Course Description
In this 3-day seminar you will examine the IT general control areas that must be addressed to ensure the confidentiality, integrity, and availability of your information assets.
You will explore critical aspects of the IT environment, including IT governance, IT infrastructure controls, information security, physical security, disaster recovery, change management and network perimeter security.
You will learn how to develop strategies for assessing the key controls in your information systems infrastructure.
In addition, you will focus on the common elements of IT compliance challenges, paying particular attention to general computer controls.
You will also examine common compliance requirements under Sarbanes-Oxley, the Model Audit Rule, the Payment Card Industry Data Security Standard (PCI DSS), state privacy laws, and other familiar compliance regimes, and see how general computer controls and other automated controls provide the foundation on which that compliance rests.
And because IT organizations are widely adopting IT service management frameworks such as ITIL, you will also cover ITIL v3, its components, and its objectives.
Agenda
1. Risk-Based Audit Planning for IT General Controls
- introduction to IT general controls
- the relationship between general and application controls
- risks/controls
- centralized vs. distributed environments
- Sarbanes-Oxley and IT controls
2. The Role of Governance, Risk, and Compliance (GRC)
- GRC defined
- evolution of governance
- common concepts of oversight
- approaches to risk management
- IT risk management
- history of compliance
- methodologies for addressing the “Regulators”
3. ITIL Version 3: An Introduction
- what is ITIL
- the ITIL vocabulary
- ITIL components and their objectives
- Service Strategy
- Service Design
- Service Transition
- Service Operation
- Continual Service Improvement
4. COBIT 4.1
- where COBIT came from and its intent
- the COBIT 4.1 release: an analysis
- impact of COBIT on IT
- uses of COBIT from a different perspective: IT, internal audit, external parties
5. Common Compliance Regulations
- Sarbanes-Oxley (SOX)
- Model Audit Rule (MAR)
- Payment Card Industry Data Security Standard (PCI DSS)
- Health Insurance Portability and Accountability Act (HIPAA)
- state privacy laws
- reconciling IT general controls to compliance requirements
6. Hardware/Software Infrastructure
- COBIT control objectives
- hardware infrastructure
  - centralized vs. distributed
  - hardware acquisition, contracts, and inventories
  - equipment maintenance/utilization
  - hardware audits
- software infrastructure: operating systems
  - components
  - risks/exposures
  - patch management
  - operating system audits
- software infrastructure: database management
  - components
  - restart/recovery/reliability
  - database advantages/concerns
  - distributed databases
  - database administration controls
  - database audits
- system software audit steps
7. Logical Access Controls
- COBIT control objectives
- access control components
- authentication: passwords, tokens, biometrics
- authorization of user access rights
- managing user accounts
- access control systems
- audit trail
- security monitoring
- remote access
- sensitive data on PCs and workstations
- security administration
- single sign-on (SSO) authentication
- access control best practices
8. Physical and Environmental Controls
- COBIT control objectives
- physical security objectives, risks, and exposures
- physical security controls
- environmental exposures and risks
- environmental controls
9. Network Perimeter Security
- COBIT control objectives
- network security threat/risk analysis
- network security strategy
- data communication software
- OSI Model
- TCP/IP
- firewalls / DMZ
- intrusion detection systems
- remote access / wireless access
- Internet risks
10. Change Management
- COBIT control objectives
- change management risks
- translation from source code to executable modules
- change management process
- change requests
- testing changes
- implementation approval
- program migration
- contingency plans
- system documentation
- executable and source code integrity
- emergency changes
- vendor-supplied source code
- library / change control software
- distribution systems version control
- audit steps
11. Disaster Recovery and Business Continuity Planning
- COBIT control objectives
- disasters and disruptive events
- disaster recovery and business continuity planning
- business impact analysis (BIA)
- recovery time objectives (RTO)
- disaster recovery strategy
- business continuity strategy
- disaster recovery sites
- disaster recovery teams
- off-site storage
- data backup and recovery
- telecommunications networks
- testing the recovery plan
- continuity plan maintenance
- contract requirements
- audit steps
12. Automated Tools for IT and Testing
- the significance of automated controls
- selected automated vendor tool sets
- leveraging solutions IT has already implemented
- using IT audit tools
- GRC tools
13. Planning and Executing General Control Reviews
- risk assessment
- audit strategy and planning
- planning memo
- key documents needed for the audit
- audit programs
- testing controls
- audit workpapers
- audit report
Who Should Attend:
IT, Financial, Operational, Business Applications, and External Auditors; Audit Managers and Directors; others who have compliance responsibilities.
Prerequisite: None
Learning Level: Basic
Advance Preparation: None
Dates & Times
Classes start on the date(s) posted herein and run from 8:30am to 5pm daily, except for the last day of class, which ends at 1pm.