What to bring:
It is day 1. You are charged with securing your company. You have limited resources, management that wants to see progress and a very complex problem to solve. Just where do you begin?
Whether you are starting from scratch, working within an existing framework, or investigating what an Information Security program could mean for your company, creating a comprehensive Information Security program can be a daunting task.
- How do you break down an organization into meaningful, and manageable, pieces?
- Where do you concentrate your efforts and limited resources?
- How do you drill down into the detail without leaving gaps elsewhere?
- How do you develop audits that are relevant and provide meaningful information?
- Which of the thousands of policies, guidelines, procedures, standards and controls do you actually need, and how do you get employees to accept and follow them?
- How do you decide which countermeasures are actually relevant to your needs and how do you ensure that they mesh together?
- How do you manage everything once it is implemented?
- And, perhaps most importantly, how do you get the business to support all of your efforts and keep that support for ongoing and future initiatives?
This course aims to answer these questions and many more by providing a practical, step-by-step approach to securing an entire organization.
What you will learn:
Over two days, students will gain an understanding of:
Understanding the Business
- How understanding your company will guide you in prioritizing and targeting your efforts.
- How to determine what makes your company of value and the systems and processes that allow it to realize that value.
- Other aspects of your company that should be taken into account in developing your risk analysis - e.g. legal status, business model, industry type, culture, business practices, etc.
- How to identify and use the storage and flow of information as a means of providing you with the 'scope' for your risk analysis.
- How to identify 'real' and 'virtual' perimeters.
- Understanding the differences between the 'bricks and mortar' and 'clicks and data' business worlds.
- Understanding the effects on your company's perimeter of business practices and relationships as well as information systems.
- How executive and senior management support is crucial to the success of your Information Security program.
- How to communicate to senior and executive management what you are trying to do, why you are trying to do it and what role they need to play for it to be successful.
- How to develop understanding and support within your company.
- How to maintain that support once you have it.
- How auditing forms the basis of your risk analysis.
- How to use attack maps as a way of designing relevant audits.
- How deep you need to drill when auditing specific areas.
- When and how to use other people's audits effectively.
- How to use risk analysis as the basis for the assessment, design, development and implementation of relevant countermeasures.
- Looking at how to develop policies, guidelines, procedures, standards and controls and use them to form the basis of effective countermeasures.
- Appreciating the role of different countermeasures as a means of providing defense in depth.
- Successfully implementing your countermeasures.
Monitoring and Review
- The importance of monitoring and review.
- Approaches to monitoring and review.
- How to use it as a means of measuring success and as the basis for continual improvement.
- Its importance in securing continued support.
Who Should Attend?
This course is primarily intended for Information Systems Security Professionals who want to develop an understanding of how to approach securing an entire organization. It is also aimed at providing a solid framework for your existing skills, allowing you to apply them successfully within any commercial environment.
This course would also be useful for people who want to move from an operational to a strategic security role and would like to understand the different skill sets involved, and for people who would like to know what the implications of implementing an Information Security program actually are.
ISC2 CISSP/SSCP CPE Credits
Students are eligible to receive 16 Continuing Professional Education (CPE) credits upon completion of class. Black Hat will automatically forward your information to ISC2.
Course Length: 2 days
Cost: US $1800 on or before July 1, 2005 or US $2000 after July 1, 2005
NOTE: this is a two day course. A Certificate of Completion will be offered.
Chris Conacher has over 6 years' experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus and Intel Corporation. He has also worked for the Information Risk Management consultancy practice of 'Big 5' firm KPMG LLP, where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer and project manager, and has held numerous speaking engagements with internal and external clients and professional groups.