Information Security Management Systems. Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer

Similar documents
Cryptographic and Security Testing Laboratory. Deputy Laboratory Director, CST Laboratory Manager

Security Controls What Works. Southside Virginia Community College: Security Awareness

ISMS Implementation Guide

Introducing atsec information security. Helmut Kurth, Sal la Pietra and Staffan Persson

Certified Information Security Manager (CISM)

COPYRIGHTED MATERIAL. Contents. Acknowledgments Introduction

COBIT 5 Implementation Certification Course

Benchmark of controls over IT activities Report. ABC Ltd

ITIL Foundation Certification Course

(Instructor-led; 3 Days)

HKCAS Supplementary Criteria No. 8

Information Security Management Systems

ISO Laboratory Quality Management. ISO Course Descriptions.

Information Security Program CHARTER

AN OVERVIEW OF INFORMATION SECURITY STANDARDS

Enabling Compliance Requirements using ISMS Framework (ISO27001)

National Accreditation Board for Certification Bodies. Accreditation Criteria

ESKITP6034 IT Disaster Recovery Level 4 Role

ISO Information Security Management Services (Lot 4)

ESKITP6036 IT Disaster Recovery Level 5 Role

Client information note Assessment process Management systems service outline

CRISP Technologies Inc.

MANAGEMENT DEVELOPMENT COURSES

How to Lead the People in a Program Based Environment

Information security PROVIDING PERSONAL AND PROFESSIONAL DEVLOMENT FOR IT LEADERS

GCERT BALTIC JSC. Tel.: Vilnius, Lithuania GCERT BALTIC JSC. ISO certification and training

Stepping Through the Info Security Program. Jennifer Bayuk, CISA, CISM

Certified Software Quality Assurance Professional VS-1085

Governance and Management of Information Security

Information Management Advice 35: Implementing Information Security Part 1: A Step by Step Approach to your Agency Project

Hans Bos Microsoft Nederland.

Achieving Governance, Risk and Compliance Requirements with HISP Certification Course

ITIL v3 Service Manager Bridge

IA Metrics Why And How To Measure Goodness Of Information Assurance

Introducing atsec information security. Chief Executive Officer, Director of Strategy and Business Devlopment

Measuring Continuity Planning Program. Performance

EXAM PREPARATION GUIDE

The silver lining: Getting value and mitigating risk in cloud computing

Information Security Specialist Training on the Basis of ISO/IEC 27002

In the first three installments of our series on Information Security

Audit of the UNESCO Data Center. Internal Oversight Service. Contributors: Sameer Pise Prashant Sharma. IOS/AUD/2010/09 Original: English.

Certifying Information Security Management Systems

Using Information Shield publications for ISO/IEC certification

The Final Quality Gate: Software Release Readiness. Nancy Kastl, CSQA Kaslen Group, Inc. (630)

ISO Information Security Management Systems Foundation

IT Audit in the Cloud

Information Security Risk Management

State of Oregon. State of Oregon 1

ISO 9001 Quality Management System Lead Auditor Training (IRCA)

Columbus City Schools Office of Internal Audit

A Proposed Information Technology Audit Framework For Microfinance Kumasi

NSW Government Digital Information Security Policy

IT Governance, Risk and Compliance (GRC) : A Strategic Priority. Joerg Asma

Director, IT Security District Office Kern Community College District JOB DESCRIPTION

Sound Transit Internal Audit Report - No

Think like an MBA not a CISSP

How to gain and maintain ISO certification

EDUCORE ISO Expert Training

A Flexible and Comprehensive Approach to a Cloud Compliance Program

ISO/IEC Information Security Management. Securing your information assets Product Guide

IT Governance Implementation Workshop

Competency Unit: Exemplar Global SCY Security Management Systems Auditing

The Information Security Management System According ISO The Value for Services

Validating Enterprise Systems: A Practical Guide

The Value of Vulnerability Management*

State of West Virginia Office of Technology Policy: Information Security Audit Program Issued by the CTO

Introduction Auditing Internal Controls in an IT Environment SOx and the COSO Internal Controls Framework Roles and Responsibilities of IT Auditors

SECURITY. Risk & Compliance Services

Understanding Management Systems Concepts

Program Overview and 2015 Outlook

BC54: Preparing for a SAS 70 Audit

Certified Information Systems Auditor (CISA)

NATIONAL CREDIT UNION ADMINISTRATION OFFICE OF INSPECTOR GENERAL

Disaster Recovery Plan (Business Continuity) Template

NSW Government Digital Information Security Policy

INFORMATION SYSTEMS. Revised: August 2013

Are You Prepared to Successfully Pass a PCI-DSS and/or a FISMA Certification Assessment? Fiona Pattinson, SHARE: Seattle 2010

Better secure IT equipment and systems

Presentation on COBIT Education

-Blue Print- The Quality Approach towards IT Service Management

Domain 1 The Process of Auditing Information Systems

AUSTRALIAN GOVERNMENT INFORMATION MANAGEMENT OFFICE CYBER SECURITY CAPABILITY FRAMEWORK & MAPPING OF ISM ROLES

An Overview of ISO/IEC family of Information Security Management System Standards

08/10/2013. Data protection and compliance. Agenda. Data protection life cycle and goals. Introduction. Data protection overview

Information Security Measurement Roles and Responsibilities

Securing the Microsoft Cloud

Information System Audit Guide

BUSINESS PROCESS MANAGEMENT and IT. Helping Align IT with Business

IBM Internet Security Systems October FISMA Compliance A Holistic Approach to FISMA and Information Security

Project Management (PMI Based)

Creating Business Value with Effective, Pervasive Cloud Security and Cloud Enablement Services

The Future of Best Practices in IT Service Management - ITIL Version 3 Explained

Smart Open Services for European Patients Open ehealth initiative for a European large scale pilot of patient summary and electronic prescription

Governance Simplified

Microsoft s Compliance Framework for Online Services

Outsourcing and Information Security

List of courses offered by Marc Taillefer

In the launch of this series, Information Security Management

Magnolia Migration Services

Feature. Developing an Information Security and Risk Management Strategy

Transcription:

Information Security Management Systems Chief Operating Officer, Director of Strategy and Business Development, Chief Information Security Officer atsec information security, 2013

ISO/IEC 27001 and related topics Services offered by atsec - Overview Where we can help you You need information You need advice You need support You don't have an ISMS We educate you about what is an ISMS, about the world of security standards and how they can support your business We check your readiness for ISO/IEC 27001. We develop a plan for implementing an ISMS and calculate the costs. You are implementing an ISMS We train your people on how to implement an ISMS and its various components We help you developing methods and strategies for risk management, auditing, training and other strategic processes of an ISMS. We design and implement all required components of an ISMS: documents, process, technology, organization. We support you preparing for a certification and guide through the certification audits, You operate an ISMS We train your experts on internal audits and risk assessments We help you improving security know how and awareness of your staff We support you when you need to extend the scope of yours ISMS. We help you integrating the ISMS in your operational processes - and your other management systems. We coach your staff during the pilot phase. We do independent reviews and audits. We check the efficiency of your security controls atsec information security, 2013 2

ISO/IEC 27001 and related topics Services offered by atsec - Overview Information and Training Readiness Assessment and ISMS Design General Information, Introduction to the world of security standards Implementation and auditing Awareness trainings, audit preparation Readiness Assessment ISMS Design Extensions of Existing Security Management Systems ISMS Implementation Audits and Certification Policies, Methods, and Processes Risk Assessment Implementation of Security Controls Integration Into IT Management Processes Coaching ISMS operation Internal Audits Independent Audits / Dry Run Audit Certification atsec information security, 2013 3

Information and Training Subject Level Duration Information Security Standards Overview Basic 3-6 hours ISO/IEC 27001 Introduction Basic 1 day ISO/IEC 27001 Implementation Advanced 2 days Auditing Advanced 2 days IT Continuity Management / Disaster Recovery Advanced 2days Information Security Awareness Basic 2-4 hours All training can be adapted to individual requirements atsec information security, 2013 4

Information Security Standards Overview Contents Overview on standards important when designing and implementing information security controls Audience Management, Project Managers, Security Staff Required Knowledge None Recommended Length Half day / 1 Day What is a standard and why should one use it? Which standards exist? Which standard for which task? A look at particular security standards: Origin, status, development, objectives, elements Certification: benefits, procedure How to implement standards: a project plan Questions and answers atsec information security, 2013 5

ISO/IEC 27001 Introduction Contents Overview of the ISO/IEC 27001 standard Audience Management, Project Managers, Security Staff Required Knowledge None Recommended Length 1 Day What is an information security management system? What you should know about ISO/IEC 27001 Major requirements of the standard Required security controls an overview Certification: benefits, procedure How to implement ISO/IEC 27001 Questions and answers atsec information security, 2013 6

ISO/IEC 27001 Implementation Contents How to proceed when implementing an information security management system Audience Security Staff Required Knowledge Basic understanding of ISO/IEC 27001 Recommended Length 2 Days What is an information security management system? ISO/IEC 27001 Recap How to prepare a project plan Efforts and costs Major steps when implementing an ISMS Work products: required documents, processes, security organization etc. Roll out, integration in operating processes, training Certification atsec information security, 2013 7

Auditing Contents How to prepare and conduct compliance audits Audience Auditors, CISO Required Knowledge Basic understanding of ISO/IEC 27001 Recommended Length 2 Days or 5 Days to become a certified lead auditor; this training is offered by accredited partners Objectives of audits and certificates Audit plan Initiation, planning and preparation of an audit Step 1: What can/should be done before starting the audit Step 2: Desktop audit Step 3: System audit Analysis of results Reporting Next steps atsec information security, 2013 8

Information Security Awareness Contents Awareness training for people who work in an area which is governed by an ISMS Audience Staff Required Knowledge None Recommended Length 2 hours ½ Day Importance of information security objectives and goals Information Security Management - Overview Policies and regulations Personal responsibilities Question and answers NOTE: This training is usually referring to the customer s own ISMS: its policies, documentation, processes and implemented security controls. atsec information security, 2013 9

Readiness Assessment & ISMS DESIGN Subject Duration Readiness Assessment ISMS Design Extension of existing ISMS 2 days 1-3 weeks Varies All training can be adapted to individual requirements atsec information security, 2013 10

Readiness Assessment Deliverables GAP Analysis Project Plan Calculation Presentation Workshop Recommended Length 2 Days+ Survey of the status quo: documentation, processes, technology GAP analysis: which required parts of an ISMS are missing or insufficient? Project Plan: specification of required tasks and resulting deliverables Calculation: effort and other costs. What can be done by the customer? Which task require special skills? Workshop: presentation of results atsec information security, 2013 11

ISMS Design Deliverables Scope Initial Risk Assessment Recommended Length 1-3 Weeks Certification Strategy Process Improvements Integration with other management systems Review of other regulatory or legislative requirements Workshop: presentation of results atsec information security, 2013 12

Extension of ISMS Scope Deliverables GAP Analysis Project Plan Calculation Presentation Workshop Recommended Length 1 Days+ Survey of the status quo: documentation, processes, technology GAP analysis: which required parts of the extended ISMS are insufficient or need to be performed? Project Plan: specification of required tasks and resulting deliverables Calculation: effort and other costs. What can be done by the customer? Which task require special skills? Workshop: presentation of results atsec information security, 2013 13

Readiness Assessment & ISMS DESIGN Subject Duration Policies, Methods, and Processes 2 days Risk Assessment 1 Week + Implementation of Security Controls ISMS Integration Coaching ISMS operation Varies Varies Varies All durations are specific to each project atsec information security, 2013 14

Policies Method and Process Deliverables Policies, Guidelines Process descriptions and workflows Workplace descriptions Training material Recommended Length Variable Depending on the project plan: design and implementation of all required components of an ISMS, e.g. Documents like policies and guidelines Processes, roles and workplace description Methods like risk assessment methodology Concepts like training and audit plans Other topics as required atsec information security, 2013 15

Risk Assessment Content Risk Identification Vulnerability Analysis Threat Analysis Risk Assessment Risk Treatment Planning Deliverables Risk Assessment Report SOA Risk Assessment for any kind of IT system and supporting device (personnel, facilities, technical infrastructure, third party services) Risk Identification Vulnerability Analysis Threat Analysis Risk Assessment Risk Treatment Planning Based on the customer s own method and tools or on atsec s own approach. We have the method, metrics and tools. atsec information security, 2013 16

Security Controls Deliverables Specifications RFI / RFO Technical documentation Operative security controls Design of technical security controls based on current technologies and products Evaluation of products, request for information, request for offer Installation and configuration Training the operational staff Documentation atsec information security, 2013 17

ISMS Integration Content Integration analysis Deliverables Miscellaneous Survey of existing Management System(s) Processes and work flows Methods and reporting procedures Integration of ISMS processes into existing IT management, Quality management Corporate risk management Crisis/disaster management Audit, training, documentation systems atsec information security, 2013 18

Coaching IT Operations Deliverables Miscellaneous Coaching the security staff during the pilot phase of the operational ISMS Corrective actions resulting from observations from the ISMS operations Corrective actions from audits (dry run, certification audits) Supporting the installation and operation of security controls atsec information security, 2013 19

Independent / Dry-run Audit Deliverables Audit report A dry run audit is an audit which is executed under the conditions of a certification audit in order to verify the readiness for certification. Preparation, e.g., agreeing the schedule Desktop Audit: checking documents, processes, plans etc. Implementation (System) Audit Preparing the report Final workshop to discuss the results atsec information security, 2013 20

Audit Support Deliverables Audit Planning Selection of Auditor Audit Preparation Support during audit atsec does not provide certification services Selection of the certification body and the auditor Audit planning Audit Preparation Briefing the staff Collecting material like documents / records Participation in audit interviews, site visits etc. in order to support the customer s staff Handling findings from audits atsec information security, 2013 21

Corporate Certification Strategy For companies where formal certification of products is a key marketing or customer requirement, atsec assists with Determining the strategy for gaining and maintaining compliance for a variety of certifications including both product and organizational IT security Synchronizing certification and re-certification with the product release cycle Helping customers develop efficient development processes for one or more products saving money and time. atsec information security, 2013 22

Commitment to Quality atsec ensures all internal processes are certified with the leading international standards ISO 9001 for quality ensures ALL internal business processes meet recognized standards, mature and improve. covers everything from back-office processes to lessons learned ISO/IEC 27001 for information security ensures that information and IP entrusted to us stays safe at all time ISO 17025 for laboratory services ensures our formal laboratory procedures are world-class atsec information security, 2013 23

Why do business with atsec? atsec delivers results on time and at a fair price atsec provides unique synergies: Experience with many compliance schemes ISO/IEC 27001 FISMA SOX, COBIT etc atsec has global reach atsec employs experts with internationally-recognized track records atsec leads the industry contributing to development of standards advising schemes and programs about the state-of-the-art for information security atsec information security, 2013 24

Find out much more at www.atsec.com atsec s thought leadership at http://atsec-information-security.blogspot.com/ 25

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information