ACL: Add a Custom View to a Table

Adding a custom view to an ACL table comes in handy when you want to 1) change the order of the fields in an ACL table, or 2) view a select number of fields.

You can add a custom view manually or via script. We’ll tackle the script version first.

This post is in response to Les’ question about reordering fields in a table.

Filed under ACL, How to...

Evaluating Risk in the Dark

When you evaluate the risk of a vulnerability, do you do it in the dark?

Or do you take into account other factors that might affect the risk?

What if one of the factors is an existing audit issue that has not been remediated?

Filed under Uncategorized

Master List of CISA Articles

To make these posts easier to find (and link to), here’s a list of all the CISA-related posts on this blog, in alphabetical order.
I’ll add other CISA posts as they are written.

Filed under Audit, Security, Technology

How to be an Irritating Auditor

If you need to read about how to be an irritating auditor, you obviously haven’t been auditing very long. According to most auditees, that quality comes with the territory, right? I hope not!

Filed under Audit, How to..., Humor/Irony

FREE CISA Glossary

ISACA has a free glossary of IT, audit, and security terms that is not only helpful in studying for the CISA exam, but is a good reference guide for new and experienced auditors.

Filed under Audit, Free, Security, Technology

UnNeighborly Security

I recently ran into some unneighborly security. It happens all the time to those of us who know how to build, upgrade, secure, and troubleshoot hardware and software.

I’m over at my neighbor’s house and he says, “Hey, you work with computers, so can you take a look at mine?”

There goes the afternoon.

Filed under Security, Security Scout, Technology

How to Audit User Access

When checking system access, make sure you look at all the different items that affect the user’s access. For example, the user might need one or more of the following:

  • Application ID
  • Application role or group
  • Membership in an Active Directory (AD) or UNIX Group
  • Access to the application’s share and/or folder on the server
  • Database ID
  • Database role, including access permissions (read/write)
  • Other permission (from a home-grown application code or enterprise identity management system)

Filed under Audit, How to..., Security, Technology

CISA vs. CIA Certification

If you’re an IT auditor (or want to be one) and don’t have any audit certifications, which certification should you get, the CISA or the CIA? If you want to get both, which one do you get first?

Full disclosure: I have the CISA, but not the CIA. Back when it was 4 exams, I studied for all the exams except the financial exam, but ended up not taking any of the exams. I also have the CISSP.

Filed under Audit, Technology

IT Admin vs. IT Auditor

IT admins and IT auditors often don’t see eye-to-eye, and they don’t usually think their goals are similar.

The IT auditor just has to work a little harder to convince the IT admin of that. I’ve worn both hats, so I know it can be done.

Filed under Audit, Security

Compare Multiple Fields with Excel vlookup (Easy)

When you need to determine whether several fields in 2 Excel documents (or tabs) match, all you need to do is combine the fields in each document into one value and then compare the 2 values using vlookup.

You could do this many ways, but if you’re new to Excel formulas, I think this way is easier to configure and understand. I’m assuming you’re familiar with the basics of Excel and vlookup already.

If you are not familiar with vlookup, you might want to review this first, as my post does not teach you vlookup, just another way to use it.

Filed under Audit, How to...

If Your Password Disappears, Look 4 it

If you enter a password into a login box and your password disappears, look for it!

I’m serious, because it happened again today. Not to me, but to my colleague.

Filed under Security, Security Scout

ACL: How to Add a Computed Field

If you’ve been wondering how to add a computed field to an existing ACL table, you’re at the right place. I’ll take you through it step-by-step.

In ACL tip: What is a Computed Field?, I defined computed fields and provided 2 examples. I suggest you read that post before you dive into this one. That post also explains expressions and functions, which you need to understand when creating computed fields. Both that post and this one are long ones, complete with graphics. You might want to print them both out first…

In this post, I’ll show you how to add the c_Region field that is described in the computed field post. It’s not as hard as it looks.

Filed under How to..., Free, ACL, Free Download

Twitter Hacked Again, Change Password

Twitter said that it was hacked again on Friday, 2/1/13, and attackers gained access to 250,000 accounts and passwords.

Twitter says the passwords were encrypted, the intrusion was limited, and everyone’s taxes are going down soon (okay, I was kidding about the last one). It’s always hard to sort out what is true and how much of the truth is told, so regardless of what Twitter says, change your password.

Filed under Security

Why U Should Question Security Questions

Every once in a while I question security controls, and the latest one I questioned was security questions.

I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).

No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or what is your favorite color. I gave up questioning those issues long ago.

Filed under Security, Security Scout

New IT Auditor Needs Help!

A new IT auditor needs some help dealing with database patching issues and how far you need to dive into technology during an IT audit.

Take a moment to read his comment and add your thoughts. I’ve put in my 2 cents. Let’s get a good discussion going.

I think any auditor can chime in, as audit scope and audit limitations are not unique to IT audit.

Dinesh’s comment appears in What IT Auditors Ought to Know – and Don’t!

Filed under Audit, How to..., Security, Technology