Course Description
Many important CyberSpace controls are related to the protection of valuable information assets and increasingly demanding regulatory compliance requirements. In this highly practical and intensive workshop, you will cover the essential background information, resources, tools, and techniques necessary to plan and launch a wide range of hard-hitting, cost-effective CyberSecurity audits that should be performed by internal and external auditors, Information Security professionals, and IT staff. You will explore not only management and administrative controls, but also the fundamentals of important logical security controls for protecting valuable information assets and associated CyberSpace resources. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.
Learning Objectives
- Gain familiarity with the major CyberSecurity drivers, including risk and regulatory compliance
- Classify and assess the significance of common and emerging threats to CyberSecurity
- Identify key CyberSecurity controls and how they affect the confidentiality, integrity, and availability of information assets
- Learn to view and assess CyberSecurity controls from an architectural perspective covering administrative, physical, and technical controls
Course Outline
Building a Business Case for CyberSecurity
- Defining Cybersecurity
- Business Drivers and Strategies for Cybersecurity
- Defining the CyberSecurity/Information Technology Landscape
CyberSecurity Risks and Compliance
- Defining the Elements of Risk Management
- CyberSecurity Risks to Your Enterprise
- CyberSecurity Risk Analysis
- CyberSecurity Risk Frameworks
- Information Classification
- Notable CyberSecurity Incidents and…Lessons Learned
- CyberSecurity Regulatory Compliance
Governance of CyberSecurity
- Defining CyberSecurity Strategy
- CyberSecurity Organizational Structure
- CyberSecurity Governance
- Administrative Controls Supporting CyberSecurity
- CyberSecurity Policies
- CyberSecurity in Contracts and Agreements
- Security Knowledge Transfer: Awareness, Training, Education
Operational CyberSecurity Controls
- Remote Access and Virtual Private Networks
- Configuration, Change, and Problem Management
- Intrusion Detection/Prevention Systems (IDS/IPS)
- Incident Response
- Business Continuity Planning (BCP)/Disaster Recovery Planning (DRP)
Enterprise CyberSecurity Controls
- Enterprise Identity and Access Control Management
- Directory Services
- Cryptography and Public Key Infrastructure Controls (PKI)
- Enterprise Mobility Management (EMM)
- Web Application Security
- Systems Development Life Cycle (SDLC) Management, including DevOps and DevSecOps
Planning and Scoping CyberSecurity Audits and Follow-up Procedures
- Using a security architecture model as a framework for CyberSecurity audits
- Defining the scope and objectives for different types of CyberSecurity audits
- Locating and evaluating useful public CyberSecurity baselines and checklists
- Tools and techniques for assessing CyberSecurity controls
- Practical approaches to audit corrective action plans
Communicating to Senior Management
- Effectively Communicating CyberSecurity Risks to Senior Management
- CyberSecurity Metrics
- Board of Directors – A Dozen CyberSecurity Guideposts
Additional Information
Who Should Attend
Audit Management
IT Auditors
Operational Auditors
Information Security Managers, Analysts, and Architects
IT Management
IT Architects
System Administrators
Application Developers and Analysts
Compliance Officers
Consultants
Learning Level
Intermediate
Delivery
Group-Live
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
Introduction to IT Auditing (AA01)
or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 3 days
CPE Credits: 24