Course Description
CyberSecurity controls for the protection of valuable and/or sensitive information assets are motivated by identified risks and increasingly demanding regulatory compliance requirements. This highly practical workshop will cover the essential background information, resources, tools, and techniques necessary to plan and launch cost-effective assessments of enterprise CyberSecurity programs that should be performed by internal and external auditors, CyberSecurity professionals, and IT management. You will explore how to benchmark the overall governance and management of an enterprise CyberSecurity program. Special emphasis will be placed on domestic and international legislative and industry CyberSecurity frameworks and compliance targets. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.
In this seminar, we will discuss:
- Defining the two major CyberSecurity and audit drivers: risk and compliance
- Risk frameworks and models
- Compliance targets: important laws, standards and frameworks affecting CyberSecurity and IT Audit – ISO, NIST, GAO, NSA, DISA, ISACA, PCI-DSS
- Defining the scope of CyberSecurity audits: an architectural, top down approach
- Who’s steering the ship?… CyberSecurity governance, management, and organizational controls
- Spreading the word: CyberSecurity policies, standards, procedures, baselines, and awareness
Learning Objectives:
- Gain familiarity with the major CyberSecurity drivers and benchmarks, including risk and regulatory compliance
- Classify and assess the significance of common and emerging threats to CyberSecurity
- Identify key CyberSecurity controls and how they affect the confidentiality, integrity, and availability of information assets
- Learn how to identify and assess enterprise CyberSecurity controls from a top-down architectural perspective
Course Outline
Building a Risk-based Business Case for CyberSecurity
- Business drivers and strategies for cybersecurity
- Threats, vulnerabilities, and associated risks to cybersecurity
- Incident response / resiliency
Defining the CyberSecurity Technology Landscape
- Digital transformation and de-perimeterization
- Prominent technologies and associated risks: cloud, mobility, Internet of Things (IoT), supply chain
CyberSecurity Regulatory Compliance
- Compliance challenges and objectives
- Privacy and personally identifiable information (PII)
- Financial security compliance laws and standards
- Data loss prevention (DLP)
Organizing for CyberSecurity
- Defining cybersecurity strategy and senior leadership
- CyberSecurity organizational structure
- Administrative practices supporting cybersecurity
- CyberSecurity staffing and training/skills issues
Communicating CyberSecurity to the Masses
- CyberSecurity policies, standards, baselines, and procedures
- Security knowledge transfer: awareness, training, education
- Contracts and written agreements
Planning CyberSecurity Audits and Risk Assessments
- Planning and scoping the audits
- CyberSecurity/CyberAudit standards and frameworks
- Tools and techniques for conducting effective CyberSecurity audits
Wrap-up Summary
- CyberSecurity success factors
- Sources of additional information
Additional Information
Who Should Attend
- Audit Management
- IT Auditors
- Operational Auditors
- Internal Control Professionals
- Information Security Professionals
Learning Level
Intermediate
Delivery
Group-Live
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
Introduction to IT Auditing (AA01) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 1 day
CPE Credits: 8