IT Auditing – the next steps *updated*
July 22 @ 9:00 am - July 23 @ 5:00 pm BST
One event on 14th September 2017 at 9:00am
One event on 15th March 2018 at 9:00am
One event on 27th September 2018 at 9:00am
One event on 7th March 2019 at 9:00am
One event on 22nd July 2019 at 9:00am
One event on 11th November 2019 at 9:00am
One event on 19th March 2020 at 9:00am
IT knowledge is complex, expires quickly, and developing expertise in IT auditing, beyond basics, is challenging. This course is designed to lift your understanding of IT audit to the next level. Most importantly, it will focus on what is ‘doable’ by any auditor approaching the field of IT Audit and will be driven by delegates’ interests and prior experience.
Who should attend?
Internal auditors that have attended the ‘IT Audit – Basecamp’ course or those who have equivalent knowledge.
What will I learn?
Upon completion you will be able to:
- Understand the value of hardening operating systems and operating environments and be able to review configuration, vulnerability, patch, and fix regimes;
- Deploy analytical software products, tools, and techniques to find system weaknesses or evaluate security;
- Examine and evaluate critical control processes within systems; and
- Analyse and evaluate key control architectures for data, in and between networks and for database systems.
The course is accompanied by an extensive indexed manual that has full course text, examples and practical work.
Course programme – the programme will be driven by delegates’ interests and will draw topics from the following content
The bedrock – operating systems and operating environments – preventing problems before they begin
- Hardening of key software, what should be reviewed?
- Configuring applications/services, what should be reviewed?
- Server-side applets/scripts, what should be reviewed?
- Configuring the user community, what should be reviewed?
- Vulnerability, patching and fixing systems, what should be reviewed?
- Penetration testing, what should be reviewed?
Tools and strategies for auditors – letting the software do the work
- Validation of security in systems, ways to go about it
- Verification of software version and builds, how to go about it
- Inventory, software base and licensing, how to go about it
- Is your organisation configuring best practice security? How would you know?
- Locating weaknesses in applications – tools and technique, ways to go about it
- Automated exploit testing – tools and technique, how to go about it
Networks, data control and database technologies – auditing key control structures
- The big three – confidentiality, integrity, and accountability
- Identifying data domains – domain-based planning, what should be reviewed?
- Deliver assurance between domains, what should be reviewed?
- Identifying and defining data assets and ownership, what should be reviewed?
- Reviewing the inter-domain interfaces for hazards and risks
- Determine inter-domain data asset protection requirements – define protection attributes
- Defining advanced control architectures using formal methods
- Encryption what type of encryption?
- Roles and role-based access control, what should be reviewed?
- Tokenisation, what should be reviewed?
- Biometrics – new forms of access control
- How databases function with respect to data
- Data instances, data dictionaries and thesaurus, data ACLs, what should be reviewed?
- ERP on top of databases, what should be reviewed?
- What can be audited within database systems
Presented by: Mindgrove Ltd
Duration: Two full days
All the courses in this section are created, designed and presented by the staff of Mindgrove UK.