How To Perform An Information Security Audit

Posted By: ELK1nG

Published 11/2022
MP4 | Video: h264, 1280x720 | Audio: AAC, 44.1 KHz
Language: English | Size: 5.64 GB | Duration: 7h 13m

What you need to know to perform information security audits

What you'll learn

Understand how to properly plan engagements by determining their objectives, criteria and scope.

Know how to create working papers to document an audit and learn about different ways to staff an audit.

Learn how to collect engagement information and then analyze and evaluate it. Learn how to supervise engagements.

Learn how to communicate engagement results and the process of acceptance of risks. Learn how to monitor progress on the implementation status of internal audit recommendations.

Know about which threats to information security should be assessed, including threats to the integrity of data, confidentiality and the availability of data.

Be able to evaluate privacy risks, risks from smart devices, insider threats, illicit software threats and cybersecurity threats amongst others.

Be able to evaluate risks by using the Asset-Threat-Vulnerability triangle.

Know about the different types of information security controls, including IT general controls.

Be able to put in place a solid governance over information security, such as by putting in place IT management and governance controls.

Be able to implement the segregation of IT duties and IT departmentalization, an information security framework and cybersecurity governance and policies.

Be able to apply the Three Lines of Defense Model in cybersecurity.

Learn about controls such as identity access management and authentication, encryption and firewalls, data privacy and protection controls.

Know about application and access controls, technical IT infrastructure controls, external connections controls and 3rd party information security controls.

Requirements

No prior experience or knowledge is required.

Description

We are glad to bring you a course to learn how to perform information security audits.

This course is ideal for:

IT and information security professionals who wish to learn techniques on how to assess the security of their information and the vulnerability of their information systems; and

Auditors or others performing assessments who wish to learn more about performing information security audits.

The course will give you the knowledge and tools necessary to perform information security audits, starting from how to plan them, how to perform and how to report on the results of the engagement. It will teach you about which threats to assess and which controls should be put in place.

It is taught by Adrian Resag, an experienced and CISA certified information security auditor who has decades of experience evaluating information security, IT and ISO 27001 in many organizations.

The course covers:

Performing Information Security Audits

Planning Engagements

Understand how to properly plan engagements by determining their objectives, criteria and scope. Know how to create working papers to document an audit and learn about different ways to staff an audit.

Performing Engagements

Learn how to collect engagement information and then analyze and evaluate it. Learn how to supervise engagements.

Communicating Progress and Results

Learn how to communicate engagement results and the process of acceptance of risks. Learn how to monitor progress on the implementation status of internal audit recommendations.

Information Security Threats and Controls

Threats to information security

Know about which threats to information security should be assessed, including threats to the integrity of data, confidentiality and the availability of data.

Be able to evaluate privacy risks, risks from smart devices, insider threats, illicit software threats and cybersecurity threats amongst others.

Be able to evaluate risks by using the Asset-Threat-Vulnerability triangle.

Controls over information security

Know about the different types of information security controls, including IT general controls.

Be able to put in place a solid governance over information security, such as by putting in place IT management and governance controls.

Be able to implement the segregation of IT duties and IT departmentalization, an information security framework and cybersecurity governance and policies.

Be able to apply the Three Lines of Defense Model in cybersecurity.

Learn about controls such as identity access management and authentication, encryption and firewalls, data privacy and protection controls.

Know about application and access controls, technical IT infrastructure controls, external connections controls and 3rd party information security controls.

Overview

Section 1: Information Security Threats and Controls

Lecture 1 Information Security

Lecture 2 Data Integrity, Confidentiality and Data Availability

Lecture 3 IT General Controls

Lecture 4 Segregation of IT Duties

Lecture 5 Question on Segregation of IT Duties

Lecture 6 Threats and Controls to Physical Security

Lecture 7 Question on Threats and Controls to Physical Security

Lecture 8 Question on Threats and Controls to Physical Security

Lecture 9 Identity Access Management

Lecture 10 Access and Authorization Controls - Risks

Lecture 11 Identity Access Management - Activities

Lecture 12 Authentication

Lecture 13 IT Departmentalization

Lecture 14 Question on IT Departmentalization 1

Lecture 15 Question on IT Departmentalization 2

Lecture 16 Types of Information Security Controls

Lecture 17 Encryption

Lecture 18 Firewalls

Lecture 19 Data Privacy and Protection

Lecture 20 Data Protection Framework

Lecture 21 Question on Data Protection Framework

Lecture 22 Smart Devices and Their Risks

Lecture 23 Question on Smart Devices and Their Risks

Lecture 24 Question on Data Protection Framework

Lecture 25 Asset-Threat-Vulnerability Triangle

Lecture 26 Cybersecurity Risks

Lecture 27 Cybersecurity Threats

Lecture 28 Question on Cybersecurity Threats 1

Lecture 29 Question on Cybersecurity Threats 2

Lecture 30 Question on Cybersecurity Threats 3

Lecture 31 Question on Cybersecurity Threats 4

Lecture 32 IT Management and Governance Controls Against Cybersecurity Threats

Lecture 33 Application and Access Controls

Lecture 34 Technical IT Infrastructure Controls

Lecture 35 External Connections Controls

Lecture 36 Verifying 3rd Party Information Security

Lecture 37 Illicit Software Use

Lecture 38 Insider Threat

Lecture 39 Question on Insider Threat

Lecture 40 Question on Data Privacy and Protection

Lecture 41 Cybersecurity Governance and Policies

Lecture 42 Information Security Framework

Lecture 43 The Three Lines of Defense Model in Cybersecurity

Lecture 44 Question on Cybersecurity Governance and Policies

Section 2: Performing Information Security Audits

Lecture 45 Engagement Planning

Lecture 46 Engagement Scope

Lecture 47 Engagement Objectives

Lecture 48 Questions on Engagement Objectives

Lecture 49 Coverage of Significant Risks

Lecture 50 Questions on Coverage of Significant Risks

Lecture 51 Engagement Work Programs

Lecture 52 Questions on Engagement Work Programs

Lecture 53 Workflow of an Engagement

Lecture 54 Audit Techniques for Gathering Information

Lecture 55 Walkthroughs

Lecture 56 Questions on Walkthroughs

Lecture 57 Interview Approaches and Skills

Lecture 58 Process Maps and Benchmarking

Lecture 59 Risk-Control Matrix

Lecture 60 Building a Risk-Control Matrix

Lecture 61 Engagement Supervision

Lecture 62 Performance Appraisals

Lecture 63 Supervision Best Practices

Lecture 64 Reviewing Working Papers

Lecture 65 Questions on Reviewing Working Papers

Lecture 66 Communicating Engagement Results

Lecture 67 Quality of Communications

Lecture 68 Communicating Progress

Lecture 69 Best Practices on Communicating Recommendations

Lecture 70 Communicating Recommendations

Lecture 71 Internal Audit Opinions

Lecture 72 Questions on Internal Audit Opinions

Lecture 73 Acceptance of Risk

Lecture 74 Monitoring Progress

Lecture 75 Questions on Monitoring Progress

Current or future IT and information security professionals who wish to learn techniques on how to assess the security of their information and the vulnerability of their information systems.

Auditors or others performing assessments who wish to learn more about performing information security audits.