© Copyright 2003-2006 Certified Tech Trainers, Inc. (www.certifiedtechtrainers.com). All rights reserved. Certified Tech Trainers and the Certified Tech Trainers logo are registered trademarks or service marks of Certified Tech Trainers, Inc. All other trademarks are trademarks of their respective owners.
Information Security Manager: Architecture, Planning, and Governance
(Instructor-led; 3 Days)
Module I.
Information Security Governance
A. Introduction to Information Security Governance
B. Overview of Core Information Security Principles
1. Information security management
2. Developing and maintaining senior management commitment
C. Security governance program initiation
1. Defining information security governance program goals
2. Defining roles and responsibilities
a) Board of Directors
b) Senior Management
c) Steering Committee
d) Chief Information Security Officer
3. Determining the Information Security Function Charter
a) Strategic Alignment
b) Risk Management
c) Business Process Assurance
d) Value Delivery
e) Resource Management
f) Performance Management
4. Defining Information Security Strategy
a) Goals
b) Objectives
5. Defining Security Objectives
a) Frameworks
(1) COBIT
(2) Capability Maturity Model
(3) BS ISO/IEC 17799 Standard
(4) GAISP
b) Risk Appetite / Risk Assessment / Risk Objectives
D. Overview of Developing an Information Security Strategy
Determining resources and constraints
1. Developing policies, standards, procedures, and guidelines
2. Integration into information security architecture
3. Developing and implementing strategically aligned controls
4. Understanding process countermeasures
5. Understanding strategy constraints
E. Overview of Other Information Security Program Considerations
1. Personnel
2. Skills
3. Awareness and training
4. Audits
5. Compliance enforcement
6. Threat analysis
7. Vulnerability assessment
8. Risk assessment
9. Business Impact Assessment
Module II.
Risk Management
A. Core Concepts of Risk Management
1. Purpose and goals
2. Implementing risk management
3. Roles and responsibilities
4. Key concepts
5. The risk management process
6. Operational risk overview
B. Information Resource Evaluation
1. Business impact assessment
2. Information asset classification
C. Monitoring and Reporting Risk
Module III.
Information Security Program Management
A. Control versus Function
B. Key Management Components
C. Planning for Risk Management
D. Developing Standards-Driven Security Baselines
E. Information Technology Risks and Controls
1. Identifying Information Technology Risks
a) Business Risk
b) Audit/Assessment Risk
c) Security Risk
d) Continuity Risk
f) Threats and Vulnerabilities
g) Risk Indicators and Risk Measurement
2. COBIT
a) Executive Overview
b) Background
c) The COBIT Framework - Setting the Scene for Implementation
d) The Framework’s Principles
e) Summary Table - High-Level Control Objectives
f) Guide to Using the Framework
g) High-Level Control Objectives
3. Systems Reliability Assurance
4. Documenting Information Technology Controls
a) Internal Control Narratives
b) Flowcharts
c) Internal Control Questionnaires
5. Monitoring Information Technology Risks and Controls
Module IV.
IT Deployment Risks
A. Introduction
B. Developing Strategic Plans
1. Professional Guidance
2. IT Function Scorecard
3. IT Security Planning COBIT Guidelines
4. IT Planning Risk Indicators
C. Managing Development Projects
1. Core Principles of Project Management
2. Project Planning Lifecycles
3. Project Planning Risk Indicators
D. Acquiring Software Applications
1. Software Acquisition Risks to Avoid
E. Developing Software Applications
1. Conducting a Feasibility Study
2. Considering Additional Systems Development Issues
3. Software Development Risk Indicators
F. Changing Software Applications
1. System/Software Change Risk Indicators
G. Implementing Software Applications
1. Implementation Strategies
2. Implementation Planning
3. Other Implementation Issues
Module V.
IT Management Risks
A. Introduction
B. Organizing the IT Function
1. Locating the IT Function
2. Designing the IT Function
3. IT Steering Committee
4. Organizational Policies and Procedures
C. Financing the IT Function
1. Funding IT Operations
2. Acquiring IT Resources
D. Staffing the IT Function
1. Hiring
2. Rewarding
3. Terminating
E. Directing the IT Function
1. Administering the Workflow
2. Managing the Computing Environment
3. Handling Third-Party Services
a) Third Party Services Key Issues
4. Assisting Users and Help Desk Risk Indicators
F. Controlling the IT Function
1. Reviewing and Auditing Security Controls
2. Auditing Information Controls Best Practices
b) Process Controls
c) Database Controls
d) Output Controls
3. Continuity Controls Best Practices
a) Data Availability
b) Disaster Recovery Controls
Module VI.
IT Networks and Telecommunications Risks
A. Introduction
B. Network and Telecommunications Technologies
1. Steps for Reviewing Network Infrastructure Security
2. Wireless Networks Risk Indicators
C. IT Network and Telecommunications Systems Risks
1. Social Engineering
2. Physical Infrastructure Threats
3. Programmed Threats and Malicious Code
4. Denial of Service Attacks
5. Software Vulnerabilities
D. IT Network and Telecommunications Security
1. Network Security Administration Responsibilities
2. Authentication
a) Identification and Authentication
b) Authorization and Accountability
3. Encryption
b) Symmetric Cryptography
c) Asymmetric Cryptography
(1) Encryption Flow
d) Public Key Cryptography
(1) Example: Using Diffie-Hellman
e) Public Key Infrastructure (PKI)
Hashing Algorithms
f) Digital Signatures
4. Firewalls and Firewall Risk Indicators
5. Virtual Private Networks
6. Network and Telecommunications Security
a) Penetration Testing
7. Secure Passwords
Module VII.
Information Security: Business Continuity, Disaster Recovery, and Incident Response
A. Incident Response, Business Continuity, and Disaster Recovery Overview
B. Risk Assessment
C. Business Impact Analysis
1. BIA Data collection methods
2. Critical success factors / Business process matrix
3. Key performance indicators
4. Process flows
5. Outputs and deliverables
6. Activity categorization
7. Desk review
8. Questionnaires
9. Interviews
D. Managing and Internally Promoting the BIA Project
1. Workshops
2. Financial justification for Business Continuity and Information Security Management
3. Compliance and legal requirements
4. Designing an Impact Matrix
E. Integrating Information Security with Business continuity and service-level agreements
F. Vital Materials and Backup
G. Integrating Information Security with Business Continuity Strategy Options
1. Continuous processing
2. Distributed processing
3. Alternate sites
4. Off-site storage
5. Reciprocal Agreements
6. Option Comparison
H. Contractual Arrangements for Recovery Services (Outsourcing)
I. Integrating Information Security with Emergency Response
J. Information Security and Incident Response
1. Catching the Criminal – The Basics of Computer Forensics
2. Recognizing the Signs of an Incident
3. Preparing for Incidents
4. Developing a Computer Incident Response Policy
5. The Computer Security Incident Response Team
6. The Incident Reporting Process
7. Assessment and Containment
a) Recovery operations
b) Damage analysis and determination
c) Shutdown procedures while preserving evidence
d) NIPC recommendations for victims
8. Building an Incident Response/Forensics Toolkit
K. Addressing Incident Law Enforcement Considerations
1. Reporting Security Breaches to Law Enforcement
3. The Role of the U.S. National Infrastructure Protection Center
4. Understanding Disclosure and Recovery
L. Forensic Preparation and Preliminary Response
1. Preparing Operating Systems for Data Collection
a) The significance of log files
b) Centralized logging
2. Time Synchronization
3. Time Stamping
4. Identifying Network Devices
5. Collecting Data from Memory
a) Selecting the right memory dump options
b) Using dumpchk.exe to view the Windows memory.dmp file
c) Performing memory dump on UNIX systems
6. Imaging Hard Drives
Module VIII.
Legal and Ethical Risks
A. Introduction
B. Code of Ethics
C. Regulatory and Legal Issues
1. Legal Contracts
a) Employment contracts
b) Confidentiality agreements
c) Discovery agreements
D. Intellectual Property (Copyright and patent issues for the Information Security Manager)
E. Information Security Compliance Issues
1. Sarbanes-Oxley Act of 2002
a) Auditing standards for Sarbanes-Oxley
b) Corporate governance issues of Sections 302 and 404