YG Entertainment (YGE) is a company dedicated to producing and distributing video clips specializing in hip-hop music. Born in the internet era, the company has actively supported laptops and tablets, so staff can easily work remotely. They can access the company databases through the internet and provide online information to customers. This decision to support remote work has increased productivity and high morale among employees who were allowed to work up to two (2) days a week from home. Based on written procedures and a training course, employees learn security procedures to avoid the risk of unauthorized access to company data. Employees’ access to the company data includes using log-on IDs and passwords to the application server through a virtual private network (VPN). Initial passwords are assigned by the security administrator. When the employee logs on for the first time, the system forces a password change to improve confidentiality. Management is currently considering ways to improve security protection for remote access by employees. YGE ask its information system (IS) auditor to review its new VPN implementation to accommodate the increase in remote work. The auditor discovers that the organization needed to enable remote access to one of its servers for remote maintenance purposes. The firewall policy did not allow any external access to the internal systems. Therefore, it was decided to install a modem on that server and activate the remote access service to permit dial-up access. To mitigate any vulnerabilities associated with dial-up modems, a policy has been implemented to manually power the modem only when the third party requests access to the server and is powered off by the company’s system administrator when the access is no longer needed. Because more and more systems are being maintained remotely, the company asks an IS auditor to evaluate the current risk of the existing solution and propose the best strategy for addressing future connectivity requirements.

Required:

explain answer

a. When an employee notifies the company that he/she has forgotten his/her password, what should be done FIRST by the security administrator?

b. What is the MOST significant risk that the IS auditor should evaluate regarding the existing remote access practice?

c. What control may be implemented to prevent an attack on the internal network initiated through an internet VPN connection?

d. What test is MOST important for the IS auditor to perform as part of the review of dial-up access controls?