INTRODUCTION

Given the importance and sensitivity of computer systems and the environments they operate in, it is extremely important to keep them safe and to prevent any unwanted intrusion, whether physical or logical. This is the purpose of operational security: security applied to both the logical and the physical operation of a system. This work covers several areas of the discipline.

I. PHYSICAL SECURITY

Physical security is a series of measures designed to deny physical access to a building, area or information to unauthorized personnel. It is also defined as the guidance on how to design structures to withstand hostile attacks. Physical security can be as simple as a door secured with a padlock or as elaborate as multiple barriers, armed guards or biometric access.

Security entails costs and can never really be perfect or complete; in other words, security can reduce the risks but cannot completely eliminate them. Bearing in mind that controls are imperfect, physical security applies the principle of defense in depth with appropriate combinations of overlapping and complementary controls. Controls on physical access to protected facilities are usually intended to:
- deter potential intruders (e.g., warning signs and perimeter markings);
- distinguish authorized personnel from unauthorized (for example, the use of pass cards, badges and keys);
- delay, thwart and prevent intrusion attempts (e.g., strong walls, locks, doors and safes);
- detect, monitor and record intrusions (e.g., intrusion alarms and closed-circuit television systems); and
- give appropriate responses to incidents (for example, security guards and police).

Security engineering identifies the following elements of physical security:
- obstacles to frustrate trivial attacks and delay serious ones;
- detection systems, such as monitoring, alarms, guards, cameras, etc., so that attacks are noticed;
- a security response to repel, catch or frustrate the attacks that are detected.
In a well-designed system, these features complement each other. There are four layers of physical security:
- design of the environment;
- mechanical and electronic access control;
- intrusion detection (with appropriate response procedures);
- identification of staff (authentication).

There are many options to consider and there is no ideal solution that satisfies a broad class of situations, as each situation is unique. The goal of physical security is to convince potential attackers that the likely cost of an attack exceeds the value of carrying it out, i.e., that the consequences of an attack clearly outweigh the gain. The combination of security features in layers establishes the presence of territoriality.

The initial layer of security for a campus, building, office or physical space is crime prevention through environmental design, which deters threats. Some of the most common examples are also the most basic: warning signs, fences, vehicle barriers, vehicle height limits, restricted access points and lighting.

Access control includes doors and locks. Locks become a problem in large user communities, forcing the adoption of electronic access control. Electronic access control easily handles large numbers of users, controlling individual users by life cycle, dates and access points. For example, a user's access rights could allow access from 7:00 a.m. to 7:00 p.m. from Monday to Friday and expire in 90 days. Another form of access control is the use of policies, processes and procedures to manage entry into the restricted zone. An example of this is the deployment of security personnel who check for authorized entry at designated points. This form of access control is usually supplemented with the earlier forms of access control (i.e., mechanical and electronic access control) or with simple devices such as physical passes.

The next layer is composed of alarms or intrusion detection systems. It is less a preventive measure and more a trigger of response. Intrusion detection has a high incidence of false alarms.

The last layer is composed of video surveillance systems. Security cameras can be a deterrent in many cases, but their real power comes from verification of incidents and historical analysis. For example, if an alarm is triggered and there is a camera, the camera can be used to verify the alarm. In cases where an attack has occurred and there is a camera, the recorded video can be reviewed. Although closed-circuit television systems are common, they are fast becoming obsolete as more video systems use transmission over networks. Advances in information technology are transforming video systems through video analysis. For example, once an image is digitized it can be turned into data that sophisticated algorithms can process. As the speed and accuracy of automated analysis increase, a video system could move from a tracking system to an intrusion detection or access control system.

II. ACCESS CONTROLS

Access control refers to exercising control over who can interact with a resource. Often, but not always, this implies an authority that performs the control. The resource can be a particular building, a group of buildings or an information system.

Access control is, in fact, an everyday phenomenon. A lock on a vehicle door is essentially a form of access control. A PIN at a bank ATM is another means of access control. Having access control is of paramount importance when people try to protect important, confidential or sensitive information and equipment.

In computer security, access control includes authentication, authorization and auditing. It also includes measures such as physical devices (biometric scanners, locks and metal bolts), hidden routes, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.

In any access control model, the entities that can carry out actions in the system are called subjects, and the entities representing the resources to which access may need to be controlled are called objects. Subjects and objects should both be considered as software entities rather than as human users: a human user can only have an effect on the system through the software entities they control. Although some systems equate subjects with the user ID, so that all processes started by a user have the same authority by default, this level of control is not specific enough to satisfy the principle of least privilege, and is arguably responsible for the prevalence of malware in such systems.

The access control models used by current systems tend to fall into one of two classes: those based on capabilities and those based on access control lists. In a capability-based model, holding a reference or capability to an object is what grants access to the object; access is passed to a third party by transmitting that capability over a secure channel. In an access-control-list model, a subject's access to an object depends on whether its identity appears in a list associated with the object; access is granted by editing the list.

Access control systems provide the essential services of identification and authentication, authorization and accountability, where:
- identification and authentication determine who can log in to a system, and the association of users with the software subjects they are able to control as a result of logging in;
- authorization determines what a subject can do;
- accountability identifies what a subject (or all subjects associated with a user) did.

Authorization determines what a subject can do in the system. Most modern operating systems define sets of permissions that are variations or extensions of three basic types of access:
- Read: the subject can read the contents of a file or list the contents of a directory.
- Write: the subject can change the contents of a file or directory by adding, creating, deleting or renaming.
- Run (execute): if the file is a program, the subject can run that program.

Accountability uses system components such as records and logs to associate a subject with its actions. The recorded information must be sufficient to map the subject to a controlling user. Records are important for:
- detecting security breaches;
- reconstructing security incidents.

III. BIOMETRICS

Biometrics is the automatic recognition of individuals based on their biological and behavioral characteristics. Examples of biometric traits include fingerprint, face, iris, palm, retina, hand geometry and voice. Biometric recognition forms a strong bond between a person and their identity, since biometric traits cannot easily be shared, lost or duplicated. Therefore biometric recognition is intrinsically more resistant to social engineering attacks (e.g., phishing) and superior to the two conventional methods of recognition, i.e., passwords and tokens. Because biometric recognition requires the user to be present at the time of authentication, it can also deter users from making false repudiation claims. Due to these characteristics, biometric recognition has been widely recognized as a natural, reliable and irreplaceable component of any identity management system. Biometrics is increasingly integrated into the authentication of many security applications that require precise and reliable answers to the following questions: "Is this person who they claim to be?", "Who is this person?" and "Is this person on a watch list?". Note that, in order to answer these questions, the identity of the person is assumed to have already been created or established.

A biometric system is a computer system that implements biometric recognition algorithms. A typical biometric system consists of sensing, feature extraction and comparison. Biometric sensors (e.g., a fingerprint sensor) capture or scan the biometric traits of an individual to produce a digital representation. A quality check is usually performed to ensure that the acquired biometric sample is reliable. The feature extraction module discards unnecessary and unrelated information from the acquired sample and extracts the relevant, discriminatory information, called features, that is usually used for matching. The biometric sample is then matched against the information stored in the database to establish the identity associated with the query.

Generally speaking, a biometric system has two stages of operation: enrollment and recognition. Enrollment refers to the phase in which the system stores certain biometric reference information about the person in a database. This reference information may be in the form of a template (features extracted from the biometric sample, or the parameters of a mathematical model that best characterizes the learned features) or the biometric sample itself (for example, the face or fingerprint image). In many applications, some data about the person (name, ID, etc.) is also stored together with the biometric reference. When no personal identification information is available (for example, latent traces of an unknown person taken from a crime scene), the reference is usually labelled with a system-generated identifier for future recognition. In the recognition stage, the system analyzes the user's biometric traits, extracts features, and compares them with the biometric reference information stored in the database. A high similarity score between the query and the reference data results in the identification of the user.

IV. SOCIAL ENGINEERING

Social engineering is the set of psychological techniques and social skills used, consciously and often, to obtain information from third parties. The basic objective of social engineering is to gain unauthorized access to systems and to their information in order to commit fraud, intrude into the network, carry out industrial espionage or identity theft, or simply disrupt the system or network. Typical targets include telephone companies and answering services, corporations and financial institutions, military and government agencies, and hospitals.

It is difficult to find good real-life examples of social engineering attacks. Targeted organizations either do not want to admit that they have been victims (after all, admitting a fundamental security violation is not only embarrassing, it can damage the reputation of the organization), or the attack was not well documented, so that no one is really sure whether there was a social engineering attack or not.

Organizations are attacked through social engineering because it is an easier way to gain illicit access than other, more technical ones. Even for technicians, it is often much easier simply to pick up the phone and ask someone for their password. And many times, that is what a hacker will do.

Social engineering attacks are carried out at two levels: the physical and the psychological. First, we focus on the physical environment of these attacks: the workplace, the phone, the garbage, and even online. In the workplace, the hacker can just walk through the door, as in the movies, pretending to be a maintenance worker or a consultant who has access to the organization. The intruder then walks through the office until he or she finds some passwords lying around, and leaves the building with enough information to exploit the network from home later that night. Another technique for obtaining authentication information is to be there and watch an employee type their password.

Hackers teach social engineering from a psychological perspective, with an emphasis on how to create the perfect environment for the psychological attack. The basic methods of persuasion are: impersonation, compliments, conformity, diffusion of responsibility and friendship. Regardless of the method used, the main objective is to convince the person who holds the information that the social engineer is someone they can trust and to whom sensitive information can be disclosed. It is important never to ask for too much information at once.

Impersonation generally means creating some kind of character and playing the role. The simpler the role, the better. Sometimes this could mean simply calling and saying: "Hello, I am Joseph from technical support and I need your password". Other times, the hacker will study a real person in an organization and wait until that person is out of town to impersonate them over the phone.

V. DISASTER RECOVERY

Disaster recovery and business continuity planning are processes that help organizations prepare for disruptive events; such events could include a hurricane or, simply, a power outage caused by a backhoe in the parking lot. The participation of CSOs in this process can vary from overseeing the plan, to providing information and support, to putting the plan into action during an emergency.

Disaster recovery is the process of resuming activities after a destructive event. The event can be something very big, such as an earthquake or the terrorist attacks on the World Trade Center, or something small, like a malfunction caused by a computer virus.

Given the human tendency to look on the bright side, many business executives are likely to ignore "disaster recovery", because a disaster appears to be an unlikely case. "Business continuity planning" suggests a more comprehensive approach to ensuring that the company can keep making money, not only after a natural disaster but also in the case of smaller interruptions, including the illness or departure of key employees, the associated supply chain problems, or other challenges that companies face from time to time.

The details can vary widely depending on the size and scope of a company and its way of doing business. For some companies, issues such as supply chain logistics are the most important and are the focus of the plan. For others, information technology may play a more central role, and the BC/DR plan may focus more on the recovery of systems. For example, the plan of a global manufacturing company might restore the critical mainframe with its vital data at a backup site within four to six days of a harmful event, obtain a mobile switching unit with 3,000 phones within two days, recover the company's more than 1,000 local area networks according to business need, and establish a temporary call center for 100 staff in a nearby training centre.

As IT systems have become increasingly critical to the proper functioning of a company, and arguably of the economy as a whole, the importance of ensuring the continuity of operation of those systems, or their quick recovery, has increased. It is estimated that the largest companies spend between 2% and 4% of their IT budget on disaster recovery planning, in order to avoid larger losses in the event that the company cannot continue working due to the loss of data and IT infrastructure. Of the companies that suffered a significant loss of business data, 43% never reopen, close to 51% close within two years, and only 6% survive in the long term.

As a result, preparation for the continuation or recovery of systems should be taken very seriously. This implies a significant investment of time and money in order to ensure minimal losses in the case of a destructive event.

Classification of disasters

Disasters can be classified into two broad categories. The first is natural disasters such as floods, hurricanes, tornadoes or earthquakes. Whereas preventing a natural disaster is very difficult, measures such as good planning, including mitigation measures, can help to reduce or avoid losses. The second category is man-made disasters. These include hazardous material spills, infrastructure failure, or bioterrorism. In these cases, monitoring and mitigation planning are invaluable in avoiding or reducing losses from these events.

Control measures in the recovery plan

Control measures are measures or mechanisms that can reduce or eliminate various threats to organizations. The different types of measures can be included in the BCP/DRP.

Disaster recovery planning is a subset of a broader process known as business continuity planning and should include planning for the resumption of applications, data, hardware, communications (such as networking) and other IT infrastructure. A business continuity plan (BCP) includes planning for non-IT aspects such as key personnel, facilities, crisis communication and reputation protection, and should refer to the disaster recovery plan (DRP) for IT-related infrastructure recovery and continuity. This article focuses on planning for the IT disaster recovery infrastructure. The types of measures are:
1. Preventive measures - these controls are intended to prevent an event from occurring.
2. Detective measures - these controls are aimed at detecting or discovering unwanted events.
3. Corrective measures - these controls are intended to correct or restore the system after a disaster or an event.
These controls must always be documented and tested regularly.

Strategies

Before selecting a disaster recovery strategy, a disaster recovery planner should refer to the organization's business continuity plan, which should indicate the key metrics of Recovery Point Objective (RPO) and Recovery Time Objective (RTO) for the various business processes (for example, running payroll, generating an order, etc.). The metrics established for the business processes should then be mapped to the underlying IT systems and infrastructure that support those processes. Once the RTO and RPO parameters have been mapped to the IT infrastructure, the DR planner can determine the most appropriate recovery strategy for each system. An important note here, however, is that the business ultimately sets the IT budget, and therefore the RTO and RPO metrics have to fit within the available budget. Although most business unit heads would like zero data loss and zero time loss, the cost associated with that level of protection can make the desired high-availability solutions impractical.

VI. ADMINISTRATION OF PRIVILEGES

The term "system administrator" can also be used to describe a security privilege that is assigned to a user or users of a given computer, server, network or other IT system. The system administrator level of access allows the user to access and carry out high-level system configuration functions.

This level of user privilege is more commonly known within a computer or IT system as "Administrator" (without the adjective "system"). It may also be called superuser or root. For example, a machine may have a user called "Administrator" or "root" which has a sufficient security level to install software or to give other users access to the system. Alternatively, a user of a system can be assigned to an "Administrators" group, whose membership gives them the same privileges as the administrator user. These users can be referred to as system administrators, though this refers only to the system privilege level rather than the job function. For security reasons, the name of the administrator user or security administrators group is often changed locally to make it less easy to guess, in order to reduce the vulnerability of the system to access by hackers.

A superadministrator has unlimited access to the system administrator's control panel and can carry out all administrator actions. Administrators with restricted access can perform all the actions that appear on the control panel screens for which they have authorization.

A systems manager, systems administrator, sysadmin or administrator is a person employed to maintain and operate a computer system and/or network. System administrators may be members of an information technology (IT) department or of an electronics and communication engineering department.

The duties of a system administrator are wide-ranging and vary greatly from one organization to another. System administrators are usually charged with installing, supporting and maintaining servers or other computer systems, and with planning for and responding to service outages and other problems. Other tasks may include scripting or light programming, project management for systems-related projects, supervising or training computer operators, and being the consultant for computer problems beyond the knowledge of technical support staff. To carry out their work well, a system administrator must demonstrate a mixture of technical skill and responsibility.

Many organizations staff other jobs related to system administration. In a larger company these can all be separate positions within a computer support or information services (IS) department. In a smaller group they may be shared by a few sysadmins, or even a single person.
- A database administrator (DBA) maintains a database system and is responsible for the integrity of the data and the efficiency and performance of the system.
- A network administrator maintains the network infrastructure, such as switches and routers, and diagnoses problems with these or with the behavior of networked computers.
- A security administrator is a specialist in computer and network security, including the administration of general security devices such as firewalls, as well as consulting on security measures.
- A web administrator maintains web server services (such as Apache or IIS) that allow access to internal or external web sites. Tasks include managing multiple sites, administering security, and configuring the necessary components and software. Responsibilities may also include software change management.
- Technical support staff respond to individual users' difficulties with computer systems, give instructions and sometimes training, and diagnose and solve common problems.
- A computer operator performs routine maintenance and upkeep, such as changing backup tapes or replacing failed drives in a RAID. These tasks often require physical presence in the room with the computer, and while less skilled than sysadmin tasks, they require a similar level of trust, since the operator may have access to sensitive data.
- A mail administrator is the administrator of a mail server.
In some organizations, a person may begin as a member of the technical support staff or as a computer operator, then gain work experience to be promoted to a system administrator position.

VII. AUDITS

The general definition of an audit is the evaluation of a person, organization, system, process, company, project or product. The term commonly refers to accounting audits, but there are also similar concepts in project management, quality management, and water and energy conservation management.

Auditors of financial statements can be classified into two categories:
- An external auditor / statutory auditor is an independent firm hired by the client subject to audit to express an opinion on whether the company's financial statements are free of significant errors, whether due to fraud or error. For companies listed on a stock exchange, the external auditors may also be required to express an opinion on the effectiveness of internal controls over financial reporting. External auditors may also be hired to perform other agreed-upon procedures, related or not to the financial statements. Most importantly, external auditors, although engaged and paid by the company being audited, are regarded as independent auditors. The most widely used external standards are the US GAAS (NAGA EE.UU.) of the American Institute of Certified Public Accountants and the International Standards on Auditing (ISA), developed by the International Auditing and Assurance Standards Board of the International Federation of Accountants.
- Internal auditors are employed by the organization they audit. They carry out various audit procedures, relating mainly to the effectiveness of the company's internal controls over financial reporting. Due to the requirements of section 404 of the Sarbanes-Oxley Act of 2002 for management to also assess the effectiveness of its internal controls over financial reporting (as also required by the external auditor), internal auditors are used to make this assessment. Although internal auditors are not considered independent of the company for which they carry out audit procedures, the internal auditors of listed companies are required to report directly to the Board of Directors, or to a sub-committee of the Board, and not to management, in order to reduce the risk that internal auditors will be pressured to produce favourable evaluations. The most commonly used internal auditing standards are those of the Institute of Internal Auditors.

Consultant auditors are external staff hired by the company to carry out an audit following the company's auditing standards. This differs from the external auditor, who follows their own auditing standards. The level of independence is therefore somewhere between the internal auditor and the external auditor. The consultant auditor can work independently or as part of an audit team that includes internal auditors. Consultant auditors are used when the company lacks sufficient expertise to audit certain areas, or simply to augment staff when staff are not available.

Quality auditors can be consultants or employed by the organization. Quality audits are carried out to verify compliance with standards through the review of objective evidence. A system of quality audits can verify the effectiveness of a quality management system. This is part of certifications such as ISO 9001. Quality audits are essential to verify the existence of objective evidence showing compliance with the required processes, to assess how successfully the processes have been implemented, to judge the effectiveness of achieving the defined target levels, and to provide evidence on the reduction and elimination of problem areas; they are a hands-on management tool for achieving continuous improvement in an organization. To benefit the organization, quality auditing should not only report non-conformances and corrective actions, but also highlight areas of good practice and provide evidence of conformity. In this way, other departments may share information and amend their working practices as a result, also contributing to continuous improvement.

Computer auditing is a process carried out by specially trained professionals that consists of gathering and evaluating evidence to determine whether a computer system safeguards the business's information assets, maintains data integrity, achieves the organization's goals effectively, uses resources efficiently, and complies with established laws and regulations. It is used to detect the systematic use of resources and the flow of information within an organization, and to determine what information is critical to the fulfilment of its mission and objectives, identifying needs, duplication, cost, value and the barriers that impede efficient information flows.

The audit consists mainly of studying the control mechanisms implemented in the company or organization, determining whether they are appropriate and meet certain goals or strategies, and establishing the changes that should be made to achieve them. Control mechanisms can be managerial, preventive, detective, corrective, or oriented to recovery from a contingency. The objectives of a computer audit are:
- analysis of the efficiency of the computing systems;
- verification of compliance with the regulations in this field;
- review of the effective management of computing resources.

Computer auditing serves to improve certain characteristics of the company, such as: performance, reliability, effectiveness, profitability, security and privacy. It can usually be carried out in one or a combination of the following areas:
- corporate governance;
- systems life cycle management;
- service delivery and support;
- safety and protection;
- continuity and disaster recovery plans.

The need for standard guidelines and tools for carrying out IT audits has promoted the creation and development of best practices such as COBIT, ITIL and COSO. Currently the ISACA certification CISA (Certified Information Systems Auditor) is one of the most recognized and best backed by international certification standards; its selection process consists of a fairly extensive initial examination and the need to stay up to date by accumulating hours (points) so as not to lose the certification.

VIII. REMOVABLE DEVICES

Handheld USB devices have been a blessing for anyone who wants to carry information from one PC to another, but their ease of use has also created a new type of headache for security teams. The recent explosion in sales of devices such as USB drives, iPods and PDAs means, reports say, that they are a common sight in most offices.

Where is the danger in an iPod, one might ask. Surely the most offensive thing about an iPod is the often unreliable choice of music that comes out of it? But if we take into account that these small portable media devices can just as easily be used to remove customers' confidential files, a clear threat lies behind the bright chrome exterior. So what steps do companies take to protect themselves against the risks associated with these devices?

The greatest threat to the integrity of a company's IT security is not a sinister hacker trying to break into the corporate network, but employees and partners with easy access to business information. With removable media devices such as MP3 players, digital cameras and PDAs common in enterprises, their uncontrolled use carries a number of risks, from the simple nuisance factor of the network being used to store personal files and the risks associated with software theft, to the consequences of a deliberate attack on the network. A storage device is also an easy way for malware to propagate within the network: a user can unknowingly infect the network with a virus transferred from their home PC via a device.

It is a worrying fact that around 80% of computer security incidents occur within an organization, and yet it is estimated that 80% of security spending still goes to perimeter defenses such as firewalls, antivirus, intrusion detection and content filtering. Companies need a formal monitoring mechanism in place in order to protect critical databases and business systems from data theft and the theft of intellectual property.

Suppose you decide to prohibit USB devices. This is a difficult proposition, and there is no foolproof method. Windows 2003 can lock access to the USB port, but, critically, this also locks out USB keyboards, mice and other legitimate USB devices in use, a move that may not be popular with employees. Disabling USB ports is therefore not enough, and it is not the answer, since it inevitably has an adverse effect on business productivity and flexibility. It is important to have an acceptable use policy (AUP) instead, so that employees are aware of what they can and cannot use in the workplace.

CONCLUSIONS

In this work we learned about different components and elements of operational security, such as physical security, access control and privilege management, among others. We have also learned about their importance at both the business and the personal level. Every computer system must have sufficient security to be operational; otherwise it would be exposed to serious hazards that can cause major damage.
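The electronic access control rule described in section I (access allowed 7:00 a.m. to 7:00 p.m., Monday to Friday, credential expiring after 90 days, restricted to certain access points) can be evaluated as follows. This is an added example, not code from the original paper; the rule structure, the badge and door names, and the log-line format are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Weekday numbers follow datetime.weekday(): Monday = 0 ... Sunday = 6.
WEEKDAYS = frozenset(range(0, 5))


@dataclass(frozen=True)
class AccessRule:
    """One credential's electronic access-control rule (constructed model)."""
    badge_id: str
    start: time                 # first minute of the permitted daily window
    end: time                   # end of the window, exclusive
    days: frozenset             # permitted weekdays
    issued: datetime            # when the credential was issued
    valid_days: int             # life cycle: the credential expires after this many days
    access_points: frozenset    # doors/readers this credential may open

    def expires_at(self) -> datetime:
        return self.issued + timedelta(days=self.valid_days)


def evaluate(rule: AccessRule, access_point: str, when: datetime):
    """Decide a single badge presentation. Returns (granted, reason).

    The reason is the first failing condition, so a reviewer reading the log
    sees why the reader denied entry without re-running the policy.
    """
    if access_point not in rule.access_points:
        return False, "access point not authorized for this credential"
    if when >= rule.expires_at():
        return False, "credential expired"
    if when.weekday() not in rule.days:
        return False, "outside permitted days"
    if not (rule.start <= when.time() < rule.end):
        return False, "outside permitted hours"
    return True, "granted"


def audit_line(rule: AccessRule, access_point: str, when: datetime) -> str:
    """Render the decision as a log line so incidents can be verified later."""
    granted, reason = evaluate(rule, access_point, when)
    verdict = "GRANT" if granted else "DENY"
    return f"{when.isoformat()} badge={rule.badge_id} door={access_point} {verdict} {reason}"


# Constructed contractor credential: 07:00-19:00, Monday to Friday, 90-day life.
CONTRACTOR = AccessRule(
    badge_id="B-1042",
    start=time(7, 0),
    end=time(19, 0),
    days=WEEKDAYS,
    issued=datetime(2024, 1, 8),          # a Monday
    valid_days=90,
    access_points=frozenset({"lobby-east", "floor-3"}),
)

# Constructed presentations covering each branch of the policy.
ATTEMPTS = [
    ("lobby-east", datetime(2024, 1, 9, 10, 0)),    # Tuesday, inside the window
    ("lobby-east", datetime(2024, 1, 13, 10, 0)),   # Saturday
    ("lobby-east", datetime(2024, 1, 9, 19, 0)),    # 19:00 is outside (end is exclusive)
    ("server-room", datetime(2024, 1, 9, 10, 0)),   # door not on the credential
    ("lobby-east", datetime(2024, 4, 8, 10, 0)),    # day 91: expired
]


def demo_decisions():
    """Reasons returned for each constructed attempt, in order."""
    return [evaluate(CONTRACTOR, door, when)[1] for door, when in ATTEMPTS]


if __name__ == "__main__":
    for door, when in ATTEMPTS:
        print(audit_line(CONTRACTOR, door, when))
```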
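Section II contrasts access-control-list models (access depends on the subject's identity being in a list attached to the object) with capability models (holding a reference is what grants access, and access is delegated by passing that reference), and it notes that accountability records must map a subject back to its controlling user. The following added example, not taken from the paper, implements both models over the read/write/execute permissions described there; the subject, user and object names are constructed.

```python
import secrets
from enum import Flag, auto


class Perm(Flag):
    READ = auto()       # read a file or list a directory
    WRITE = auto()      # add, create, delete or rename
    EXECUTE = auto()    # run the file if it is a program


class AclModel:
    """Access control lists: each object carries a map of subject -> permissions."""

    def __init__(self):
        self.acl = {}   # object -> {subject: Perm}
        self.log = []   # accountability records: (subject, user, object, perm, granted)

    def grant(self, obj, subject, perm):
        """Access is granted by editing the list attached to the object."""
        entry = self.acl.setdefault(obj, {})
        entry[subject] = entry.get(subject, Perm(0)) | perm

    def revoke(self, obj, subject):
        self.acl.get(obj, {}).pop(subject, None)

    def access(self, subject, user, obj, perm):
        held = self.acl.get(obj, {}).get(subject, Perm(0))
        granted = perm in held
        # Subject (e.g. a process) and its controlling user are both recorded.
        self.log.append((subject, user, obj, perm, granted))
        return granted


class CapabilityModel:
    """Capabilities: possession of an unguessable token for an object grants access."""

    def __init__(self):
        self.caps = {}  # token -> (object, Perm)
        self.log = []

    def mint(self, obj, perm):
        # The token stands in for the capability reference; it must travel
        # over a secure channel because anyone holding it has the access.
        token = secrets.token_hex(16)
        self.caps[token] = (obj, perm)
        return token

    def delegate(self, token, perm):
        """Hand access to a third party, possibly attenuated, never amplified."""
        obj, held = self.caps[token]
        if perm not in held:
            raise ValueError("cannot delegate more rights than the capability holds")
        return self.mint(obj, perm)

    def access(self, subject, user, token, perm):
        obj, held = self.caps.get(token, (None, Perm(0)))
        granted = obj is not None and perm in held
        self.log.append((subject, user, obj, perm, granted))
        return granted


def who_touched(log, obj):
    """Incident reconstruction: which users acted on an object, and with what result."""
    return [(user, perm.name, granted) for (_, user, o, perm, granted) in log if o == obj]


if __name__ == "__main__":
    acl = AclModel()
    acl.grant("payroll.db", "pid-101", Perm.READ | Perm.WRITE)
    print(acl.access("pid-101", "alice", "payroll.db", Perm.WRITE))   # True
    print(acl.access("pid-202", "bob", "payroll.db", Perm.READ))      # False
    print(who_touched(acl.log, "payroll.db"))

    cap = CapabilityModel()
    rw = cap.mint("report.txt", Perm.READ | Perm.WRITE)
    ro = cap.delegate(rw, Perm.READ)                                  # attenuated copy
    print(cap.access("pid-9", "carol", ro, Perm.WRITE))               # False
```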
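Section III describes a biometric system as sensing with a quality check, feature extraction, and comparison, operating in an enrollment stage and a recognition stage that answers three questions: verification ("Is this person who they claim to be?"), identification ("Who is this person?") and watch-list screening. The following added example, which is not the paper's code, models that pipeline on constructed numeric "samples"; the mean-centering feature extractor and the cosine-similarity matcher are simplifications standing in for real algorithms, and the threshold and identities are assumed values.

```python
import math


def extract_features(sample):
    """Stand-in for a feature extractor: discard the constant offset of the raw
    measurements (uninformative for matching) and keep their shape."""
    mean = sum(sample) / len(sample)
    return [x - mean for x in sample]


def similarity(a, b):
    """Cosine similarity in [-1, 1]; 0.0 if either template is degenerate."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(x * x for x in b))
    if na == 0 or nb == 0:
        return 0.0
    return dot / (na * nb)


class BiometricSystem:
    def __init__(self, threshold=0.9, min_quality=0.5):
        self.threshold = threshold       # similarity needed to declare a match
        self.min_quality = min_quality   # quality check applied at acquisition
        self.references = {}             # identity -> (template, personal data)
        self.watchlist = set()
        self._unknown = 0

    def enroll(self, sample, quality, identity=None, record=None):
        """Enrollment: store a template, labelled with the person's identity or,
        when none is known (e.g. a latent trace), a system-generated label."""
        if quality < self.min_quality:
            raise ValueError("sample failed the quality check; re-acquire")
        if identity is None:
            self._unknown += 1
            identity = f"unknown-{self._unknown:04d}"
        self.references[identity] = (extract_features(sample), record)
        return identity

    def verify(self, claimed_identity, sample):
        """1:1 recognition. Returns (accepted, score)."""
        if claimed_identity not in self.references:
            return False, 0.0
        template, _ = self.references[claimed_identity]
        score = similarity(template, extract_features(sample))
        return score >= self.threshold, score

    def identify(self, sample):
        """1:N recognition. Returns (identity or None, best score)."""
        query = extract_features(sample)
        best_id, best = None, -1.0
        for identity, (template, _) in self.references.items():
            score = similarity(template, query)
            if score > best:
                best_id, best = identity, score
        return (best_id if best >= self.threshold else None), best

    def on_watchlist(self, sample):
        """Screening: identify, then check the label against the watch list."""
        identity, _ = self.identify(sample)
        return identity is not None and identity in self.watchlist


# Constructed raw "samples" (four measurements each), not real biometric data.
ALICE = [1.0, 2.0, 3.0, 4.0]
BOB = [4.0, 3.0, 2.0, 1.0]
ALICE_AGAIN = [1.1, 2.0, 3.0, 3.9]   # noisy re-acquisition of Alice
FLAT = [2.0, 2.0, 2.0, 2.0]          # degenerate sample: no discriminative shape
TRACE = [2.0, 1.0, 4.0, 3.0]         # trace with no personal data attached
TRACE_AGAIN = [2.1, 1.0, 4.0, 2.9]


def build_demo_system():
    bio = BiometricSystem()
    bio.enroll(ALICE, quality=0.9, identity="alice", record={"name": "Alice"})
    bio.enroll(BOB, quality=0.8, identity="bob", record={"name": "Bob"})
    label = bio.enroll(TRACE, quality=0.7)      # system-generated label
    bio.watchlist.add(label)
    return bio


if __name__ == "__main__":
    bio = build_demo_system()
    print(bio.verify("alice", ALICE_AGAIN))      # (True, ~0.9998)
    print(bio.identify(ALICE_AGAIN))             # ('alice', ~0.9998)
    print(bio.identify(FLAT))                    # (None, 0.0)
    print(bio.on_watchlist(TRACE_AGAIN))         # True
```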
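The "Strategies" part of section V describes a procedure: take RPO/RTO metrics per business process from the business continuity plan, map them onto the IT systems that support each process, pick the most appropriate recovery strategy per system, and check that the result fits the budget the business allows. The following added example, not from the paper, carries that procedure through on constructed processes, systems, strategies and costs; a system inherits the tightest objective of any process that depends on it.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Strategy:
    name: str
    rpo_hours: float     # worst-case data loss the strategy bounds (backup interval)
    rto_hours: float     # time needed to bring the system back
    annual_cost: float


@dataclass(frozen=True)
class Process:
    name: str
    rpo_hours: float     # from the business continuity plan
    rto_hours: float
    systems: tuple       # IT systems the process depends on


def system_requirements(processes):
    """Map process-level RPO/RTO onto supporting systems. A shared system
    must satisfy the tightest (smallest) objective among its processes."""
    reqs = {}
    for p in processes:
        for system in p.systems:
            rpo, rto = reqs.get(system, (float("inf"), float("inf")))
            reqs[system] = (min(rpo, p.rpo_hours), min(rto, p.rto_hours))
    return reqs


def cheapest_strategy(rpo, rto, strategies):
    """Least expensive strategy that meets both objectives, or None."""
    fitting = [s for s in strategies if s.rpo_hours <= rpo and s.rto_hours <= rto]
    return min(fitting, key=lambda s: s.annual_cost) if fitting else None


def plan(processes, strategies, budget):
    """Select a strategy per system and report what does not fit."""
    chosen, unmet, total = {}, [], 0.0
    for system, (rpo, rto) in sorted(system_requirements(processes).items()):
        strategy = cheapest_strategy(rpo, rto, strategies)
        if strategy is None:
            unmet.append(system)          # objective unreachable with known strategies
        else:
            chosen[system] = strategy.name
            total += strategy.annual_cost
    return {
        "strategies": chosen,
        "unmet": unmet,
        "total_cost": total,
        "within_budget": total <= budget,
    }


# Constructed catalogue of recovery strategies (names and costs are illustrative).
STRATEGIES = [
    Strategy("weekly-offsite-tape", rpo_hours=168, rto_hours=72, annual_cost=5_000),
    Strategy("nightly-backup-secondary-site", rpo_hours=24, rto_hours=8, annual_cost=20_000),
    Strategy("async-replication", rpo_hours=1, rto_hours=2, annual_cost=60_000),
    Strategy("sync-hot-standby", rpo_hours=0, rto_hours=0.25, annual_cost=150_000),
]

# Constructed business processes, echoing the paper's examples (payroll, orders).
PROCESSES = [
    Process("run payroll", rpo_hours=24, rto_hours=24, systems=("hr-db", "file-server")),
    Process("generate an order", rpo_hours=1, rto_hours=4, systems=("erp", "file-server")),
    Process("archive lookup", rpo_hours=168, rto_hours=72, systems=("archive",)),
    Process("real-time quotes", rpo_hours=0, rto_hours=0.1, systems=("quote-engine",)),
]


def demo_plan(budget=120_000):
    return plan(PROCESSES, STRATEGIES, budget)


if __name__ == "__main__":
    result = demo_plan()
    for system, name in result["strategies"].items():
        print(f"{system:14s} -> {name}")
    print("unmet:", result["unmet"])
    print("total:", result["total_cost"], "within budget:", result["within_budget"])
```

The "unmet" list is the point to take back to the business: either a strategy beyond the catalogue is needed or the objective must be relaxed, and "within_budget" is the check that the selected RTO/RPO targets fit the budget the business has set.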