Advanced IT Audit School

IT Audit

Overview

This course covers the building blocks of IT audit and security, including identity and access management, web-based e-commerce application threats, vulnerabilities, and standards associated with privacy issues and intellectual property concerns. It places special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and enables participants to walk away with tools, techniques, and checklists for discovering and testing web and application server security.

It also covers auditing database management systems within the context of robust but practical enterprise architecture and governance models and reviews web services and service-oriented architectures, including SOAP, ReST, SOA, and ESB. Participants will also review safeguard concepts and best practices for secure mobile and wireless applications.

Why you should take this course

For users with an intermediate knowledge of this topic, and are searching for a deeper understanding of its evolving complexities.

Here are the topics we'll cover.

  1. Identity and Access Control Management (I&ACM) Architecture

    • Fundamental Principles of Information Security
    • Making the Business case for Information security
    • Distributed computing Control and Security Risks
    • Defining an Identity and Access Management (I&AM) Architecture
    • Access control Models and Architectures
    • Security Audit Log Management ain Multi-Tiered Applications
    • TCP/IP Network Application Services Security
    • Risk Analysis
    • Enterprise Directory services
    • Client/Server and Middleware Security for Multi-Tiered Applications
    • Locating Control Points in Multi-Tiered Applications
    • Security Awareness
    • Application Security Audit

  2. Web Application Architectures

    • Web Application Control Points
    • HTTP Protocol and State Management
    • Fundamentals of Cryptography
    • Secure Sockets Layer Encryption (TLS)
    • Web 2.0
    • Web Application Security Threats and Vulnerabilities
    • Audit Checklists: Encryption, Single Sign-On
    • Security and Audit Tools

  3. Auditing Web (HTTP) Servers

    • Web Server/Application Security Control Points
    • Internet Web Servers – Present and Past
    • Configuring the Web Server
    • Web Server Security Features
    • Remote Authoring and Development
    • Web Application Firewalls and Intrusion Prevention Systems
    • Sources of Additional Information – Web Server Checklists
    • Security and Audit Checklists: Web Server/Application, Server Operating System
    • Security and Audit Tools

  4. Secure Application Design, Testing, and Audit

    • Web Application Development Technologies
    • Active Web Page Code Security: SSI, CGI, ASP, ASP.NET
    • Mobile Code Security: Java, ActiveX, VBScript, JavaScript, AJAX, Flash
    • Common Security Vulnerabilities in Application Software
    • Common Web Application Attacks
    • Secure Application Design Security and
    • Audit Checklist
    • Web Application Testing Tools

  5. Auditing Application (Middleware) Servers

    • Application/Middleware Servers
    • Microsoft .NET Framework / ASP.NET Core
    • Jakarta EE (formerly Java Platform Enterprise Edition)
    • Documentation available at docs.oracle.com)
    • Jakarta EE Application Deployment Archives
    • Supplemental Jakarta EE Information

  6. Auditing Database Management Systems

    • Managing Information
    • Program-Centric Model
    • Database Management Systems (DBMS)
    • Database Risks
    • Database Terminology
    • Hierarchical and Relational Databases
    • Database Audit Procedures
    • Database Management Systems (DBMS) Terminology
    • Structured Query Language (SQL)
    • Security Risks Associated with DBMS Systems
    • Connection and Authentication for DBMS Systems
    • User Accounts, Roles, and Privileges
    • Database Object Protection Methods: Access Control, Encryption
    • Database Audit Logging Options
    • Transaction Logs and Recoverability
    • Sample DBMS Data Collection
    • Security and Audit Checklists: DBMS
    • Sources of Security and Audit Tools
    • Bundled Stored Procedures

  7. Web Services and Service Oriented Architectures (SOA)

    • Web Services Definitions and Architectures
    • SOAP Web Services Architecture, Standards and Security
    • ReST (Representational State Transfer)
    • Service Oriented Architecture (SOA)
    • Enterprise Service Bus (ESB)
    • Web Services Security and Audit Tools
    • Web Services Security and Audit Tools

  8. Mobile Application Security and Audit

    • Mobility Maturity Assessment
    • Data Flow
    • Securing Data at Rest and in Motion
    • Securing Hosted Systems
    • Provider Contracts / Service Level Agreements
    • Risk Management
    • Information Security Policies, Organization and Human Resources
    • Asset Management
    • Containers and Containerization
    • Checklist for Secure Mobile and Wireless Application Best Practices
    • Surveying and Profiling Mobile Devices and Associated Risk
    • Key Control Points and Associated Risks in Remote Access and Mobile Applications
    • Checklist for Secure Mobile and Wireless Application Best Practices

  9. Laws and Standards Affecting IT Audit

    • Organizational Liabilities
    • Computer Fraud and Abuse Laws
    • Sarbanes-Oxley Act
    • Intellectual Property Laws
    • Electronic Commerce
    • General Data Protection Regulation (GDPR)
    • California Consumer Privacy Act (CCPA)
    • Computer Crime
    • Incident Response
    • Selected Standards: ISO, CIS
    • Selected US Information Security Laws: SOX, FISMA, HIPAA, State Laws, Others

  10. Internet of Things

    • Definition
    • Threats, Vulnerabilities, Risks
    • Audit Checklist

Learning Style

Instructor Led

Level

Advanced

Who this course is for

IT, Internal and External Auditors; IT Audit Managers, Information Security Managers, Analysts with 5+ years of experience, or those tasked with auditing web servers, application services, Database Management Systems, and enterprise architecture.

NASBA Certified CPE

32 credits

Field of Study

Auditing

Length of course

32h

Prerequisites

Network Security Essentials Intermediate IT Audit School
or equivalent experience

Advanced Preparation

None
Start Learning Today
Stay ahead of the curve and future-proof your business with training programs designed for you.
Contact Sales

Here are the learning objectives we'll cover

  • Expand knowledge of IT terminology associated with complex business applications.
  • Identify key multi-tiered application building blocks and associated risks.
  • Develop methodology to locate, document, and test control points and associated security safeguards for complex applications.
  • Expand application audit tool kit knowledge with checklists, information resources, and automated tools to improve IT application audit effectiveness and efficiency.

Attendance policy for on-site and online instructor-led training

Students are expected to arrive on time for classes with the proper materials and attitude. An overall attendance rate of 100% is expected to fully absorb the materials and to complete labs. If you have an expected absence, please email support@acilearning.com or your instructor ahead of time. The number of CPEs awarded will be equivalent to the number of hours attended.

ACI Learning is registered with NASBA

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: https://www.nasbaregistry.org/