The RMC Advisors: IT

IT

02/28/2012

COSO Framework Draft Update

The Committee of Sponsoring Organizations of the Treadway Commission (COSO) recently updated its Internal Control Integrated Framework (Framework) to ensure it remains relevant in the changing business environment. A Draft for Public Exposure is currently available on COSO’s website.

Key items of the Framework have not changed in the updated version including the core definition of internal control, the three control objectives, and the five components of internal control. If your Company already has an effective internal control system, you will not need to make any significant updates under the updated Framework.

The updated Framework includes codification of the internal control concepts introduced in the original Framework. The codification occurs within the five (5) categories of control environment, risk assessment, control activities, information and communication and monitoring activities. The following is a summary of the seventeen (17) internal controls principles.

Continue reading "COSO Framework Draft Update" »

Posted at 04:27 PM in ERM - Enterprise Risk Management, Fraud Risk Management, Have You Heard?, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security | Permalink | Comments (3)

03/29/2011

Fourth Annual TRENDS Symposium – June 3, 2011

Join McKonly & Asbury on Friday, June 3, 2011 for our fourth annual TRENDS symposium focusing on accounting and audit issues for the insurance industry. The session provides 6.5 CPE credits, which includes 1 tax credit and 1 ethics credit. McKonly & Asbury is an approved continuing professional education program sponsor through the Pennsylvania State Board of Accountancy.

We have an exciting array of speakers and topics planned, based on comments we received from previous participants.

Legislative Update - Patricia Vance, Pennsylvania State Senator and member of the Pennsylvania Banking & Insurance Committee.
Insurance Department Update - Stephen Johnson, Deputy Insurance Commissioner, and David DelBiondo, Director, Bureau of Financial Examinations.
Tax Update – McKonly & Asbury Tax Group
Business/Professional Ethics – Elaine Nissley, MBA, CISA, PMP, CCSA, CRISC, Principal, McKonly & Asbury Risk Management Services Group.
Cloud Computing & Social Media: Risks and Controls - Samuel BowerCraft, MIS, CISA, Senior Manager, McKonly & Asbury Risk Management Services Group.
Reinsurance –Jane Taylor, FCAS, MAAA, JD, Consulting Actuary, Huggins Actuarial Services.
Safeguarding Confidential Data – John Dormuth, MSIM, CPCU, ARM, Account Executive, McConkey Insurance & Benefits.

Sponsored by McKonly & Asbury and McConkey Insurance & Benefits, the symposium will take place at the Radisson Penn Harris Hotel & Convention Center at 1150 Camp Hill Bypass in Camp Hill, PA on June 3rd!

Agenda and Details

June 3 (Friday)
Registration starts at 7:30am
The seminar will run from 8:00am to no later than 4:00pm.
Radisson Penn Harris Hotel & Convention Center (Camp Hill)

The cost to attend is $50, which includes a continental breakfast and lunch.

To register, please contact Erin Hench at ehench@macpas.com or by calling 717-972-5814.

Posted at 12:37 PM in About Us, ERM - Enterprise Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security, Social Media | Permalink | Comments (3)

08/16/2010

Security and Fraud Prevention Seminar

McKonly & Asbury will be hosting a Security and Fraud Prevention Seminar on Friday, September 24, 2010, at the Sheraton Harrisburg/Hershey on Lindle Road in Harrisburg, PA. The seminar will begin at 8:00am and conclude at 3:30 pm, with lunch provided at noon. There is a $35 registration fee and CPE credits are available.

At this seminar, you'll learn more about...

Current trends in cyber crime and identity theft, along with a discussion of the methods you can use to protect yourself from being a victim.
Resources available to prevent attacks on our critical infrastructure and how to report suspicious activity and crime.
The components of fraud, identification of red flags, and other fraud prevention tips related to financial institutions.
Banking fraud concerns for businesses and options for minimizing risk.
Practical security and the 10 Tips for Success.
Mortgage fraud.

Speakers include:

Scott Sutherland, Special Agent of the FBI

David Clark, Special Agent of the FBI

Julie Krause, Regional Sales Manager - Treasury Management at M&T Bank

Tom Strause, Partner with Financial Outsourcing Solutions

David Hammarberg, IT Director with McKonly & Asbury

Samuel BowerCraft, Senior Manager with McKonly & Asbury

Agenda:

8:00am - 8:30am: Registration
8:30am - 8:35am: Welcome (Scott Heintzelman, McKonly & Asbury)
8:35am - 10:00am: IT Security Topic (Scott Sutherland, FBI)
10:00am - 10:15am: Break
10:15am - 11:15am: Practical Security: 10 Tips for Success (David Hammarberg & Samuel BowerCraft, McKonly & Asbury)
11:15am - 12:00pm: Banking Fraud Concerns for Businesses (Julie Krause, M&T Bank)

12:00pm - 1:00pm: Lunch

1:00pm - 1:45pm: Financial Institution Fraud (Tom Strause, Financial Outsourcing Solutions)
1:45pm - 2:00pm: Break
2:00pm - 3:25pm: Mortgage Fraud (David Clark, FBI)
3:25pm - 3:30pm: Closing (Scott Heintzelman, McKonly & Asbury)

If you would like to register, please contact Melissa Roberson at mroberson@macpas.com or by calling 717-761-7910.

Posted at 10:11 AM in Fraud Risk Management, Internal Audit, Internal Audit & Controls, IT, Risk & Internal Controls, Security | Permalink | Comments (1)

06/08/2010

Keeping Watch & Monitoring IT

More and more new technology is released into working environments each day, whether it be intentional installations of servers and software, or unintentional releases of viruses and malware. Given all the possibilities of what might and can occur, vigilance over what is going on is more important than ever.

Historically, keeping watch has been an extremely important duty. Sentries would be placed at key locations at all hours to look for invaders, storms, fires, and friends approaching a castle. Depending on what the sentry saw, he would alert different groups of people to respond appropriately to the threat or the opportunity that was presented.

The success in these situations is to cut response times (and downtime), and improve customer satisfaction. This also helps to cut costs, as preventing major problems and attacks is almost always better than repairing the aftermath of the issue.

Today, the analogy to IT is quite similar, but the methods have changed. You can’t use a person to track all the events on a network, there are too many systems, and too many transactions per second for this to be viable. Instead, we need to take a risk based approach by putting sentries on watch at the most important areas. If we don’t, then the risk of invaders, fire, or other catastrophe increases, as does the risk that we won’t discover the problem until after it is far too late.

Step 1: The first step is to identify everything you want to monitor. Areas to consider will be specific to your business but may include: firewall and network attacks, changes to systems, changes to logical access/user access, bandwidth usage, hard drive usage, server utilization, backup tape usage, database utilization, printer usage, and/or login times.

Step 2: Identify the areas of your network that you are able to monitor. If you can track attacks on your network, that is something worth noting. If your current system cannot track attacks on your network, that is also worth noting.

Step 3: Compare the list of things you want to monitor to the things you can monitor. You now have to decide what you will be monitoring in the short term (items you want to monitor and can monitor) and make decisions about items you want to monitor in the future (those you want to monitor but cannot monitor now). Further decisions must be made on how you will monitor these items (the criteria). Monitoring hard drive space is a good idea, but how often will you check it, and what is the threshold for concern? 90% usage? 91%?

Moving ahead with monitoring of your IT investment will help to streamline and optimize your environment, and provide you with increased return on your investment (ROI). Depending on the assessment, you may find that you can use existing tools, or conversely that you need a special monitoring tool. Either way, by evaluating your environment, deciding what needs to be monitored, and posting sentries, you will be safer and better prepared for whatever may come your way.

“Never neglect details. When everyone's mind is dulled or distracted the leader must be doubly vigilant.”- Colin Powell

By: Samuel BowerCraft

Posted at 02:42 PM in ERM - Enterprise Risk Management, IT, Risk & Internal Controls, SOX | Permalink | Comments (0)

05/20/2010

Security Zen –Backing Up to Move Forward

The world of information technology is filled with information; emails, files, spreadsheets, reports, databases, pictures, websites, and more. Everywhere you look there is information that was made by and is used by us, our colleagues, our friends and family. And just as we protect our prized possessions at home by locking the front door or installing an alarm system, we need to protect the electronic data that is important to us.

Data backup is one of the easiest concepts in the information technology world; let’s make a copy! You copy the data you have to another place so that should the unthinkable happen, the primary data is altered or corrupted or deleted, you have the copy and can use it, and you can move ahead; brilliant! However, as easy as this concept is, there are some fundamental steps to take to in order to ensure you have a copy of the information when you need it.

Identify Your Data: If you don’t know what data you have, how can you know what data you should be backing up? This process takes far less time than recreating everything you lost.

Have business owners make a list of all the data sources they rely on: file folders, application data, databases, etc.
For each source, identify if you need to back it up, i.e. yes, or no.
For each item you need to backup, indicate how frequently it should be backed up. Daily? Weekly? Monthly?

Setup Your Backups: With the listing you made in step #1, you can hand the plan to the IT department and they will quickly and efficiently setup the backup system to ensure the right things are backed up. Since you included IT in step #1 for their areas, they won’t feel left out.
Backup the Data: Backups will now take place magically, but there are still items that need to happen to reduce your stress.
Confirm Successful Backups: There are two parts to this process, and frequently only the first part is done.

Part one: Check the backup software daily to see if the backup was completed and successful. This is a good start, and will catch some problems. However, as we know, sometimes computers don’t tell us everything and we discover issues later, so to be sure of the backups we do…
Part two: Check the backup media. Backups don’t really help us unless we can restore from the media (tape, CD, server, etc.). This is why it is STRONGLY encouraged that backups are tested by restoring from the media. Select a tape and see if you can pull files from it, or the database you use for your general ledger, etc. If you can’t get files from your backups, then your tapes are good for very little, save perhaps propping up a couch with a missing leg. This will also help you to check for hardware failures of your backup device.

Store Backups Somewhere Else, Securely: While it is nice to have things where they are easy to access, backup media should not reside in the same building as your datacenter or servers (in general). What happens when that building catches fire? You will lose your primary data and the copy in a glorious blaze and despair will set in. So, keep the tapes somewhere else, properly stored (not in a damp basement or with your dog’s toys) and keep them locked up where they reside. Backup tapes are good for restoring, but they also contain all your company’s information, so lock them up.

By taking these steps you will dramatically reduce the backup failures you have in your environment, helping you to have more peace of mind as you and your company move ahead.

Written by: Samuel BowerCraft

Continue reading "Security Zen –Backing Up to Move Forward" »

Posted at 11:33 AM in Internal Audit & Controls, IT, Security, SOX | Permalink | Comments (0)

04/02/2010

Breaking News in Information Security

87576588 This week there is breaking news in the world of information security that you will read about in this and 50 different blogs. It is ground-breaking stuff that will astonish and astound you, and more than likely you will read it and be amazed. AMAZED I say!

What is this revelation in the world of security? What could so many be writing about this week? It is this:

Security of information is mostly about doing the basics.

If you read 50 articles on information security, you will discover a common thread among them all: in one way or another they are talking about limiting rights, locking things up, reviewing access rights, and limiting exceptions to the rules. While this is not rocket science, it does take time to complete, and more importantly, the effort to do it.

The most surprising part is that this is not new stuff. Last week while perusing a text1, I found the following security principles regarding coding and IT: Seven Design Principles of Computer Security:

Continue reading "Breaking News in Information Security" »

Posted at 10:12 AM in ERM - Enterprise Risk Management, Internal Audit & Controls, IT, Security | Permalink | Comments (0)

02/08/2010

Security Zen – Fraud and Controls – Closing the Door

Why Worry?

When we talk about security, we talk about keeping things safe… safe from harm, safe from hurt, safe from loss. In business, this means addressing risk in many areas from many perspectives: technology, people, inventory, weather, etc. Whatever the perspective may be, we want to prevent loss in the most time effective way we can. Preventing all loss would require spending all of our time working on prevention, and not much else would get done.

Continue reading "Security Zen – Fraud and Controls – Closing the Door" »

Posted at 08:00 AM in Fraud Risk Management, IT, Security | Permalink | Comments (0)

01/25/2010

Security Zen – Excellence

The New Year is upon us and what has changed? Not too much, save the decade, some news, and the hope that Spring will be here soon and we will have some brighter weather. This is usually a time when resolutions are made to “Be more fit” or “Give more to charity” or “Call my mother more than once a month”. New eras usually bring new goals, and while these are not a bad idea, they have a tendency to not stick.

I have proposed a new resolution for my life, and will carry it forward in the blog, work, life, and every aspect I can. I challenge you to join me in my resolution. I say “challenge” because it will not be easy, it will be difficult… but it will be worth every effort and drop of sweat. Here it is:

“Do all things with excellence.”

Continue reading "Security Zen – Excellence" »

Posted at 07:10 PM in IT, Security | Permalink | Comments (0)

12/08/2009

The Secret to Secret Passwords

Let's face it, in today's busy world the last thing most people want to do is create a password that is difficult to remember or worse, difficult to type! We have plenty to do and the last thing anyone wants to do is make it harder to login.

However, no one likes having their identities stolen, either! That is exactly what happens when someone else knows your password. In my experience I have found two things to be true: one is that people in general will share their password with you at work (this is less true in recent years). The other is that no one will tell you their PIN number for their debit card! The question is this: why will a person share their work password and not their PIN number? The answer: because their money is not at work.

Continue reading "The Secret to Secret Passwords" »

Posted at 09:09 PM in IT | Permalink | Comments (1)

11/17/2009

Security Zen – Why is Security Important?

Security

Zen Aspect: Right Understanding

Understanding what Information Technology is and why it is important is, for the most part, straightforward. We have a goal, let’s use technology to achieve that goal so that we do something better and become more productive. What is needed next is to protect that asset.

Continue reading "Security Zen – Why is Security Important?" »

Posted at 10:04 PM in IT, Security | Permalink | Comments (0)

The RMC Advisors

Categories

Archives

IT