Advanced IT Audit School
Overview
This course covers the building blocks of IT audit and security, including identity and access management, web-based e-commerce application threats, vulnerabilities, and standards associated with privacy issues and intellectual property concerns. It places special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and enables participants to walk away with tools, techniques, and checklists for discovering and testing web and application server security.
It also covers auditing database management systems within the context of robust but practical enterprise architecture and governance models and reviews web services and service-oriented architectures, including SOAP, ReST, SOA, and ESB. Participants will also review safeguard concepts and best practices for secure mobile and wireless applications.
Why you should take this course
For participants with intermediate knowledge of IT audit and security who want a deeper understanding of its evolving complexities.
Here are the topics we'll cover.
Identity and Access Control Management (I&ACM) Architecture
- Fundamental Principles of Information Security
- Making the Business case for Information security
- Distributed computing Control and Security Risks
- Defining an Identity and Access Management (I&AM) Architecture
- Access control Models and Architectures
- Security Audit Log Management in Multi-Tiered Applications
- TCP/IP Network Application Services Security
- Risk Analysis
- Enterprise Directory services
- Client/Server and Middleware Security for Multi-Tiered Applications
- Locating Control Points in Multi-Tiered Applications
- Security Awareness
- Application Security Audit
Web Application Architectures
- Web Application Control Points
- HTTP Protocol and State Management
- Fundamentals of Cryptography
- Transport Layer Security (TLS) Encryption (successor to Secure Sockets Layer, SSL)
- Web 2.0
- Web Application Security Threats and Vulnerabilities
- Audit Checklists: Encryption, Single Sign-On
- Security and Audit Tools
Auditing Web (HTTP) Servers
- Web Server/Application Security Control Points
- Internet Web Servers – Present and Past
- Configuring the Web Server
- Web Server Security Features
- Remote Authoring and Development
- Web Application Firewalls and Intrusion Prevention Systems
- Sources of Additional Information – Web Server Checklists
- Security and Audit Checklists: Web Server/Application, Server Operating System
- Security and Audit Tools
Secure Application Design, Testing, and Audit
- Web Application Development Technologies
- Active Web Page Code Security: SSI, CGI, ASP, ASP.NET
- Mobile Code Security: Java, ActiveX, VBScript, JavaScript, AJAX, Flash
- Common Security Vulnerabilities in Application Software
- Common Web Application Attacks
- Secure Application Design Security and Audit Checklist
- Web Application Testing Tools
Auditing Application (Middleware) Servers
- Application/Middleware Servers
- Microsoft .NET Framework / ASP.NET Core
- Jakarta EE (formerly Java Platform, Enterprise Edition; documentation available at docs.oracle.com)
- Jakarta EE Application Deployment Archives
- Supplemental Jakarta EE Information
Auditing Database Management Systems
- Managing Information
- Program-Centric Model
- Database Management Systems (DBMS)
- Database Risks
- Database Terminology
- Hierarchical and Relational Databases
- Database Audit Procedures
- Database Management Systems (DBMS) Terminology
- Structured Query Language (SQL)
- Security Risks Associated with DBMS Systems
- Connection and Authentication for DBMS Systems
- User Accounts, Roles, and Privileges
- Database Object Protection Methods: Access Control, Encryption
- Database Audit Logging Options
- Transaction Logs and Recoverability
- Sample DBMS Data Collection
- Security and Audit Checklists: DBMS
- Sources of Security and Audit Tools
- Bundled Stored Procedures
Web Services and Service Oriented Architectures (SOA)
- Web Services Definitions and Architectures
- SOAP Web Services Architecture, Standards and Security
- ReST (Representational State Transfer)
- Service Oriented Architecture (SOA)
- Enterprise Service Bus (ESB)
- Web Services Security and Audit Tools
Mobile Application Security and Audit
- Mobility Maturity Assessment
- Data Flow
- Securing Data at Rest and in Motion
- Securing Hosted Systems
- Provider Contracts / Service Level Agreements
- Risk Management
- Information Security Policies, Organization and Human Resources
- Asset Management
- Containers and Containerization
- Checklist for Secure Mobile and Wireless Application Best Practices
- Surveying and Profiling Mobile Devices and Associated Risk
- Key Control Points and Associated Risks in Remote Access and Mobile Applications
Laws and Standards Affecting IT Audit
- Organizational Liabilities
- Computer Fraud and Abuse Laws
- Sarbanes-Oxley Act
- Intellectual Property Laws
- Electronic Commerce
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Computer Crime
- Incident Response
- Selected Standards: ISO, CIS
- Selected US Information Security Laws: SOX, FISMA, HIPAA, State Laws, Others
Internet of Things
- Definition
- Threats, Vulnerabilities, Risks
- Audit Checklist
Here are the learning objectives we'll cover.
- Expand knowledge of IT terminology associated with complex business applications.
- Identify key multi-tiered application building blocks and associated risks.
- Develop methodology to locate, document, and test control points and associated security safeguards for complex applications.
- Expand application audit tool kit knowledge with checklists, information resources, and automated tools to improve IT application audit effectiveness and efficiency.