(Instructor-led; 3 Days)

Transcription

1 Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days)

2 Module I. Information Security Governance A. Introduction to Information Security Governance B. Overview of Core Information Security Principles 1. Information security management 2. Developing and maintaining senior management commitment C. Security governance program initiation 1. Defining information security governance program goals 2. Defining roles and responsibilities a) Board of Directors b) Senior Management c) Steering Committee d) Chief Information Security Officer 3. Determining the Information Security Function Charter a) Strategic Alignment b) Risk Management c) Business Process Assurance d) Value Delivery e) Resource Management f) Performance Management 4. Defining Information Security Strategy a) Goals b) Objectives c) Business Purpose 1

3 5. Defining Security Objectives a) Frameworks (1) COBIT (2) Capability Maturity Model (3) BS ISO/IEC Standard (4) GAISP b) Risk Appetite / Risk Assessment / Risk Objectives D. Overview of Developing an Information Security Strategy Determining resources and constraints 1. Developing policies, standards, procedures, and guidelines 2. Integration into information security architecture 3. Developing and implementing strategically aligned controls 4. Understanding process countermeasures 5. Understanding strategy constraints E. Overview of Other Information Security Program Considerations 1. Personnel 2. Skills 3. Awareness and training 4. Audits 5. Compliance enforcement 6. Threat analysis 7. Vulnerability assessment 8. Risk assessment 9. Business Impact Assessment (1) Outsourced security providers 2

4 Module II. Risk Management A. Core Concepts of Risk Management 1. Purpose and goals 2. Implementing risk management 3. Roles and responsibilities 4. Key concepts 5. The risk management process 6. Operational risk overview B. Information Resource Evaluation 1. Business impact assessment 2. Information asset classification C. Monitoring and Reporting Risk Module III. Information Security Program Management A. Control versus Function B. Key Management Components C. Planning for Risk Management D. Developing Standards-Driven Security Baselines E. Information Technology Risks and Controls 1. Identifying Information Technology Risks a) Business Risk b) Audit/Assessment Risk c) Security Risk d) Continuity Risk e) Assessing Information Technology Risks 3

5 2. COBIT f) Threats and Vulnerabilities g) Risk Indicators and Risk Measurement a) Executive Overview b) Background c) The COBIT Framework - Setting the Scene for Implementation d) The Framework s Principles e) Summary Table - High-Level Control Objectives f) Guide to Using the Framework g) High-Level Control Objectives 3. Systems Reliability Assurance 4. Documenting Information Technology Controls a) Internal Control Narratives b) Flowcharts c) Internal Control Questionnaires 5. Monitoring Information Technology Risks and Controls Module IV. IT Deployment Risks A. Introduction B. Developing Strategic Plans 1. Professional Guidance 2. IT Function Scorecard 3. IT Security Planning COBIT Guidelines a) 11 IT Planning Processes defined by COBIT 4

6 4. IT Planning Risk Indicators C. Managing Development Projects 1. Core Principles of Project Management 2. Project Planning Lifecycles 3. Project Planning Risk Indicators D. Acquiring Software Applications 1. Software Acquisition Risks to Avoid E. Developing Software Applications 1. Conducting a Feasibility Study 2. Considering Additional Systems Development Issues 3. Software Development Risk Indicators F. Changing Software Applications 1. System/Software Change Risk Indicators G. Implementing Software Applications 1. Implementation Strategies 2. Implementation Planning 3. Other Implementation Issues 4. Implementation Risk Indicators 5

7 Module V. IT Management Risks A. Introduction B. Organizing the IT Function 1. Locating the IT Function 2. Designing the IT Function 3. IT Steering Committee 4. Organizational Policies and Procedures C. Financing the IT Function 1. Funding IT Operations 2. Acquiring IT Resources D. Staffing the IT Function 1. Hiring 2. Rewarding 3. Terminating E. Directing the IT Function 1. Administering the Workflow 2. Managing the Computing Environment 3. Handling Third-Party Services a) Third Party Services Key Issues 4. Assisting Users and Help Desk Risk Indicators F. Controlling the IT Function 1. Reviewing and Auditing Security Controls 2. Auditing Information Controls Best Practices a) Information Controls 6

8 b) Process Controls c) Database Controls d) Output Controls 3. Continuity Controls Best Practices a) Data Availability b) Disaster Recovery Controls Module VI. IT Networks and Telecommunications Risks A. Introduction B. Network and Telecommunications Technologies 1. Steps for Reviewing Network Infrastructure Security 2. Wireless Networks Risk Indicators C. IT Network and Telecommunications Systems Risks 1. Social Engineering 2. Physical Infrastructure Threats 3. Programmed Threats and Malicious Code 4. Denial of Service Attacks 5. Software Vulnerabilities D. IT Network and Telecommunications Security 1. Network Security Administration Responsibilities 2. Authentication a) Identification and Authentication b) Authorization and Accountability 3. Encryption a) Symmetric v. Asymmetric Algorithms 7

9 b) Symmetric Cryptography c) Asymmetric Cryptography (1) Encryption Flow d) Public Key Cryptography (1) Example: Using Diffie-Hellman e) Public Key Infrastructure (PKI) Hashing Algorithms f) Digital Signatures 4. Firewalls and Firewall Risk Indicators 5. Virtual Private Networks 6. Network and Telecommunications Security a) Penetration Testing 7. Secure Passwords (1) ISO 17799: Password Security Guidelines 8

10 Module VII. Information Security: Business Continuity, Disaster Recover, and Incident Response A. Incident Response, Business Continuity, and Disaster Recovery Overview B. Risk Assessment C. Business Impact Analysis 1. BIA Data collection methods 2. Critical success factors / Business process matrix 3. Key performance indicators 4. Process flows 5. Outputs and deliverables 6. Activity categorization 7. Desk review 8. Questionnaires 9. Interviews D. Managing and Internally Promoting the BIA Project 1. Workshops 2. Financial justification for Business Continuity and Information Security Management 3. Compliance and legal requirements 4. Designing an Impact Matrix E. Integrating Information Security with Business continuity and service-level agreements F. Vital Materials and Backup G. Integrating Information Security with Business Continuity Strategy Options 9

11 1. Continuous processing 2. Distributed processing 3. Alternate sites 4. Off-site storage 5. Reciprocal Agreements 6. Option Comparison H. Contractual Arrangements for Recovery Services (Outsourcing) I. Integrating Information Security with Emergency Response J. Information Security and Incident Response 1. Catching the Criminal The Basics of Computer Forensics 2. Recognizing the Signs of an Incident 3. Preparing for Incidents 4. Developing a Computer Incident Response Policy 5. The Computer Security Incident Response Team 6. The Incident Reporting Process 7. Assessment and Containment a) Recovery operations b) Damage analysis and determination c) Shutdown procedures while preserving evidence d) NIPC recommendations for victims 8. Building and Incident Response/Forensics Toolkit K. Addressing Incident Law Enforcement Considerations 1. Reporting Security Breaches to Law Enforcement 2. Information Sharing Issues in Computer Crime Investigations 10

12 3. The Role of the U.S. National Infrastructure Protection Center 4. Understanding Disclosure and Recovery L. Forensic Preparation and Preliminary Response 1. Preparing Operating Systems for Data Collection a) The significance of log files b) Centralized logging 2. Time Synchronization 3. Time Stamping 4. Identifying Network Devices 5. Collecting Data from Memory a) Selecting the right memory dump options b) Using dumpchk.exe to view the Windows memory.dmp file c) Performing memory dump on UNIX systems 6. Imaging Hard Drives 7. Evidence Collection Chain-of-Custody Procedures 11

13 Module VIII. Legal and Ethical Risks A. Introduction B. Code of Ethics C. Regulatory and Legal Issues 1. Legal Contracts a) Employment contracts b) Confidentiality agreements c) Discovery agreements D. Intellectual Property (Copyright and patent issues for the Information Security Manager) E. Information Security Compliance Issues 1. Sarbanes-Oxley Act of 2002 a) Auditing standards for Sarbanes-Oxley b) Corporate governance issues of Sections 302 and 404 (1) Sarbanes-Oxley action items 12