
Foundations of Auditing Information Systems

Day 1: The Business of Auditing Information Systems

During the first day of the course students are introduced to the business of auditing information systems and to their own role in such an effort. Students learn the business purpose and value of information system audits, the role of an auditor, and the types of audits that can be performed. Students also consider audit and information security frameworks, which can serve as a foundation for audit programs or for information assurance controls.

Topics:
- What is an Information Systems Audit and Why Do One?
  - Define Audit Scope
  - Sample Information Systems Audits
  - Business Drivers for Audits
  - Internal Controls
  - Risk Management
  - Information Systems Governance
- Roles of Auditors
  - Audit Cycle
  - Management of the Audit Function
  - Practical Audit Responsibilities
  - Critical Business Skills for Auditors
- Types of Audits
  - Determining Who Performs an Audit
  - Internal Audits / External Audits
  - Control Self-Assessments (CSAs)
  - Determining the Business Purpose of an Audit
  - Typical IS Audit Scopes
  - Governance Controls
  - Technical Controls
- Audit Frameworks
  - Business Drivers for Frameworks
  - Audit Frameworks: COBIT, ISO 27000, Consensus Audit Guidelines (CAG)
  - Government Frameworks: NIST 800-53A, DIACAP, FISMA, FISCAM
  - Non-Audit Standards Used for Audits
- Hands-on Exercises with the Following Audit Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - Nipper for automated assessment of network device configurations
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning

Day 2: Practical Concepts for Auditing Information Systems

On this day students continue building the foundational concepts of auditing information systems and begin to learn the practical steps for performing and managing an audit. Students also examine how information assurance controls are evaluated and the logistics needed to evaluate systems effectively. Auditors consider the importance of auditing systems in light of regulatory guidance and how compliance fits into the audit process, and are introduced to vulnerability assessment and penetration testing concepts.

Topics:
- Project Management for Auditors
  - Characteristics of Audits vs. Characteristics of Projects
  - Programs vs. Projects
  - The Project Management Process
  - Project Charters, WBSs, Project Scheduling / Cost
  - Critical Path & Diagrams, Crashing Projects
  - Project Management Offices
- The Information Systems Audit Process
  - Initiating an Audit
  - Planning an Audit
  - Audit Scripts and Checklists
  - Executing an Audit
  - Audit Fieldwork
  - Monitoring & Controlling an Audit
  - Closing an Audit
- Data Collection Methodologies
  - Types of Audit Evidence
  - Work Papers
  - Data Collection, Data Destruction
  - Sampling Methodologies
  - Security of Audit Evidence
  - Audit Management Tools
- Regulations and Compliance
  - Compliance vs. Assurance
  - Business Value of Compliance Audits
  - Developing a Compliance Program
  - Auditing for Compliance: Policies
  - Auditing for Compliance: Controls
  - Banking / Financial Industry Standards, PCI DSS
  - HIPAA, HITECH Act
  - NERC Critical Infrastructure Protection
  - European Standards
  - ISO 27000 Series Standards, ITIL
- Auditing, Vulnerability Testing & Penetration Testing
  - Business Purpose of Vulnerability Assessments
  - Penetration Testing and Business Purpose
  - Assessment & Audit Programs
  - Tools of the Trade
  - Vulnerability Management Lifecycle
  - Process for Penetration Testing
  - Penetration Testing Tools
  - Incorporating Results into Risk Reports
  - Remediation Plans
- Hands-on Exercises with the Following Audit Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning

Day 3: Auditing & Governance, Risk and Compliance (GRC)

The third day introduces students to the importance of governance, risk, and compliance (GRC) concepts in the context of information system audits. This leads into an understanding of the relationship between business goals and the information system controls used to manage risk. Formal risk management tools, frameworks, and techniques are discussed, and students are introduced to the risk management programs available to them.

Topics:
- Introduction to Governance, Risk, & Compliance (GRC) Audits
  - Elements of IT GRC
  - IT Governance Frameworks
  - COBIT
  - GTAG 15: Information Security Governance
- Connecting Business Objectives with Policy & Technology Controls
  - Business, Strategy, & Risk
  - General Framework and Business Goals
  - Strategy: An Auditor's Role
  - Policy Creation, Review, and Legal Review
  - Policies and Procedures: An Auditor's Role
  - Controls & Asset Classification
  - Policies & Risk Management
- Risk Management for Auditors
  - Risk Management Defined
  - Business Purpose of Risk Management
  - Elements of Risk: Threat, Vulnerability, Likelihood
  - Risk Management vs. Risk Assessment
  - Risk Management Process
- Formal Risk Management Models & Tools
  - Formal vs. Ad hoc Models
  - Variety & Scope of Available Models
  - Choosing the Right Risk Model
  - OCTAVE
  - FAIR: Factor Analysis of Information Risk
  - Microsoft STRIDE & DREAD
  - GAIT: Guide to the Assessment of IT Risk
  - FMECA: Failure Mode, Effects, and Criticality Analysis
  - Deductive Cause-Consequence Analysis
- Hands-on Exercises with the Following Audit Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - Nipper for automated assessment of network device configurations
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning

Day 4: Auditing Technical Controls and Network Devices

On this day students learn the importance of auditing technical controls as part of an overall audit and assurance program. Students are shown a model for evaluating technical controls and how those controls fit into the bigger picture of control audits. Students perform example technical control assessments and practise auditing network devices, including configuration files and network access control lists.

Topics:
- An Introduction to Auditing Technology Controls
  - Importance of Information System Controls
  - Governance Information System Controls
  - Technical Information System Controls: Network, Operating Systems, Application Controls
  - Role of the Auditor
  - Anatomy of a Technical Assessment
- Utilizing Scripts and Audit Checklists
  - Tools of the Audit Trade
  - Danger of Scripts & Checklists, Value of Scripts & Checklists
  - Foundation of Audit Checklists
  - Creating Audit Checklists, Parts of a Checklist
  - Audit Subject and Scope Definition
  - Control Objectives & Testing Procedures
  - Compliance Criteria
  - Technical vs. Paperwork Audits
  - Creating Audit Scripts
- An Introduction to Auditing Network Devices
  - Auditing Network Devices
  - Network Device Audit Process
  - Device Configuration Files
  - Auditing Network Access Controls
  - Network Device Configuration Audit Tools
- An Introduction to Auditing Networks
  - Determine the Audit Scope
  - The Audit Process
  - Technical Assessments
  - Non-technical Audit Evidence
  - Types of Border Devices
- Hands-on Exercises with the Following Audit Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - Nipper for automated assessment of network device configurations
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning

Day 5: Auditing Operating Systems: Windows, Unix

During this day students continue their exploration of technical assurance controls, spending the day on practical steps for auditing both Microsoft Windows and various flavors of Unix. Students leave with a repeatable process for auditing operating systems and the skills to identify risks in these systems; these skills are then applied to control audits of any system.

Topics:
- An Introduction to Auditing Operating Systems
  - Common Operating System Audits
  - System Baselines
  - How to Complete an Operating System Audit
  - Data Gathering Tips / Philosophies
  - General System Baseline Tools
- Auditing User Accounts, Groups, & Permissions
  - Baselines to Request
  - Auditing User Accounts
  - Auditing Groups & Group Memberships
  - Auditing User Rights Assignments
  - Permission Types to Audit
- Understanding Operating System Security Configurations
  - Federal Desktop Core Configuration (FDCC)
  - System Services, Security Policies
  - Application Security Settings
  - Microsoft Baseline Security Analyzer
  - Security Content Automation Protocol
- Vulnerability Management & Audit Scripts
  - Host Vulnerability Scanning
  - Practical Vulnerability Management
  - Testing Methods (Open vs. Commercial)
  - Free or Open Source Scanning Tools
  - Choosing a Scanning Tool
  - Vulnerability Validation Tools
- Hands-on Exercises with the Following Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - Nipper for automated assessment of network device configurations
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning
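A worked illustration of the Baselines to Request and Auditing User Accounts, Groups & Group Memberships topics above, added here as an example; it is not course material and not one of the listed tools. The script takes the three files a Unix account audit starts from (passwd, shadow, group), plus an approved baseline of the kind an auditor requests from the system owner before fieldwork, and reports the deviations: extra UID 0 accounts, empty password fields, service accounts with login shells, duplicate UIDs, interactive accounts that are not on the baseline, and members of privileged groups (including membership through a primary GID, which a glance at the group file misses) who are not approved administrators. The file contents, names, UIDs and hashes are constructed for the example, and the cut-off of UID 1000 for service accounts is an assumption matching common Linux defaults.

```python
"""Audit Unix accounts, groups and privilege assignments against an approved baseline.

Added example for the Day 5 account/group/permission topics; not course material or
one of the listed tools. The passwd/shadow/group contents and the baseline are
constructed for the example (names, UIDs and hashes are made up).
"""
from collections import Counter
from dataclasses import dataclass

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/sh
toor:x:0:0:toor:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
carol:x:1001:1002:Carol:/home/carol:/bin/bash
svc_app:x:1002:1003:App service:/opt/app:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$madeuphash:19700:0:99999:7:::
daemon:*:19700:0:99999:7:::
backup:*:19700:0:99999:7:::
toor:$6$saltsalt$madeuphash:19700:0:99999:7:::
alice:$6$saltsalt$madeuphash:19700:0:99999:7:::
bob::19700:0:99999:7:::
carol:!:19700:0:99999:7:::
svc_app:*:19700:0:99999:7:::
"""
GROUP = """\
root:x:0:
wheel:x:10:alice,carol
sudo:x:27:alice
users:x:100:
"""
# Baseline as supplied by the system owner before fieldwork (constructed for the example).
BASELINE = {
    "interactive_accounts": {"root", "alice", "bob"},
    "admin_accounts": {"root", "alice"},
    "privileged_groups": {"root", "wheel", "sudo"},
}
INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/usr/bin/bash", "/usr/bin/zsh"}
SYSTEM_UID_MAX = 999  # assumption: UIDs below 1000 are service accounts (common Linux default)
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Account:
    name: str
    uid: int
    gid: int
    shell: str


@dataclass(frozen=True)
class Finding:
    severity: str
    subject: str   # account or group the finding is about
    detail: str


def parse_passwd(text):
    accounts = []
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, gid, _, _, shell = line.split(":")
            accounts.append(Account(name, int(uid), int(gid), shell))
    return accounts


def parse_shadow(text):
    """Map account name -> password field ('' means no password is required)."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if l}


def parse_group(text):
    """Map group name -> (gid, explicit members)."""
    groups = {}
    for line in text.splitlines():
        if line:
            name, _, gid, members = line.split(":")
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups


def group_members(gname, groups, accounts):
    """Explicit members plus accounts whose primary GID is the group; both grant the privilege."""
    gid, explicit = groups[gname]
    return explicit | {a.name for a in accounts if a.gid == gid}


def audit_accounts(passwd_text, shadow_text, group_text, baseline):
    accounts, shadow, groups = parse_passwd(passwd_text), parse_shadow(shadow_text), parse_group(group_text)
    findings = []
    for a in accounts:
        if a.uid == 0 and a.name != "root":
            findings.append(Finding("high", a.name, "UID 0 account other than root (full superuser rights)"))
        if shadow.get(a.name) == "":
            findings.append(Finding("high", a.name, "empty password field in shadow; login needs no password"))
        interactive = a.shell in INTERACTIVE_SHELLS
        if 0 < a.uid <= SYSTEM_UID_MAX and interactive:
            findings.append(Finding("medium", a.name, f"service account has login shell {a.shell}"))
        if a.uid > SYSTEM_UID_MAX and interactive and a.name not in baseline["interactive_accounts"]:
            findings.append(Finding("medium", a.name, "interactive account not in the approved baseline"))
    for uid, n in Counter(a.uid for a in accounts).items():
        if n > 1 and uid != 0:  # duplicate UID 0 is already reported as a superuser finding
            names = ",".join(a.name for a in accounts if a.uid == uid)
            findings.append(Finding("medium", names, f"duplicate UID {uid}; audit trails cannot attribute actions"))
    for gname in sorted(baseline["privileged_groups"]):
        if gname in groups:
            for member in sorted(group_members(gname, groups, accounts) - baseline["admin_accounts"]):
                findings.append(Finding("high", member, f"member of privileged group '{gname}' but not an approved admin"))
    for name in sorted(baseline["interactive_accounts"] - {a.name for a in accounts}):
        findings.append(Finding("low", name, "baseline account not present on the system; baseline may be stale"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.subject))


if __name__ == "__main__":
    for f in audit_accounts(PASSWD, SHADOW, GROUP, BASELINE):
        print(f"[{f.severity:6}] {f.subject}: {f.detail}")
```

On a real system the three inputs are the evidence an auditor collects (and should hash and retain as work papers), while the baseline is the owner's assertion of what should be there; the findings are the gap between the two. The primary-GID case is the one worth remembering: the account `toor` never appears in the group file, yet it is a member of `root` because its passwd entry carries GID 0.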

Day 6: Auditing Application Systems

The final day begins by examining the relationship between business goals and the application systems used to enable those goals. Students learn practical skills for auditing an application system from both a governance and a technical control perspective, and get hands-on opportunities to assess application systems in preparation for performing these audits in the real world. Students are also given resources for further study in the audit field and next steps for furthering their careers in the profession.

Topics:
- An Introduction to Auditing Applications
  - Why Audit Business Applications
  - Focus of an Application Audit
  - Information Security Controls
  - Scope of an Application Audit
- Understanding an Application
  - Software from a Business Perspective
  - Evaluating Functional and Legal Requirements
  - Methods of Discovery
  - Application Flowcharting
  - Business Rule Mapping & Data Transaction Mapping
  - Application Interfaces & Application Interface Engines
  - Site Mapping
  - Database Schema Review
  - Application Modeling
- Reviewing an Application's Development Cycle
  - The Role of the Assessor
  - Quality Assurance Teams
  - Application Testing Software
  - Protecting Source Code
  - Conducting Code Reviews
  - Application Maintenance
  - Change Management
  - Systems Development Lifecycle (SDLC)
  - Software Maturity Models
- Auditing an Application Step-by-Step
  - General Application Audit Process
  - Application System Baselines
  - Data Maintenance Controls & Authentication Controls
  - File Integrity Assessment
  - Data Leakage Prevention & Credential Storage Protections
  - Automated Vulnerability Scanning
  - Automated Code Review & Manual Code Review
  - Tools for "White Box" and "Black Box" Testing
  - Web Application, Database Assessment Tools
- Hands-on Exercises with the Following Tools:
  - OpenVAS and Nessus for vulnerability assessment
  - PTA Professional and SOMAP ORICO for practical threat and risk analysis
  - Nipper for automated assessment of network device configurations
  - WinAudit and NEWT Professional for operating system data gathering
  - Microsoft Baseline Security Analyzer (MBSA) for vulnerability scanning and misconfiguration checks
  - Lynis for Unix vulnerability scanning
  - Nmap / Zenmap for system and application scanning
  - w3af for web application scanning
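A worked illustration of the Application System Baselines and File Integrity Assessment topics above, added here as an example; it is not course material and not one of the listed tools. The script builds a baseline manifest (SHA-256, permission bits and size for every regular file under an application's install tree), seals the manifest with an HMAC so that a later tamper with the stored baseline itself is detectable, and then diffs a current snapshot against it to report files that were added, removed, modified, or had their permissions changed. The application tree is created in a temporary directory and the file contents, names and the HMAC key are constructed for the example; in practice the key and the sealed manifest live off the audited host.

```python
"""File integrity assessment: baseline an application tree, seal the baseline, diff later.

Added example for the Day 6 application-baseline topics; not course material or one
of the listed tools. The application files below are constructed in a temporary
directory and the HMAC key is a placeholder for the example.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path

KEY = b"example-only-baseline-key"  # assumption: in practice held off-host by the audit team


def hash_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> {sha256, mode, size} for every regular file under root (symlinks skipped)."""
    root = Path(root)
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            st = p.stat()
            manifest[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "mode": oct(st.st_mode & 0o777),
                "size": st.st_size,
            }
    return manifest


def seal_manifest(manifest, key):
    """HMAC-SHA256 over canonical JSON, so a modified stored baseline fails verification."""
    body = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def verify_manifest(manifest, key, tag):
    return hmac.compare_digest(seal_manifest(manifest, key), tag)


def compare(baseline, current):
    """Classify every path as added, removed, modified (content) or mode_changed (permissions only)."""
    both = set(baseline) & set(current)
    modified = sorted(p for p in both if baseline[p]["sha256"] != current[p]["sha256"])
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": modified,
        "mode_changed": sorted(p for p in both if baseline[p]["mode"] != current[p]["mode"] and p not in modified),
    }


def demo():
    """Create a constructed app tree, baseline it, tamper with it, and return (baseline intact?, diff)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "conf").mkdir()
        (root / "bin" / "app").write_bytes(b"\x7fELF example binary stub")
        (root / "conf" / "app.conf").write_text("db_host=10.0.0.5\n")
        (root / "conf" / "web.xml").write_text("<web-app/>\n")
        os.chmod(root / "conf" / "app.conf", 0o640)
        baseline = build_manifest(root)
        tag = seal_manifest(baseline, KEY)
        # Changes made after the baseline, as an auditor would find on a later visit.
        (root / "conf" / "app.conf").write_text("db_host=198.51.100.7\n")   # content modified
        (root / "bin" / "unexpected.txt").write_text("not in the baseline\n")  # file added
        (root / "conf" / "web.xml").unlink()                                # file removed
        os.chmod(root / "bin" / "app", 0o777)                               # permissions loosened
        current = build_manifest(root)
        return verify_manifest(baseline, KEY, tag), compare(baseline, current)


if __name__ == "__main__":
    intact, diff = demo()
    print("baseline seal valid:", intact)
    for kind, paths in diff.items():
        print(f"{kind}: {paths}")
```

The HMAC is the part most ad hoc integrity scripts leave out: a baseline stored next to the application can be regenerated by whoever changed the files, so the auditor should verify the seal before trusting the comparison. Permission changes are tracked separately from content changes because a binary that still hashes correctly but became world-writable is a different finding from one that was replaced.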
