Advanced IT Audit School - ITG341

Overview

This course covers the building blocks of IT audit and security, including identity and access management, web-based e-commerce application threats, vulnerabilities, and standards associated with privacy issues and intellectual property concerns. It places special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and enables participants to walk away with tools, techniques, and checklists for discovering and testing web and application server security.

It also covers auditing database management systems within the context of robust but practical enterprise architecture and governance models and reviews web services and service-oriented architectures, including SOAP, ReST, SOA, and ESB. Participants will also review safeguard concepts and best practices for secure mobile and wireless applications.

Learning Options

Below are the available learning options for this course:

Enterprise Solutions

Tailored Experience

Bring this course to your organization at your convenience. ACI Learning can deliver this instructor-led course for your team at a chosen location or virtually. Alternatively, choose the topic(s) you need and ACI will craft a training solution to keep your team future-proof.


NASBA Certified CPE

32 Credits

Auditing

Why you should take this course

For users who have an intermediate knowledge of this topic and are searching for a deeper understanding of its evolving complexities.

Who should take this course

IT, Internal and External Auditors; IT Audit Managers, Information Security Managers, Analysts with 5+ years of experience, or those tasked with auditing web servers, application services, Database Management Systems, and enterprise architecture.

Prerequisites

  • Intermediate IT Audit School (ITG241)
  • Network Security Essentials (ASG203)
  • or equivalent experience

1.    Identity and Access Control Management (I&ACM) Architecture

    Fundamental Principles of Information Security

    Making the Business case for Information security

    Distributed computing Control and Security Risks

    Defining an Identity and Access Management (I&AM) Architecture

    Access control Models and Architectures

    Security Audit Log Management in Multi-Tiered Applications

    TCP/IP Network Application Services Security

    Risk Analysis

    Enterprise Directory services

    Client/Server and Middleware Security for Multi-Tiered Applications

    Locating Control Points in Multi-Tiered Applications

    Security Awareness

    Application Security Audit


2.    Web Application Architectures

    Web Application Control Points

    HTTP Protocol and State Management

    Fundamentals of Cryptography

    Secure Sockets Layer / Transport Layer Security (SSL/TLS) Encryption

    Web 2.0

    Web Application Security Threats and Vulnerabilities

    Audit Checklists: Encryption, Single Sign-On

    Security and Audit Tools


3.    Auditing Web (HTTP) Servers

    Web Server/Application Security Control Points

    Internet Web Servers – Present and Past

    Configuring the Web Server

    Web Server Security Features

    Remote Authoring and Development

    Web Application Firewalls and Intrusion Prevention Systems

    Sources of Additional Information – Web Server Checklists

    Security and Audit Checklists: Web Server/Application, Server Operating System

    Security and Audit Tools


4.    Secure Application Design, Testing, and Audit

    Web Application Development Technologies

    Active Web Page Code Security: SSI, CGI, ASP, ASP.NET

    Mobile Code Security: Java, ActiveX, VBScript, JavaScript, AJAX, Flash

    Common Security Vulnerabilities in Application Software

    Common Web Application Attacks

    Secure Application Design Security and Audit Checklist

    Web Application Testing Tools


5.    Auditing Application (Middleware) Servers

    Application/Middleware Servers

    Microsoft .NET Framework / ASP.NET Core

    Jakarta EE (formerly Java Platform Enterprise Edition; documentation available at docs.oracle.com)

    Jakarta EE Application Deployment Archives

    Supplemental Jakarta EE Information


6.    Auditing Database Management Systems

    Managing Information

    Program-Centric Model

    Database Management Systems (DBMS)

    Database Risks

    Database Terminology

    Hierarchical and Relational Databases

    Database Audit Procedures

    Database Management Systems (DBMS) Terminology

    Structured Query Language (SQL)

    Security Risks Associated with DBMS Systems

    Connection and Authentication for DBMS Systems

    User Accounts, Roles, and Privileges

    Database Object Protection Methods: Access Control, Encryption

    Database Audit Logging Options

    Transaction Logs and Recoverability

    Sample DBMS Data Collection

    Security and Audit Checklists: DBMS

    Sources of Security and Audit Tools

    Bundled Stored Procedures


7.    Web Services and Service Oriented Architectures (SOA)

    Web Services Definitions and Architectures

    SOAP Web Services Architecture, Standards and Security

    ReST (Representational State Transfer)

    Service Oriented Architecture (SOA)

    Enterprise Service Bus (ESB)

    Web Services Security and Audit Tools


8.    Mobile Application Security and Audit

    Mobility Maturity Assessment

    Data Flow

    Securing Data at Rest and in Motion

    Securing Hosted Systems

    Provider Contracts / Service Level Agreements

    Risk Management

    Information Security Policies, Organization and Human Resources

    Asset Management

    Containers and Containerization

    Checklist for Secure Mobile and Wireless Application Best Practices

    Surveying and Profiling Mobile Devices and Associated Risks

    Key Control Points and Associated Risks in Remote Access and Mobile Applications


9.    Laws and Standards Affecting IT Audit

    Organizational Liabilities

    Computer Fraud and Abuse Laws

    Sarbanes-Oxley Act

    Intellectual Property Laws

    Electronic Commerce

    General Data Protection Regulation (GDPR)

    California Consumer Privacy Act (CCPA)

    Computer Crime

    Incident Response

    Selected Standards: ISO, CIS

    Selected US Information Security Laws: SOX, FISMA, HIPAA, State Laws, Others


10.    Internet of Things

    Definition

    Threats, Vulnerabilities, Risks

    Audit Checklist


  • Expand knowledge of IT terminology associated with complex business applications.
  • Identify key multi-tiered application building blocks and associated risks.
  • Develop methodology to locate, document, and test control points and associated security safeguards for complex applications.
  • Expand application audit tool kit knowledge with checklists, information resources, and automated tools to improve IT application audit effectiveness and efficiency.

ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.