CPE: 32
Price: $2063.00
Overview
In this practical four-day seminar, attendees will immerse themselves in a risk and compliance approach to IT auditing aimed at protecting the confidentiality, integrity and availability of information assets throughout an enterprise. We will discuss how common frameworks and standards can serve as the overall structure for planning IT audits.
To help arrive at organization-specific risk and compliance IT auditing benchmarks, we will identify authoritative sources for audit program requirements associated with major US and international government and industry legislation, standards, and frameworks.
We will concentrate on determining risk and compliance levels in such critical management and technical areas as IT governance, information security, operating systems, database management systems, network perimeter security, cloud computing, encryption, Internet of Things, change management and business continuity planning.
The COVID-19 pandemic has resulted in many employees working from home. The transition from working in the office to working at home was abrupt, leaving little time to establish a strategy for a secure telecommuting environment. We will review the short-term and long-term control challenges and establish a strategy to address the key risk areas.
Who Should Attend
Senior IT Auditors, Technologists and Information Security Managers and Analysts
Prerequisites
- IT Auditing and Controls (ITG101)
- IT Audit School (ITG121) or equivalent experience. Familiarity with standard IT technologies, tools and controls is assumed.
What You’ll Learn
You will learn how to perform IT risk assessments and how to audit the areas covered in the objectives below: key audit and security frameworks, IT controls, database management systems, change management, network security, cloud computing, IoT, and business continuity and disaster recovery.
Objectives
1. Risk Assessment and Audit Planning
IT Threats, Risks and Exposures
Risk Definition
IT Risk Assessment
IT Infrastructure Risks
Dealing with Risks
Information Classification
IT Risk Assessment Resources
2. Audit and Security Resources
COSO and GAO Green Book
COBIT®
IIA GTAGs
NIST Cybersecurity Framework
Center for Internet Security (CIS) 20 Controls
ISO 27001, ISO 27002 Security Standards
FISMA - Federal Information Security Modernization Act
DOD Checklists / STIGs
European Union – General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)
OWASP - Open Web Application Security Project
Payment Card Industry Data Security Standard (PCI DSS)
3. Logical Security
Social Media and Social Engineering
User Access Controls
User Identification and Authentication
Authorization and User Access Controls
Single Sign-On
Privileged Access Monitoring
Log Management / Threat Detection
Distributed Applications / Middleware
Virtualization / Hypervisors
Vulnerability Assessments
Terminations and Transfers
Audit Considerations
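As an added illustration of the "Log Management / Threat Detection" topic in this section (example code written for this page, not course material), the following detects a brute-force pattern in authentication logs: a source address that fails repeatedly inside a short window, and the more serious case where a success from that source follows the failures. The log lines are constructed in a syslog-like SSH format for the demonstration; the threshold and window are assumptions an auditor would expect to see justified in the monitoring standard.

```python
"""Added example: brute-force and success-after-failures detection over
constructed SSH auth log lines. Not from the course or any real system."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (syslog-style sshd messages); not real data.
SAMPLE_LOG = """\
2024-03-01T08:00:01 sshd[100]: Failed password for alice from 10.0.0.5 port 5001
2024-03-01T08:00:02 sshd[101]: Failed password for alice from 10.0.0.5 port 5002
2024-03-01T08:00:03 sshd[102]: Failed password for alice from 10.0.0.5 port 5003
2024-03-01T08:00:04 sshd[103]: Failed password for bob from 10.0.0.5 port 5004
2024-03-01T08:00:05 sshd[104]: Failed password for alice from 10.0.0.5 port 5005
2024-03-01T08:00:09 sshd[105]: Accepted password for alice from 10.0.0.5 port 5006
2024-03-01T08:10:00 sshd[106]: Failed password for carol from 192.0.2.7 port 6001
2024-03-01T08:30:00 sshd[107]: Accepted password for carol from 192.0.2.7 port 6002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+$"
)


def parse(log_text):
    """Turn matching log lines into event dicts; unknown lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate unrelated lines instead of failing the run
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "ok": m["outcome"] == "Accepted",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def detect_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Alert when a source reaches `threshold` failures within `window`,
    and again if a success from that source follows while the failures
    are still inside the window. Threshold/window values are assumptions."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        failures[ev["ip"]] = recent
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append({"ip": ev["ip"], "kind": "bruteforce_attempt",
                               "at": ev["ts"]})
        elif len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "kind": "success_after_failures",
                           "user": ev["user"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample above the detector raises two alerts for 10.0.0.5 (five failures in four seconds, then an accepted login for alice) and none for 192.0.2.7, whose single failure is outside the window by the time the later success arrives. The audit question this supports is whether such a rule exists at all, where it runs, and who receives and acts on the "success after failures" case, since that is the one indicating a likely compromised account rather than mere noise.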
4. Database Management Systems (DBMS)
Database Management System Concepts
DBMS Security Safeguards
DBMS Risks and Controls
SQL Injection Attacks
DBMS Audit Considerations
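As an added illustration of the "SQL Injection Attacks" and "DBMS Security Safeguards" topics in this section (example code written for this page, not course material), the following shows a login query assembled by string formatting beside its parameterized form, run against an in-memory SQLite database. The users table, password-hash placeholders and the injection payload are constructed for the demonstration.

```python
"""Added example: string-built SQL versus a parameterized query, run on an
in-memory SQLite database. Not from the course or any real system."""
import sqlite3


def make_db():
    """Build a throwaway database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    # Placeholder hash strings; a real system stores salted password hashes.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash_of_alice_pw"), ("admin", "hash_of_admin_pw")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, pw_hash):
    """Deliberately vulnerable: caller-supplied text becomes part of the SQL."""
    sql = ("SELECT username FROM users WHERE username = '%s' AND pw_hash = '%s'"
           % (username, pw_hash))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, username, pw_hash):
    """Parameterized: values travel separately from the statement, so quote
    characters and comment markers in the input are treated as data."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row[0] if row else None


# Classic payload: closes the string literal, then '--' comments out the
# rest of the statement, so the pw_hash check never runs.
PAYLOAD = "admin' --"


def demo():
    conn = make_db()
    return {
        "vulnerable_bypassed": login_vulnerable(conn, PAYLOAD, "wrong"),
        "safe_rejects": login_safe(conn, PAYLOAD, "wrong"),
        "safe_valid": login_safe(conn, "alice", "hash_of_alice_pw"),
    }


if __name__ == "__main__":
    print(demo())
```

The vulnerable function returns "admin" for the payload with a wrong password, while the parameterized version returns no match and still authenticates a legitimate user. When auditing, the practical checks are to sample application code for queries built with %, +, format() or f-strings, confirm the application's database account has only the privileges its queries need (so an injection cannot reach other tables or administrative functions), and confirm the DBMS logs the statements it executes.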
5. Change Management
Change Management
Patch Management
Security Configuration Management (SCM)
Audit Considerations
6. Network Perimeter Security
Network Security Resources
Network Risk Analysis
Threat and Vulnerability Management
Ransomware Attacks
OSI Network Protocol Model
Firewalls and Perimeter Security
Intrusion Detection and Prevention Systems (IDS / IPS)
Virtual Private Networks (VPNs)
Wireless
Audit Considerations
7. Cloud Computing
Cloud Security Incidents
What is a Cloud?
Cloud Essential Characteristics
Cloud Service Models
Cloud Deployment Models
Security Upside
Security Downside
Cloud Security Organizations
CSA – Cloud Security Alliance
FedRAMP
Reviewing Contractual Agreements
Right to Audit
SSAE 18 and SOC 1, SOC 2, SOC 3 Reports
Audit Considerations
8. Encryption … Demystified
Encryption Concepts
Encryption Key Management
Symmetric Key Encryption
Asymmetric Key Encryption
Digital Signatures
HTTPS / TLS
Public Key Infrastructure (PKI)
Certificate Authorities (CAs)
Key Management Audit Steps
9. Internet of Things
Defining Internet of Things / IoT
Why Companies Use IoT
Addressing IoT Risks, Security & Controls
Code of Practice for Consumer IoT Security
NISTIR 8228 - Considerations for Managing IoT Cybersecurity and Privacy Risks
IoT Security Foundation
OWASP Top 10 IoT Risks
CIS 20 Controls – IoT Mapping
Additional Resources & Standards
10. Business Continuity and Disaster Recovery Planning
Disaster Recovery Planning (DRP)
Business Continuity Planning (BCP)
Business Impact Analysis (BIA)
Recovery Point Objectives (RPO)
Recovery Time Objectives (RTO)
Application Recovery Priority
Continuity Plans and Procedures
11. IT Governance
Defining IT Governance
IT Governance Risks
IT Governance Components
Information Security Governance
IIA - IT Governance Audit Considerations
ISACA - IT Governance Audit Considerations
Information Security - Audit Considerations
12. Impact of COVID-19 on Enterprise Security Controls
Identifying immediate, short-term and long-term information security risks
Risks with employees and auditors working remotely from home
Potential security concerns for home working environments
Developing an audit plan for addressing COVID-19 security control risks
Why You Should Attend
You should attend because the IT environment is evolving, and this course provides a comprehensive overview of current topics of interest to auditors and practitioners.
ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.