
Subject: Computer Security Audit and Assurance
Code: (not given)
L,T,P,J,C: 2,0,0,4,3

Objective of the course:
- To introduce the need for audit and assurance in computer security
- To introduce computer assisted audit tools and techniques
- To describe the audit process and conduct information system audits

Expected Outcome: After successfully completing the course the student will be able to
1) Describe the need for audit and assurance for IT systems.
2) Describe and use the tools and techniques for IT system audit.
3) Understand audit reports and plan to improve IT security.
4) Describe IT security standards from ISO, NIST.

Modules (Topics, L Hrs = lecture hours, SLO = student learning outcomes)

Module 1: Foundation for IT Audit and Assurance (L Hrs: 3; SLO: 2)
Assurance Services, Need for Assurance, Characteristics of Assurance Services, Types of Assurance Services, E-Commerce and Electronic Funds Transfer, Future of electronic payment system.

Module 2: Audit Process (L Hrs: 4; SLO: 2,9)
Audit Standards, Types of Auditors and their functions - Internal Audit Function and External Auditor. Audit Plan, Developing an Audit Schedule, Audit Budget, Preliminary Review, Audit Findings, Analysis, Re-examination, Verification, Recommendations, Communication Strategy.

Module 3: Conducting Information System Audit (L Hrs: 3; SLO: 5,9)
Standards, Practices and Guidelines, Information Gathering Techniques, Vulnerability, System Security Testing, Development of Security Requirements Checklist.

Module 4: Computer Assisted Audit Tools and Techniques (L Hrs: 5; SLO: 5,9)
Auditor Productivity Tools - Data and Resource Management, Flowcharting Techniques - Flowcharting as an analysis tool, Developing Audit Data Flow Diagrams, Appropriateness of flowcharting techniques, Computer assisted tools for operational reviews, Web Analysis tools.

Module 5: Managing IT Audit (L Hrs: 4; SLO: 2,5)
Evaluating IT Audit Quality, Criteria for assessing the audit - Criteria for assessing the auditor, Best Practices in IT Audit Planning, IT Governance: Performance Measurement, Metrics and Management, Metric Reporting and Independent Assurance.

Module 6: Security and Service continuity (L Hrs: 4; SLO: 2,9)
Security Standards - ISO 27002 and National Institute of Standards and Technology, Information Security Controls - Security Architecture, Information Security Policy, Information Owner Responsibilities, Third-Party Responsibilities.

Module 7: Virtual Application Security and ERP security (L Hrs: 5; SLO: 2,9)
Intranet/Extranet Security, Identity Theft, E-Commerce Application Security as a strategic and structural problem, Planning and Control Approach to E-Commerce Security Management, Internet Security and Mobile Computing Security, ERP Data Warehouse - Data Warehouse integrity checklist, ERP - Security features of the basic component.

Module 8: Recent Trends (L Hrs: 2; SLO: 2)

Project (60 non-contact hrs; SLO: 5,9,17)
# Generally a team project [5 to 10 members]
# Concepts studied in XXXX should have been used
# Down to earth application and innovative idea should have been attempted
# Report in digital format with all drawings using a software package to be submitted. [Ex. 1. Design of a traffic light system using sequential circuits OR 2. Design of digital clock]
# Assessment on a continuous basis with a min of 3 reviews.

Projects may be given as group projects, for example on:
- ISO standard 27002
- NIST standard
- Audit for ERP system
- Firewall – MAC, Routing, Application layer
- Audit tools
- Web analysis tools
- Computer Security Act
- Compare audit reports of two different types of industry (bank, manufacturing)

Text Books
1. Information Technology Control and Audit, Fourth Edition, Sandra Senft, Frederick Gallegos, Aleksandra Davis, CRC Press, 2012.

Reference Books
1. Information System Audit and Assurance, D P Dube, V P Gulati, Tata McGraw-Hill, 2008.
2. Michael E. Whitman, Herbert J. Mattord, "Principles of Information Security", Course Technology, Delmar Cengage Learning, Fourth Edition, 2012.
3. Jennifer L. Bayuk, Jason Healey, Paul Rohmeyer and Marcus Sachs, "Cyber Security Policy Guidebook", John Wiley & Sons, Kindle Edition, 2012.

Knowledge areas that contain topics and learning outcomes covered in the course

Knowledge Area (CE knowledge unit; CS knowledge area / unit): Total Hours of Coverage
- CE:SPR1 (Public Policy); CS: IAS / Security policy and governance: 3
- CE:SPR6 (Privacy and civil liberties); CS: IAS / Fundamental concepts in security; CS: SP / Privacy and civil liberties: 4
- CE:NWK5 (Data Security and Integrity); CS: IAS / Network security: 8
- CE:NWK9 (Security issue and firewall); CS: IAS / Web security: 4
- CE:OPS6 (Security and protection); CS: IAS / Platform security: 9

Body of Knowledge coverage

KA / Knowledge Unit: CE:NWK5 Data Security and Integrity; CS: IAS Network security
Topics Covered: Assurance Services, Need for Assurance, Characteristics of Assurance Services, Types of Assurance Services
Hours: 1

KA / Knowledge Unit: CE:OPS6 Security and protection; CS: IAS Platform security
Topics Covered: Control and Audit: A Global concern, E-Commerce and Electronic Funds Transfer, Future of electronic payment system
Hours: 1

KA / Knowledge Unit: CE:SPR1 Public Policy; CS: IAS Security policy and governance
Topics Covered: Computer Fraud and Abuse Act, Computer Security Act, Electronic Communications Privacy Act.
Hours: 1

KA / Knowledge Unit: CE:SPR1 Public Policy; CS: IAS Security policy and governance
Topics Covered: Audit Standards, Types of Auditors and their functions - Internal Audit Function and External Auditor. Audit Plan, Developing an Audit Schedule, Audit Budget, Preliminary Review, Design Audit Procedures, Fieldwork and Implementing audit methodology
Hours: 2

KA / Knowledge Unit: CE:SPR6 Privacy and civil liberties; CS: IAS Fundamental concepts in security; CS: SP Privacy and civil liberties
Topics Covered: Substantive testing, Documenting Results - Audit Findings, Analysis, Re-examination, Verification, Recommendations, Communication Strategy.
Hours: 2

KA / Knowledge Unit: CE:OPS6 Security and protection; CS: IAS Platform security
Topics Covered: Conducting Information System Audit - Standards, Practices and Guidelines, Information Gathering Techniques, Vulnerability, System Security Testing, Development of Security Requirements Checklist, Conducting IS Audit for banks, Audit framework for the bank.
Hours: 3

KA / Knowledge Unit: CE:NWK5 Data Security and Integrity; CS: IAS Network security
Topics Covered: Computer Assisted Audit Tools and Techniques - Auditor Productivity Tools - Audit Planning and Tracking - Documentation and Presentations - Data and Resource Management, Flowcharting Techniques - Flowcharting as an analysis tool, Defining critical data
Hours: 2

KA / Knowledge Unit: CE:NWK5 Data Security and Integrity; CS: IAS Network security
Topics Covered: Developing Audit Data Flow Diagrams, Appropriateness of flowcharting techniques, Computer assisted tools for operational reviews, Web Analysis tools. Exploiting the TCP/IP holes.
Hours: 3

KA / Knowledge Unit: CE:OPS6 Security and protection; CS: IAS Platform security
Topics Covered: Managing IT Audit - Evaluating IT Audit Quality, IT Audit and Auditor Assessment form, Criteria for assessing the audit - Criteria for assessing the auditor, Best Practices in IT Audit Planning, IT Auditing Trends, Educating the next generation on IT Audit and Control Opportunities.
Hours: 2

KA / Knowledge Unit: CE:SPR6 Privacy and civil liberties; CS: IAS Fundamental concepts in security; CS: SP Privacy and civil liberties
Topics Covered: IT Governance: Performance Measurement, Metrics and Management, Metric Reporting, Independent Assurance, Control Framework.
Hours: 2

KA / Knowledge Unit: CE:OPS6 Security and protection; CS: IAS Platform security
Topics Covered: Security and Service continuity - Security Standards - ISO 27002 and National Institute of Standards and Technology, Information Security Controls - Security Architecture.
Hours: 3

KA / Knowledge Unit: CE:NWK5 Data Security and Integrity; CS: IAS Network security
Topics Covered: Return on Investments (ROI) in security, Information Security Policy, Information Owner Responsibilities, Third-Party Responsibilities.
Hours: 1

KA / Knowledge Unit: CE:NWK5 Data Security and Integrity; CS: IAS Network security
Topics Covered: Virtual Application Security and ERP security - Recommendation to IT Auditors, Security and IT Professionals, Intranet/Extranet Security, Identity Theft.
Hours: 1

KA / Knowledge Unit: CE:NWK9 Security issue and firewall; CS: IAS Web security
Topics Covered: E-Commerce Application Security as a strategic and structural problem, Information Security Management Systems, Planning and Control Approach to E-Commerce Security Management, Internet Security and Mobile Computing Security.
Hours: 2

KA / Knowledge Unit: CE:NWK9 Security issue and firewall; CS: IAS Web security
Topics Covered: ERP Data Warehouse - Data Warehouse integrity checklist - Example of Security and Controls in SAP
Hours: 1

KA / Knowledge Unit: CE:NWK9 Security issue and firewall; CS: IAS Web security
Topics Covered: ERP - Establishing Security and Controls in SAP, ERP - Security features of the basic component.
Hours: 1

Total hours: 28

Where does the course fit in the curriculum?

This course is a
- Program elective course.
- Suitable from 2nd semester onwards.

What is covered in the course?

Part I: This section focuses on various assurance services and policies.

Part II: This section describes various audit standards and the management of the audit process using various tools and techniques.

Part III: This section discusses developing audit data flow diagrams and flowcharting techniques.

Part IV: This section describes security and service continuity and the responsibilities of the information owner and third parties.

Part V: This section discusses virtual application security and ERP security.

What is the format of the course?

This course is designed with 2 hours of lecture every week, 60 minutes of video/reading instructional material per week and 60 non-contact hours for the project component. Generally this course should combine lectures, in-class discussion, case studies, guest lectures, mandatory off-class reading material and quizzes.

How are students assessed?


- Students are assessed on a combination of group activities, classroom discussion, projects, and continuous and final assessment tests.
- Additional weightage will be given based on their rank in developing novel application projects.
- Students can earn additional weightage based on a certificate of completion of a related MOOC course.

Session wise plan

Columns: Sl. No. | Class Hour | Lab Hour | Topic Covered | Level of mastery | Reference Book | Remarks (no lab hours or remarks are given for any session)

1. (1 class hour) Assurance Services, Need for Assurance, Characteristics of Assurance Services, Types of Assurance Services. Level: Familiarity. Reference book: 1.
2. (2 class hours) Control and Audit: A Global concern, E-Commerce and Electronic Funds Transfer, Future of electronic payment system, Computer Fraud and Abuse Act, Computer Security Act, Electronic Communications Privacy Act. Level: Familiarity. Reference book: 1.
3. (1 class hour) Audit Standards, Types of Auditors and their functions - Internal Audit Function and External Auditor. Level: Familiarity. Reference book: 1.
4. (1 class hour) Audit Plan, Developing an Audit Schedule, Audit Budget, Preliminary Review. Level: Usage. Reference books: 1,2.
5. (2 class hours) Design Audit Procedures, Fieldwork and Implementing audit methodology, Substantive testing, Documenting Results - Audit Findings, Analysis, Re-examination, Verification, Recommendations, Communication Strategy. Level: Usage. Reference books: 1,2.
6. (1 class hour) Standards, Practices and Guidelines, Information Gathering Techniques. Level: Familiarity. Reference book: (none listed).
7. (2 class hours) Vulnerability, System Security Testing, Development of Security Requirements Checklist, Conducting IS Audit for banks, Audit framework for the bank. Level: Usage. Reference book: 1.
8. (2 class hours) Auditor Productivity Tools - Audit Planning and Tracking - Documentation and Presentations - Data and Resource Management. Level: Usage. Reference book: 1.
9. (3 class hours) Flowcharting Techniques - Flowcharting as an analysis tool, Defining critical data - Developing Audit Data Flow Diagrams, Appropriateness of flowcharting techniques, Computer assisted tools for operational reviews, Web Analysis tools. Exploiting the TCP/IP holes. Level: Usage. Reference book: 1.
10. (2 class hours) Evaluating IT Audit Quality, IT Audit and Auditor Assessment form, Criteria for assessing the audit - Criteria for assessing the auditor, Best Practices in IT Audit Planning, IT Auditing Trends, Educating the next generation on IT Audit and Control Opportunities. Level: Familiarity. Reference book: 1.
11. (2 class hours) IT Governance: Performance Measurement, Metrics and Management, Metric Reporting, Independent Assurance, Control Framework. Level: Usage. Reference book: 1.
12. (2 class hours) Security Standards - ISO 27002 and National Institute of Standards and Technology, Information Security Controls - Security Architecture. Level: Familiarity. Reference book: 1.
13. (2 class hours) Return on Investments (ROI) in security, Information Security Policy, Information Owner Responsibilities, Third-Party Responsibilities. Level: Familiarity. Reference book: 1.
14. (1 class hour) Recommendation to IT Auditors, Security and IT Professionals, Intranet/Extranet Security, Identity Theft. Level: Usage. Reference book: 1.
15. (2 class hours) E-Commerce Application Security as a strategic and structural problem, Information Security Management Systems, Planning and Control Approach to E-Commerce Security Management, Internet Security and Mobile Computing Security. Level: Familiarity. Reference book: 1.
16. (2 class hours) ERP Data Warehouse - Data Warehouse integrity checklist - Example of Security and Controls in SAP, ERP - Establishing Security and Controls in SAP, ERP - Security features of the basic component. Level: Familiarity. Reference book: 1.
17. (2 class hours) Recent Trends. Level: Familiarity. Reference book: (none listed).

Total: 30 hours (2 credit hours/week, 15-week schedule)
