IT knowledge is complex and expires quickly, and developing expertise in IT audit beyond the basics is challenging. This course is designed to lift your understanding of IT audit to the next level. Most importantly, it focuses on what is ‘doable’ by any auditor approaching the field of IT audit and is driven by delegates’ interests and prior experience.
Who should attend?
Internal auditors who have attended the ‘IT Audit – Basecamp’ course or those who have equivalent knowledge.
What will I learn?
Upon completion you will be able to:
- understand the value of hardening operating systems and operating environments and be able to review configuration, vulnerability, patch and fix regimes
- deploy analytical software products, tools and techniques to find system weaknesses or evaluate security
- analyse and evaluate critical control processes within systems
- analyse and evaluate key control architectures for data, in and between networks and for database systems.
The programme will be driven by delegates’ interests and will draw topics from the following content:
The bedrock – operating systems and operating environments – preventing problems before they begin
- hardening of key software – what should be reviewed?
- configuring applications/services – what should be reviewed?
- configuring server-side applets/scripts – what should be reviewed?
- configuring the user community – what should be reviewed?
- vulnerability, patching and fixing systems – what should be reviewed?
- penetration testing – what should be reviewed?
- possible internal-audit-led penetration tests.
Tools and strategies for auditors – letting software do the work
- validation of security in systems – ways to go about it
- verification of software version and builds – how to go about it
- inventory, software base and licensing – how to go about it
- is your organisation configuring best practice security? How would you know?
- locating weaknesses in applications, tools and techniques – ways to go about it
- automated exploit testing, tools and techniques – how to go about it.
Networks, data control and database technologies – auditing key control structures
- the big three – confidentiality, integrity and accountability
- identifying data domains, domain-based planning – what should be reviewed?
- delivering assurance between domains – what should be reviewed?
- identifying and defining data assets and ownership – what should be reviewed?
- reviewing the inter-domain interfaces for hazards and risks
- determining inter-domain data asset protection requirements – defining protection attributes
- defining advanced control architectures using formal methods
- encryption – what type of encryption?
- roles and role-based access control – what should be reviewed?
- tokenisation – what should be reviewed?
- biometrics – new forms of access control
- how databases function with respect to data
- data instances, data dictionaries and thesauri, data ACLs – what should be reviewed?
- ERP on top of databases – what should be reviewed?
- what can be audited within database systems.
CPE competency areas covered
- Business acumen
- Governance, risk and control
14 CPE points
Member: £1175 + VAT
Non-member: £1390 + VAT
SAVE £200 when you book 3 months in advance for a face-to-face course