Introduction
- Trainers
- Purpose of this course and applicability
- Audience
- Internal Audit in the Organizational Structure
- Auditors’ Authorities
- A Sample Best Practice
Information Systems Governance
- Information Systems Governance Components
- Information Systems Strategic Planning
- Information Systems Governance Structures
- Key Governance Roles and Responsibilities
- Information Systems Committees
- Information Systems Policy and Guidance
- Documentation
- Ongoing Monitoring
- Information Systems Governance Challenges and Keys to Success
Portfolios, Projects, and Operations
System Development Life Cycle
- Initiation Phase
- Development/Acquisition Phase
- Implementation Phase
- Operations/Maintenance Phase
- Disposal Phase
- Security Activities within the SDLC
Awareness and Training
- Awareness and Training Policy
- Components: Awareness, Training, Education, and Certification
- Awareness
- Training
- Education
- Certification
- Designing, Developing, and Implementing an Awareness and Training Program
- Designing an Awareness and Training Program
- Developing an Awareness and Training Program
- Implementing an Awareness and Training Program
- Monitoring Compliance
- Evaluation and Feedback
- Managing Change
- Program Success Indicators
- Incident Management
Performance Measures and SLA (internal / vendor)
- Metric Types
- Metrics Development and Implementation Approach
- Metrics Program Implementation
Information Technology Contingency Planning
- Step 1: Develop Contingency Planning Policy Statement
- Step 2: Conduct Business Impact Analysis
- Step 3: Identify Preventive Controls
- Step 4: Develop Recovery Strategies
- Step 5: Develop IT Contingency Plan
- Step 6: Plan Testing, Training, and Exercises
- Step 7: Plan Maintenance
Risk Management
- Step 1 – System Characterization
- Step 2 – Threat Identification
- Step 3 – Vulnerability Identification
- Step 4 – Risk Analysis
- Control Analysis
- Likelihood Determination
- Impact Analysis
- Risk Determination
- Step 5 – Control Recommendations
- Step 6 – Results Documentation
- Risk Mitigation
- Evaluation and Assessment
Security Violations
Incident Response
- Preparing for Incident Response
- Preparing to Collect Incident Data
- Preventing Incidents
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
- Knowledge Management
- SLA and Monitoring
Change Management
- Change Initiation
- Change CAB Approval
- Change Plan
- Change Impact Analysis
- Change Resources
- Change Rollback Plan
- Emergency Change
- Change Finalization
- Retrospective Change
Configuration Management
- CMDB
- Baseline
- Configuration Changes
- Configuration Management Process
Procurement and Asset Management
Business Continuity Management
Network
- Boundaries of the Organization Digital Structure
- Physical Boundaries and Security
- Firewall
- IDS/ IPS
- IP Ranges
- Access
- Log / Audit Trail
- Settings
- Server Room
- Spare Management
Application
- Responsibilities of Access Grantors
- Credentials Propagation
- Levels of Access
- View of Pages
- View/ Edit/ Delete of Categories
- View/ Edit/ Delete of Sub-Categories
- Requesting Access
- Access Review
- Access Revoke
- Code Hardening
- Maintenance
- Versioning
- Patch
- User Friendly Design
Operating Systems Controls
- Responsibilities of Access Grantors
- Credentials Propagation
- Levels of Access
- Level
- Intranet
- Domains
- Workgroups
- Internet
- USB/ CD
- Outgoing Emails
- High Level Access
- Local Admin
- Domain Admin/ Enterprise Admin
- Privilege
- Read
- Edit/ Update
- Delete
- Password Policy
- Remote Access
- Requesting Access
- Access Review
- Access Revoke
- In-house Systems
- Temp Systems
- Vendor Systems
- Guest Systems
- Authorized Applications
- Patch Management
- Audit Trails
- Generation
- Access
- Retention
- Review
- Generation
- Actual OS
- Virtual OS
- Test/ Restore
- Access
- Retention
- Redundancy
- Folders
- SharePoint
Database Controls
- Responsibilities of Access Grantors
- Credentials Propagation
- Levels of Access
- Login / Account/ Database
- Privilege
- Read
- Edit/ Update
- Delete
- Password Policy
- Requesting Access
- Access Review
- Access Revoke
- Database in the Domain
- Patch Management
- Audit Trails
- Generation
- Access
- Retention
- Review
- Generation
- Actual OS
- Virtual OS
- Test/ Restore
- Access
- Retention
- Redundancy
Sources of Data/ Raw Data
APM
- RACI
- Mandate
- Auditing Process Background
- Objectives
- Risks and Control Criteria
- Scope
- Scope Exceptions
- Review Approach
- Reporting
- Key Audit Team Contacts
Opening Meeting
- Scope
- Initial Documents
- Auditee Contact People
Audit Plan
- Risks
- Best Practices
- Actual Business Practices
- Adequacy Check
- Audit Test
- Test Result
- Residual Risk
Execution of Testing
- Communication
- Info Request/ Gathering
- Evidence
- Analysis
- Intervals of Information
- Info Generators vs. Info Users
- Analysis Tools
- Involvement of Managers
- Test Result Documentation
- Completeness and Accuracy
- Referencing and Evidence
Report
- Drafting
- Management Exit Meeting
- Describing
- Action Plan
- Scheduling
- Higher Manager (CEO) Exit Meeting
- Describing Major Items
- Review and Confirmation of Action Plan
- Review and Confirmation of Scheduling
- Report Finalization
- Reporting to Board of Directors
Follow Up