In this practical four-day seminar, attendees will immerse themselves in a risk and compliance approach to IT auditing to protect the confidentiality, integrity and availability of information assets throughout an enterprise. We will discuss how you can use common frameworks and standards as an overall framework for planning IT audits. To help arrive at organization-specific risk and compliance IT auditing benchmarks, we will identify authoritative sources for audit program requirements associated with major US and international government and industry legislation, standards, and frameworks. We will concentrate on determining risk and compliance levels in such critical management and technical areas as IT governance, information security, operating systems, database management systems, network perimeter security, cloud computing, encryption, Internet of Things, change management and business continuity planning. The COVID-19 pandemic has resulted in many employees working from home. The transition from working in the office to working at home was abrupt with minimal time to establish a strategy for a secure telecommuting environment. We will review the short-term and long-term control challenges and establish a strategy to address the key risk areas.
You should attend because the IT environment is evolving, and this course provides a comprehensive overview of current topics of interest to auditors and practitioners.
Senior IT Auditors, Technologists and Information Security Managers and Analysts
You will learn how to perform IT risk assessments, key audit and security frameworks, IT controls, database management systems, change management, network security, cloud computing, IoT and business continuity and disaster recovery.
1. Risk Assessment and Audit Planning IT Threats, Risks and Exposures Risk Definition IT Risk Assessment IT Infrastructure Risks Dealing with Risks Information Classification IT Risk Assessment Resources
2. Audit and Security Resources COSO and GAO Green Book COBIT® IIA GTAGs NIST Cybersecurity Framework Center for Internet Security 20 Controls ISO 27001, ISO 27002 Security Standards FISMA - Federal Information Security Modernization Act DOD Checklists / STIGs European Union – General Data Protection Regulation California Consumer Privacy Act OWASP - Open Web Application Security Project Payment Card Industry (PCI) - Data Security Standard
3. Logical Security Social Media and Social Engineering User Access Controls User Identification and Authentication Authorization and User Access Controls Single Sign-On Privileged Access Monitoring Log Management / Threat Detection Distributed Applications / Middleware Virtualization / Hypervisors Vulnerability Assessments Terminations and Transfers Audit Considerations
4. Database Management Systems (DBMS) Database Management System Concepts DBMS Security Safeguards DBMS Risks and Controls SQL Injection Attacks DBMS Audit Considerations
5. Change Management Change Management Patch Management Security Configuration Management (SCM) Audit Considerations
6. Network Perimeter Security Network Security Resources Network Risk Analysis Threat and Vulnerability Management Ransomware Attacks OSI Network Protocol Model Firewalls and Perimeter Security Intrusion Detection Systems (IDS / IPS) Virtual Private Networks (VPNs) Wireless Audit Considerations
7. Cloud Computing Cloud Security Incidents What is a Cloud? Cloud Essential Characteristics Cloud Service Models Cloud Deployment Models Security Upside Security Downside Cloud Security Organizations CSA – Cloud Security Alliance FedRAMP Reviewing Contractual Agreements Right to Audit SSAE-18, SOC1, SOC2, SOC3 Reports Audit Considerations
8. Encryption … Demystified Encryption Concepts Encryption Key Management Symmetric Key Encryption Asymmetric Key Encryption Digital Signatures HTTPS / TLS Public Key Infrastructure (PKI) Certificate Authorities (CAs) Key Management Audit Steps
9. Internet of Things Defining Internet of Things / IoT Why Companies Use IoT Addressing IoT Risks, Security & Controls Code of Practice for Consumer IoT Security NIST 8228 - Considerations for Managing IoT Cybersecurity and Privacy Risks IoT Security Foundation OWASP Top 10 IoT Risks CIS 20 Controls – IoT Mapping Additional Resources & Standards
10. Business Continuity and Disaster Recovery Planning Disaster Recovery Planning (DRP) Business Continuity Planning (BCP) Business Impact Analysis (BIA) Recovery Point Objectives (RPO) Recovery Time Objectives (RTO) Application Recovery Priority Continuity Plans and Procedures
11. IT Governance Defining IT Governance IT Governance Risks IT Governance Components Information Security Governance IIA - IT Governance Audit Considerations ISACA - IT Governance Audit Considerations Information Security - Audit Considerations
12. Impact of COVID-19 on Enterprise Security Controls Identifying immediate, short-term and long-term information security risks Risks with employees and auditors working remotely from home Potential security concerns for home working environments Developing an audit plan for addressing COVID-19 security control risks
Use the table below to select the time and location that works best for you.
ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.