the basics of operating a system.  But then, if you haven’t defined any IT services, how could you monitor them?

Risk – No risk culture in the organization, no risk culture in IT.  I’m tempted to say that they looked at Disaster Recovery planning as a compliance issue, not as a control.  They were required to have one, so someone wrote it and put it on the shelf for the auditors to see, but they never did anything with it.

All of this leads to a situation where a breach was eminently possible with a poor response guaranteed.

The whole idea of running an IT organization under control is that you have organizational discipline.  This doesn’t eliminate the potential problems of a security attack or any other risk.  It makes such risks much less likely to occur and it gives you a much better position from which to deal with them if they do occur.  This is the point of everything you will be learning in this program.

Week 12: Reading Questions & Case

Readings

  1. What are the risks associated with the 10 processes that Gartner says you must get right?  How do these controls help?
  2. Who or what do you think is the most significant risk to any organization?
  3. Security education is spoken of often.  Why is it important?

The iPremier Case

Read all three parts of the iPremier Case.  Consider these questions when you prepare for Tuesday’s class.

  1. How well did the iPremier Company perform during the seventy-five minute attack? If you were Bob Turley, what might you have done differently during the attack?
  2. The iPremier Company CEO, Jack Samuelson, had already expressed to Bob Turley his concern that the company might eventually suffer from a “deficit in operating procedures.” Were the company’s operating procedures deficient in responding to this attack? What additional procedures might have been in place to better handle the attack?
  3. Should iPremier have implemented Ripley’s suggestion to shut down the company and rebuild the production platforms? What were the pros and cons?

Week 11: Wrap-up: IT Risk

You all seem to have the notion of risk and response down well.  The three risk processes are

  • Risk Governance – setting the appetite and tolerance of risk for the organization.  The important point here is that IT risk should be treated like any other enterprise risk and the administration of IT risk governance should be part of the way the enterprise manages all its risk.
  • Risk Evaluation – What risks are you facing?  How likely are they?  How much impact will they have if they occur?  The expected outcome of a risk is equal to its likelihood X its impact.  The IT organization will need to deal with any IT Risk whose expected outcome is greater than the enterprise’s risk tolerance for risks of this sort.
  • Risk Response – you can address risks in four ways:
    • Accept it – just go with it (which means raising your risk tolerance if the expected outcome is greater than your current risk tolerance).
    • Transfer it – get insurance so that you alone don’t feel all of the impact of the risk if it comes to be.
    • Mitigate it – put in controls to lessen the likelihood or impact of the risk.  Residual risk is the risk that remains after your mitigation and should be less than your risk tolerance.
    • Avoid it – change what the organization is doing so as not to face the risk anymore.  If you are worried about losing credit card information, don’t take credit cards.
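The three risk processes above can be walked through with a small register.  The following Python is an added illustration and is not part of the course materials or any of the cases; every figure in it (the tolerance, the likelihoods, the impacts and the effect of each control) is constructed, and the order in which responses are tried (accept if within tolerance, then mitigate, then transfer, then avoid) is an assumed convention, not something the wrap-up prescribes.

```python
"""Toy IT risk register: Risk Evaluation (expected outcome = likelihood x impact)
against an enterprise risk tolerance, then the four Risk Response options.
All numbers are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Risk:
    name: str
    likelihood: float   # probability of occurring in a year, 0..1
    impact: float       # loss if it occurs, in dollars (constructed)

    def expected_outcome(self) -> float:
        # Risk Evaluation: expected outcome = likelihood x impact
        return self.likelihood * self.impact


@dataclass
class Mitigation:
    """A control that lowers likelihood and/or impact (the 'mitigate' response)."""
    likelihood_factor: float = 1.0   # 0.5 halves the likelihood
    impact_factor: float = 1.0       # 0.25 cuts the impact to a quarter

    def residual(self, risk: Risk) -> Risk:
        # Residual risk: what is left after the control is applied
        return Risk(risk.name,
                    risk.likelihood * self.likelihood_factor,
                    risk.impact * self.impact_factor)


def exceeds_tolerance(risk: Risk, tolerance: float) -> bool:
    """Only risks whose expected outcome is above the enterprise's
    tolerance for this class of risk need a response."""
    return risk.expected_outcome() > tolerance


def choose_response(risk: Risk, tolerance: float,
                    mitigation: Optional[Mitigation] = None,
                    transferable: bool = False,
                    avoidable: bool = False) -> str:
    """Assumed ordering of the four responses: accept when within tolerance;
    mitigate when a control brings the residual risk within tolerance;
    transfer (insure) when that is available; otherwise avoid by changing
    the activity. If none applies, accepting means raising the tolerance."""
    if not exceeds_tolerance(risk, tolerance):
        return "accept"
    if mitigation is not None and not exceeds_tolerance(mitigation.residual(risk), tolerance):
        return "mitigate"
    if transferable:
        return "transfer"
    if avoidable:
        return "avoid"
    return "accept (raise tolerance)"


# Constructed register: (risk, available control, insurable?, avoidable?)
TOLERANCE = 50_000.0   # constructed tolerance for operational IT risk, per year
REGISTER = [
    (Risk("Web store outage from DoS", 0.30, 400_000), Mitigation(0.5, 0.25), True, False),
    (Risk("Data-centre fire", 0.02, 3_000_000), None, True, False),
    (Risk("Card data breach", 0.05, 5_000_000), Mitigation(0.5, 0.5), False, True),
    (Risk("Minor phishing loss", 0.50, 20_000), None, False, False),
    (Risk("Key vendor goes out of business", 0.10, 1_000_000), Mitigation(1.0, 0.8), False, False),
]


def evaluate_register(register, tolerance: float) -> Dict[str, Tuple[float, str]]:
    """Return, per risk, its expected outcome (rounded to cents) and the chosen response."""
    results = {}
    for risk, mitigation, transferable, avoidable in register:
        response = choose_response(risk, tolerance, mitigation, transferable, avoidable)
        results[risk.name] = (round(risk.expected_outcome(), 2), response)
    return results


if __name__ == "__main__":
    for name, (expected, response) in evaluate_register(REGISTER, TOLERANCE).items():
        print(f"{name:40s} expected ${expected:>12,.2f}  -> {response}")
```

Note that the card-data risk ends up as "avoid" even though a control exists: halving both likelihood and impact still leaves the residual above tolerance, and no insurance is assumed, which is exactly the "don’t take credit cards" outcome from the list above.  The vendor risk shows the other end: nothing brings it within tolerance, so accepting it is only honest if the tolerance itself is raised.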

FUD is a major player in all risk discussions and is evidenced in the AWA case.  FUD stands for Fear, Uncertainty and Doubt.  There are always things that we don’t know or haven’t experienced when thinking about making a change.  It’s natural.  Both AWA and the EHR case we looked at earlier contained compliance risks.  Sure, outsourcing changes the nature of compliance risk, although the ownership remains the same.  We feel comfortable with what we have always done (do everything ourselves) even if we know we don’t do it well.  It takes some courage and a lot of due diligence to look at a new arrangement and see that it’s no worse, maybe even better, than what we had before.

This is where controls come in.  If you research what could go wrong, talk to others who have already made the move, design and review a set of controls that you think will work and put them in place, then, with audit, you should be able to make it work.  In the AWA case, the firms they were looking at are very experienced and professional.  Sabre works with over 400 airlines.  To me, the risks of doing a good outsourcing deal are minimal as long as AWA pays attention to what it’s doing.  The risk of continuing as is and underfunding IT to the point of ruin is far higher.


Week 11: Reading Questions & Case

Readings

  1. What is the difference between risk appetite and tolerance?
  2. What three types of IT risk are there? Can you give an example of each?
  3. In your own words explain what occurs in each of the three processes included in the IT Risk Framework.
  4. How can an organization respond to any IT risk?

The All World Airlines Case

Focus your analysis on two of the five areas of risk identified by the CFO.  Ignore the questions at the end of the case.  Come to class ready to discuss the two areas of risk that you choose.  Based on just your analysis, would you recommend AWA continue with its plans to outsource its ALCS?  Why or why not?
