Video Pod (VOD) Cast IT IS Audit Security Training, Surveillance & Reconnaissance Hands-On Demo

Reducing the Risks in Vodcast Technology

 

 

Learning Level: Elementary

CPEs: 22    Fee: $1,995.00

 

 

Who Should Attend

Information Security Officers, Managers and Analysts; IT Managers; IT Audit Managers and IT Staff Auditors; System and Network Administrators; Network Engineers, IT and Security Architects, Consultants, and others concerned with network perimeter and wireless LAN security.

Financial, Operational, and Information Technology Auditors; Educators and Trainers

 

 

Focus and Features

Vodcast technology can be a significant business enabler. Vodcast, however, also introduces a number of new risks and easy-to-exploit network service theft opportunities. In this hands-on course, you will learn how to lower the risk of using Vodcast & LAN technology and how to more effectively monitor its use and abuse. You will participate in hands-on exercises covering Vodcast network configuration, security policy deployment, and enterprise protection solutions that include recording, web-casting, and authentication. Using Vodcast wireless and wired techniques, you will also embark on a Vodcast network “role-play” that will challenge you to audit the Vodcast access points. Detailed written instructions will accompany each exercise to help you configure and secure a Vodcast network and run powerful vodcast software. You will review prudent policies and configuration standards within the context of an overall secure enterprise network, wired and/or wireless Vodcast. And, in addition to their applicability to enterprise and small-office security and audit programs, the topics covered in this seminar will help you prepare for some certification examinations, such as the CISA and CISM Certified Information Auditor and Manager, respectively.

 

BONUS: You will receive sample Vodcast security policies, audit checklists, source lists of additional information and tools, and the MIS Remote Access to Vodcast Security Toolkit, a Vodcast containing an extensive collection of software tools and references.

 

Prerequisites: None

 


 

 

 Video Pod (VOD) Cast IT IS Audit Security & Training, Surveillance & Reconnaissance Process

 

 

 

Agenda

 

What you will learn

1

Video Pod (VOD) Cast the IS Audit Process

 

- risk-based auditing

 

- developing the audit strategy

 

- planning and executing the audit

 

 

2

IT Governance VODCast

 

- organization and management structure

 

- IT strategy and planning

 

- risk management practices

 

- IT governance practices

 

- international IT standards and guidelines

 

 

3

VODCast IS Operations

 

- centralized/decentralized  environments

 

- problem and incident management

 

- technical support

 

- quality assurance (QA)

 

- segregation of duties

 

 

4

VODCast Hardware Infrastructure

 

- hardware acquisition, contracts,  and inventories

 

- equipment maintenance/utilization

 

 

5

 VODCast Software Infrastructure

 

- operating systems

 

- database management system (DBMS)

 

- system software controls

 

 

6

VODCast Network Devices

 

- network interface cards

 

- wiring hubs

 

- wireless access points

 

- bridges

 

- switches

 

- routers

 

- gateways

 

- device security

 

 

7

VODCast Encryption

 

- types of encryption

 

- digital signatures and certificates

 

 

8

VODCast Business Application Systems

 

- objectives of application audits

 

- auditing the transaction life cycle

 

- auditing the business application  components

 

- planning and executing application  audits

 

 

 

 

9

VODCast System Development Life Cycle

 

- audit’s role on development  projects

 

- business risks of development  projects

 

- project governance practices

 

- traditional system development life  cycle

 

- rapid application development

 

- system testing and acceptance

 

- cutover and implementation

 

 

10

VODCast Project Management

 

- project management risks

 

- budgeting and scheduling

 

- auditing project management

 

 

11

VODCast Disaster Recovery and Business  Continuity Planning

 

- disasters and disruptive events

 

- business continuity planning steps

 

- business impact analysis (BIA)

 

- disaster recovery strategies

 

- testing the recovery plan

 

- continuity plan maintenance 

 

 

12

VODCast Disaster Recovery and Business Continuity Planning

 

- disasters and disruptive events

 

- disaster recovery and business continuity planning

 

- business impact analysis (BIA)

 

- recovery time objectives (RTO)

 

- disaster recovery strategy

 

- business continuity strategy

 

- disaster recovery sites

 

- disaster recovery teams

 

- off-site storage

 

- data backup and recovery

 

- telecommunications networks

 

- testing the recovery plan

 

- continuity plan maintenance

 

- contract requirements

 

- audit steps

 

 

13

VODCast Planning and Executing General Control Reviews

 

- risk assessment

 

- audit strategy and planning

 

- planning memo

 

- key documents needed for the audit

 

- audit programs

 

- testing controls

 

- audit work papers

 

- audit report

 

 

14

VODCast Technology Roadmap: Networks

 

- host-based environments

 

- LANs and WANs

 

- new risks

 

- unauthorized access to applications and data

 

- denial-of-service attacks

 

- in-house vs. outsourced network management

 

 

15

 VODCast Introduction to the Internet

 

- understanding Internet terms and concepts

 

- how the Internet works

 

- perimeter controls: firewalls

 

- security vulnerabilities

 

- TCP/IP security issues

 

- assessing Internet-related risk

 

 

16

VODCast Application Controls

 

- business application risks

 

- performing risk assessment

 

- principles of audit trail design

 

- business applications auditing

 

- functional approach to applications auditing

 

- the transaction and its life cycle

 

- data verification

 

- elements of computer processing

 

- data storage and retrieval

 

- output processing

 

- evaluating application and transactional risk

 

 

 

 

17

VODCast Automated Testing Tools

 

- functional testing and historical data evaluation

 

- data retrieval and analysis software

 

- audit software packages

 

- testing techniques

 

*************************************

 

Using VODCast CAATs to Improve Audit Productivity  

 

How to Use VODCast Computer-Assisted Audit Techniques to Extract and Analyze Critical System Data and Achieve SOX Compliance

18

VODCast Data Representation

 

- introduction to system concepts

 

- data format and field characteristics

 

- variable and fixed records

 

- tables: rows and columns

 

- types of files

 

- programs

 

- transactions/menus/pages

 

- processing types

 

-- on-line

 

-- batch

 

-- background

 

-- services

 

-- applets

 

- security capabilities over: fields, records, tables, files, and programs

 

 

19

 How to Assess VODCast Vulnerabilities

 

- using MBSA

 

- skill and training approaches

 

**************************************

20

How to Audit Automated VODCast Business Applications

 

A Step-by-Step Guide to Auditing How VODCast Applications Transaction Activity, Controls, and Procedures are Managed

21

Introduction to Business VODCast Systems Applications

 

- different types of automated business applications VODCast audits: SDLC, acquired systems, post implementation

 

- objectives of applications audits

 

- audit challenges in today's environment

 

- Audit's role

22

General Flow of an Application Audit

 

- the business environment

 

- the technical environment

 

- data risk assessment

 

- transactional flow

 

- test process

 

 

23

VODCast Business Process vs. Transaction

 

- defining the business VODCast process: enterprise wide and interfacing

 

- defining a VODCast transaction

 

-- transaction-based VODCast application auditing

 

-- VODCast transaction life cycle: origination, authorization, input, processing,  output, report distribution, reconciliation, error identification

 

 

24

VODCast Components of a Business Application

 

- VODCast transaction origination

 

- VODCast input

 

- VODCast processing

 

- VODCast output

 

- VODCast e-commerce transactions

 

- VODCast audit impacts

 

 

25

VODCast Data Input and Processing Models

 

- VODCast characteristics and controls

 

  -- VODCast batch input - batch processing

 

 

26

VODCast Documenting Application Controls and Procedures

 

- VODCast auditor tools

 

  -- VODCast narratives

 

  -- VODCast questionnaires

 

- VODCast diagramming

 

  -- VODCast flowcharts

 

  -- VODCast architecture and dataflow diagrams

 

 

27

VODCast Building Blocks

 

- VODCast microprocessors

 

- VODCast primary, secondary, and tertiary memory

 

- VODCast mass storage

 

- VODCast controllers

 

- VODCast network interface devices

 

 

28

Networks

 

- VODCast elements of a data communications network

 

- VODCast differentiating between LANs, WANs, and VANs

 

- VODCast bridges/routers/switches

 

- risk assessment

 

 

 

 

29

 VODCast Operating Systems: Workstation

 

- defining the operating system

 

- differences between DOS, Windows 9x, Windows NT/Windows 2000, Windows Server 2003, Unix & Mac

 

 

30

VODCast Operating Systems: Server

 

- architectures of major operating systems

 

  -- Windows NT/Windows 2000/Server 2003

 

  -- Novell NetWare

 

  -- Unix

 

- security functionality

 

  -- authentication

 

  -- authorization

 

  -- administration

 

  -- auditing

 

- maintenance

 

  -- service packs and hot fixes

 

  -- testing

 

  -- distribution

 

***********************************************************************

31

VODCast Securing and Auditing Your WiFi Networks  Hands-On  

 

Reducing the Risks in Wireless Technology

 

VODCast Wireless Network Protocols and Applications

 

- business drivers for using VODCast wireless technology

 

- understanding VODCast Personal Area Networks (PANs): Bluetooth (802.15), Infrared

 

- VODCast through the IEEE 802.11 jungle and other WLAN candidate protocols

 

- VODCast Internet cafés and other WLAN offerings for mobile users

 

- VODCast wireless technology “on the go”: cellular voice and data networks, wireless WAN technologies, Wireless Application Protocol (WAP), Wireless JAVA Messaging Service (WJMS)

 

 VODCast Operating Characteristics and Security Features of Wireless LANs (802.11)

 

- VODCast architectures for wireless LANs

 

- VODCast broadcast and reception obstacles

 

-- VODCast channel saturation

 

-- supportive VODCast WLAN configuration features contributing to better security: SSID, broadcast controls, DHCP, event-logging and alerts, management interfaces

 

-- first generation WLAN security features/issues: open vs. shared access, shared keys, WEP, MAC addresses

 

-- VODCast WLAN security enhancements: WPA, 802.11i (WPA2), certification of wireless product compliance with WPA and WPA2 specifications

 

 

32

VODCast Strategies and Tactics for Securing Wireless LANs

 

- VODCast WLAN policies and standards

 

-- VODCast enterprise/large campus applications

 

-- VODCast small/home office

 

-- VODCast Mobile users

 

 

33

VODCast Tools and Techniques for Locating Wireless Backdoors

 

- defining VODCast WLAN audit objectives

 

- building a toolkit for detecting rogue and authorized VODCast WLANs

 

- VODCast technology convergence

 

-- VODCast WLAN and VoIP

 

-- VODCast wireless PAN, WAN, and LAN

 

-- VODCast wireless interfaces on routers, switches, and other wired interconnection devices

 

********************************************

34

VODCast Auditing Application Systems Development  

 

A Step-by-Step Guide to Auditing VODCast Applications Development

35

VODCast Technical Environments and Their Impact on Applications Systems Development

 

- VODCast application systems development

 

- client/server development

 

- prototyping

 

- RAD rapid-fire development

 

- Web-based development

 

 

37

The Impact of Sarbanes-Oxley on VODCast Application Systems Development

 

- VODCast meeting new internal control and documentation requirements

 

- VODCast testing controls

 

- VODCast fraud detection measures

 

- VODCast compliance issues

 

- VODCast defining “as of” dates for compliance

 

 

38

Web-Based Applications Systems Development: Unique Challenges and Auditor Responses

 

- indexing

 

- security and privacy

 

- Internet security flaws to beware of

 

- authentication

 

- interfaces

 

- firewalls

 

 

39

VODCast Rapid Application Development: Unique Challenges and Auditor Responses

 

- VODCast converting end-user needs into software specifications

 

- VODCast user resistance to testing

 

- VODCast what you see is what you get

 

 

40

VODCast Auditing Training

 

- VODCast training technical staff

 

- VODCast vendor-provided, in-house, and online training

 

- VODCast train-the-trainer programs

 

- VODCast overcoming resistance to change

 

 

41

VODCast Post-Implementation Reviews

 

- VODCast critiquing results

 

- VODCast who and what to evaluate

 

 

42

Application Software Inventory Control

 

- software licenses

 

- contract management

 

- consolidated purchases

 

- multiple location and site compatibility

 

 

43

VODCast Auditing Project Management

 

- VODCast project manager skills

 

- VODCast project oversight and delegation of responsibilities

 

*********************************************

44

VODCast Continuous Auditing: Making the Change -

 

VODCast Control Evaluation and Monitoring

 

 What You Will Learn

 

 Vodcast Continuous Auditing (CA)

 

- Vodcast differences between continuous and traditional auditing

 

- continuous auditing vs. assurance vs. ongoing monitoring

 

 

45

Selling the Vodcast CA Process

 

- establishing a Vodcast business case

 

- identifying Vodcast champions

 

- ensuring Vodcast timing is right

 

- determining Vodcast return on investment

 

 

45

- making a business case for Vodcast continuous auditing

 

- why this is a Vodcast business issue

 

-- a Vodcast phased approach

 

-- Vodcast example areas

 

- Vodcast success factors

 

- Vodcast timing issues

 

*****************************************

46

Vodcast Internal Audit Quality Assessment Reviews 

 

How to Conduct a Vodcast Peer Review Using the IIA Standards

 

Vodcast Internal Auditing Standards Requiring Peer Reviews/Assessments

 

- the Vodcast IIA Standards (Red Book)

 

- Vodcast Government Accountability Office (Yellow Book)

 

 

46

What Is a Vodcast Peer/Quality Assessment Review?

 

- Vodcast objectives

 

- Vodcast scope

 

- the Vodcast approach

 

 

47

Vodcast Review Methodologies for Internal Auditing

 

- IIA Vodcast (Red Book)

 

- Vodcast National State Auditors Association (Yellow Book)

 

- Vodcast National Association of Local Government Auditors (Yellow Book)

 

- Vodcast President’s Council on Integrity and Efficiency (Yellow Book)

 

- Vodcast other alternative methodologies (Red and Yellow Book)

 

 

47

The New IIA Professional Practices Framework

 

- definition of internal auditing

 

- Practice Advisories

 

- Vodcast Quality Program Assessments

 

- Vodcast: Internal Assessments

 

- Vodcast: External Assessments

 

*********************************************

48

Using Vodcast Fraud Risk Assessment to Build Fraud Audit Programs  

 

Developing and Implementing Effective Vodcast Fraud Prevention Strategies

 

 

48

Vodcast Fraud Prevention Programs

 

- Vodcast need for tone at the top

 

- managing the Vodcast cost of fraud

 

- Vodcast fraud awareness program

 

- Vodcast human resources’ role

 

- Vodcast internal auditor’s role

 

 

49

Vodcast Auditing Outsourced Operations -

 

Developing a Vodcast Audit Strategy That Will Protect Your Organization's Interests

49

The Decision-Making Process: To Outsource Vodcast or Not to Outsource

 

- business drivers and benefits of  outsourcing Vodcast

 

- justifying the decision: assumptions and mechanics 

 

- Vodcast SOX considerations

 

 

50

Defining the Vodcast RFP

 

- assigning responsibility for developing the Vodcast RFP

 

- evaluating selection criteria for qualified Vodcast vendors

 

****************************************

50

Vodcast Information Technology and the Law -

 

A Plain-English Guide to Complying with Vodcast, the Law and Reducing Your Liability

 

 

51

Vodcast General Liability

 

-- Vodcast failure to adhere to "reasonable" standard of care; failure to  maintain "reasonable" level of security

 

-- Vodcast duties to employees, system users, customers, vendors, other users of the  Net, regulatory agencies

 

- Vodcast duties by contract

 

-- Vodcast vendors/suppliers

 

-- Vodcast general duty of “due care”

 

-- Vodcast duty of good faith and to protect privacy,

 

 

52

Vodcast Product Liability

 

- Vodcast duty to protect privacy

 

- Vodcast duty to protect reputation

 

- Vodcast downstream liability

 

 

52

Vodcast Trademark Law

 

- Vodcast enforcing and protecting trademarks

 

Vodcast Trade Secret

 

- defining Vodcast trade secrets

 

- Vodcast Economic Espionage

 

- duty to protect Vodcast trade secrets

 

 

53

Vodcast Electronic Workplace

 

- Vodcast monitoring employees

 

- Vodcast privacy rights

 

- Vodcast eavesdropping laws

 

- Vodcast telecommuting

 

- Vodcast intrusion detection

 

 

53

Vodcast Laws and Regulations That Impact E-Security

 

- Gramm-Leach-Bliley Act

 

- HIPAA

 

- Sarbanes-Oxley

 

- Bank Secrecy Act

 

- General Negligence Law

 

- California Data Privacy Law

 

- Know-Your-Customer Rules

 

- USA Patriot Act

 

 

 

 

54

Vodcast Computer Crimes

 

- Vodcast Computer Fraud and Abuse

 

- Vodcast computer theft

 

- Vodcast forgery and fraud

 

- Vodcast false impersonation

 

- Vodcast unlawful access

 

- Vodcast phishing, Web bots, spyware, and spam

 

- Vodcast viruses, worms, Trojan horses, and malware

 

 

 

 

55

Vodcast Computer Forensics

 

- Vodcast electronic evidence

 

- Vodcast authenticating evidence

 

 

56

 Vodcast Privacy Principles

 

- Vodcast data collection principle

 

- Vodcast informed consent

 

- Vodcast opt in vs. opt out

 

- Vodcast duty to protect

 

- Vodcast defining personal information

 

- Vodcast EU and foreign laws

 

 

 

 Vodcast Handling

 

- Vodcast retention and destruction policies

 

- Vodcast responding to law enforcement or civil demands for information

 

- enforcing Vodcast policies

 

- Vodcast training and awareness

 

 ****************************************

58

 General Controls in a Web-Based Operating Environment

 

Vodcast Web-Based Operating Environments

 

- Vodcast Web-based commerce strategies

 

- Vodcast the Internet

 

- the Vodcast master

 

- involved Vodcast departments

 

 

59

The Vodcast Web Site

 

- Vodcast site architecture

 

- Vodcast hosting strategies

 

-- Vodcast ASP

 

-- Vodcast in-house

 

-- Vodcast ISP

 

- Vodcast Web site performance

 

- Vodcast Web site security

 

- Vodcast administration

 

 

60

Tying It All Together: Vodcast Business Process Integration (BPI)

 

- Vodcast Enterprise Application Integration (EAI)

 

- Vodcast data synchronization

 

- Vodcast Web services

 

 

62

Vodcast Disaster Recovery

 

- Vodcast data reliability

 

- Vodcast Web site reliability

 

 

63

 Vodcast Emerging Technologies

 

- Vodcast VoIP

 

- Vodcast streaming

 

- Vodcast watermarks

 

- Vodcast biometrics

 

**********************************************

64

Security and Audit of Vodcast TCP/IP and Web Technology

 

Protecting and Testing the Foundation of Today's Web-Enabled World

 

Defining the Vodcast TCP/IP Protocol Stack

 

- Vodcast network address management: hard-coded IP addresses and Dynamic Host Configuration Protocol (DHCP)

 

- Vodcast Media Access Control (MAC) addresses

 

- Vodcast Domain Name System: DNS security and audit

 

- routing concepts

 

-- high-level review of routing protocols: interior and exterior routing protocols

 

-- security implications of different types of routing procedures: dynamic, static, and source routing

 

 

66

Defining the Web Environment

 

- building blocks and key control points within the web environment

 

- Web client/server software configurations: do's and don'ts

 

- common Web security threats and issues

 

- Hypertext Transfer Protocol (HTTP)

 

- key features of the Uniform Resource Locator (URL)

 

- risks associated with URL special character and code sets

 

 

67

Web Session/Transaction Security

 

- making sense of SSL, and other Web cryptographic security protocols

 

- peer-to-peer (P2P) application security

 

-- XML/P2P building blocks and security features

 

-- instant messaging

 

-- Internet file sharing services: Kazaa, eDonkey, Napster

 

-- techniques for bypassing firewalls

 

-- best practices for securing and auditing P2P applications

 

 

68

 Vodcast Security and Audit of TCP/IP Applications

 

- file transfer protocol (FTP)

 

- trivial FTP

 

- network file systems (NFS)

 

- Internet e-mail: SMTP, POP3, IMAP, and proprietary protocols

 

 ********************************************************

70

Securing and Auditing Your Vodcast Web Site

 

Security Risk Analysis and Countermeasures for Protecting Vodcast Web Servers, Browsers, and E-Commerce Transactions 

 

Web Technologies

 

- Vodcast Web communications: TCP/IP, HTTP, HTTPS

 

- Vodcast Web content: HTML, JavaScript, Java, ActiveX

 

- Vodcast server-side technologies: CGI, ASP, PHP, JSP

 

- Vodcast session cookies

 

- connecting to databases: ODBC, JDBC

 

- ASP.NET

 

- J2EE

 

- Web services

71

Web Site Architecture

 

- architectural overview

 

- relevant security policies for Web sites

 

- network security controls: firewalls, DMZs, high availability

 

- host system security

 

- Web server configuration

 

- content management

 

- content-specific access controls: Basic, SSL, authentication

 

- intrusion detection

 

 

72

Vodcast IIS Security

 

- significant Vodcast IIS exploits: directory traversal, CodeRed, Nimda, file  disclosure,

74

Vodcast WebDAV

 

- Vodcast Windows Server security: users, file systems, registry, Microsoft Baseline  Security Analyzer

 

- key security features of IIS

 

- IIS lockdown tool

 

- URLScan

 

- IIS administration tool

 

- IIS access controls

 

- application security

 

 

75

 Web Application Security

 

- why applications are insecure

 

- Web script security issues

 

- attacks on authentication systems: sessions

 

- malicious input: command injection, canonicalization attacks, SQL injection, buffer overflow

 

- controlling the application environment: process privileges,

 

- protecting data with encryption

 

 

76

 Browser Security

 

- Web browser functionality: Netscape Communicator, Microsoft Internet Explorer

 

- recent Web browser security vulnerabilities and exploits

 

- mobile code security: Java, JavaScript, ActiveX, VBScript

 

- plug-in security

 

- privacy issues: cookies, adbots, browser information transmitted in HTTP headers

 

- leveraging security configuration settings for Internet Explorer Web browsers

 

- benefits of personal firewalls and other add-on security features

 

- enterprise management of Web browser security

 

- selecting tools and services for testing the security of Web browsers

 

 

78

Web Site Audit Tools

 

- using Google to map applications

 

 

79

Summary of Vodcast Best Practices

 

- network security controls

 

- Web host install

 

- Web service configuration and maintenance

 

- content and application security

 

- transaction security

 

- browser security