...and combine them into one final report. These reports will consist of:
- The two auditing frameworks or hardening guidelines / security checklists used by the DoD.
- How a security assessment addressing modern-day risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure can help an organization achieve compliance.
- How to gather and obtain the information needed to perform a GLBA Financial Privacy & Safeguards Rules compliance audit, and what must be covered.
- The top Workstation Domain risks, threats, and vulnerabilities, including not only possible causes but also mitigations to prevent these issues from happening.
- The top LAN-to-WAN risks, threats, and vulnerabilities, including not only possible causes but also mitigations to prevent these issues from happening.
- The top Remote Access Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.
- The top Systems/Application Domain risks, threats, and vulnerabilities, as well as ways to mitigate these types of issues.
Part 1: Purpose: The purpose of Part 1 of this lab is to develop an executive summary in regard to either the two auditing frameworks or the hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks. Background: A little background about the AF (Auditing Framework) for the DoD is that it provides a foundation for developing and representing...
Words: 2140 - Pages: 9
...Business Research and Ethical Issues in Independent Auditing. Te’ Portia Sibley, RES 351, John Gilpin, Jan. 22, 2014. The role of an auditor is to audit with integrity and objectivity. In an essay by Roger D. Martin, the role of an auditor should expand to assessing the integrity and ethical values of their client as well. The purpose of this research was to bring to light how auditor-client relationships could devolve into questionable behaviors. This article is in response to the regulations of the Sarbanes-Oxley Act of 2002, which require that an independent auditing firm be contracted to audit a company for compliance with the Generally Accepted Accounting Practices. Prior to the act, company management hired the auditing firm, negotiated the fee, and could request that the firm perform other services. The Sarbanes-Oxley Act requires that an audit committee of the company’s Board of Directors hire the auditing firm, with restricted duties. The researcher concludes that an auditor could and should be trained to understand ethics and how it influences behavior. This is a tool auditors could use to assess the integrity and ethical values of clients and better understand the ethical infrastructure (the organizational elements that contribute to an organization’s ethical effectiveness) of an organization. What unethical research behavior was involved? The article discusses how auditors maintain integrity and fulfill their responsibilities independently. Auditors should be aware of risks when dealing...
Words: 815 - Pages: 4
...The Sarbanes-Oxley Act of 2002. Presented by: Ibrahim M. Conteh; Ruby Proctor Garcia; Kathleen M. Parry; Joseph M. Schmerling; Jaime Ulloa. Auditing Theory and Practice 0902 ACCT422 4021. Due: April 29, 2009.
Table of Contents
What is the Sarbanes-Oxley Act of 2002?
Why was SOX established?
When did SOX take effect?
What companies were affected and how?
What does SOX compliance require?
Conclusion
References
What is the Sarbanes-Oxley Act of 2002? The Sarbanes-Oxley Act of 2002 – its official name being “Public Company Accounting Reform and Investor Protection Act of 2002” – is recognized to be the most significant U.S. federal disclosure and corporate governance legislation since the Securities Act of 1933 (the Securities Act) and the Securities Exchange Act of 1934 (the Exchange Act), and the provisions of the Act are significant enough that it is considered by many to be the most significant change to federal securities laws in the U.S. since the New Deal. It is best understood, however, not as a piece of legislation centered on a new concept of regulation, but as a process which mandated that many major reforms be implemented as soon as possible (in some cases, within 30 days) on the precise schedule specified by Congress. In that sense, the Enron and WorldCom debacles provided the impetus of public outrage that...
Words: 3247 - Pages: 13
...monitor effective internal controls over financial reporting. The costs of implementing an effective internal control structure are onerous, and SOX inflicts opportunity costs upon an enterprise as executives have become more risk averse due to fears of incrimination. The Public Company Accounting Oversight Board (PCAOB) was created by SOX to oversee the accounting process and dictate independence requirements for auditors and auditing committees. The PCAOB’s proposed regulations must be approved by the SEC before they are enacted. Since the passage of SOX, the IT department has become critical in designing and implementing the internal controls in company accounting information systems. The Information Technology Governance Institute (ITGI) created a framework called Control Objectives for Information and Related Technology (COBIT) to provide guidance for companies to implement and monitor IT governance.
Accounting Information Systems Research Paper
The Sarbanes-Oxley Act of 2002 changed the landscape of corporate financial reporting and auditing. In the wake of corporate reporting scandals, Congress decided the accounting profession was unable to self-regulate, and the Sarbanes-Oxley Act of 2002 was signed into law. The law addresses corporate greed and dishonesty by requiring companies to implement extensive internal control procedures to deter fraud and hold corporate...
Words: 3250 - Pages: 13
...employees has not been implemented. Security measures are not in place to provide protection from physical threats. Network security measures have not been implemented, either with a firewall or with an antivirus system to prevent malware. Cross-functionality of the systems is not considered with respect to disaster recovery and incident response planning. The IT department does not have a diagram of the infrastructure mapped out as a topology, which would also aid in the event of a disaster or other incident. Permissions are not enforced according to appropriate industry standards acknowledging the principle of least privilege. Policies and procedures should be implemented and enforced to mitigate security issues, and should be updated no less than annually.
Phase 2
Lack of information technology governance can harm a company in many ways. Ensuring that employees with roles protecting the infrastructure have proper training and the support of senior management will help to address security and compliance concerns. Failure to adhere to industry best practices can lead to compliance concerns and loss of confidentiality of data, and potentially to lawsuits. Without proper permission and access monitoring, the company cannot enforce policies or procedures. This can lead to viruses or malware infiltrating the network, which can cause an interruption in productivity and loss of revenue, and can ultimately damage the company’s reputation.
Phase 3
Key findings above are...
Words: 415 - Pages: 2
...Compliance Audit Report, Public Version. ExxonMobil Corporation-Baton Rouge, NERC ID # NCR00128. Confidential Information (including Privileged and Critical Energy Infrastructure Information) – Has Been Removed. Date of Audit: July 17-19, 2012. Date of Report: August 11, 2012.
TABLE OF CONTENTS
Executive Summary
Audit Process
  Objectives
  Scope
  Confidentiality and Conflict of Interest
  Methodology
  Company Profile
  Audit Participants ...
Words: 1830 - Pages: 8
...Student Lab Manual. © Jones & Bartlett Learning, LLC. NOT FOR SALE OR DISTRIBUTION. Auditing IT Infrastructures for Compliance, IS4680. Current Version Date: 11/21/2011. Copyright 2013 by Jones & Bartlett Learning, LLC, an Ascend Learning Company. www.jblearning.com ...
Words: 30948 - Pages: 124
...firm that also with prior knowledge of accounting ethics, which at most times makes it more risky, given the legal involvement. Lastly, manipulations are also likely to occur as the biggest threat in audit consultancy services. So, professional ethics issues are likely to arise. Hence, self-governance is largely a matter that can pose greater risk. When it comes to the preparation and retention of audit working papers, the requirements prepared by the auditor should be such that they help the auditors carry out auditing services in the most appropriate way. Hence the working paper requirements should, as far as possible, avoid accumulating unnecessary working papers, both for the sake of the client and for the requirements of professional auditing standards. When it comes to the ownership of audit working papers, and in line with the general principles, audit papers are the property of the auditor concerned in all circumstances. However, the auditor and the audit papers are also subject to some compliance requirements. Hence, in the first instance the audit firm owns the audit...
Words: 860 - Pages: 4
...validation checks in websites and can eventually lead to code execution on the server or code execution on the website (an XSS attack using JavaScript). RFI is a common vulnerability, and not all website hacking is focused on SQL injection. Using RFI you can deface websites, get access to the server and do almost anything. What makes it more dangerous is that you only need common sense and basic knowledge of PHP to execute this one.
2. What country is the top host of SQL Injection and SQL Slammer infections? Why can't the US Government do anything to prevent these injection attacks and infections? The U.S. is the top host of SQL Injection and SQL Slammer infections. Cybercriminals have made vast improvements to their infrastructure over the last few years. This expansion includes thousands of websites vulnerable to SQL injection. Malicious code writers have exploited these vulnerabilities to distribute malware so quickly that the government cannot contain such a large quantity.
3. What does it mean to have a policy of nondisclosure in an organization? It is a contract where the parties agree not to disclose information covered by the agreement. It outlines confidential material, knowledge, or information that the parties wish to share with one another for certain purposes, but wish to restrict access to or by third parties.
4. What trends were tracked when it came to malicious code in 2009 by the Symantec report researched during this lab? DoS attacks are...
Words: 1109 - Pages: 5
...Introduction. All internal audits are carried out in compliance with internal company standards and procedures, which have been assessed by the National Safety Authority (Railway Safety Commission) as part of the submission for safety certification under Commission Regulation 1158/2010. Our internal audit processes meet the requirements of section S of the Common Safety Method Directive (CSM) by demonstrating that there is an auditing system that is:
• Independent
• Impartial and transparent
• Planned and revised dependent on the results of previous audits
• Supported by procedures for competent auditors
• Supported by management of recommendations and communication of findings to persons who have accountability to implement findings.
This requirement is not dissimilar to the obligations imposed on UK railway undertakings under Schedule 1 (k) of the Railways and Other Guided Transport Systems (Safety) Regulations 2006 (ROGS). However, from July 2013 the CSM for monitoring will require more defined processes for monitoring to enable effective management of safety in the railway. The risk is that, without audit structures which define the role, purpose and processes of auditing, the benefits of auditing and the potential outcomes of not carrying out diligent audits are not understood by the management team. This paper will attempt to clarify the role, purpose and processes involved in auditing, and its value to the organisation if carried out to appropriate and transparent standards. ...
Words: 2172 - Pages: 9
...strategy, goals and objectives while adding business value and controlling risks. IT governance is concerned with strategic alignment between the goals and objectives of the business and the utilization of its IT resources to effectively achieve the desired results. In comparison, IT execution is the usage of sound management practices and the use of IT controls. These controls are usually based on a framework consisting of best practices that are used as guidelines to help successfully implement IT governance. For this discussion, we will focus on the Control Objectives for Information and related Technology (COBIT) Framework. The COBIT framework is a set of guidelines that lay the groundwork for best practices that provide for the managing, auditing, and assistance of users, which allows them to measure their processes and to develop and improve the controls of a company. There are two major organizations that are associated with IT governance: ISACA (Information Systems Audit and Control Association) and the IT Governance Institute. Effective and efficient enterprise IT governance is crucial to the ongoing success of an organization. IT governance is an important high-level subset of business processes that provides guidance to IT operations. From these high-level processes, policies and decisions are made for the IT department on how the department will execute its functions with regard to the overall business model. Key factors that can influence IT governance on the...
Words: 883 - Pages: 4
...Kudler Fine Foods is a company that has a significant amount of electronic data and information flowing through its system on a daily basis. The company relies on this data to be accurate and trustworthy. Considering the dependency on and importance of the electronic data flowing through the system in such high volume, they would benefit from computer-assisted audit techniques (CAATs). A CAATs audit is focused on testing the computer systems for data integrity and the security of the company’s information data processing. CAATs provide a 10-step process made available to the auditor for use as guidelines in conducting an efficient audit. The guidelines will reduce the time to complete the audit, save money and ensure a high degree of confidence in the audit results. The CAATs audit will provide the owner of Kudler Fine Foods with assurance that the systems are operating with accuracy and that the data is secure. To initiate the audit procedure, the auditor will first collaborate with the owner of Kudler Fine Foods to define the intents and desired end results of the audit. The auditor will review the computer systems, processes, types of data and process controls with Kathy Kudler to ensure that she thoroughly understands the system. Through this collaboration, the auditor will determine the best strategies for assessing the risks associated with the system and current processes. He or she will also determine the optimal strategy for collecting and testing data. Once...
Words: 1856 - Pages: 8
...transactions for loan applications and other banking services. A task team has been formed to study the cost, performance, and security of maintaining a Linux and open source infrastructure. According to rough estimates, annual cost savings in licensing fees alone can be up to $4,000,000. At the same time, the confidentiality, integrity, and availability (CIA) triad perspective needs to be taken into account for infrastructure maintenance. The task team has engaged a network engineer with the network and routing design. The team has determined the following server services that would be needed to support the online transaction infrastructure:
* A database server
* A Web server
* A file server
* A Simple Mail Transfer Protocol (SMTP) server
* A Lightweight Directory Access Protocol (LDAP) server
All servers would be physically located in a third-party data center.
Tasks
You need to:
Understand the business need of First World Bank Savings and Loan.
Point out specific legislation and regulations that meet the statutory compliance criteria.
Assess the feasibility of Linux and open source infrastructure in handling security demands listed by the legislation and regulations.
Make recommendations to model a tiered architecture for the proposed online transaction in a Linux-based infrastructure.
Identify a suitable security framework that forms the basis of your recommended security policy, providing a valid rationale for your recommendation.
Create a professional...
Words: 780 - Pages: 4
...Risk-Based IT Audit: Risk-Based Audit Methodology Applied to an Organization’s IT Risk Management. Kun Tao (Quincy), Cal Poly Pomona. Author Note: This paper was prepared for GBA 577 Advanced IS Auditing, taught by Professor Manson. March 2014.
Table of Contents
Abstract
Introduction
Methodology
  Risk-based auditing methodology: Risk assessment
    IT Risk Management
    IT Risk Control Framework
    Identifying assets
    Determining criticality and confidentiality levels
    Threat and vulnerability identification...
Words: 6057 - Pages: 25