CISA Resource - CCCURE When I studied for the CISA in 2005, I found one of the best resources in addition to ISACA training materials could be found at: http://www.cccure.org/ Here is a synopsis of available material for the CISA:

• CISA quizzes
• CISA discussion forum
• jobs and jobs discussion forum

In addition it helps the accountants who are going for the technical certification get trained in IT security, forensic IT / fraud related investigations, hacking, hardware, software, penetration testing, and much more technical framework.

Additional certifications supported on this site include the CISSP, GCWS, and other IT related certifications..

Check this site out. I credit this site with helping me pass the technical side of the CISA.

Tool to Copy the Contents of a Directory http://www.novell.com/coolsolutions/tools/14782.html This tool came in pretty handy when I wanted to develop a spreadsheet of all the files and directories on our corporate shared drive to manage our departmental records. In this day in age where electronic records and shared drives replace filing cabinets. Thought this was a great tool to pass to new employees in our department.

IT SECURITY TIP Use Google's cached mode to avoid spyware. As the network administrator at a small firm, I've been fighting spyware and spam for years. At first I had to rely on http://www.techguy.org/, which provides legitimate links to free anti-spyware programs. One day I needed one of those programs in a hurry. I did a Google search and clicked on the first link I found in the Google hit list. The link took me to a "hijacked" website. Pop-ups immediately came up on my pc. Fortunately I knew how to stop them before anything was downloaded [When a popup is showing on your desktop — don't click on it! Right click on the Windows Taskbar item and choose Close]. Since then, I never clicked on the first Google hit link again. I always use the Google "cached" link to check the link first. Source: SANS Tip of the Day

Review of Intuit's Quickbooks Vs. Microsoft new Office Accounting 2007 http://www.smallbizresource.com/document.asp?doc_id=113153 for more details Quick and dirty of this review is that MS office Accounting is cheaper and better for those who don't need handholding. However, he thinks it is too new and "raw" and can't match the level of support offered by Quickbooks. So currently for 2007 I am going to vote for Quickbooks.

Sorry for the delayed posts, but due to a job relocation from Indianapolis to Baltimore in December of 2006 I have been busy! December Jobless Claims - supplied by Vault.com Weekly Jobless Claims (Seasonally Adjusted), Week Ending 12/09 (reported 12/14) 304,000 Weekly Jobless Claims Change from Previous Week (seasonally adjusted) -20,000 Payroll Employment (Nonfarm Jobs Created or Lost), November +132,000 Unemployment Rate, November 4.5 percent

Retirement Limit Numbers 2006-2007

Qualified Retirement Plans	2006	2007
401k, 403B, SEP (pre-tax)	15,000	15,500
Over 50 Catchup	5,000	5,000
415 defined benefit plan ceiling	175,000	180,000
Combined Employer/employee limit for all defined contribution plans	44,000	45,000
Compensation Limit sxn 401, 404	220,000	225,000
Compensation Limit sxn 408, SEP, SIMPLE, IRA	220,000	225,000
SIMPLE pre-tax contribution limit	10,000	10,500
Over 50 Catchup	2,500	2,500

Reportable Fringe Benefits 2006 by Employers on the W-2 Cash - Bonus, Severance, Vacation Pay Non Cash Gifts - ex) Seasons sport tickets, gift certificates/cards that can be converted to cash, property (electronics, jewelry, etc)

Tool for Private Employers to Manage Group Health Plans The Department of Labor Employee Benefits Security Administration Website

Developing Tax Planning Worksheet I recently got a newsletter from Deloitte on Tax Planning guide for next year. It is a useful thing to read to develop the tax planning worksheet you might need. Deloitte tax guide 2007 Check it out and download it. From there, you can tweak your own practice's worksheet. Also good reading to refresh on new laws (pension act of 2006) and impact on planning next year for non taxation accountants. Has some important reading on some of the upcoming changes in laws (with the congress going from republican to democrat) and possible impacts for planning purposes. A lot of the tax cuts are temporary so it will be good information to keep clients posted - especially in the upper brackets.

IRS Adjusts Limits to Adjust for Inflation Changes on 2007 taxes - You will file it in 2008 1. The new standard deduction for married couples filing a joint income tax return will rise $400 to $10,700. 2. The deduction for singles and married individuals filing separately will go up $200 to $5,350 and for heads of household up $300 to $7,850. 3. The value of each personal and dependency exemption, available to most taxpayers, will increase $100 from the 2006 level of $3,300. 4. Tax bracket thresholds will also shift as a result of inflation. The taxable-income threshold separating the 15-percent bracket from the 25-percent bracket for a married couple filing a joint return will go from $61,300 in 2006 to $63,700. 5. Additionally the income limits to retirement savings contributions (ROTH, 401K, etc) will also rise for the first time in 2007 due to inflation.

If Travel Allowances Exceed Federal Per Deim Rates.... Revenue Ruling 2006-56 tells employers that if they routinely pay per diem allowances in excess of the federal per diem rates, but do not track the allowances and do not require the employees either to actually substantiate all the expenses or pay back the excess amounts, and do not include the excess amounts in the employee's income and wages, then the entire amount of the expense allowances is subject to income tax and employment tax.

Powerpoint Presentation Tips I went to this great blog on presentation tips. Check it out. http://connectingdots.typepad.com/ppt/

ERASE BAD ONLINE REP!!! http://www.wired.com/news/technology/0,72063-0.html This article details what to do if you have an embarrassing web presence. What was cool in high school is very uncool for when you want to get hired and your employer googles you! http://www.reputationdefender.com/ - This company will do the job inexpensively. Check it out.

Current Developments in Sarbanes Oxley WSJ - NOV 11, 2006 "Business Wins It's Battle to Ease a Costly Sarbanes-Oxley Rule" By Kara Scannel & Deborah Solomon The Mandate: "Companies must first review their own financial systems to ensure accuracy before having them tested by outside auditors" As companies are currently spending an average of $3.8 M to comply each year, this is good. With auditor fees surging 63% since SOX went into effect, this will help many companies cut a little of the cost.

CANAUDIT TRAINING - NETWORK SECURITY I attended a training on network security yesterday by Canaudit. It was quite excellent. I will be posting links to pertinent websites as I complete my own "lab" (I am going to play with some of the new tools the instructor emailed me.) and test out the audit tools. Some topics covered include: 1. Perimeter Audits - Network Security etc. 2. Database Audits - Specifically Oracle Audits 3. Windows Audits/Unix Audits 4. Mainframe Audits The training was interesting and I will definitely practice some of the skills. As far as relevance to current work - I expect to utilize it when we probably hire contractors to do the bulk of the tech work. Currently, we are not doing much with these. In my organization, do more with business type IT audits and SAS 70 reviews. Also review the Systems Development Lifecycle Reviews. On a sidebar, the mainframe audits information intrigued me a bit. I would use Wikipedia as the resource to look up what the major mainframes are. RACF, AS/400, etc.

GAO investigates Securities and Exchange Commission (SEC) Source: http://www.nytimes.com/2006/10/27/business/27sec.html?_r=5&oref=login&ref=business&pagewanted=print You will likely have to login for a free account to the NY Times but the article is quite interesting. Senator Grassley, Chairman of the Senate Finance Committee, asked the GAO to review the SEC. The GAO is the organization that investigates government agencies for Congress usually at congressional request or query. It is know as the General Accountability Office. http://www.gao.gov The GAO is reviewing the SEC's enforcement division and compliance division. “Congress needs an independent analysis of whether the institutions that are responsible for protecting investors are keeping up in a fast-changing marketplace,” Mr. Grassley said yesterday in a statement. “It’s been a long time since there’s been this kind of thorough review. The integrity of our financial markets and, in turn, the well-being of individual investors depends on checkpoints that stop insider trading and manipulation." This is occuring at the same time as an inquiry into the insider-trading case of Pequot Capital Management. PCM is a $7B Hedge Fund. Hedge funds are becoming increasingly significant in the news due to their very nature. These are large funds (minimum entrypoint for most popular funds is $1-25 Million). Hedge funds are very lightly regulated but do impact all the major world markets. Currently they control more than $1.2 Trillion in assets by NY Times numbers. More details on hedge funds at http://www.nedra.org/NEDRA%20News/NNewsSpring2003article.html

SAS 70 Audits What is it? SAS 70 is an international standard created by the AICPA for reviewing internal controls of outsourced functions at the service organization. It is beneficial to the service company to get a positive SAS 70 audit report and opinion so that they don't have to repeatedly have auditors from all their various clients reviewing their internal controls. SAS 70 is also based on an earlier standard SAS 55 and the Treadway Commission's COSO Framework. SAS 70 audits apply for executing transactions (there's a need for accountability) and also for recording transactions. There's 2 types of reports: 1. TYPE 1 - description of controls. 2. TYPE 2 - description and testing of controls, Over 6 months of data, and auditor does the testing. SAS 70 assessments provide help in articulating the controls, examining the controls' effectiveness, and also risk mitigation. SAS 70 are NOT good for finding fraud however. Exceptions are noted in the SAS 70 report and also in their opinion letter depending on severity. More Information For more information, click on any or each of the interactive links below: http://www.sas70.com/ The compliance imperative: http://www.optimizemag.com/article/showArticle.jhtml?printableArticle=true&articleId=164902258 Auditor independence and SAS No. 70: http://www.cfoeurope.com/displayStory.cfm/2569824 SAS No. 70 in the Sarbanes-Oxley era: http://www.deloitte.com/dtt/cda/doc/content/us_assur_newlandscape.pdf Long tentacles of compliance: http://www.businessfinancemag.com/magazine/archives/article.html?articleID=14449&pg=3 A contrarian view of the usefulness of SAS No. 70 reports: http://www.systemexperts.com/tutors/sas70.pdf

Sarbanes Oxley Check out the Harvard Business Review Article: "The Unexpected Benefits of Sarbanes-Oxley" by Stephen Wagner and Lee Dittmar of Deloitte, which explains how companies are earning a return on their compliance investments. Go to a local library for this article.

When are Internal Controls More Harm than Help? I am an auditor so I am always advocating strong internal control environment. It is helpful to note however, the purpose and common sense approach to it. http://fscavo.blogspot.com/2005/08/sox-insanity-takes-hold-in-it.html - It is a blog that has great reading and applicability for an auditor looking to work with difficult clients. It allows me to empathize and also become aware of the concerns that they have. I would like to write excellent audit reports and find solutions that help achieve more return than hassle for the organization.

Before you Connect! http://www.cert.org/tech_tips/before_you_plug_in.html Before you connect your computer to the Internet follow the tips above. This is the best thing to do. Trust me. Especially if you don't want your neighbor stealing your bandwith! Or worse identity theft.

Productivity via free web tools I utilize 4 websites to manage my documents: 1. http://docs.google.com/ - You can keep word/excel files online, edit them, collaborate, and even convert to PDF. Can also publish directly from there onto a webpage. Just neat! Review: LOVE IT!!! I may never buy excel/word for personal use! 2. http://www.box.net/ - You get up to 1 GB free to put files on there at all times. Equivalent of a flash drive. Review: Pretty helpful. However it is occasionally down due to traffic volume. Secondly, you have to pay money to download a whole folder of material as opposed to multiple folder uploads. So if you want to download what you put up there, it's a file by file download! I didn't care for that. It's free for a single file download. 3. http://briefcase.yahoo.com/ - Keep Any type of file there. Review: Pretty helpful so far. Just very small space for free - 30MB 4. http://mybookmarks.com/ - Maintain all your bookmarks online, export to, and import from any computers you use. Review: Love it! I had different bookmarks on 4 different computers. Got them all in one place now.

Spotting a Counterfeit Credit Card

To make sure that a Visa or MasterCard is not a counterfeit, see that: 1. The signature panel (white strip of adhesive with the card owner's signature) has Visa or MasterCard printed many times and is not plain white (indicates a counterfeit) or damaged (indicates an alteration). 2. The numbers on the signature panel slant left and match the numbers on the front of the card. 3. Under ultraviolet light, a large MC is visible on MasterCards, a large dove on Visa cards. 4. The four-digit bank identification number (BIN) must be printed below and match exactly the first four digits of the embossed number or the card has been altered or is a counterfeit. 5. Visa's embossed account numbers begin with a 4 and contain 13 or 16 digits, MasterCard's with a 5 and contain 16 digits. 6. Microprinting is printing that appears to the naked eye to be a solid line, but under a magnifying glass is very small words or letters that are very difficult to recreate with normal printing. To make sure that an American Express card is not a counterfeit, make sure that: 1. The account number on the front should match the one on the back. 2. The Centurion's head in the helmet should be printed with a high degree of clarity and detail similar to the heads portrayed on U.S. currency. 3. The signature panel should have wavy black lines and should not be plain white (indicating a counterfeit card) or smudged (altered card). 4. The card member account number should be 15 digits and should begin with 34 or 37. 5. Under black light, the AMEX should appear and the Centurion should look phosphorescent.

Compensating Controls Management Question: How do you compensate for for access control violations? Auditor Answer: a. Backups b. RAID c. Fault Tolerance d. Business Continuity Planning e. Insurance

Major Legal Systems in the World 1. Common Law — began in England — based on tradition, past practices, and legal precedents set by courts through interpretation — innocent until proven guilty — United States, United Kingdom, Australia, and Canada 2. Civil Law or Code Law — fractured into separate national systems around the time of French Revolution — guilty until proven innocent — France, Germany, Quebec 3. Socialist Legal Systems — based on concepts of economic, political and social policies of the state — communist and socialist countries 4. Islamic and other Religious Law — law of the clergy, of belief systems, religions, and secret societies — special rights to clergy over common people

Types of Biometric Scanning Systems Fingerprints: Are made up of ridge endings and bifurcations exhibited by the friction ridges and other detailed characteristics that are called minutiae. Palm Scan: The palm has creases, ridges and grooves throughout it that are unique to a specific person. Hand Geometry: The shape of a person’s hand (the length and width of the hand and fingers) measures hand geometry. Retina Scan: Scans the blood-vessel pattern of the retina on the backside of the eyeball. Iris Scan: Scan the colored portion of the eye that surrounds the pupil. Signature Dynamics: Electrical signals of speed and time that can be captured when a person writes a signature. Keyboard Dynamics: Captures the electrical signals when a person types a certain phrase. Voice Print: Distinguishing differences in people’s speech sounds and patterns. Facial Scan: Takes attributes and characteristics like bone structures, nose ridges, eye widths, forehead sizes and chin shapes into account. Hand Topology: Looks at the size and width of an individual’s hand and fingers.

Types of Incidents Source: http://www.cert.org/encyc_article/tocencyc.html#WhyCare Incidents can be broadly classified into several kinds: the probe, scan, account compromise, root compromise, packet sniffer, denial of service, exploitation of trust, malicious code, and Internet infrastructure attacks. Probe A probe is characterized by unusual attempts to gain access to a system or to discover information about the system. One example is an attempt to log in to an unused account. Probing is the electronic equivalent of testing doorknobs to find an unlocked door for easy entry. Probes are sometimes followed by a more serious security event, but they are often the result of curiosity or confusion. Scan A scan is simply a large number of probes done using an automated tool. Scans can sometimes be the result of a misconfiguration or other error, but they are often a prelude to a more directed attack on systems that the intruder has found to be vulnerable. Account Compromise An account compromise is the unauthorized use of a computer account by someone other than the account owner, without involving system-level or root-level privileges (privileges a system administrator or network manager has). An account compromise might expose the victim to serious data loss, data theft, or theft of services. The lack of root-level access means that the damage can usually be contained, but a user-level account is often an entry point for greater access to the system. Root Compromise A root compromise is similar to an account compromise, except that the account that has been compromised has special privileges on the system. The term root is derived from an account on UNIX systems that typically has unlimited, or "superuser", privileges. Intruders who succeed in a root compromise can do just about anything on the victim's system, including run their own programs, change how the system works, and hide traces of their intrusion. Packet Sniffer A packet sniffer is a program that captures data from information packets as they travel over the network. That data may include user names, passwords, and proprietary information that travels over the network in clear text. With perhaps hundreds or thousands of passwords captured by the sniffer, intruders can launch widespread attacks on systems. Installing a packet sniffer does not necessarily require privileged access. For most multi-user systems, however, the presence of a packet sniffer implies there has been a root compromise. Denial of Service The goal of denial-of-service attacks is not to gain unauthorized access to machines or data, but to prevent legitimate users of a service from using it. A denial-of-service attack can come in many forms. Attackers may "flood" a network with large volumes of data or deliberately consume a scarce or limited resource, such as process control blocks or pending network connections. They may also disrupt physical components of the network or manipulate data in transit, including encrypted data. Exploitation of Trust Computers on networks often have trust relationships with one another. For example, before executing some commands, the computer checks a set of files that specify which other computers on the network are permitted to use those commands. If attackers can forge their identity, appearing to be using the trusted computer, they may be able to gain unauthorized access to other computers. Malicious Code Malicious code is a general term for programs that, when executed, would cause undesired results on a system. Users of the system usually are not aware of the program until they discover the damage. Malicious code includes Trojan horses, viruses, and worms. Trojan horses and viruses are usually hidden in legitimate programs or files that attackers have altered to do more than what is expected. Worms are self-replicating programs that spread with no human intervention after they are started. Viruses are also self-replicating programs, but usually require some action on the part of the user to spread inadvertently to other programs or systems. These sorts of programs can lead to serious data loss, downtime, denial of service, and other types of security incidents. Internet Infrastructure Attacks These rare but serious attacks involve key components of the Internet infrastructure rather than specific systems on the Internet. Examples are network name servers, network access providers, and large archive sites on which many users depend. Widespread automated attacks can also threaten the infrastructure. Infrastructure attacks affect a large portion of the Internet and can seriously hinder the day-to-day operation of many sites.

Basic Encryption Techniques Asymmetric key-based algorithms This method uses one key to encrypt data and a different key to decrypt the same data. You have likely heard of this technique; it is sometimes called public key/private key encryption, or something to that effect. Symmetric key-based algorithms, or block-and-stream ciphers. Using these cipher types, your data is separated into chunks, and those chunks are encrypted and decrypted based on a specific key. Stream ciphers are used more predominantly than block ciphers, as the chunks are encrypted on a bit-by-bit basis. This process is much smaller and faster than encrypting larger (block) chunks of data. Hashing (creates a digital summary of a string or file) This is the most common way to store passwords on a system, as the passwords aren't really what's stored, just a hash that can't be decrypted.

Received Intuit's Lacerte tax preparation evaluation software. I hope to get it in my computer and play with it a bit and then let you guys know what I think. Tax preparation from home is something I would like to be able to do on weekends and this would be a great way to learn how to do it easily. Unfortunately each module of this software is a bit pricey so I may have to choose what type of returns I can do. I think the total business cost of the software is 10-15K. The evaluation version has the following tax library forms: 1040 - individual : Federal, All States, key Cities 1065 - Partnership: Federal, All States 1120, 1120 S Corp. - Corporation: Federal, All States Consolidated Corporation - Federal, Various States 1041 - Fiduciary: Federal, All States 706 - Estate : Federal; NY 990 - Exempt Organization: Federal, CA, IL, NY 5500 - Benefit: Federal Also obtained EA certification training materials to update me on tax changes and test my knowledge before the upcoming tax season. Currently the plan is to work under a CPA for two tax seasons then go solo.

Discussions on Lean Six Sigma is a subject applicable to large business organizations . Beginning with Lean 6. I would recommend for the novice business person to take the Six Sigma for dummies book. As my readings progress I will have more tidbits. This is an introduction on the topic. Goal is to develop a training website. But for now, I am organizing these initial tidbits and summaries on this blog. Any questions, or comments please don't hesitate to post. I will get back to you within a week as I am usually traveling for my job during the week. Lean 6 is a process improvement tool and a problem-solving method that large organizations can use and do (in the case of my workplace) to better manage the human capital. One of the main ideas of all these process improvement disciplines is that an organization becomes a learning organization. Even large organizations can regain some of the advantages of more nimbler smaller companies by improving efficiencies and checking on underutilzation of employees. (Idle capacity may be good in manufacturing, but most service-based organizations in America could use some lean.) The purpose of this method is to lower costs and increase revenue on a continuous basis. There is a focus on increasing simplicity and minimizing errors across the organization. It is a process that has extensive rigor for the organization that chooses to implement it. There is an initial cost in time and money when an organization transitions to it. There is a thorough inspection of all the business processes, standard operating procedures, and a review of every position. It then establishes objectives and measures performance to require accountability from all units. An example of what one can achieve with Sigma would be to look at my current favorite company, General Electric. The decision to implement 6 Sigma allowed them to save $7-10 billion in five years.

Now word for the week - Market Capitalization This is the word people talk about when they are speaking of large cap, mid-cap, small cap companies on the stock exchange. GE is an example of a large cap company. It is a simple term. It basically means the market value of all the outstanding shares. stock price X shares outstanding = market capitalization.

The weekend has been really great. Got in some reading. Highly recommend the book "Oracle Bones". Have begun reading it and it is giving me insight into Chinese culture - especially modern day China. Something new I have learnt through the book is that Chinese people are very diverse ethnically speaking. Anyways - it's a good read. Have begun setting up my design website this week. If any netizan wants to check it out, it is at http://reachesha.googlepages.com for now. I may move it if I actually start selling stuff to a more interesting site. Currently only have modern art oriented design prints up. I will likely start getting my jewelry photographed and then put it up online. One of my challenges is on how to photograph the jewelry well. There's going to be a learning curve for that.