It is day 1. You are charged with securing your company. You have limited resources; management that wants to see progress; and a very complex problem to solve. Just where do you begin?

Whether you are starting from scratch, working within an existing framework, or investigating what an Information Security program could mean for your company, creating a comprehensive Information Security program can be a daunting task, full of complex questions.
- How do you break down an organization into meaningful, and manageable, pieces?
- Where do you concentrate your efforts and limited resources?
- How do you drill down into the detail without leaving gaps elsewhere?
- How do you develop audits that are relevant and provide meaningful information?
- Which of the thousands of policies, guidelines, procedures, standards and controls do you actually need, and how do you get the employees to accept and follow them?
- How do you decide which countermeasures are actually relevant to your needs, and how do you ensure that they mesh together?
- How do you manage everything once it is implemented?
- And, perhaps most importantly, how do you get the business to support all of your efforts and keep that support for ongoing and future initiatives?
This course aims to answer these questions and many more by providing a practical, step-by-step approach to securing an entire enterprise.
What you will learn:
Understanding the Business
Over the two days, students will gain an understanding of:
- How understanding your company will guide you in prioritizing and targeting your efforts.
- How to determine what makes your company of value, and the systems and processes that allow it to realize that value.
- Other aspects of your company that should be taken into account in developing your risk analysis, e.g. legal status, business model, industry type, culture, business practices, etc.
- How to identify and use the storage and flow of information as a means of providing you with the 'scope' for your risk analysis.
- How to identify 'real' and 'virtual' perimeters.
- Understanding the differences between the 'bricks and mortar' and 'clicks and data'
- Understanding the effects on your company's perimeter of business practices and relationships as well as information systems.
- How executive and senior management support is crucial to the success of your Information
- How to communicate to senior and executive management what you are trying to do, why you are trying to do it and what role they need to play for it to be successful.
- How to develop understanding and support within
- How to maintain that support once you have it.
- How auditing forms the basis of your risk analysis.
- How to use attack maps as a way of designing relevant audits.
- How deep you need to drill when auditing specific areas.
- When and how to use other people's audits effectively.
- How to use risk analysis as the basis for the assessment, design, development and implementation of relevant countermeasures.
- Looking at how to develop policies, guidelines, procedures, standards and controls and use them to form the basis of effective countermeasures.
- Appreciating the role of different countermeasures as a means of providing defense in depth.
- implementing your countermeasures.
Monitoring and Review
- The importance of monitoring and review.
- Approaches to monitoring and review.
- How to use it as a means of measuring success and as the basis for continual improvement.
- Its importance in securing continued support.
This course is primarily intended for Information Systems Security Professionals who want to develop an understanding of how to approach securing an entire enterprise. It is also aimed at providing a solid framework for your existing skills, allowing you to apply them successfully within any commercial environment.
This course would also be useful for people wanting to move from an operational to a strategic security role who would like to understand the different skillsets involved, and for people who would like to know what the implications of implementing an Information Security program actually are.
Length: 2 days
Cost: US $2000 before July 3, 2003 or US $2200 after July 3, 2003
NOTE: this is a two day course. A Certificate of Completion will be offered.
Chris Conacher has over 6 years' experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus and Intel Corporation. He has also worked for the Information Risk Management consultancy practice of 'Big 5' firm KPMG LLP, where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer and project manager, and has held numerous speaking engagements with internal and external clients and professional groups.