The risk of SQL forms within the Oracle Applications- How did that Happen?
1 The risk of SQL forms within the Oracle Applications - How did that happen?
Alfredo Pantaleon, Sr. Principal - GRC Services, KBACE
Jeffrey Hare, CPA CISA CIA - ERP Seminars
March 26,
2 Presenter
Alfredo Pantaleon, Sr. Principal - GRC Services, KBACE. Formerly with LogicalApps and KPMG/BearingPoint, Alfredo has over 10 years of experience in ERP integrations for several Fortune 50 corporations, including Oracle, KPMG, BearingPoint, GE, Motorola, CBS, Michelin and BMW, and for public sector and government agencies such as the FAA, DHHS and DOT, as a results-driven project management professional. Mr. Pantaleon has served clients in industries including high technology, telecommunications, manufacturing and security. With a deep understanding of Oracle technologies and the integration of business processes, corporate governance and a strong financials background, Alfredo provides both functional and technical leadership to operations of any size, both domestic and international.
3 Agenda
Introductions; Objective; Survey Findings; Risks; Scenarios; Recommendations; Q&A; Closing
4 KBACE Corporate Overview
KBACE maximizes the value that Oracle's clients derive from their software investment and goes to market with Oracle to augment the generation of new license opportunities.
- Incorporated in 1998
- Privately held, employee owned, cash-flow positive since inception
- Headquartered in Nashua, NH with national presence
- Maintains a significant portfolio of Oracle install-base clients
- Specializes solely in the Oracle E-Business Suite and related technology
- Multiple LOBs: Professional Services, Support Services, Analytics, Advanced Technologies, Education
- KBACE runs its own business on the Oracle E-Business Suite Release 12
5 Professional Services
Oracle Application Consulting Practices: Financials, Supply Chain, Manufacturing, Projects, CRM, Advanced Technology, Human Capital Management (HCM), Data Services, Governance Risk and Compliance (GRC)
- Development centers in Nashua, NH and Bangalore, India
- Worldwide Certified Advantage Partner
- Participated with Oracle on Accelerator and Methodology development
- Currently partnering with Oracle on Fusion validation
6 Objective
Oracle's E-Business Suite has unique risks that need to be evaluated when designing application security and controls. We will look at one of the highest-risk areas in Oracle's E-Business Suite: forms that allow SQL statements to be embedded in them. This presentation will address the following:
- Overview of SQL forms and the related risks
- Examples of how SQL forms can be used to manipulate data and commit fraud
- Best practices related to SQL forms
- Strategies to monitor access to and activity in SQL forms
7 SQL Forms Survey - Awareness of SQL forms risks?
- I was not aware of the risk: 32.6%
- I have read about SQL forms, but didn't/don't understand the risks: 13.0%
- My company is aware of the risks, but has chosen not to address them: 4.3%
- My company is aware of the risks, but feels monitoring software is too expensive: 10.8%
- My company has put a third-party trigger- or log-based solution in place to monitor them: 4.3%
- My company uses Oracle's Sys Admin audit trail to monitor the activity: 4.3%
- My company requires all SQL form activity to go through IT Change Management: 21.7%
- My company reconciles actual activity to our Change Management approvals: 0.0%
- Other: 8.6%
8 SQL Forms Survey - How long as an Oracle EBS customer?
- We are not yet live with the system: 5.1%
- We have been live less than 1 year: 2.5%
- We have been live 2-4 years: 20.5%
- We have been live 5 or more years: 64.1%
- Other: 2.5%
- No response: 5.1%
9 SQL Forms Survey - Number of Oracle users? (pie chart; the user-count categories were not captured in the transcription)
10 Risks
What types of risk are exposed when users have access to SQL forms?
- Override of the change management process
- Fraud by employees or consultants
- Data theft
- Unauthorized changes to security
References: Metalink note Best Practices for Securing the E-Business Suite. Additional information is available in the internal control repository (ICR).
11 Scenarios
- Fraudulent bank account updates for the purpose of misdirecting payment of funds to a supplier
- Reset of the SYSADMIN login for the purpose of unapproved access and system updates
The objective of the following scenarios is to show limited examples of how fraud may be committed. The methods shown are not meant to inspire their use for any activities that may be illegal or unethical. The examples shown are for presentation purposes only and do not outline the full business processes or controls that are in place around those processes.
12 Scenario 1 - Fraudulent Bank Account Update
A supplier has contacted procurement about payments they have not received. Reporting shows that the payments were made, but there is an inconsistency in the system: the bank account looks as though it had been changed and then changed back, yet there is no record of this being approved.
Cause: an Oracle Alert SQL form was used to update the bank account from behind the scenes and then update it back.
13 Unapproved Alert is created
The alert's SELECT statement itself does not matter, as long as it returns one row so that the action set fires. A clever person could go so far as to fire the alert when a payment is created against the victim bank account and update the bank account record at that moment. In this walkthrough the alert is run on demand; someone could make it much more targeted using the Event tab, so that it fires automatically on the triggering transaction.
14 Unapproved Alert is created
There are a couple of setups needed for the alert's actions, but they are fairly simple and flexible. Alerts are powerful because their actions can launch programs, run SQL statements and execute PL/SQL. It should be noted that normal users do not usually have access to create alerts. The steps: create an action set, add an action and select an action type. Notice that SQL Statement Script and Operating System Script are among the action types, and that the action can call a PL/SQL package or contain hand-written SQL statements.
15 Take a look at the bank account BEFORE
Bank accounts are not defined per vendor; they are defined as bank account records and then assigned to other pieces of data. They are used on vendors, vendor sites and payments, for example. The account shown here is the bank account on the vendor site, and its name is the value seen on the payment and transactions. The bank account number is the victim. This is important because the number is not usually seen on the transaction; only the name is.
16 A payment is created
A payment is created using the victim bank account. The bad guy could have an alert set to watch for this, or could simply know which day payments are made so the alert can be fired then. The trick is to update the account after the payment record is created. Note also that this type of fraud would likely be directed at electronic payments. The bank account number shows in the LOV but not on the form.
17 The unapproved Alert is fired
The alert may be manually initiated to update the account. A smart perpetrator may go as far as changing the account back after the EFT is completed, so it is tougher for anyone to catch what has happened. When the alert is raised its action updates the record, and the Last Update Date and Last Updated By columns do not change: the record still looks as if the last person to touch it through the form made the change.
18 Bank account AFTER payment and back again
If someone were to review the bank account record, the account number would be different, but the Last Update Date and Last Updated By would show no difference from before. The perpetrator could then update the number again, back to the original, and effectively wipe away some of the tracks. Screenshot callouts: the bank account number, "Updated by dgeryol at 6:41:02 pm"; the bank account number changed, still "Updated by dgeryol at 6:41:02 pm".
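The point of slides 17 and 18 is that a SQL update issued from an alert action leaves the row's WHO columns exactly as the last form save left them, so Record History cannot show the swap, and a change-and-change-back around a payment run leaves nothing on the record at all. The Python below is an added example, not code from the presentation or from Oracle: it models the two write paths (form versus alert SQL) over a made-up bank account record, feeds every write to a trigger-style audit log of old/new row images, and then runs the three checks a log-based monitor can make that the row itself cannot. The table layout, names, account numbers and dates are constructed for the demonstration.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BankAccountRow:
    """Image of one bank account record, including its WHO columns (constructed layout)."""
    bank_account_id: int
    bank_account_name: str
    bank_account_num: str
    last_updated_by: str
    last_update_date: datetime


@dataclass(frozen=True)
class AuditEntry:
    """One row a table trigger would write: old and new image of the record."""
    changed_at: datetime
    old: BankAccountRow
    new: BankAccountRow


def form_update(row, app_user, now, new_num):
    """Path 1: the bank account form stamps the WHO columns on every save."""
    return replace(row, bank_account_num=new_num,
                   last_updated_by=app_user, last_update_date=now)


def alert_sql_update(row, new_num):
    """Path 2: a direct UPDATE from an Alert / Quality SQL action. As the
    slides note, nothing touches the WHO columns, so they stay as they were."""
    return replace(row, bank_account_num=new_num)


def find_who_bypass(log):
    """Data changed but WHO columns identical: the form cannot produce this,
    so the write came from SQL outside the form."""
    return [e for e in log
            if e.old.bank_account_num != e.new.bank_account_num
            and (e.old.last_updated_by, e.old.last_update_date)
            == (e.new.last_updated_by, e.new.last_update_date)]


def find_round_trips(log, within=timedelta(days=7)):
    """Account number changed and later restored to the prior value within
    `within`: the change-and-change-back pattern of Scenario 1."""
    hits, by_id = [], {}
    for e in sorted(log, key=lambda e: e.changed_at):
        by_id.setdefault(e.new.bank_account_id, []).append(e)
    for entries in by_id.values():
        for i, first in enumerate(entries):
            if first.old.bank_account_num == first.new.bank_account_num:
                continue
            for later in entries[i + 1:]:
                if later.changed_at - first.changed_at > within:
                    break
                if later.new.bank_account_num == first.old.bank_account_num:
                    hits.append((first, later))
                    break
    return hits


def account_at(log, baseline, account_id, at):
    """Replay the audit trail to get the number the row held at time `at`."""
    num = baseline[account_id].bank_account_num
    for e in sorted(log, key=lambda e: e.changed_at):
        if e.new.bank_account_id == account_id and e.changed_at <= at:
            num = e.new.bank_account_num
    return num


def diverted_payments(log, baseline, current, payments):
    """Payments whose account number at payment time differs from what the
    record shows today: funds went to a number the record no longer admits."""
    return [p for p in payments
            if account_at(log, baseline, p["bank_account_id"], p["paid_at"])
            != current[p["bank_account_id"]].bank_account_num]


def run_demo():
    """Constructed replay of Scenario 1; every name, number and date is made up."""
    t = lambda s: datetime.strptime(s, "%Y-%m-%d %H:%M")
    base = BankAccountRow(10, "ACME SUPPLY MAIN", "000111222", "dgeryol", t("2010-03-01 09:00"))
    baseline, log = {10: base}, []
    # Legitimate correction through the form: WHO columns move with the data.
    r1 = form_update(base, "dgeryol", t("2010-03-05 18:41"), "111222333")
    log.append(AuditEntry(t("2010-03-05 18:41"), base, r1))
    # Unapproved alert swaps in the perpetrator's number before the payment run...
    r2 = alert_sql_update(r1, "999000111")
    log.append(AuditEntry(t("2010-03-10 18:41"), r1, r2))
    # ...and puts the real number back after the EFT has gone out.
    r3 = alert_sql_update(r2, "111222333")
    log.append(AuditEntry(t("2010-03-12 18:41"), r2, r3))
    current = {10: r3}
    payments = [  # constructed payment register
        {"payment_num": "P-1000", "bank_account_id": 10, "paid_at": t("2010-03-06 10:00")},
        {"payment_num": "P-1001", "bank_account_id": 10, "paid_at": t("2010-03-11 10:00")},
    ]
    return {
        "who_columns_now": (r3.last_updated_by, r3.last_update_date),
        "who_bypass": find_who_bypass(log),
        "round_trips": find_round_trips(log),
        "diverted": diverted_payments(log, baseline, current, payments),
    }


if __name__ == "__main__":
    res = run_demo()
    print("WHO columns still read:", res["who_columns_now"])
    print("writes that bypassed the form:", len(res["who_bypass"]))
    print("change-and-revert pairs:", len(res["round_trips"]))
    print("payments sent to a number not on record:",
          [p["payment_num"] for p in res["diverted"]])
```

Running it shows the record ending exactly where it started, still stamped by the last form user, while the log reports two writes with untouched WHO columns, one change-and-revert pair, and one payment (P-1001) that went to a number the record no longer carries. That is the gap between Record History and a trigger- or log-based audit that the survey on slide 7 and the monitoring strategies on slide 30 are about.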
19 Scenario 2 - Reset of SYSADMIN login
Upon a routine audit of the system, the system administrator could not log in to the SYSADMIN account. The audit reports also showed a high number of logins by the SYSADMIN user and updates to key profile options. There was no record of approval for any changes by this user, and profile options are not normally updated with this login.
Cause: a quality plan from the Oracle Quality application was used to reset the SYSADMIN password so that illegal logins and updates could be made.
20 SYSADMIN login - Normal
Admin personnel may use the SYSADMIN application user for certain admin tasks. The password is tightly controlled. SYSADMIN normally has keys-to-the-kingdom type responsibilities.
21 Oracle Quality - not just for Quality Control, but Quality Access!
Oracle Quality is a powerful application used in areas like receiving and manufacturing to help capture data related to quality, measurements, specifications and similar. Data entered into collection plans can translate into automated reporting, notifications and updates to other areas of the system. The function to create plans is normally found under Setup; however, many sites make this function available for creating ad hoc plans.
22 Create a QA plan
A fraudulent QA plan is created with minimal information. These plans can be deleted once they are done being used, which removes many traces of what has been done. Screenshot callouts: "A bogus QA plan is created"; "Actions... access to GOLD".
23 Create the condition and pick the event
Once a plan is created you need only define the action condition that triggers your action, then pick the method to execute. Screenshot callouts: this sets up a condition (trigger value); here are my choices to do damage: Operating System scripts and SQL scripts.
24 Create the action details (SQL entry)
Using the details window you can write a SQL statement or call PL/SQL procedures to do your bidding. Screenshot callout: executing a standard Oracle package to update a user's password without knowing the existing password.
25 Enter a QA result to initiate the plan's illegal update
To execute the plan, a simple entry must be made into the fraudulent plan with the trigger condition. Entering QA results is a fairly standard function.
26 Entering the trigger condition initiates an update
When the trigger condition is entered and saved, a periodic alert is run. This is really the only indicator that something has been done. The alert itself is not readily traceable, since the perpetrator can delete the plan and with it the trail. Screenshot callout: trigger condition initiated the periodic alert.
27 User makes illegal login as SYSADMIN
The offending user now logs in as SYSADMIN with the password that was set (welcome123 in the demonstration).
28 Recommendations
- Conduct a thorough analysis of the system to identify SQL forms (see references), and also control the risks on master data and system setup forms.
- Review users that have access to any 2 of the following 3 risk areas: system setups, master data, transaction forms.
- If there are no system controls, there should be well-documented and closely monitored manual controls.
- System controls are recommended and should cover the following: Segregation of Duties; Change Control; System Auditing or Monitoring.
29 Best Practices
Segregation of duties
- It is not all about transaction forms. If users do not need to see data such as bank accounts, do not let them; this removes the temptation.
- Do not allow end users to have access to SQL forms. These are meant to be configured as part of the system setup, not used as a day-to-day production task.
- An overall risk assessment should highlight those with access to these areas and to SQL forms.
Change control
- Do not allow sensitive information or master data to be changed without a good change process. Master data management can be a great success to an organization, or a great risk.
- Changes to system setups such as SQL forms should be under change control.
System auditing or monitoring
- Audit key data for setups and master data.
- Review audit reports regularly to reconcile approved activity to actual activity.
- Remediate the conditions that led to any unauthorized activity.
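Slide 28's "any 2 of 3 risk areas" review and slide 29's "reconcile approved activity to actual activity" are both mechanical once the inputs are captured, and slide 22 explains why the input has to be a captured copy of the definitions rather than the live tables: a quality plan can be deleted after use. The Python below is an added example, not code from the presentation or from Oracle's GRC products. It takes a constructed list of captured Alert and Quality action definitions, reconciles every SQL- or OS-script action against a constructed change ticket list, flags definitions that were deleted after use or whose body references sensitive targets, and applies the two-of-three access rule. The table name bank_account_master is invented for the sample body; the FND_USER_PKG.UpdateUser call in the other sample body is Oracle's documented user-maintenance API, included as the kind of text such a scan should catch, since the slide does not name which package the demonstration used.

```python
from datetime import datetime

# Action types that make an Alert action or Quality plan action a "SQL form"
# entry: SQL Statement Script and Operating System Script.
SQL_FORM_ACTION_TYPES = {"S": "SQL statement script", "O": "operating system script"}

# Case-insensitive substrings whose presence in an action body warrants review.
SENSITIVE_MARKERS = ("fnd_user_pkg", "fnd_user", "bank_account", "profile_option")

# The three risk areas from slide 28.
RISK_AREAS = ("system_setup", "master_data", "transactions")


def is_sql_form_action(action):
    return action["action_type"] in SQL_FORM_ACTION_TYPES


def risk_markers(action):
    body = action["body"].lower()
    return [m for m in SENSITIVE_MARKERS if m in body]


def reconcile(actions, approvals):
    """Every SQL/OS action must trace to an approved change ticket that names it.
    Deleted definitions and sensitive targets are reported as well."""
    approved = {a["ticket"]: a for a in approvals if a["status"] == "approved"}
    findings = []
    for act in actions:
        if not is_sql_form_action(act):
            continue
        issues = []
        ticket = act.get("ticket")
        if ticket is None:
            issues.append("no change ticket")
        elif ticket not in approved:
            issues.append(f"ticket {ticket} not approved")
        elif approved[ticket]["object"] != act["name"]:
            issues.append(f"ticket {ticket} approves '{approved[ticket]['object']}', not '{act['name']}'")
        if act.get("deleted_at") is not None:
            issues.append("definition deleted after use; only the captured copy remains")
        issues.extend(f"body references {m}" for m in risk_markers(act))
        if issues:
            findings.append({"form": act["form"], "name": act["name"],
                             "created_by": act["created_by"], "issues": issues})
    return findings


def two_of_three(user_access):
    """Users holding access to any two of the three risk areas on slide 28."""
    return {user: sorted(set(areas) & set(RISK_AREAS))
            for user, areas in user_access.items()
            if len(set(areas) & set(RISK_AREAS)) >= 2}


def run_demo():
    """Constructed sample: four captured definitions, two tickets, three users."""
    t = lambda s: datetime.strptime(s, "%Y-%m-%d")
    actions = [
        {"form": "Oracle Alert", "name": "Overdue invoice reminder", "action_type": "M",
         "body": "Invoice &INVOICE_NUM is overdue", "created_by": "aclerk",
         "created_at": t("2010-02-01"), "ticket": None, "deleted_at": None},
        {"form": "Oracle Alert", "name": "Bank acct sync", "action_type": "S",
         "body": "UPDATE bank_account_master SET bank_account_num = '999000111' WHERE bank_account_id = 10",
         "created_by": "dgeryol", "created_at": t("2010-03-10"), "ticket": "CHG-118", "deleted_at": None},
        {"form": "Oracle Quality", "name": "TMP_PLAN_77", "action_type": "S",
         "body": "BEGIN fnd_user_pkg.updateuser(x_user_name => 'SYSADMIN', x_owner => 'SEED', "
                 "x_unencrypted_password => 'welcome123'); END;",
         "created_by": "dgeryol", "created_at": t("2010-03-14"), "ticket": None, "deleted_at": t("2010-03-15")},
        {"form": "Oracle Alert", "name": "Nightly audit extract", "action_type": "O",
         "body": "/opt/ebs/scripts/run_extract.sh", "created_by": "sysops",
         "created_at": t("2010-01-20"), "ticket": "CHG-120", "deleted_at": None},
    ]
    approvals = [
        {"ticket": "CHG-118", "status": "approved", "object": "Supplier aging alert"},
        {"ticket": "CHG-120", "status": "approved", "object": "Nightly audit extract"},
    ]
    user_access = {
        "dgeryol": ["system_setup", "master_data"],
        "aclerk": ["transactions"],
        "sysops": ["system_setup", "master_data", "transactions"],
    }
    return {"findings": reconcile(actions, approvals),
            "sod_conflicts": two_of_three(user_access)}


if __name__ == "__main__":
    res = run_demo()
    for f in res["findings"]:
        print(f"{f['form']} / {f['name']} (created by {f['created_by']}):")
        for issue in f["issues"]:
            print("   -", issue)
    print("two-of-three access conflicts:", res["sod_conflicts"])
```

On the sample data the message-only alert and the OS script with a matching approved ticket produce nothing, the "Bank acct sync" action is reported because its ticket approves a different object and its body touches a bank account column, and the deleted quality plan is reported on three counts: no ticket, definition gone, and a body that calls the user-password API. The point of the `deleted_at` field is the one slide 22 makes: the reconciliation must run against a log of definitions captured as they are created, not against whatever is left in the application today.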
30 Monitoring Strategies
- Record History (row WHO columns): limitations. As Scenario 1 shows, a SQL update issued from an alert or quality-plan action leaves Last Updated By and Last Update Date untouched, so row history alone cannot reveal it.
- Advanced Oracle Auditing: pros and cons
- Alerts: pros and cons
- Triggers / Logs: pros and cons
31 Q&A
Any questions that we do not get to will be addressed via email. Please send all other questions to the presenter directly. This was an actual webinar and can be replayed at the link given on the slide (Services tab, Webinars).
32 Thank You
Alfredo Pantaleon, Sr. Principal - GRC Services, KBACE, apantaleon@kbace.com (561)
Protect Your Application with Secure Coding Practices Barrie Dempster & Jason Foy JAM306 February 6, 2013 BlackBerry Security Team Approximately 120 people work within the BlackBerry Security Team Security
More informationData Security at Smart Assessor
Data Security at Smart Assessor Page 1 Contents Data Security...3 Hardware...3 Software...4 Data Backups...4 Personnel...5 Web Application Security...5 Encryption of web application traffic...5 User authentication...5
More informationCybersecurity Overview
Cybersecurity Overview DLA Energy Worldwide Energy Conference April 12, 2017 1 Enterprise Risk Management Risk Based: o Use of a risk-based approach for cyber threats with a focus on critical systems where
More informationHeads of Internal Audit Webinar. Integrated Assurance. 24 July In partnership with
Heads of Internal Audit Webinar Integrated Assurance 24 July 2013 In partnership with WELCOME TO THE WEBINAR The audio for this webcast will be broadcast via your PC speakers you do not need to dial in.
More informationEndpoint Security for Wholesale Payments
Endpoint Security for Wholesale Payments 2018 CHICAGO PAYMENTS SYMPOSIUM EMILY CARON MANAGER, FMI RISK & POLICY FEDERAL RESERVE BOARD The views expressed in this presentation are those of the speaker and
More informationBest Practices (PDshop Security Tips)
Best Practices (PDshop Security Tips) For use with all versions of PDshop Revised: 12/29/17 PDshop.com / Copyright 2002-2018 All Rights Reserved. 1 Table of Contents Table of Contents... 2 Best Practices...
More informationSaving Time Amanda McPherson, CCBIA Vice President/Internal Audit Manager Colorado East Bank & Trust
Saving Time Amanda McPherson, CCBIA Vice President/Internal Audit Manager Colorado East Bank & Trust Life before ACL GRC Life before ACL GRC Where do I start? In the beginning Dry erase board Word documents
More informationSupplies Network & CompTIA Membership and Trustmark Initiative
Supplies Network & CompTIA Membership and Trustmark Initiative Welcome & Agenda Your hosts today: Miles Jobgen, Director, Trustmarks CompTIA Sarah Custer, MPS Solutions & Equipment Managed, SuppliesNetwork
More informationSailPoint IdentityIQ Integration with the BeyondInsight Platform. Providing Complete Visibility and Auditing of Identities
SailPoint IdentityIQ Integration with the BeyondInsight Platform Providing Complete Visibility and Auditing of Identities Table of Contents Executive Summary... 3 Identity and Access Management... 5 BeyondTrust
More informationSponsored by Oracle. SANS Institute Product Review: Oracle Audit Vault. March A SANS Whitepaper. Written by: Tanya Baccam
Sponsored by Oracle SANS Institute Product Review: Oracle Audit Vault March 2012 A SANS Whitepaper Written by: Tanya Baccam Product Review: Oracle Audit Vault Page 2 Auditing Page 2 Reporting Page 4 Alerting
More informationMax Security Solutions
Max Security Solutions Max Security Solutions Proactive Risk Management What we do Max Security provides comprehensive security and risk management solutions for the business sector, private clients and
More informationIPv6 Migration Framework Case of Institutions in Ethiopia
IPv6 Migration Framework Case of Institutions in Ethiopia Kidist Mekonnen Zemen Bank, Addis Ababa, Ethiopia kidistmt@yahoo.com Taye Abdulkadir HiLCoE School of Computer Science and Technology, Addis Ababa,
More informationIntroduction To IS Auditing
Introduction To IS Auditing Instructor: Bryan McAtee, ASA, CISA Bryan McAtee & Associates - Brisbane, Australia * Course, Presenter and Delegate Introductions * Definition of Information Technology (IT)
More informationPresident's Letter. March Meeting Details: Date: Wednesday, March 15, 2006
President's Letter I hope everyone had a safe and fun Mardi Gras season. It seems strange to be writing at the beginning of March. We typically have a February meeting scheduled, so we re running a little
More informationMeeting FFIEC Meeting Regulations for Online and Mobile Banking
Meeting FFIEC Meeting Regulations for Online and Mobile Banking The benefits of a smart card based authentication that utilizes Public Key Infrastructure and additional mechanisms for authentication and
More informationCFE Exam Review Course
CFE Exam Review Course Leading Excellence in Banking BIBF plays a vital role in the training and development of human capital in the Kingdom of Bahrain. Our commitment to excellence has strengthened our
More informationPowerful PeopleSoft 9.2 Composite & Connected Query
Powerful PeopleSoft 9.2 Composite & Connected Query Session ID: 101230 Prepared by: Randall Johnson Managing Director SpearMC Consulting @SpearMC Welcome and Please: Silence Audible Devices Note Fire Exits
More informationOn Audit of FOREX Transactions
Note On Audit of FOREX Transactions ADVANCES COMPLIANCE ADVANCES- FOREIGN: Is Branch in B or C category PCs and PCFCs FBP/FBN PCs: Given against LCs/confirmed orders Whether reported in stock statements
More informationNYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017 NYDFS Cybersecurity Regulations: What do they mean? What is their impact? Gus Coldebella Principal, Boston Caroline Simons Principal, Boston Agenda 1) Overview of the new regulations 2) Assessing
More informationA Framework for Managing Crime and Fraud
A Framework for Managing Crime and Fraud ASIS International Asia Pacific Security Forum & Exhibition Macau, December 4, 2013 Torsten Wolf, CPP Head of Group Security Operations Agenda Introduction Economic
More informationFINANCIAL INFORMATION FORUM 5 Hanover Square New York, New York 10004
FINANCIAL INFORMATION FORUM 5 Hanover Square New York, New York 10004 212-422-8568 Via Electronic Delivery August 3, 2018 Mr. Vas Rajan Chief Information Security Officer ThesysCAT, LLC 1740 Broadway New
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationHow to be a Great Production DBA
How to be a Great Production DBA Because Performance Matters Presented by: Jeff Garbus CEO Soaring Eagle Consulting, Inc. About Soaring Eagle Since 1997, Soaring Eagle Consulting has been helping enterprise
More informationSupplier User Guide for AL Oracle isupplier
Supplier User Guide for AL Oracle isupplier Version Date March 2017 TABLE OF CONTENTS Table of Contents... 2 OVERVIEW - ISUPPLIER... 4 Help & Support... 4 Definitions... 4 SYSTEM LOGIN & NAVIGATION...
More information