Assessing IT General Controls

On-Demand - 12 CPE

Internal and external auditors in today's complex organizations must understand information systems and be able to function within a technical environment. This on-demand class covers the information technology concepts you need in order to identify and address key IT infrastructure risks.

During this class you will examine the IT general controls that protect the confidentiality, integrity and availability of your information assets. The session concentrates on identifying risks in critical IT infrastructure areas and on the key controls that reduce those enterprise risks.

This class is designed for IT Auditors, Financial and Business Auditors, Internal and External Auditors, and Audit Management.

Topics covered in this 12-CPE class will include:

IT Risks

·      IT Risk Definition

·      Information Security Objectives

·      Data Breach Commonalities

·      Defense in Depth

·      Security & Control Resources

o  IIA Global Technology Audit Guides (GTAGs)

o  ISACA COBIT

o  NIST Cybersecurity Framework (CSF)

o  Center for Internet Security (CIS) Controls


Performing Integrated Audits

·      Defining Integrated Auditing

·      Scoping Integrated Audits

·      Business and Application Controls

·      Integrated Audits - Challenges

·      COSO Principle 11 (general control activities over technology)


IT Operations

·      IT Asset Management

·      IT Vulnerability Management

·      Incident Response Management

·      Malware / Ransomware


Access Management

·      User Identification and Authentication

·      Single Sign-On

·      Authorization Controls

·      Separation of Duties

·      Controlling Privileged Access

·      Audit Trail & Review

·      Log Management


Change, Patch & Configuration Management

·      Change Management

·      Patch Management

·      Security Configuration Management


Network Perimeter Security

·      Network Risks

·      Firewalls

·      Demilitarized Zone (DMZ)

·      Intrusion Detection / Prevention Systems

·      Protecting Sensitive Information / Encryption


Web Application Risks

·      Web Application Risks

·      Web Applications / Web Servers / DMZ

·      OWASP Top-10 Web Application Security Risks

·      Web Application Vulnerability Scanning


Cloud Computing

·      Cloud Security Incidents

·      Defining Cloud Characteristics

·      Cloud Benefits and Risks

·      Cloud Security Organizations - CSA, FedRAMP

·      Assessing Cloud Controls


Middleware, API, EDI

·      Middleware

·      API - Application Programming Interface

·      EDI - Electronic Data Interchange


Assessing Systems Development Projects

·      Software Development Risks

·      Audit's Primary Objectives

·      Staffing the Audit

·      Traditional / Waterfall Development Model

·      Agile Development Model

·      Assessing Project Management

·      Assessing System Implementation Plans

Disaster Recovery Planning

·      Business Impact Analysis (BIA)

·      Recovery Time Objective (RTO)

·      Recovery Point Objective (RPO)

·      Disaster Recovery Strategy

·      Disaster Recovery Strategy Components

NOTE: This course material is also covered in the 24-CPE Assessing IT Risks & Controls on-demand class. If you have already taken the 24-CPE Assessing IT Risks & Controls course, please see our other course offerings for new material.



Course Curriculum

·      Introduction & Objectives

·      IT Risks

·      Integrated Auditing

·      IT Operations

·      Access Management

·      Change Management

·      Networks

·      Web Application Risks

·      Cloud Computing

·      Middleware, Application Programming Interfaces, and Electronic Data Interchanges

·      Assessing Systems Development Projects

·      Disaster Recovery

·      Conclusion