Course Description
CyberSecurity controls for the protection of valuable and/or sensitive information assets are motivated by identified risks and increasingly demanding regulatory compliance requirements. This highly practical workshop will cover the essential background information, resources, tools, and techniques necessary to plan and launch cost-effective assessments of enterprise CyberSecurity programs that should be performed by internal and external auditors, CyberSecurity professionals, and IT management. You will explore how to benchmark the overall governance and management of an enterprise CyberSecurity program. Special emphasis will be placed on domestic and international legislative and industry CyberSecurity frameworks and compliance targets. You will receive a variety of invaluable checklists, matrices, and other worksheet tools.
In this seminar, we will discuss:
- Defining the two major CyberSecurity and audit drivers: risk and compliance
- Risk frameworks and models
- Compliance targets: important laws, standards and frameworks affecting CyberSecurity and IT Audit – ISO, NIST, GAO, NSA, DISA, ISACA, PCI-DSS
- Defining the scope of CyberSecurity audits: an architectural, top down approach
- Who’s steering the ship? CyberSecurity governance, management, and organizational controls
- Spreading the word: CyberSecurity policies, standards, procedures, baselines, and awareness
Learning Objectives:
- Gain familiarity with the major CyberSecurity drivers and benchmarks, including risk and regulatory compliance
- Classify and assess the significance of common and emerging threats to CyberSecurity
- Identify key CyberSecurity controls and how they affect the confidentiality, integrity, and availability of information assets
- Learn how to identify and assess enterprise CyberSecurity controls from a top-down architectural perspective
Course Outline
Building a Business Case for CyberSecurity
- Identifying business drivers and strategies for CyberSecurity
- Defining the role of the audit in an enterprise CyberSecurity program
- Threats, vulnerabilities, and associated risks to CyberSecurity
Planning and Scoping CyberSecurity Audits and Follow-up Procedures
- Using a security architecture model as a framework for CyberSecurity audits
- Defining the scope and objectives for different types of CyberSecurity audits
- Locating and evaluating useful public CyberSecurity baselines and checklists
- Tools and techniques for assessing CyberSecurity governance and management controls
- Practical approaches to audit corrective action plans
The CyberSecurity Organization Structure
- Positioning CyberSecurity in the organization
- Evaluating the effectiveness of the assignment of roles, responsibilities, and accountability related to CyberSecurity governance, management, and administration
- Evaluating the competency, training, and certification of individuals with CyberSecurity responsibilities
CyberSecurity Policies and Awareness
- Assessing governance through policies, standards, procedures, and baseline coverage
- Assessing the level of qualified support and involvement in policy development
- Outsourcing and contracts, including cloud computing
- Testing the effectiveness of CyberSecurity awareness programs
Additional Information
Who Should Attend
- Audit Management
- IT Auditors
- Operational Auditors
- Internal Control Professionals
- Information Security Professionals
Learning Level
Intermediate
Delivery
Group-Live or Group-Internet Based
Field
Auditing
Advanced Preparation
None
Recommended Prerequisites
Introduction to IT Auditing (AA01) or equivalent training. A basic understanding of IT audit controls and terminology is assumed.
Session Duration
On Site: 1 day
CPE Credits: 8