
Skepticism over Clustering and Mirroring as Backup and Recovery Solutions

I recently came across a control in a client’s processes that threw up a red flag and will definitely get a bit more attention from me during our audit. The control mentioned Clustering and Mirroring as part of their Backup and Recovery solution:

Control Statement:
Data mirroring is implemented at the primary data center for backup […]
By | 2020-01-17T21:27:12+00:00 | January 29th, 2015 | Cyber Risk Management, IT Audit & Compliance | 3 Comments

Designing an Effective Information Security Training

The most vulnerable asset in any company isn’t the network or the application – it is the people. People, being the imperfect beings we are, may forget passwords, forget to lock computers, or fall victim to social engineering hacks. Studies repeatedly show that adults willingly open malicious emails, give away personal information over the […]

Advice for Taking the CISA Exam

This past December I took the ISACA CISA exam and I’m pleased to announce that last week, I got my confirmation letter stating that I passed in the top 10 percentile of fellow test takers!

With the test passed and the experience still very fresh in my mind, I felt I should take the opportunity to share my experience and any advice to […]

By | 2020-01-17T21:27:14+00:00 | January 22nd, 2015 | IT Audit & Compliance | 29 Comments

I.T. Auditors are Worthless: How to Establish Credibility with the I.T. Guy (or Gal)

“I.T. Auditors don’t know anything about I.T.” – Anonymous Client

On the first day of almost every project I have ever been involved with I have had to overcome the perception that as an “Auditor” (I prefer Consultant because I’m usually there to do a lot more than just audit) I lack any understanding of technology. From a client’s […]

By | 2020-01-17T21:27:15+00:00 | January 19th, 2015 | IT Audit & Compliance | 6 Comments

Block Unwanted Internet Traffic with a HOSTS File

One of the most common questions I am asked by my less-than-tech-savvy friends and colleagues is “How do you keep your computer from getting viruses?”

In reality, there are a lot of things you can do to avoid getting computer viruses. Perhaps the most effective is educating yourself about how viruses are actually spread and changing your browsing habits. Then there is the plethora of […]

By | 2020-01-17T21:27:15+00:00 | January 15th, 2015 | Cyber Risk Management | 4 Comments

Google’s Data Centers: Speaking of Physical and Environmental Security

My previous posts on physical and environmental security controls covered a gamut of security measures to protect data and facilities. Then I ran across this video from Google’s data center and it looks like they have more than a few of those controls in place.

BONUS: Here’s a link to Google’s presentation on “

Pen Testing: Malicious File Execution

What is a Malicious File Execution Vulnerability?

Malicious file execution vulnerabilities (also called file inclusion vulnerabilities) occur when user input or file uploads to a website are not properly handled, or when the website/web application performs poor data validation.

Web applications that are poorly designed or coded may automatically run or parse input supplied by a user. If […]

By | 2020-01-17T21:27:18+00:00 | January 8th, 2015 | Cyber Risk Management | 5 Comments