Sister CISA CISSP:

IT audit


September 24, 2008  5:36 PM

FREE Tool – Changing Local Administrator Passwords On Your Domain



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, free tools, IT audit, Security, Tools & Tricks of the Trade, Tools for Auditing and Security

I just love VBS. And I love the folks that share their tools, AND give us a nice interface AND allow us to push a report to a .csv file. So a BIG thank-you should go out to Jeffrey Hicks, who has his own site, and a helpful

September 23, 2008  3:15 PM

Host vs. Network IDS



Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, Microsoft Windows, Security, Security Devices, Tools & Tricks of the Trade

I've noticed a definite tendency for organizations to move to monitoring network traffic with their Intrusion Detection Systems. It's a lot easier than trying to update a host IDS service/agent and keeps the increased CPU at the monitor, where it belongs. Also, host agents are limited by what the...


September 19, 2008  7:37 PM

Auditing MS SQL – Roles, and Why They Matter



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database, Database security, Development, IT audit, Microsoft Windows, Security, SQL Server, Steps to an Easy Audit, Tools & Tricks of the Trade, Tools for Auditing and Security

SQL "Server" runs on top of MS Windows, and it has groups inside of it that are not seen on the Windows server or even the Windows Domain. That's why we have to check and make sure that inappropriate users don't have complete access to everything inside the database. Not everyone should be...


September 16, 2008  5:58 PM

FREE Tools for Auditing MS SQL Server



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database, Database security, free tools, IT audit, Microsoft Windows, PCI DSS, Security, SOX, SQL Server, Steps to an Easy Audit, Tools for Auditing and Security

There are a lot of really nice application tools to audit SQL databases out there. They have lots of bells and whistles and write out a really nice report with professional formatting. If you've got one of those, LUCKY YOU. But most of us Admins and Auditors have to scrounge for what we can find...


September 12, 2008  2:14 PM

Inside the Database Server – MS SQL



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Database, Database security, IT audit, Security, SQL Server, Tools for Auditing and Security

The first question to answer is: "Is the SQL system patched?" You or a DBA can confirm this inside Enterprise Manager (the software client that runs on SQL or from a remote installation of it) by right-clicking the primary database icon and selecting Properties. You can also run a query inside...


August 21, 2008  3:48 PM

How to Audit Databases: Part I



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

Databases are enormous, powerful repositories of data. They can hold payroll, HR personnel data (think social security numbers), stock prices, Accounts Receivable, Client Relationship Management, and customer information. Banks can't live without them. Most medium and many small-sized businesses...


August 19, 2008  1:20 PM

I Can Make Your Database Lie to You



Posted by: Arian Eigen Heald
Admins and Auditors, Compliance, Data Breaches, Database, Database security, DataManagement, Identity theft, IT audit, Oracle, PCI DSS, SAP, SAS 70, Security, SOX, SQL Server

So many financial auditors, CEOs, CFOs and others rely on electronic data to understand the complexities of General Ledger, Accounts Payable, etc. In this era of SAP, ADP, electronic time clocks, etc., the one common denominator is the database underlying each application. Applications...


July 17, 2008  6:56 PM

SAS 70 Reports – Section One



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

Commonly, a SAS 70 Type 1 report contains three sections, and a Type 2 has five sections. That's because a Type 2 tests the effectiveness of the controls that a Type 1 says are there. The first section, the "Independent Service Auditors' Report," is basically a letter by the service auditor (the...


July 15, 2008  6:34 PM

SAS 70 Reports – Reading What You’re Getting – From The First Page On



Posted by: Arian Eigen Heald
Admins and Auditors, IT audit, SAS 70, Security

So you have this report from the company you've outsourced a critical financial service to, and it looks like a lot of boilerplate with a chart of sorts at the end. What are all those sections for, and why should you care? First, determine that the company performing the report is a certified...


July 11, 2008  1:46 AM

"SAS 70" – It Pays to Actually READ What You're Getting



Posted by: Arian Eigen Heald
Compliance, IT audit, SAS 70, Security, SOX

When I do an audit and request that my client give me SAS 70 reports from his/her critical financial vendors, I am often amazed (or appalled) at what I get to read. My team performs about 20-25 SAS 70 Type IIs every year, and maybe 2 SAS 70 Type I exams. Why the big difference? Type II exams...

