What you'll learn:
- We have designed the course so that it simulates on-the-job training.
- This course is primarily designed for beginners/freshers in information system audit, and hence we start from the basic aspects of IS audits.
- After completing this training program, you will be able to independently handle IS audits.
- For an effective and efficient audit program, we have divided the Information System audit into a 12-step process.
We assure you that this is not a theory class. Except for this introduction, there will be no other PPTs.
We have designed the course so that it simulates on-the-job training. This course is primarily designed for beginners/freshers in information system audit, and hence we start from the basic aspects of IS audits.
We assure you that after completing this training program, you will be able to independently handle IS audits.
For an effective and efficient audit program, we have divided the Information System audit into a 12-step process. For ease of understanding, we have created a dedicated video for each step.
For each step we will guide you on the data requirements, the audit procedure, the evidence to be evaluated and how to write the audit report.
Also, you can download ready-made templates from the resource section of this course.
Step-wise Audit Program:
Step 1 is about checking the information security policy. In this step, as an auditor you need to check:
o whether the policy is available?
o whether the policy is approved by the appropriate authority?
o whether the policy is updated at periodic intervals, and other aspects of the policy?
We will discuss in detail about how to audit and validate these controls in our step 1 video.
Step 2 is about auditing the controls related to applications. In this step, as an auditor you need to check:
o whether each application is appropriately categorized?
o whether each application is owned by a dedicated owner?
o how many factors of authentication are applied?
o whether a user access review is conducted for each application at periodic intervals?
We will discuss in detail about how to audit and validate these controls in our step 2 video.
Step 3 is about auditing the controls related to databases. In this step you need to check:
o whether each database is appropriately categorized?
o whether each database is owned by a dedicated owner?
o whether the operating system is updated? The organization should not be using an end-of-life/end-of-support OS.
o whether the backup arrangement is appropriate?
We will discuss in detail how to audit and validate these controls in our step 3 video.
Step 4 is about auditing the controls related to the datacenter. You need to check:
o whether the datacenter is audited at periodic intervals?
o whether an SLA is available for an external datacenter?
o whether the secondary datacenter is at an offsite location?
Step 5 is about auditing the controls related to network devices. You need to check:
o whether each device is owned by a dedicated owner?
o whether device configurations are reviewed at periodic intervals?
Step 6 is about auditing the controls related to endpoint devices like computers, laptops, tablets, mobiles etc. You need to check:
o whether an asset inventory is maintained and kept updated?
o whether each endpoint device is owned by a dedicated owner?
o whether anti-virus is installed on all the devices?
Step 7 is about auditing the controls related to email. You need to check:
o whether SPF is enabled? Don’t worry about the technical terms. We will simplify them while discussing step 7.
o whether DMARC is enabled?
o whether attachments are scanned before downloading?
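As an added example (not part of the course or its templates), the Python below shows the kind of evidence an auditor collects for the SPF and DMARC checks above: it classifies a domain's published TXT records as PASS, WEAK or FAIL and records the reason. The TXT records are constructed samples and the DNS lookup is stubbed with a dictionary so the script runs offline; in a real audit you would pass a lookup function backed by a resolver (for example dnspython's dns.resolver.resolve(name, "TXT")) and keep the raw DNS answers as evidence.

```python
"""Offline SPF/DMARC evidence check for the step 7 email-control audit.

Added example, not course material. The records below are constructed
samples under reserved example names; replace `lookup` with a real DNS
query to audit a live domain.
"""

# Constructed sample TXT records keyed by DNS name (no real domains).
SAMPLE_TXT = {
    "good.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.good.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@good.example"],
    "weak.example": ["v=spf1 a mx ?all", "site-verification=abc123"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    "missing.example": [],
}


def check_spf(records):
    """Return (finding, detail) for the SPF record among a domain's TXT records."""
    spf = [r for r in records if r.lower().startswith("v=spf1")]
    if not spf:
        return "FAIL", "no SPF record published"
    if len(spf) > 1:
        # RFC 7208 requires exactly one SPF record; duplicates cause permerror.
        return "FAIL", "multiple SPF records published"
    terms = spf[0].split()
    terminal = terms[-1].lower() if len(terms) > 1 else ""
    if terminal in ("-all", "~all"):
        return "PASS", f"SPF present, terminal mechanism {terminal}"
    if terminal.startswith("redirect="):
        return "INFO", "SPF delegates via redirect=; audit the target record"
    # "+all", "?all" or no "all" term at all leaves unauthorized senders unrestricted.
    return "WEAK", f"SPF present but ends with '{terminal or '(none)'}', which does not restrict senders"


def check_dmarc(records):
    """Return (finding, detail) for the DMARC record found at _dmarc.<domain>."""
    dmarc = [r for r in records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return "FAIL", "no DMARC record published"
    # DMARC tags are "name=value" pairs separated by semicolons.
    tags = {}
    for part in dmarc[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "FAIL", "DMARC record lacks a valid p= policy tag"
    if policy == "none":
        return "WEAK", "DMARC in monitoring mode only (p=none)"
    if "rua" not in tags:
        return "PASS", f"DMARC p={policy}, but no rua= aggregate reporting address"
    return "PASS", f"DMARC p={policy} with aggregate reports to {tags['rua']}"


def audit_email_domain(domain, lookup=SAMPLE_TXT.get):
    """Evaluate SPF and DMARC for one domain.

    `lookup(name)` must return the list of TXT strings for a DNS name (or None).
    The default reads the constructed sample table above.
    """
    spf = check_spf(lookup(domain) or [])
    dmarc = check_dmarc(lookup("_dmarc." + domain) or [])
    return {"domain": domain, "spf": spf, "dmarc": dmarc}


if __name__ == "__main__":
    for name in ("good.example", "weak.example", "missing.example"):
        result = audit_email_domain(name)
        print(f"{result['domain']}: SPF {result['spf'][0]} ({result['spf'][1]}); "
              f"DMARC {result['dmarc'][0]} ({result['dmarc'][1]})")
```

The three sample domains produce the three outcomes an auditor typically documents: both controls enforced, both present but ineffective (a "?all" SPF and a p=none DMARC policy prove nothing to receivers), and both absent.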
Step 8 is about auditing the controls related to outsourcing. You need to check:
o whether a service level agreement is available for the outsourced services?
o whether the service provider is audited at periodic intervals?
Step 9 is about auditing the controls related to desktop security. You need to check:
o whether the operating system is updated and licensed?
o whether anti-virus is installed and its signatures are updated?
o whether the various user restrictions are implemented?
o whether the latest browsers are in use?
Step 10 is about auditing the controls related to BCP and incident management. You need to check:
o whether a Business Continuity Policy and an Incident Management Policy are available?
o whether the Business Continuity Plan is tested at periodic intervals?
Step 11 is about auditing the controls related to users. You need to check:
o whether users are trained on information security at periodic intervals?
o whether background verification is conducted for new hires?
These 11 steps cover almost all the important and critical information security requirements. As step 12, you need to review all other checkpoints required by the objective of the audit.