Black Hat USA 2003

Note: if the class is overfilled, then you will be wait-listed. You will be contacted should this occur.


Black Hat USA Training 2003
Caesars Palace, Las Vegas, NV, July 28-29, 2003

All course materials, lunch and two coffee breaks will be provided. A Certificate of Completion will be offered for each student.

Course Length: 1 day

Cost: US $1900 before July 3, 2003 or US $2100 after July 3, 2003
NOTE: this is a one day course. A Certificate of Completion will be offered.


Course Description
One Day Course
Monday, July 28

Information Security Policies & The Implications For Your Business

Chris Conacher
What to bring:
Just yourself!


Information Security is about using security methodologies to identify risks within an organization and propose countermeasures to manage those risks. Though most people would agree with this statement, many do not realize that this is only part of the equation.

Firstly, unless you are lucky enough to have an unlimited budget and resources, all risk management must ultimately be decided upon by the business in relation to the actual cost of the realized risk, the cost of managing the risk and any benefit derived from managing the risk. Such decisions are usually beyond the realm of Information Security and firmly in the domain of Executive and Senior Management.

Secondly, it is rare that actions taken to improve security only affect the security of an organization. It is crucial in creating effective Information Security that the total impact of any security measure be anticipated and dealt with effectively. Failure to do so can often lead to security measures being unworkable or misunderstood to the point that they are ignored or deliberately circumvented.

These additions to the equation require all parties to understand that effective and useful security requires the support and involvement of much more than just a company's Information Security personnel.

This course aims to explore this idea as it relates to Information Security Policies. Policies are something that every employee, including the officers of the company, signs up for, and yet very few people understand what goes into the policy development process, who is making the decisions, what the basis for the decisions is and what the far-reaching implications are for the business as a whole. This is especially worrying as unworkable and unenforceable policies can do far more than just damage the security of an organization. They can leave it open to legal action, impair its competitiveness, damage employee morale and undermine the information security process as a whole. To be successful, the policy development process must be understood as something that requires the involvement of key business decision makers, of whom Information Security is only one.

This course aims to provide an understanding of the need for this multi-disciplinary involvement, an understanding of where this involvement fits into the policy development lifecycle and a methodology that provides a means of implementing this development lifecycle into your organization.

What you will learn:
Students will gain an understanding of:

  • The critical impact that Information Security Policies can have on an organization beyond those related to security
  • The roles that Executive and Senior Management must play in the creation of successful Information Security Policies
  • Basic methodologies for successful policy creation and deployment

Students will also cover many general topics in support of the core information including:

  • The positive and negative impact that Information Security Policies can have on an organization including:
    • Legal liability
    • Legal rights
    • Performance of due diligence
    • Protection of Intellectual Property
    • Business strategy/competitiveness
    • Internal and external business relationships
    • Employee culture/morale and work practices
  • The role of Information Security, Executive and Senior Management and other business personnel in policy development
  • Organizational strategies
  • Basic Information Security Policy development methodologies looking at assessment, design, implementation and monitoring

Who Should Attend?
This course is primarily intended for Executive and Senior Management who want to gain a greater understanding of how Information Security Policies can impact their organization and how they should be involved in the development and support of those policies. It will, however, be of use to anyone involved in the development of Information Security Policies within an organization.

Course Length: 1 day

Cost: US $1900 before July 3, 2003 or US $2200 after July 3, 2003
NOTE: this is a one day course. A Certificate of Completion will be offered.



Chris Conacher has over 6 years' experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus and Intel Corporation. He has also worked for the Information Risk Management consultancy practice of 'Big 5' firm KPMG LLP where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer and project manager, and has held numerous speaking engagements for internal and external clients and professional groups.
