Re: Where is the head and tail?



First thing is you need to learn the basic concepts of finance, as you are
dealing with this kind of application, hence the risk factor is very
high. Once you have a grasp of the subject you can go for code
review and auditing.

On 2/27/07, Harshal Mehta <mehtaharshal@xxxxxxxxx> wrote:
Hi Wali,



> How should I start? Well, I can start to outline Change Management
> procedures that would be followed. Segregation of duties between various
> levels of developers, quality assurance, app admin etc. That's generic.

I suggest you should understand the basic working of the application.
It's not required to have a full understanding of the accounting or
finance. You should just have a fair knowledge of the flow of the
information.
Then you can start with the listing of the security procedures like:

Change Management - How changes are made, who all are authorized to
make the changes, who reviews the changes, is there a fall back
procedure for the changes made, whether records are maintained for the
changes made and so on.
Backup Management - How regularly backup is taken, who is
responsible for backup, type of backup, where the backup is stored.
Privilege Management - What privilege levels are defined, are they
required for the daily operations, privilege access matrix.

> Then what? I am a novice when it comes to accounting and finance. Should I
> define workflows within dept. of accounting? Should I sit with accountants
> and other users and get deep into various things they do and then look
> deeply inside each module of this finance application in order to study
> General Ledgers, Journal Vouchers, Accounts receivables/payables etc. That
> would take months!!

Then you can start with the real application audit, checking for:

Administrative privileges
Logging
Database vulnerabilities

A detailed understanding of the subject is not required, but you should
have knowledge of the critical information and the threats to it. Then
you can design a checklist which will help you in auditing the
application.

I think this would help.



Harshal Mehta

Information Security Analyst
ISO 27001 IA CEH cVa ITIL
NII Consulting
Mobile: +91 9819066601
Website: www.niiconsulting.com

---------------------------------------------------------------------------
This list is sponsored by: BigFix

If your IT fails, you're out of business - or worse. Arm your
enterprise with BigFix, the single converged IT security and operations
engine. BigFix enables continuous discovery, assessment, remediation,
and enforcement for complex and distributed IT environments in real-time
from a single console.
Think what's next. Think BigFix.

http://ad.doubleclick.net/clk;82309979;15562032;o?http://www.bigfix.com/ITNext/
---------------------------------------------------------------------------




--
---------------------------------------
http://www.secgeeks.com
get a blog on secgeeks :)
register here:-
http://secgeeks.com/user/register
rss feeds :-
http://secgeeks.com/node/feed
Submit you security articles,send them to secgeek@xxxxxxxxxxxx

http://www.newskicks.com
Submit and kick for new stories from all around the world.
---------------------------------------
