IT General Controls

Training Duration: 3 days

Training Delivery Method: On-site, instructor-led course; or online, instructor-led course

Prerequisites: Intended for IT controls professionals and IT auditors

What Problem Does This Training Help Solve?

Learn the theory, practice, and implementation of IT general controls from the control professional’s perspective, and the auditing of general controls from the assurance professional’s perspective.

Who Should Attend? IT professionals entrusted with implementing general controls, and auditors entrusted with auditing them

Course Material: Content-rich manual / course handouts consisting of about 500 foils

Course Syllabus:

The following topics will be discussed from the control, audit, and assurance perspectives:

  • IT general controls: theory of controls; Preventive, Detective, Corrective, Compensating, and Deterrent controls; difference between GCC and GACC, DET and OET
  • Control objectives and controls, Controls for centralized and distributed processing
  • Related frameworks and models: COBIT, ISO 27002, ITIL, CMM
  • IT Processes, control objectives, and controls
  • Policies, standards, procedures, and guidelines
  • SOD (separation of duties) and R&R
  • Regulatory requirements and controls: SOX, EuroSOX, HIPAA
  • Logical Access Controls: Identification, Authentication, Authorization, Data classification and ownership, MAC, DAC, and RBAC, SSO, Security administration, Security monitoring, Audit trails and detective controls
  • Physical Controls, Environmental controls
  • Hardware controls, Acquisition, Contracts, Maintenance agreements, Preventive maintenance
  • Software and Operating System Controls, Initial software generation, Patch management, Threats and risks
  • DBMS, Centralized database, Distributed database, Access controls and views, DB administration Controls, Audit trails
  • Network Perimeter Security, Points of entry, Internet, dial-in modems, wireless, fax modems
  • War dialing and war driving
  • OSI, TCP/IP, Firewalls, their architecture, and implementations, DMZ, Honeypot and honeynets
  • Threats coming from the Internet, 32 common attacks and controls
  • Change Management, Policy, Standards, Procedures, Scheduled, emergency, out-of-cycle
  • Change request, review, approval, testing, scheduling, user notification, implementation, backout provision, Change management for executables, Source code integrity
  • Vendor software, Acquisition process, RFI, RFP, agreement, and controls, Security, Escrow agreement with a third party
  • BC/DR audit, BIA, RTO, RPO, MTD, Risk assessment, Recovery strategies, Awareness and training, BC implementation, Remote storage of data and documents, Alignment with Change management, Hot site, cold site, warm site, split processing, PR training in emergency situations, ICS for emergency response, BC plan testing and optimization, Backups (full, incremental, differential, and synthetic), Five Components of recovery