Information Security Manager: Architecture, Planning, and Governance (Instructor-led; 3 Days)

Module I. Information Security Governance
  A. Introduction to Information Security Governance
  B. Overview of Core Information Security Principles
    1. Information security management
    2. Developing and maintaining senior management commitment
  C. Security governance program initiation
    1. Defining information security governance program goals
    2. Defining roles and responsibilities
      a) Board of Directors
      b) Senior Management
      c) Steering Committee
      d) Chief Information Security Officer
    3. Determining the Information Security Function Charter
      a) Strategic Alignment
      b) Risk Management
      c) Business Process Assurance
      d) Value Delivery
      e) Resource Management
      f) Performance Management
    4. Defining Information Security Strategy
      a) Goals
      b) Objectives
      c) Business Purpose
    5. Defining Security Objectives
      a) Frameworks
        (1) COBIT
        (2) Capability Maturity Model
        (3) BS ISO/IEC 17799 Standard
        (4) GAISP
      b) Risk Appetite / Risk Assessment / Risk Objectives
  D. Overview of Developing an Information Security Strategy
    Determining resources and constraints
    1. Developing policies, standards, procedures, and guidelines
    2. Integration into information security architecture
    3. Developing and implementing strategically aligned controls
    4. Understanding process countermeasures
    5. Understanding strategy constraints
  E. Overview of Other Information Security Program Considerations
    1. Personnel
    2. Skills
    3. Awareness and training
    4. Audits
    5. Compliance enforcement
    6. Threat analysis
    7. Vulnerability assessment
    8. Risk assessment
    9. Business Impact Assessment
      (1) Outsourced security providers

Module II. Risk Management
  A. Core Concepts of Risk Management
    1. Purpose and goals
    2. Implementing risk management
    3. Roles and responsibilities
    4. Key concepts
    5. The risk management process
    6. Operational risk overview
  B. Information Resource Evaluation
    1. Business impact assessment
    2. Information asset classification
  C. Monitoring and Reporting Risk

Module III. Information Security Program Management
  A. Control versus Function
  B. Key Management Components
  C. Planning for Risk Management
  D. Developing Standards-Driven Security Baselines
  E. Information Technology Risks and Controls
    1. Identifying Information Technology Risks
      a) Business Risk
      b) Audit/Assessment Risk
      c) Security Risk
      d) Continuity Risk
      e) Assessing Information Technology Risks
      f) Threats and Vulnerabilities
      g) Risk Indicators and Risk Measurement
    2. COBIT
      a) Executive Overview
      b) Background
      c) The COBIT Framework - Setting the Scene for Implementation
      d) The Framework's Principles
      e) Summary Table - High-Level Control Objectives
      f) Guide to Using the Framework
      g) High-Level Control Objectives
    3. Systems Reliability Assurance
    4. Documenting Information Technology Controls
      a) Internal Control Narratives
      b) Flowcharts
      c) Internal Control Questionnaires
    5. Monitoring Information Technology Risks and Controls

Module IV. IT Deployment Risks
  A. Introduction
  B. Developing Strategic Plans
    1. Professional Guidance
    2. IT Function Scorecard
    3. IT Security Planning: COBIT Guidelines
      a) 11 IT Planning Processes defined by COBIT
    4. IT Planning Risk Indicators
  C. Managing Development Projects
    1. Core Principles of Project Management
    2. Project Planning Lifecycles
    3. Project Planning Risk Indicators
  D. Acquiring Software Applications
    1. Software Acquisition Risks to Avoid
  E. Developing Software Applications
    1. Conducting a Feasibility Study
    2. Considering Additional Systems Development Issues
    3. Software Development Risk Indicators
  F. Changing Software Applications
    1. System/Software Change Risk Indicators
  G. Implementing Software Applications
    1. Implementation Strategies
    2. Implementation Planning
    3. Other Implementation Issues
    4. Implementation Risk Indicators

Module V. IT Management Risks
  A. Introduction
  B. Organizing the IT Function
    1. Locating the IT Function
    2. Designing the IT Function
    3. IT Steering Committee
    4. Organizational Policies and Procedures
  C. Financing the IT Function
    1. Funding IT Operations
    2. Acquiring IT Resources
  D. Staffing the IT Function
    1. Hiring
    2. Rewarding
    3. Terminating
  E. Directing the IT Function
    1. Administering the Workflow
    2. Managing the Computing Environment
    3. Handling Third-Party Services
      a) Third Party Services Key Issues
    4. Assisting Users and Help Desk Risk Indicators
  F. Controlling the IT Function
    1. Reviewing and Auditing Security Controls
    2. Auditing Information Controls Best Practices
      a) Information Controls
      b) Process Controls
      c) Database Controls
      d) Output Controls
    3. Continuity Controls Best Practices
      a) Data Availability
      b) Disaster Recovery Controls

Module VI. IT Networks and Telecommunications Risks
  A. Introduction
  B. Network and Telecommunications Technologies
    1. Steps for Reviewing Network Infrastructure Security
    2. Wireless Networks Risk Indicators
  C. IT Network and Telecommunications Systems Risks
    1. Social Engineering
    2. Physical Infrastructure Threats
    3. Programmed Threats and Malicious Code
    4. Denial of Service Attacks
    5. Software Vulnerabilities
  D. IT Network and Telecommunications Security
    1. Network Security Administration Responsibilities
    2. Authentication
      a) Identification and Authentication
      b) Authorization and Accountability
    3. Encryption
      a) Symmetric v. Asymmetric Algorithms
      b) Symmetric Cryptography
      c) Asymmetric Cryptography
        (1) Encryption Flow
      d) Public Key Cryptography
        (1) Example: Using Diffie-Hellman
      e) Public Key Infrastructure (PKI)
      Hashing Algorithms
      f) Digital Signatures
    4. Firewalls and Firewall Risk Indicators
    5. Virtual Private Networks
    6. Network and Telecommunications Security
      a) Penetration Testing
    7. Secure Passwords
      (1) ISO 17799: 9.5.4 Password Security Guidelines

Module VII. Information Security: Business Continuity, Disaster Recovery, and Incident Response
  A. Incident Response, Business Continuity, and Disaster Recovery Overview
  B. Risk Assessment
  C. Business Impact Analysis
    1. BIA data collection methods
    2. Critical success factors / Business process matrix
    3. Key performance indicators
    4. Process flows
    5. Outputs and deliverables
    6. Activity categorization
    7. Desk review
    8. Questionnaires
    9. Interviews
  D. Managing and Internally Promoting the BIA Project
    1. Workshops
    2. Financial justification for Business Continuity and Information Security Management
    3. Compliance and legal requirements
    4. Designing an Impact Matrix
  E. Integrating Information Security with Business Continuity and Service-Level Agreements
  F. Vital Materials and Backup
  G. Integrating Information Security with Business Continuity Strategy Options
    1. Continuous processing
    2. Distributed processing
    3. Alternate sites
    4. Off-site storage
    5. Reciprocal agreements
    6. Option comparison
  H. Contractual Arrangements for Recovery Services (Outsourcing)
  I. Integrating Information Security with Emergency Response
  J. Information Security and Incident Response
    1. Catching the Criminal: The Basics of Computer Forensics
    2. Recognizing the Signs of an Incident
    3. Preparing for Incidents
    4. Developing a Computer Incident Response Policy
    5. The Computer Security Incident Response Team
    6. The Incident Reporting Process
    7. Assessment and Containment
      a) Recovery operations
      b) Damage analysis and determination
      c) Shutdown procedures while preserving evidence
      d) NIPC recommendations for victims
    8. Building an Incident Response/Forensics Toolkit
  K. Addressing Incident Law Enforcement Considerations
    1. Reporting Security Breaches to Law Enforcement
    2. Information Sharing Issues in Computer Crime Investigations
    3. The Role of the U.S. National Infrastructure Protection Center
    4. Understanding Disclosure and Recovery
  L. Forensic Preparation and Preliminary Response
    1. Preparing Operating Systems for Data Collection
      a) The significance of log files
      b) Centralized logging
    2. Time Synchronization
    3. Time Stamping
    4. Identifying Network Devices
    5. Collecting Data from Memory
      a) Selecting the right memory dump options
      b) Using dumpchk.exe to view the Windows memory.dmp file
      c) Performing a memory dump on UNIX systems
    6. Imaging Hard Drives
    7. Evidence Collection Chain-of-Custody Procedures

Module VIII. Legal and Ethical Risks
  A. Introduction
  B. Code of Ethics
  C. Regulatory and Legal Issues
    1. Legal Contracts
      a) Employment contracts
      b) Confidentiality agreements
      c) Discovery agreements
  D. Intellectual Property (Copyright and patent issues for the Information Security Manager)
  E. Information Security Compliance Issues
    1. Sarbanes-Oxley Act of 2002
      a) Auditing standards for Sarbanes-Oxley
      b) Corporate governance issues of Sections 302 and 404
        (1) Sarbanes-Oxley action items