Overview
This course covers the building blocks of IT audit and security, including identity and access management, web-based e-commerce application threats, vulnerabilities, and standards associated with privacy issues and intellectual property concerns. It places special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and enables participants to walk away with tools, techniques, and checklists for discovering and testing web and application server security.
It also covers auditing database management systems within the context of robust but practical enterprise architecture and governance models and reviews web services and service-oriented architectures, including SOAP, ReST, SOA, and ESB. Participants will also review safeguard concepts and best practices for secure mobile and wireless applications.
Learning Options
Below are the available learning options for this course:
Enterprise Solutions
Tailored Experience
Bring this course to your organization at your convenience. ACI Learning can deliver this instructor-led course for your team at a chosen location or virtually. Alternatively, choose the topic(s) you need and ACI will craft a training solution to keep your team future-proof.
Why you should take this course
For participants who already have an intermediate knowledge of this topic and are looking for a deeper understanding of its evolving complexities.
Who should take this course
IT, internal, and external auditors; IT audit managers; information security managers; analysts with 5+ years of experience; and anyone tasked with auditing web servers, application servers, database management systems, or enterprise architecture.
Prerequisites
- Intermediate IT Audit School (ITG241)
- Network Security Essentials (ASG203)
- or equivalent experience
1. Identity and Access Control Management (I&ACM) Architecture
• Fundamental Principles of Information Security
• Making the Business Case for Information Security
• Distributed Computing Control and Security Risks
• Defining an Identity and Access Management (I&AM) Architecture
• Access Control Models and Architectures
• Security Audit Log Management in Multi-Tiered Applications
• TCP/IP Network Application Services Security
• Risk Analysis
• Enterprise Directory Services
• Client/Server and Middleware Security for Multi-Tiered Applications
• Locating Control Points in Multi-Tiered Applications
• Security Awareness
• Application Security Audit
2. Web Application Architectures
• Web Application Control Points
• HTTP Protocol and State Management
• Fundamentals of Cryptography
• Secure Sockets Layer Encryption (TLS)
• Web 2.0
• Web Application Security Threats and Vulnerabilities
• Audit Checklists: Encryption, Single Sign-On
• Security and Audit Tools
3. Auditing Web (HTTP) Servers
• Web Server/Application Security Control Points
• Internet Web Servers – Present and Past
• Configuring the Web Server
• Web Server Security Features
• Remote Authoring and Development
• Web Application Firewalls and Intrusion Prevention Systems
• Sources of Additional Information – Web Server Checklists
• Security and Audit Checklists: Web Server/Application, Server Operating System
• Security and Audit Tools
4. Secure Application Design, Testing, and Audit
• Web Application Development Technologies
• Active Web Page Code Security: SSI, CGI, ASP, ASP.NET
• Mobile Code Security: Java, ActiveX, VBScript, JavaScript, AJAX, Flash
• Common Security Vulnerabilities in Application Software
• Common Web Application Attacks
• Secure Application Design Security and Audit Checklist
• Web Application Testing Tools
5. Auditing Application (Middleware) Servers
• Application/Middleware Servers
• Microsoft .NET Framework / ASP.NET Core
• Jakarta EE (formerly Java Platform Enterprise Edition; documentation available at docs.oracle.com)
• Jakarta EE Application Deployment Archives
• Supplemental Jakarta EE Information
6. Auditing Database Management Systems
• Managing Information
• Program-Centric Model
• Database Management Systems (DBMS)
• Database Risks
• Database Terminology
• Hierarchical and Relational Databases
• Database Audit Procedures
• Database Management Systems (DBMS) Terminology
• Structured Query Language (SQL)
• Security Risks Associated with DBMS Systems
• Connection and Authentication for DBMS Systems
• User Accounts, Roles, and Privileges
• Database Object Protection Methods: Access Control, Encryption
• Database Audit Logging Options
• Transaction Logs and Recoverability
• Sample DBMS Data Collection
• Security and Audit Checklists: DBMS
• Sources of Security and Audit Tools
• Bundled Stored Procedures
7. Web Services and Service Oriented Architectures (SOA)
• Web Services Definitions and Architectures
• SOAP Web Services Architecture, Standards and Security
• ReST (Representational State Transfer)
• Service Oriented Architecture (SOA)
• Enterprise Service Bus (ESB)
• Web Services Security and Audit Tools
8. Mobile Application Security and Audit
• Mobility Maturity Assessment
• Data Flow
• Securing Data at Rest and in Motion
• Securing Hosted Systems
• Provider Contracts / Service Level Agreements
• Risk Management
• Information Security Policies, Organization and Human Resources
• Asset Management
• Containers and Containerization
• Checklist for Secure Mobile and Wireless Application Best Practices
• Surveying and Profiling Mobile Devices and Associated Risks
• Key Control Points and Associated Risks in Remote Access and Mobile Applications
9. Laws and Standards Affecting IT Audit
• Organizational Liabilities
• Computer Fraud and Abuse Laws
• Sarbanes-Oxley Act
• Intellectual Property Laws
• Electronic Commerce
• General Data Protection Regulation (GDPR)
• California Consumer Privacy Act (CCPA)
• Computer Crime
• Incident Response
• Selected Standards: ISO, CIS
• Selected US Information Security Laws: SOX, FISMA, HIPAA, State Laws, Others
10. Internet of Things
• Definition
• Threats, Vulnerabilities, Risks
• Audit Checklist
- Expand knowledge of IT terminology associated with complex business applications.
- Identify key multi-tiered application building blocks and associated risks.
- Develop methodology to locate, document, and test control points and associated security safeguards for complex applications.
- Expand application audit tool kit knowledge with checklists, information resources, and automated tools to improve IT application audit effectiveness and efficiency.
ACI Learning is registered with the National Association of State Boards of Accountancy (NASBA) as a sponsor of continuing professional education on the National Registry of CPE Sponsors. State boards of accountancy have final authority on the acceptance of individual courses for CPE credit. Complaints regarding registered sponsors may be submitted to the National Registry of CPE Sponsors through its website: www.nasbaregistry.org.