...1. What is risk management? The process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? It is a starting point for the next step in the risk management process – risk assessment. 2. According to Sun Tzu, what two key understandings must you achieve to be successful in battle? Know the enemy and know yourself. 3. Who is responsible for risk management in an organization? Each community of interest has a role to play in managing the risks that an organization encounters. Which community of interest usually takes the lead in information security risk management? The information security community. 4. In risk management strategies, why must periodic review be a part of the process? To verify the completeness and accuracy of the asset inventory, review and verify the threats to and vulnerabilities in the asset inventory, as well as the current controls and mitigation strategies. Must also review the cost effectiveness of each control and revisit decisions on deployment of controls. Managers at all levels must regularly verify the ongoing effectiveness of every control deployed. 5. Why do networking components need more examination from an information security perspective than from a systems development perspective? Networking...
Words: 817 - Pages: 4
...Homework #4 1. What is risk management? Why is the identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. 3. Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management? Each community of interest has a role to play in managing the risks that an organization encounters and the information security community takes the lead in information security risk management. 6. What value does an automated asset inventory system have for the risk identification process? The inventory listing is usually available in a database or can be exported to a database for custom information on security assets. Once stored, the inventory listing must be kept current, often by means of a tool that periodically refreshes the data. When you move to the later steps of risk management, which involve calculations of loss and projections of costs, the case for the use of automated risk management tools for tracking information assets becomes stronger. 9. What’s the difference between an asset’s ability to generate revenue and its ability to generate profit? They both depend on a particular asset however some services may have large revenue clause...
Words: 336 - Pages: 2
...Chapter 4 1. Risk management is the process of identifying risk, as represented by vulnerabilities, to an organization’s information assets and infrastructure, and taking steps to reduce this risk to an acceptable level. 2. According to Sun Tzu, the two key understandings we must achieve to be successful in battle are Know Yourself and Know the Enemy. Know Yourself. First, you must identify, examine, and understand the information and systems currently in place within your organization. This is self-evident. To protect assets, which are defined here as information and the systems that use, store, and transmit information, you must know what they are, how they add value to the organization, and to which vulnerabilities they are susceptible. Once you know what you have, you can identify what you are already doing to protect it. Just because a control is in place does not necessarily mean that the asset is protected. Frequently, organizations implement control mechanisms but then neglect the necessary periodic review, revision, and maintenance. The policies, education and training programs, and technologies that protect information must be carefully maintained and administered to ensure that they remain effective. Know the Enemy. Having identified your organization’s assets and weaknesses, you move on to Sun Tzu’s second step: Know the enemy. This means identifying, examining, and understanding the threats facing the organization. You must determine which threat aspects most...
Words: 963 - Pages: 4
...Radio Frequency Identification Uses in Inventory Management By: Jared Farnsworth, LAT In the fall of two thousand two I was introduced to radio frequency identification or RFID while I was doing my advanced individual training (AIT) for the military in Fort Lee, Virginia. At this time RFID was still in its infancy and not too many people were using RFID at this time. Not really too much was known about the benefits that it provided for inventory management either. The military was in the beginning stages of development and found it useful to link all of the databases at every military installation to make inventory control that much more reliable. Throughout my career in the military I used the RFID system quite a bit, mainly for inventory management. I used it for the control of medical equipment for the Army hospital that I was attached to. Everything had to be documented since all the supplies were highly vital to the proper running of the hospital. Other uses for the RFID system are for loss prevention, tracking inventory replenishment, managing work-in-progress, and the removal of production waste through lean management. However, certain problems do exist with the RFID system such as misuses and privacy issues. Over the next few paragraphs the benefits and problems with the RFID system will be discussed. “Theft and loss prevention and price markdown management are two of the most promising uses for radio frequency...
Words: 2687 - Pages: 11
...The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction ... 3 CSC 1: Inventory of Authorized and Unauthorized Devices ... 8 CSC 2: Inventory of Authorized and Unauthorized Software ... 14 CSC 3: Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers ... 19 CSC 4: Continuous Vulnerability Assessment and Remediation ... 27 CSC 5: Malware Defenses ... 33 CSC 6: Application Software...
Words: 31673 - Pages: 127
...which forms high competition amongst existing players and drives down the potential profit due to price wars.1 Due to such environmental factors, Coke has distinctively chosen to streamline their spending to the areas of marketing and advertising, a primary business activity, in order to create value. By creating a recognized brand image and leveraging their secret recipe, Coke has become a product differentiator in which other companies cannot easily replicate. This is further evidenced through a DuPont analysis (see Exhibit 1), which indicates a growing profit margin (an indicator of product differentiation) despite a decreasing asset turnover. IT Strategy At Coke, there has been a recent shift in IT strategy that places information technology at the forefront of their business. The CIO has changed his attitude to become a “revenue-generating CIO” (“Driving the top line with technology,” n.d.), more driven towards making decisions based on how IT will transform the industry in order to increase performance of the company. Thus, Coke can be placed in the Strategic quadrant of McFarlan’s grid. In July 2010, the company began implementing a new Enterprise Performance Management (EPM) system to enhance its supply chain processes (“Things Go Better With Coke’s Supply Chain,” n.d.). It identified problems such as its new ventures and bottling partners having inconsistent reporting regulations, and ultimately inconsistent calculation of metrics.1 Also, even when the same KPIs (Key Performance...
Words: 1074 - Pages: 5
...Due to security issues, you may not be allowed to practise all commands and programs of the practical-type questions with the university’s computers. So, interested students are encouraged to do this section on their own computers (if available). You will not be assessed for utilities/commands that cannot be practised on university computers. 1. (Review Question 1) What is risk management? Why is identification of risks, by listing assets and their vulnerabilities, so important to the risk management process? 2. (Review Question 3) Who is responsible for risk management in an organization? Which community of interest usually takes the lead in information security risk management? 3. (Review Question 4) In risk management strategies, why must periodic review be a part of the process? 4. (Review Question 5) Why do networking components need more examination from an information security perspective than from a systems development perspective? 5. (Review Question 6) What value does an automated asset inventory system have for the risk identification process? 6. (Review Question 8) Which is more important to the systems components classification scheme, that the list be comprehensive or mutually...
Words: 1581 - Pages: 7
...EAGLE PROGRAM APPROACH PAGE 1. INTRODUCTION 1.1 What is EAGLE? ... 5 1.2 What is the Purpose of EAGLE? ... 6 1.3 Program Expectations and Timeline ... 6 1.4 Guidance Manual and Training Program ... 7 2. OVERVIEW OF INTERNAL CONTROLS OVER FINANCIAL REPORTING 2.1 Introduction ... 8 2.2 Definition of Internal Control ... 8 2.3 COBIT ... 11 2.4 Responsibility for Internal Control System ... 13 2.5 Conclusion ... 14 3. TOP-DOWN, RISK-BASED APPROACH 3.1 Introduction ... 15 3.2 Risk Identification...
Words: 45404 - Pages: 182
...Solutions for Chapter 11 Audit of Acquisition and Payment Cycle and Inventory Review Questions: 11-1. Supply chain management involves the management and control of materials in the logistics process from the acquisition of raw materials to the delivery of finished products to the end user (customer). Supply-chain management involves contracts between buyers and suppliers that specify contract, delivery, and payment terms. In some cases, such as Wal-Mart, suppliers retain title to the goods until they are sold to the buyer’s customers. Wal-Mart’s suppliers have access to Wal-Mart’s inventory records and automatically restock inventory according to that contract. Wal-Mart pays their suppliers when the products are sold to its customers. General Motors has contracts with its suppliers that call for providing tires and other parts based on production schedules and paying suppliers based on the actual production of cars. 11-2. The major controls that a company such as General Motors will consider in such a partnering relationship include: • A contract specifying the requirements of each party to the contract. For example, the contract should specify the following major requirements of the supplier: o Penalties for failure to deliver products on time. o Quality control requirements, including inspection and testing to be done either by the supplier or the purchaser. Most contracts require intensive inspection by the supplier...
Words: 19271 - Pages: 78
...Accounting Information Systems CHAPTER 6 CONTROL AND ACCOUNTING INFORMATION SYSTEMS SUGGESTED ANSWERS TO DISCUSSION QUESTIONS 6.1 a. The "internal environment" refers to the tone or culture of a company and helps determine how risk conscious employees are. It is the foundation for all other ERM components, providing discipline and structure. It is essentially the same thing as the control environment in the internal control framework. The internal environment also refers to management's attitude toward internal control, and how that attitude is reflected in the organization's control policies and procedures. At Springer's, several deficiencies in the control environment are apparent: 1. Management authority is concentrated in three family members, so there are few, if any, checks and balances on their behavior. In addition, several other relatives and friends of the family are on the payroll. 2. Since the company has a "near monopoly" on the business in the Bozeman area, there are few competitive constraints that might otherwise restrain prices, wages, and other business practices. 3. Lines of authority and responsibility are loosely defined within the company, which would make it difficult to identify who might be responsible for any particular problem or decision. 4. Management may have engaged in "creative accounting" to make its financial performance look better, which suggests a management philosophy that could encourage unethical behavior among employees...
Words: 6258 - Pages: 26
...Chapter 2 IT Infrastructure and Support Systems IT at Work IT at Work 2.1 Western Petro Controls Costs with its Trade Management System For Further Exploration: Which processes are being automated and why? PetroMan is a comprehensive trading system that triggers buying and selling activities and integrates contract management, risk management, accounting, and pipeline scheduling. Using PetroMan, the company can place bids and automatically capture a contract for refined products, and schedule and confirm deliveries in pipelines. PetroMan also handles the resale of fuels, including electronic invoicing and a credit module that checks and tracks a customer’s credit risk. This tracking is done by hedging large purchasing contracts by selling futures on the New York Mercantile (Commodities) Exchange. By hedging, the company protects itself against the risk of a large drop in oil prices. The software is plugged directly into the primary commodity exchanges, automating the process. Why is controlling risk important? By hedging, the company protects itself against the risk of a large drop in oil prices. The software is plugged directly into the primary commodity exchanges, automating the process. Does PetroMan provide Western Petro with a competitive advantage? Explain. Competitive advantage is defined as the strategic advantage one business entity has over its rival entities within its competitive industry. Achieving competitive advantage strengthens and positions...
Words: 10310 - Pages: 42
...1. Accounting is an information and measurement system that identifies, records, and communicates relevant, reliable, and comparable information about an organization's business activities. True False 2. Managerial accounting is the area of accounting that provides internal reports to assist the decision making needs of internal users. True False 3. The primary objective of financial accounting is to provide general purpose financial statements to help external users analyze and interpret an organization's activities. True False 4. The area of accounting aimed at serving the decision making needs of internal users is: Financial accounting. Managerial accounting. External auditing. SEC reporting. Bookkeeping. 5. External users of accounting information include all of the following except: Shareholders. Customers. Purchasing managers. Government regulators. Creditors. 6. Social responsibility: Is a concern for the impact of our actions on society. Is a code that helps in dealing with confidential information. Is required by the SEC. Requires that all businesses conduct social audits. Is limited to large companies. 7. A corporation: Is a business legally separate from its owners. Is controlled by the FASB. Has shareholders who have unlimited liability for the acts of the corporation. Is the same as a limited liability partnership. Is not subject to double taxation ...
Words: 2344 - Pages: 10
...Assignment One: Information Needs for the AIS Lindsay Bostick ACC 564 Accounting Information Systems Note: This assignment is submitted on April 15, 2016 to Dr. Ahmad Abudiab in fulfillment of a requirement for successful course completion. Introduction of Accounting Information Systems “Accounting is a data identification, collection, and storage process as well as an information development, measurement, and communication process. By definition, accounting is an information system, since an AIS collects, records, stores, and processes accounting and other data to produce information for decision makers (Romney, p. 10).” The accounting process controls what happens in other groups such as marketing, services, human resources, sales, IT, staff, customer service, organizational, and inventory. Decisions are only made if the accounting team allows them to. Funding needs to be budgeted and accounted for before any money is spent within those other teams. “An AIS can be a paper-and-pencil manual system, a complex system using the latest in IT, or something in between. Regardless of the approach taken, the process is the same. The AIS must collect, enter, process, store, and report data and information (Romney, p. 10).” It doesn’t matter if the accounting team uses software such as QuickBooks, an internal accounting system, or just an Excel spreadsheet to collect the information as long as it is timely and accurate. The company that...
Words: 1391 - Pages: 6
...HEALTHY BODY WELLNESS CENTER, OFFICE OF GRANTS GIVEAWAY SMALL HOSPITAL GRANTS TRACKING SYSTEM INITIAL RISK ASSESSMENT PREPARED BY: WE TEST EVERYTHING LLC Jerry L. Davis, CISSP, Sr. Analyst EXECUTIVE SUMMARY ... 4 1. INTRODUCTION ... 7 Background ... 7 Purpose ... 7 Scope ... 7 Report Organization ... 8 2. RISK ASSESSMENT APPROACH ... 9 2.1 Step 1: Define System Boundary ... 9 2.2 Step 2: Gather Information...
Words: 10420 - Pages: 42