
Advanced IT Audit School

Date(s): May 13, 2025 - May 15, 2025
Time: 8:00AM - 4:30PM
Registration Fee: $499.00
Cancellation Date: May 08, 2025
Location: JOHN M. KEEL LEARNING CENTER
Parking Info:

Parking for SAO Professional Development courses is in Garage B (1511 San Jacinto Blvd.). The garage signage may read 1511 San Jacinto or Garage B. The elevator in Garage B is not reliable. If you are unable to walk the stairs, please contact professionaldevelopment@sao.texas.gov for alternate parking arrangements. Handicapped parking is free at the meters around the downtown area.

A course coordinator will email you a parking permit prior to the course start date. A permit must be displayed or you will be ticketed.


Course Description

This course covers the building blocks of IT audit and security, including identity and access management, web-based e-commerce application threats, vulnerabilities, and standards associated with privacy issues and intellectual property concerns. It places special emphasis on discovering best practices and standards for auditing web (HTTP) servers and application servers and enables participants to walk away with tools, techniques, and checklists for discovering and testing web and application server security.

It also covers auditing database management systems within the context of robust but practical enterprise architecture and governance models and reviews web services and service-oriented architectures, including SOAP, ReST, SOA, and ESB. Participants will also review safeguard concepts and best practices for secure mobile and wireless applications.


Potential CPE Credits: 24.0
Technical Hours: This class meets 24.0 CPE credits of technical training in compliance with Texas Admin. Code Rule 523.102.

Instruction Type: Live
Experience Level: ADVANCED
Category: Information Technology

Course Objectives

Upon completion of this course, participants will be able to:

  • Expand knowledge of IT terminology associated with complex business applications.

  • Identify key multi-tiered application building blocks and associated risks.

  • Develop methodology to locate, document, and test control points and associated security safeguards for complex applications.

  • Expand application audit tool kit knowledge with checklists, information resources, and automated tools to improve IT application audit effectiveness and efficiency.

Detailed Course Outline

Lecture format, due to the volume of content. Agenda items can be removed or deprioritized for a more interactive learning experience.

  • Identity and Access Control Management (I&ACM) Architecture

    • Fundamental Principles of Information Security

    • Making the Business Case for Information Security

    • Distributed Computing Control and Security Risks

    • Defining an Identity and Access Management (I&AM) Architecture

    • Access Control Models and Architectures

    • Security Audit Log Management in Multi-Tiered Applications

    • TCP/IP Network Application Services Security

    • Risk Analysis

    • Enterprise Directory Services

    • Client/Server and Middleware Security for Multi-Tiered Applications

    • Locating Control Points in Multi-Tiered Applications

    • Security Awareness

    • Application Security Audit

  • Web Application Architectures

    • Web Application Control Points

    • HTTP Protocol and State Management

    • Fundamentals of Cryptography

    • Secure Sockets Layer Encryption (TLS)

    • Web 2.0

    • Web Application Security Threats and Vulnerabilities

    • Audit Checklists: Encryption, Single Sign-On

    • Security and Audit Tools

  • Auditing Web (HTTP) Servers

    • Web Server/Application Security Control Points

    • Internet Web Servers – Present and Past

    • Configuring the Web Server

    • Web Server Security Features

    • Remote Authoring and Development

    • Web Application Firewalls and Intrusion Prevention Systems

    • Sources of Additional Information – Web Server Checklists

    • Security and Audit Checklists: Web Server/Application, Server Operating System

    • Security and Audit Tools

  • Secure Application Design, Testing, and Audit

    • Web Application Development Technologies

    • Active Web Page Code Security: SSI, CGI, ASP, ASP.NET

    • Mobile Code Security: Java, ActiveX, VBScript, JavaScript, AJAX, Flash

    • Common Security Vulnerabilities in Application Software

    • Common Web Application Attacks

    • Secure Application Design Security and Audit Checklist

    • Web Application Testing Tools

  • Auditing Application (Middleware) Servers

    • Application/Middleware Servers

    • Microsoft .NET Framework / ASP.NET Core

    • Jakarta EE (formerly Java Platform Enterprise Edition; documentation available at docs.oracle.com)

    • Jakarta EE Application Deployment Archives

    • Supplemental Jakarta EE Information

  • Auditing Database Management Systems

    • Managing Information

    • Program-Centric Model

    • Database Management Systems (DBMS)

    • Database Risks

    • Database Terminology

    • Hierarchical and Relational Databases

    • Database Audit Procedures

    • Database Management Systems (DBMS) Terminology

    • Structured Query Language (SQL)

    • Security Risks Associated with DBMS Systems

    • Connection and Authentication for DBMS Systems

    • User Accounts, Roles, and Privileges

    • Database Object Protection Methods: Access Control, Encryption

    • Database Audit Logging Options

    • Transaction Logs and Recoverability

    • Sample DBMS Data Collection

    • Security and Audit Checklists: DBMS

    • Sources of Security and Audit Tools

    • Bundled Stored Procedures

  • Web Services and Service Oriented Architectures (SOA)

    • Web Services Definitions and Architectures

    • SOAP Web Services Architecture, Standards and Security

    • ReST (Representational State Transfer)

    • Service Oriented Architecture (SOA)

    • Enterprise Service Bus (ESB)

    • Web Services Security and Audit Tools

  • Mobile Application Security and Audit

    • Mobility Maturity Assessment

    • Data Flow

    • Securing Data at Rest and in Motion

    • Securing Hosted Systems

    • Provider Contracts / Service Level Agreements

    • Risk Management

    • Information Security Policies, Organization and Human Resources

    • Asset Management

    • Containers and Containerization

    • Checklist for Secure Mobile and Wireless Application Best Practices

    • Surveying and Profiling Mobile Devices and Associated Risk

    • Key Control Points and Associated Risks in Remote Access and Mobile Applications

  • Laws and Standards Affecting IT Audit

    • Organizational Liabilities

    • Computer Fraud and Abuse Laws

    • Sarbanes-Oxley Act

    • Intellectual Property Laws

    • Electronic Commerce

    • General Data Protection Regulation (GDPR)

    • California Consumer Privacy Act (CCPA)

    • Computer Crime

    • Incident Response

    • Selected Standards: ISO, CIS

    • Selected US Information Security Laws: SOX, FISMA, HIPAA, State Laws, Others

  • Internet of Things

    • Definition

    • Threats, Vulnerabilities, Risks

    • Audit Checklist



Prerequisites

Network Security Essentials, Intermediate IT Audit School or equivalent experience.


Instructors

Robert Clark

Rob Clark, Jr., Chief Audit & Compliance Officer for Howard University, is a nationally recognized authority in internal audit, risk management, and compliance, with over 30 years of industry experience. He is a highly rated and engaging speaker and instructor with a gift for connecting with his audience in an impactful way. He has created numerous audit classes through ACI Learning and is a frequently requested instructor.

He joined Howard in July 2020 and has been leading the internal audit and compliance team to implement best practices. Prior to HU, he served as the Chief Audit & Compliance Officer at Clark Atlanta University. Prior to that he served as the Chief Audit Executive at Georgia Tech and the University of Nebraska, and Audit Manager at Massachusetts Institute of Technology.

He has held leadership positions as President of the Association of College and University Auditors (ACUA), and as President and now Board Member of the Institute of Internal Auditors (IIA) Atlanta Chapter. He has served as a teaching faculty member of the IIA, the College Business Management Institute (CBMI), and ACI Learning, and has been a highly sought-after speaker for dozens of organizations such as ACUA, The IIA, AGA, DCSHRM, NACUBO, EDUCAUSE, The Chronicle of Higher Education, Office of Inspectors General, SACUBO, Federal Reserve, and many others.

He holds professional designations as a Certified Internal Auditor, Certified Compliance and Ethics Professional, Certified Information Systems Auditor, and Certified Business Manager. He is a Board Member of the National Speakers Association – GA; a Certified Virtual Presenter through eSpeakers; a CTM through Toastmasters; and has performed stand-up comedy at the Punchline Comedy Club, Laughing Skull, and numerous other engagements.

Although he spent over 20 years in Georgia, he still never developed a taste for grits.
