This four-day event will guide you through the basics of establishing and managing an information security program in today’s business environment. This class will cover internal and external threats, effective security policies, contingency planning, legislation, regulations, employee privacy issues, awareness programs and more. You will learn about emerging security architectural issues and technologies to assist you, how they can affect computer security in your organization, and what you can do to provide a secure environment as technologies evolve.
Participants will learn the components of a comprehensive strategy, covering such critical areas as planning and managing a security program, getting the business more involved with information security, developing an enterprise security architecture, establishing identity and access control management and network perimeter protection, ensuring physical protection of your business and computing facilities, and complying with the legal and regulatory aspects of information security. The agenda will focus on risk analysis and business impact analysis (BIA) as tested methodologies for measuring the level of security risk and prioritizing information risk reduction in your organization. You are invited to bring your own information risk analysis evaluation criteria and targets, and explore how you can make best use of today’s techniques.
In addition, if you audit the security environment, this course will help you identify the essential elements that need to be developed and in place for your organization to maintain effective controls. Throughout the seminar videos, real-life scenarios and case studies will reinforce learning. You will leave this pragmatic course with a blueprint for building an effective information security program or for measuring an existing one.
This course is available on-site at your location, or offered through open enrollment 8/17/20 - 8/20/20.
Learning Objectives
- 1 Defining the Information Security Business Case, defining and delineating the attributes of an information security program, assessing threats to information security and areas of vulnerability, global legal and regulatory requirements for data protection and privacy, international requirements like SOX, Basel III and others, current concerns in information security, defining an enterprise information security architecture, changing views on Information security, impact of Cloud, Dark Data, etc, NIST, CERT, FIRST, DISA and other great resources for information security.
- 2 Security Management/Strategic Components, defining the information security department charter, organizing for success: roles and responsibilities, the security management cycle, risk assessment and management, strategic steps to security management, overall management vs. day-to-day administration, gaining management and organizational support, security policies, standards, and procedures, information classification and valuation, creating awareness programs, metrics, maturity models, and return on security investment, useful standards/guidelines for information security: ISO, IETF, COBIT, NIST FISMA, NSA DISA, OWASP, ISF, SANS.
- 3 Legislation and Standards, privacy protection laws, PCI DSS, anti-hacker legislation, emerging international security standards, common methods of identity theft, emerging law, best practice protections to prevent loss of privacy.
- 4 Creating a Strong Foundation Through Policy, examining your environment and business drivers to create effective policies, tips for quickly creating policies: printed and Internet resources, tools and techniques for examining your computing environment, case study/class exercises: developing organizational policies.
- 5 Information Risk Analysis, the risk analysis cycle and its components, identifying assets in an information risk analysis, determining asset values, how the information risk management process fits into the information protection program, integrating risk management into an enterprise-wide process, partners in the information risk management process and their specific roles, types of information risk analysis: quantitative vs. qualitative approach, software tools for performing the information risk analysis process, identifying asset categories including IT, business processes, or business functions, defining information risk analysis targets and scope, the information owner's role in the information risk analysis process, risk management, arriving at an ?acceptable level of risk?, uncovering information vulnerabilities, case studies and opportunities to assess your own risk processes.
- 6 Business Impact Analysis (BIA), business impact analysis process: components and definitions, BIA as the key to a successful data security program, partners in the business impact process and the role each one plays.
- 7 Detecting Computer Crime, Accidents and Errors, recognizing a computer crime/accident: identifying red flags, gathering and protecting evidence, creating a computer crime task force do and do not.
- 8 Physical, Hardware and Environmental Security, physical security, hardware security, media security, environmental controls in the distributed environment.
- 9 Awareness Tools, methods for selecting effective tools, techniques, and trinkets, gaining management support, video examples and cost-effective sources for awareness.
- 10 Business Continuity Planning (BCP), roles and responsibilities, defining the BCP management process, using the business impact analysis (BIA), redundancy, backup, and fault tolerance, system and organization-wide recovery, plan management and testing, levels of preparedness, testing your plan.
- 11 The Basics of Cryptography, understanding Symmetric and Asymmetric cryptography, Crypto uses to protect data, Future of Confidentiality, Integrity and Identity/Authentication controls.
- 12 The Future of Information Security in the Organization, management support, relating security to the business, nurturing the security and audit relationship, funding, staffing and know-how, keeping current, 12-point plan for success.