Description
The COVID-19 pandemic has resulted in many employees working from home. The transition from working in the office to working at home was abrupt with minimal time to establish a strategy for a secure telecommuting environment. As a result, there is solid evidence of a significant increase in cyberattacks focused on employees working from home in order to penetrate enterprise networks.
During this two-day seminar we will review the short-term and long-term security and control challenges and discuss a strategy to address the key risk areas.
Audit’s charter is to assess risk and provide an independent opinion to Management and Board of Directors. Enterprise information security risks have significantly increased due to COVID-19. Should Audit alter their 2020-21 audit plans to instead address this new information security risk environment?
Specific control references to globally recognized security & control resources will be included in the discussion of control focus areas.
What You Will Learn:
- Describe and assess the top security threats and exposures caused by the COVID pandemic
- Identify key frameworks and other resources with useful information to help protect organizations
- Examine workplace dynamics impacting work from home risks and control
- Assess core IT Infrastructure controls, cloud computing, change management practices and network security protocols
- Evaluate the governance implications of the new COVID world caused by increasing work from home arrangements
Prerequisite: IT Auditing and Controls (ITG101) or IT Audit School (ITG121) or equivalent experience. Familiarity with IT technology and IT control terminology and concepts is assumed.
Advanced Preparation: None
Learning Level: Intermediate
Field: Auditing
Delivery Method: Group Live
What you will learn
- COVID-19 related security threats, risks and exposures
- Identifying immediate, short-term and long-term information security risks
- Review of recent security incidents including increased phishing, ransomware attacks and targeting home work environments
- Risks with employees and auditors working remotely from home
- Review of potential security concerns for home working environments including authentication, VPNs, encryption, computer access protection, etc.
- Risks associated with videoconferencing and file sharing tools and services
- Risk of attacks on internet facing web applications / servers
- Risk of increased employee fraud and abuse
- NIST Cybersecurity Framework
- Center for Internet Security 20 Controls
- FISMA – NIST 800-53
- OWASP - Open Web Application Security Project
- Advantages of working from home
- Risks of working from home
- Determining appropriate WFH controls
- WFH security awareness training
- Company provisioned, centrally managed PC for WFH employees
- Virtual desktop (VDI) environments
- Endpoint patch management
- Endpoint security
- Virtual Private Networks (VPNs)
- Wireless
- Determining the optimal / secure meeting option
  - Google Meet
  - GoToMeeting
  - Microsoft Teams
  - Skype (Microsoft)
  - WebEx Meetings / Teams (Cisco)
  - Zoom
  - Others
- Establishing timing baseline for returning to office locations
- Defining what the “New World” will look like
- Assessing risks with returning to office locations
- Will employees still be working from home?
- Determining long term risks
- Social media and social engineering risks
- User access risks and controls
- Authentication and authorization controls
- Addressing potential employee fraud and abuse
- Privileged access monitoring
- Log management / threat detection
- Distributed applications / middleware
- Vulnerability assessments
- Database risks and controls
- Addressing SQL injection attacks
- Change Management
- Patch Management
- Security Configuration Management (SCM)
- Network risk analysis
- Establishing network hardware / software inventory
- Ransomware attacks
- Endpoint security
- Threat and vulnerability management
- Firewalls and perimeter security
- DMZ and web server / application security
- Intrusion Detection Systems (IDS / IPS)
- Assessing cloud computing risks in the new world
- Defining IT Governance
- IT Governance risks
- IT Governance components
- Information Security Governance
- IIA - IT Governance Audit Considerations
- ISACA - IT Governance Audit Considerations