Understanding and auditing Cybersecurity: Challenges for ...aab.al/.../Understanding-and-auditing-Cybersecurity... · Understanding and auditing Cybersecurity: Challenges for auditors

Understanding and auditing Cybersecurity: Challenges for auditors and IT risk professionals

Date: 20 – 21 June 2019
Time: 09:00 – 17:00
Location: Tirana
Course director: Komitas Stepanyan, PhD, CRISC, CRMA, CobIT Cert.

Introduction

Cybersecurity has become a pressing issue for virtually all industries, so the need for businesses to understand the threat landscape and have an effective plan in place to respond to cyberattacks has grown exponentially in just the past several years. In today's interconnected and digital business environment, organizations need to think about and address the vulnerabilities introduced by insecurely architected systems. Organizations, and we as a society, are more vulnerable than ever before. The quote most often applied to cybersecurity is “It's not if, but when”.

According to the PwC Global Economic Crime Survey 2018, cybercrime, together with asset misappropriation and consumer fraud, is among the most frequently reported crimes across industries. The Cost of Cyber Crime Study, produced yearly by HP and the Ponemon Institute, states that in 2015 companies experienced 99 successful attacks (intrusions) per year, a 46 percent increase in just four years. As per Trend Micro’s report, ransomware almost doubled in the first half of 2016, with 172% growth compared to the previous year; meanwhile even the US Police have paid ransom to get their data back from cybercriminals. Their colleagues from the City of London Police say banks are obscuring the true amount of money lost to cyber-attacks, preferring to write off cyber incidents as losses. Finally, Cybersecurity Ventures predicts that cybercrime will cost $6 trillion annually by 2021.

Do we need more reasons to prioritize CYBERSECURITY in our organizations?


Course objective

The course aims to present cybersecurity risks and challenges as well as problems and solutions for understanding and auditing cybersecurity in the digital world.

After the course, participants will understand the fundamental challenges of cybersecurity; how to assess cybersecurity maturity and identify vulnerabilities; how to effectively mitigate cybersecurity risks; and what the main role and tasks of IT security professionals, internal auditors and other relevant actors are in this context.

Participants will learn how to put cybersecurity in their organisations’ business context. We will talk about threats such as ransomware as well as solutions and defenses such as inventorying organisations’ digital assets, cybersecurity frameworks, and many other tools and techniques, in order to arm them with additional knowledge of how to implement and assess controls and how they can add value in the fight against cybercrime.

Target audience

Auditors and IT professionals seeking a foundational understanding of Cybersecurity.

Content

DAY 1

1. Introduction and course agenda
2. Cybersecurity challenges
   o Digital era
   o Why does Cybersecurity matter?
   o IoTs; Social networks; Public Wifi; Cloud; BYOD; Ransomware
   o Proposed solutions
3. Cybersecurity Frameworks
   o IT/Cybersecurity Frameworks:


      o Cobit
      o NIST
      o FFIEC Cybersecurity maturity assessment tool
   o How to link Cybersecurity inherent risk to the maturity level of the organization?
   o How to use it for annual planning and audit engagement phases
   o Three lines of defense model for addressing Cybersecurity
4. Case Study – Cybersecurity Maturity Assessment

DAY 2

5. Main controls for Cyber Security
   o Firewall
   o Permission management
   o Privileged users management
6. Auditing BCP
7. Cyber resilience: Are you willing to give assurance?
8. Audit of System Hardening
   o Patch management
   o Configuration management based on Cobit
   o Configuration analysis during the audit: tools you can easily use
   o Logging: How to analyze and what to look for during log analysis?
9. Case Study (group work) – Auditing IT Governance


INSTRUCTOR BIO

The trainer for this course is Komitas Stepanyan, Deputy Head of Internal Audit, Central Bank of Armenia. He has 20 years of experience working as a network and system administrator, information security professional, internal audit consultant and cybersecurity consultant.

Komitas has conducted and led several technical assistance and capacity-building missions covering a diverse range of countries and topics, including cybersecurity risk management, cybersecurity regulation and supervision, and IT fraud examination in Africa, Asia and the Pacific for international organisations such as the World Bank and the International Monetary Fund. He chairs the cybersecurity sub-group in the Alliance for Financial Inclusion (AFI) and is currently working on the development of a Policy Framework for Cybersecurity Risk.

He is one of the key players at the Central Bank of Armenia pushing forward the IT/Cybersecurity Governance agenda. He is a trusted adviser to the board and top management on cyber security issues.

In recent years, Komitas has been actively engaged in international knowledge-sharing opportunities as a speaker and trainer, including the IIA International Conference, Anaheim, USA, 2019; the FinSAC Conference on Fintech, 2019, World Bank, Vienna; CyberCentral, Prague 2019; the 2nd Annual Excellence in Corporate IT Audit, 2017, Berlin (speaker and chairman); and many others.

Komitas has a PhD in applied physics and holds several international certificates: Certified in Risk and Information Systems Control (CRISC, issued by ISACA), Certification in Risk Management Assurance (CRMA) and the Cobit Foundation Certificate (CobitF, issued by ISACA).


IMPORTANT FINANCIAL DATA

Cost per participant: AIIA Members 340 € (VAT included); Non-members 389 € (VAT included)

Price includes course attendance, educational material, lunch and coffee breaks.

Payment* can be made by bank transfer or direct deposit using the following account info:

Account Holder: Albanian Institute of Internal Auditors
Account No.: 0010039700
Swift: SGSBALTX
IBAN: AL43 2021 1123 0000 0000 1003 9700
Raiffeisen Bank Albania

Contact us for quotes for more than two participants from the same organization or for other information: [email protected]

* Important: The transferred amount must include the entire amount as stated above. No shortfalls due to exchange fees or other administration charges may arise. The Albanian Institute of Internal Auditors has to receive the amount that is stated in your invoice.


REGISTRATION FORM

Understanding and auditing Cybersecurity: Challenges for auditors and IT risk professionals
20 – 21 June 2019, Tirana, Albania.

Full name
Position
Company name
VAT No.
Contact Tel.
Email
Address

Cancellation Policy:

Places on AIIA training courses are limited, so we operate the following cancellation and refund policy.
1. In case of cancellation of a training event by AIIA or a related partner, we will endeavour to inform all participants 10 days before the course is due to take place, although please be aware that this is not always possible. All course fees paid will be reimbursed in full, but we are unable to reimburse any other costs that may have been incurred, including flights, accommodation etc.
2. No refund will be made for:
   a. Bookings cancelled less than three weeks before the event, except in exceptional circumstances and then only at the discretion of the Albanian Institute of Internal Auditors.
   b. Non-attendance on the course.
3. For bookings cancelled three or more weeks before a course is due to start, 100% of course fees paid will be refunded to the applicant.

• I confirm all the data I provided is true and accurate.
• I confirm that I have read the training program and I agree to have such content delivered during the course.

Name, Surname, Signature
Date, location