I consulted with a company that implemented a new GRC package, and unfortunately they are using an application designed for GRC to do audit workpapers.
That wasn’t the only move that was questionable…
Tag Archives: vendor
Don’t Use GRC app to do Workpapers!
Filed under Audit, Security, Security Scout, Technology
Vendor Provides Access, No Questions Asked
During an audit, I had a vendor provide me with access to data I shouldn’t have, no questions asked. I didn’t ask for the access, I just needed some information for my audit.
The audit involved checking some vendor software to determine whether it is patched by IT on a regular basis. I obtained from IT a screenshot of the version number of software that was installed, but needed to know the last couple of versions released by the vendor. The admin was going to send me the URL because he said I probably wouldn’t find it the info on the vendor’s site. After a couple days of waiting for the URL, I took matters into my own hands and went to the vendor’s website.
Filed under Audit, Case Files, Security, Security Scout
Top 10 Reasons NOT to Virtualize
Trend Micro’s Dave Asprey has posted 10 reasons not to virtualize.
I generally disagree with all of them (as I’ll explain later), but I think he missed the REAL #1 reason not to virtualize…
Filed under Technology, Top 10
ACL Tutorials on YouTube
Free ACL tutorials are available on YouTube, along with a lot of videos with talking heads. The tutorials walk you through how to do a couple tests, but I found the video resolution to be rather poor. Maybe it’s my equipment, maybe it’s the result of a company trying to adapt some tutorials they already have to another delivery method.
Filed under ACL, Data Analytics, Free, How to...
5 Security Steps for Non-Big Businesses
Lenny Zeltser suggest 5 steps that mid-market organizations can take down the security path:
- Identify key data flows
- Understand user interactions
- Examine the network perimeter
- Assess the servers and workstations
- Look at the applications
Filed under Security
Fun CPEs for CISSPs
Don Donzal, who created www.ethicalhacker.net and ChicagoCon (link now appears defunct), lists 10 ways for CISSPs to earn CPEs (Continuing Professional Education credits) and having fun doing it. Check out his entire article here. He wrote it in 2005, but it hasn’t aged much.
NOTE: I crossed through some of the links to now-defunct sites….remember, this was written in 2009….
ITauditSecurity 