Information Technology (IT) controls are integral to the protection of our business and personal lives. They comprise practices such as using strong passwords, encrypting laptops and backing up files. In this course you will learn about the policies, procedures and controls that entities should implement to protect corporate assets, company trade secrets, and customer and employee identity and financial information. The course takes you through a variety of controls you can implement to protect your organization’s assets, brand and image, and explains the principles behind IT General Controls (ITGC). Lastly, we discuss simple controls that can be implemented, critical monitoring that should be performed, and important training that needs to occur.
Business reliance on technology, and the risks that come with it, are reshaping how we audit and what we assess. Scoping an operational audit without drilling into the business’s technology is nearly impossible in today’s business landscape. In turn, conducting an IT audit without factoring in business processes delivers limited assurance to the board of directors and limited value to the enterprise. Every internal auditor today needs a general understanding of technology and of the vulnerabilities, threats and risks that face our enterprises each day in order to plan and execute any audit engagement effectively. We will explore critical aspects of the IT environment, including the importance of data governance and data management and the scenario-based risk assessment process commonly used by IT risk managers, and will walk through many of the most common technologies and their associated vulnerabilities, threats, risks and controls in plain business language, using common applications as examples. Several discussions built around sample documents will let attendees apply what they learn during the session. By the end of the session attendees will have a better understanding of how to plan, scope and conduct an IT General Controls audit.
- Recognize Information Technology (IT) risks
- Explore the primary types of IT Controls
- Identify IT Controls that mitigate specific risks
- Explore practices to assist with IT control implementation
ITGC Audit Templates
- ITGC System Summary
- ITGC Overview Diagram
- ITGC SOD (Segregation of duties)
- ITGC Questionnaire
- ITGC Report
Risk Management
- Risk Assessment
- Risk Treatment
- Risk Mitigation
- Threat/Vulnerability/Impact
- What is Control Testing?
Governance
- Policy
- Procedure
- Guidelines
- Standards
Change Management Business Process
- Change Authorization
- Change Approval
- Risk Control Matrix (RCM) of Change Management
- Critical/Emergency Changes and how to handle them
- SoD – Segregation of Duties
- Version Management/Source Code Management
- What are production, test and development environments, and how do they differ?
- UAT/System testing/Integrated testing
- Post Implementation Review
Identity And Access Management Business Process
- Provisioning Controls
- De-Provisioning Controls
- Privilege Controls testing
- SoD – Segregation of Duties
- Firefighter user accounts
- SSO – Single sign-on
- Password Management
- Authentication vs Authorization
- How does governance play a role?
- Enterprise Management
- Logical Access
- Remote Access Management
- Direct Database Access
- SoD – Segregation of Duties
- Access Recertification
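As an added illustration of what “control testing” looks like for the SoD, privilege-control and firefighter-account topics listed above (this is example code written for this page, not material from the course), the script below runs an SoD conflict test over a constructed ERP role extract. All user names, role IDs, the SoD rule set and the approved-exception list are constructed assumptions; a real test would use the entity’s own role-to-transaction mapping and its management-approved rule set. It also shows the edge case an auditor most often trips over: an approved exception only counts as a mitigating control while it is unexpired.

```python
"""Added example (not from the course): testing a segregation-of-duties
(SoD) control over a constructed ERP role extract.

Every user, role ID, rule and exception below is a constructed assumption
for illustration only.
"""
from datetime import date

# Constructed sample: user -> set of roles, as exported from a hypothetical ERP.
USER_ROLES = {
    "alice": {"PO_CREATE", "PO_APPROVE"},
    "bob":   {"VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RUN"},
    "carol": {"PO_CREATE"},
    "dave":  {"DEV_TRANSPORT_RELEASE", "PROD_TRANSPORT_IMPORT"},
    "erin":  {"FIREFIGHTER_ALL"},
}

# Constructed SoD rule set: (role A, role B, why holding both is a conflict).
SOD_RULES = [
    ("PO_CREATE", "PO_APPROVE", "create and approve purchase orders"),
    ("VENDOR_MASTER_MAINTAIN", "AP_PAYMENT_RUN", "maintain vendors and run payments"),
    ("DEV_TRANSPORT_RELEASE", "PROD_TRANSPORT_IMPORT",
     "develop a change and promote it to production"),
]

# Constructed management-approved exceptions: (user, role A, role B) -> expiry
# date (ISO string). An exception mitigates a conflict only while unexpired.
APPROVED_EXCEPTIONS = {
    ("alice", "PO_CREATE", "PO_APPROVE"): "2024-12-31",
}

# Constructed set of roles treated as privileged (firefighter / production import).
PRIVILEGED_ROLES = {"FIREFIGHTER_ALL", "PROD_TRANSPORT_IMPORT"}


def find_sod_conflicts(user_roles, rules, exceptions, as_of_iso):
    """Return one finding per (user, rule) where the user holds both roles.

    status is "mitigated" when an approved exception exists and has not
    expired as of `as_of_iso` (YYYY-MM-DD); otherwise "open".
    """
    as_of = date.fromisoformat(as_of_iso)
    findings = []
    for user in sorted(user_roles):
        roles = user_roles[user]
        for role_a, role_b, reason in rules:
            if role_a in roles and role_b in roles:
                expiry_iso = exceptions.get((user, role_a, role_b))
                mitigated = (expiry_iso is not None
                             and date.fromisoformat(expiry_iso) >= as_of)
                findings.append({
                    "user": user,
                    "roles": (role_a, role_b),
                    "reason": reason,
                    "status": "mitigated" if mitigated else "open",
                })
    return findings


def find_privileged_users(user_roles, privileged_roles):
    """Users holding any privileged role; each needs recertification evidence."""
    return sorted(u for u, r in user_roles.items() if r & privileged_roles)


def summarize(findings):
    """Count findings by status for the audit report."""
    counts = {"open": 0, "mitigated": 0}
    for finding in findings:
        counts[finding["status"]] += 1
    return counts


if __name__ == "__main__":
    review_date = "2025-01-31"   # review run after alice's exception has expired
    findings = find_sod_conflicts(USER_ROLES, SOD_RULES, APPROVED_EXCEPTIONS, review_date)
    for f in findings:
        print(f"{f['status']:<9} {f['user']:<6} {f['roles']}  ({f['reason']})")
    print("privileged users:", find_privileged_users(USER_ROLES, PRIVILEGED_ROLES))
    print("summary:", summarize(findings))
```

Run as-is, the review is dated after the only approved exception has expired, so all three conflicts (alice, bob, dave) are reported as open; rerun with a review date of 2024-06-30 and alice’s conflict drops to “mitigated”. The privileged-user list (dave, erin) is the population an auditor would sample for firefighter log review and access recertification evidence.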
Project Management
- Unapproved projects and the risks associated with them
- Project Charter
- SoW – Statement of Work
- Ineffective Project Planning
- Ineffective Project Monitoring
- Project plans and the risks associated with them
Physical And Environmental Security
- Site and facility design considerations
- Perimeter Security
- Internal Security
- Facilities Security
- Data Centre Security
- Unmitigated Environmental Threats
- Inappropriate Access
- Inappropriate Environmental Controls
- Access Recertification
IT Service Operations
- ITSCM – IT Service Continuity Management Objectives
- BIA – Business Impact Analysis
- IT Service Continuity Planning
- Availability Monitoring
- Backup Management
- Backup Integrity Verification
- Offsite Storage
- BCP and DR Plan
- BCP Training
- Batch jobs/job scheduler
- Handling of failed jobs
- Incident Management
- Problem Management
ERP Applications General Security Settings
- General Security Aspects
- Objectives
- CIA – Confidentiality, Integrity and Availability
- General Security Threats
- Network Security Breaches
- Handling of Electronic Media
- Security Requirements / Configurations
- Malicious Code Monitoring
- Data Classification
- Hard Copy Management
- Patch Management
IT Service Delivery
- Robust IT Service Delivery Model
- Governance
- Organization
- Operational Process
- Performance Management
- Service Delivery Model Process
- SLA – Service Level Agreements
Geetha Murugesan – Information Risk Management Consultant
Geetha is an IT governance, IT security, IT risk management and IT professional with over twenty-five years’ experience. She has provided consulting, implementation and advisory services to organizations in the banking, telecom, health care, manufacturing, government and insurance sectors while working for one of the largest Indian IT software companies. For the last seven years she has been a regular on-site trainer, delivering ISACA HQ certification exam training (CRISC and CISA) for various multinationals. She is a global volunteer with ISACA Global.
Prior to her consulting work, she spent over a decade with Tata Consultancy Services, the largest Indian software company, where she held the role of “Head IT” for several multinational clients including Shell, Coca-Cola, GE Capital and P&G, providing overall leadership in planning, developing and implementing information technology strategy aligned to the global IT strategy in a cost-effective manner.
Geetha holds the CISA, CRISC, CGEIT and CDPSE certifications. She is also an ISO 27001 Lead Auditor, ISO 22301 Lead Auditor, ISO 9000 Lead Auditor and ISO 31000 Risk Manager, holds CSA STAR certification, and is certified in COBIT 2019 Foundation and in COBIT 5 Foundation, Implementation and Assessor.
Participation Fee:
Members: Rs. 8,000 + 18% GST
Non-Members: Rs. 9,000 + 18% GST

Bank Details for NEFT:
Account No.: 10996680930
IFSC Code: SBIN0000300
Bank Name: State Bank of India
Branch Address: Mumbai Main Branch

Cheques and demand drafts should be drawn in favour of “BOMBAY CHAMBER OF COMMERCE AND INDUSTRY”.
(Batch size 20 participants only)
Contact Details:
Revati Khare, Assistant Director – Information & Communication Technology Committee
Email: international@bombaychamber.com
Tel. (D) +91 22 6120 0231; (M) +91 9892029473