Tag Archives: uppercase

Why U Should Question Security Questions

Capital letters, security questions

Every once in a while I question security controls, and the latest one I questioned was security questions.

I’m talking about those questions that financial sites like banking and credit card sites ask you when you log in. Not the ones used to reset your password (although this post applies to them too).

No, this won’t be a rant about the stupid questions that sites give you to choose from, such as your mother’s maiden name or your favorite color. I gave up questioning those issues long ago.



Filed under Security, Security Scout

Plan to Test the Test Plan

Always test the test plan and make sure it actually tests the control or risk being assessed. And make sure the tester (especially when you are observing the tester rather than performing the test yourself) actually follows the test plan.

During a segregation of duties (SOD) test for an expense report approval system, an auditor was observing a client perform a test. The client was supposed to enter his user ID into the Approver field to demonstrate that he could not approve his own expense report.



Filed under Audit