Computerized applications are the lifeblood of modern businesses, being both an enabler and a significant risk. Effective IT security and audit programs must ensure that these business enablers operate on a solid software infrastructure foundation to minimize risks and to improve compliance with many challenging regulatory requirements. In this highly practical, hands-on seminar, we identify the major software infrastructure building block control points used to design, operate, and secure modern distributed business applications. We also pinpoint major threats, risks and industry best practice controls associated with different distributed application configuration scenarios.
Special emphasis is placed on software security best practices and IT audit procedures for important technical and administrative controls including: security baselines, separation of duties, least privilege, identity management, logical access control, configuration management, change control, and software integrity.
To reinforce the concepts presented in the class, we guide attendees through a series of practical, repeatable hands-on IT audit and security assessment exercises targeted at each of the major software infrastructure building blocks including: operating systems (Windows Server, Unix/Linux) and associated system software, web servers (Apache, Microsoft IIS), and database management systems (Microsoft SQL Server, Oracle).
We will provide the opportunity to use a wide array of built-in/bundled, open source, and low-cost commercial software tools to ensure widespread applicability and affordability when the student goes back to the office to apply the lessons learned in real life. We will also expose the attendees to relevant network security and IT audit tools in the commercial marketplace that their organization may already own or may consider purchasing in the near future.
All exercises are documented, highlighting the security and IT audit objective(s) and evidence gathering and analysis procedures and can be easily incorporated into work programs to meet different IT audit and security assessment project requirements. Attendees will also receive valuable checklists/work programs along with copious references for supportive information and audit tools.