Internal Audit Training, IT Audit Training Courses, Information Security Training - CPE Interactive

Continuing Professional Education for Audit, Assurance, & Info Security

Course Description

Many important CyberSpace controls are related to the protection of valuable information assets and increasingly demanding regulatory compliance requirements. In this highly practical workshop, you will cover the essential background information, resources, tools, and techniques necessary to plan and launch a wide range of hard-hitting, cost-effective CyberSecurity audits that should be performed by internal and external auditors, Information Security professionals, and IT staff. You will explore not only management and administrative controls, but also the fundamentals of important logical security controls for protecting valuable information assets and associated CyberSpace resources. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.

Learning Objectives

  • Gain familiarity with the major CyberSecurity drivers, including risk and regulatory compliance
  • Classify and assess the significance of common and emerging threats to CyberSecurity
  • Identify key CyberSecurity controls and how they affect the confidentiality, integrity, and availability of information assets
  • Learn to view and assess CyberSecurity controls from an architectural perspective covering administrative, physical, and technical controls

Course Outline

Building a Business Case for CyberSecurity

  • Business drivers
  • Role of the audit in the CyberSecurity cycle
  • Threats, vulnerabilities, and associated risks

Planning and Scoping CyberSecurity Audits and Follow-up Procedures

  • Using a security architecture model as a framework for CyberSecurity audits
  • Defining the scope and objectives for different types of CyberSecurity audits
  • Locating and evaluating useful public CyberSecurity baselines and checklists
  • Tools and techniques for assessing CyberSecurity controls: manual and automated
  • Practical approaches to audit corrective action plans

The CyberSecurity Organization Structure

  • Positioning CyberSecurity in the organization
  • Evaluating the effectiveness of the assignment of roles, responsibilities, and accountability related to CyberSecurity
  • Evaluating the competency and training of individuals with information responsibilities

CyberSecurity Policies and Awareness

  • Assessing policies, standards, procedures, and baseline coverage
  • Assessing the level of qualified support and involvement in policy development
  • Outsourcing and contracts, including cloud computing
  • Testing the effectiveness of CyberSecurity awareness programs

Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

  • Differentiating between BCP and DRP
  • Business impact analysis (BIA)
  • Ongoing backup, redundancy, and disaster avoidance provisions
  • Evaluating the BCP and DRP plans, and plan maintenance and testing procedures

Physical and Media Security, and Environmental Controls

  • Walkthroughs and observations of physical security and associated controls
  • Physical security, media security, and environmental controls checklist

Enterprise Security

  • Evaluating the organization’s CyberSecurity architecture and its relevance to the business and IT
  • Centralized vs. decentralized CyberSecurity administration
  • CyberSecurity through Directory services
  • Public key infrastructure (PKI)

Application Security

  • Locating key CyberSecurity control points in complex applications
  • Web application CyberSecurity
  • Benchmarks for secure design, testing, and quality assurance

Network Security*

  • Identifying CyberSecurity control points in complex networks
  • Evaluating deployment and administration of network CyberSecurity safeguards

Server Security*

  • Defining proper baselines for system CyberSecurity
  • Evaluating system CyberSecurity administration and separation of duties for servers
  • Virtualization: good news and bad news

Workstation Security*

  • Assessing desktop and mobile workstation insecurity
  • Pros and cons of bring your own device (BYOD)
  • Creative techniques for testing workstation CyberSecurity on-site and remotely

*included in 3-day course

Additional Information

Who Should Attend

Audit Management
IT Auditors
Operational Auditors
Information Security Managers, Analysts, and Architects
IT Management
IT Architects
System Administrators
Application Developers and Analysts
Compliance Officers

Learning Level






Advanced Preparation


Recommended Prerequisites

Introduction to IT Auditing (AA01) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.

Session Duration

Online: N/A

On Site: 2 or 3 days

CPE Credits: 16 or 24