Description
“This course really de-mystifies the technical aspects of IT controls and risks to a non-IT specialist.”
- Senior VP and Director of Internal Audit, Bryn Mawr Trust Company
New regulations, growing IT security threats and staff shortages challenge audit management to address the enterprise’s increasing IT risks. Hardly a week passes without headlines about another large “cyberattack” or “cyberbreach”.
During this two-day seminar we will analyze recent security breaches and use them to frame a strategy for protecting the organization’s reputation from the devastating harm such headline-making breaches cause.
This two-day seminar is designed to help audit management get up to speed on a wide range of technologies, meet the new challenges posed by technological change, and provide assurance that IT risks are being adequately addressed. Presented in straightforward language, this briefing will provide you with a comfortable working knowledge of IT terms and concepts, update you on new and emerging technologies affecting your business, and help you establish a strategic response to IT and cybersecurity risks.
Prerequisites: Fundamentals of Internal Auditing (OAG101) or equivalent experience
Advance Preparation: None
Learning Level: Intermediate
Field: Auditing
Delivery Method: Group Live
What you will learn
1. IT Risks
• update on recent security breaches
• data breach commonalities
• how hackers are hacking
• IT risk definitions
• information security objectives
• IT audit engagement strategies
• IT control categories
2. Basics of Information Technology - Battling the Buzzwords
• why learn about technology?
• defining cyberspace & cybersecurity
• Operating Systems (OS)
• mainframe & client/server technology
• middleware
• virtualization / virtual servers
• network environment
3. Logical Security Risks and Controls
• social media and social engineering
• components of access control
• user identification and authentication
• authorization and user access controls
• log management
• patch management
• vulnerability assessments
• systems administrator / privileged access
4. Network Risks and Controls
• what is a “network”?
• networking risks
• LANs & WANs
• network addressing
• encryption
• firewalls
• Intrusion Detection and Prevention Systems (IDS / IPS)
• Virtual Private Networks (VPNs)
• wireless
• cloud computing
5. Database Risks and Controls
• Database Management Systems (DBMS)
• database terminology
• database risks
• relational databases
• database audit procedures
6. IT General Controls
• change management
• business continuity / disaster recovery
• physical security
• environmental exposures
7. Auditing System Development Projects
• business risks
• getting involved … how, when, who?
• audit’s coverage
• auditing waterfall and RAD (Rapid Application Development) projects
• communicating audit’s roles and results
• audit staffing
• audit resources
8. Assessing IT Governance
• what is IT governance?
• IT governance risks
• determining the IT governance audit scope
• using COBIT® 2019 to assess IT governance
9. Audit and Control Frameworks and Standards
• IIA - Global Technology Audit Guides
• COBIT®
• ISO/IEC 27002 Security Standard
• NIST Cybersecurity Framework
• Center for Internet Security - 20 Critical Security Controls
• FISMA - Federal Information Security Modernization Act (NIST SP 800-53 controls)