Accommodation

If required, Premier will be happy to arrange hotel accommodation.


BANK INFORMATION RISK MANAGEMENT - COURSE AGENDA

Bank Information Risk Management
Course Venue: London EC2

4 Ravey Street
London EC2A 4QP
t: +44(0)20 7729 1811
f:+44(0)20 7729 9412
information@premiercs.co.uk

Day 1:

Module 1: Information Risk and Security

  • The meaning of ‘Security’
  • The meaning of ‘Risk’
  • Measuring and prioritising business risk
  • Information security as a business enabler
  • Adding value to the core product
  • Empowering customers
  • Protecting relationships and leveraging trust

Module 2: Information Risk Management Strategy
Enterprise security architecture (ESA)

  • Managing complexity
  • Reference architectures
  • Why strategic information risk programmes fail and how to avoid failure
  • The holistic approach

The SABSA model and methodology

Developing enterprise security architectures

  • The owner’s view
  • The architect’s view
  • The designer’s view
  • The builder’s view
  • The tradesman’s view
  • The facilities manager’s view
  • The inspector’s view

The SABSA development process

  • Strategy and concept phase
  • Design phase
  • Implementation phase
  • Operational phase management and measurement

Module 3: A Systems Approach to Information Security
The role of systems engineering
Basic systems design concepts

  • The system boundaries and its environment
  • Sub-system decomposition
  • Control Systems

Security system case study

  • Equities market trading system design

Advanced systems modeling techniques

  • Business process analysis
  • Dependency tree modeling
  • Finite state machine modelling

Module 4: Aligning Information Risk Management with Business
Return on Investment for information security
The need for metrics
Measurement approaches

  • Scorecards
  • Business drivers and traceability
  • Business attributes profiling
  • Setting up a metrics framework
  • Maturity modeling applied to information security
  • Risk Reporting

Major Case Study Workshop: This comprises a series of interview notes with seven key executives from a fictitious global financial services firm. Delegates will use these interview notes to build a Business Attributes Profile for the business requirements for information risk management and security.

Day 2:
Module 5: Managing the Information Risk Programme

Selling the benefits of information risk management to senior management

  • Getting sponsorship and budget
  • Building the team
  • Programme planning and management
  • Collecting the information you need
  • Getting consensus on the conceptual security architecture
  • Architecture governance, compliance and maintenance
  • Long-term confidence of senior management

Module 6: Business Drivers for Information Risk Management

  • Business needs for information security
  • Security as a business enabler
  • Digital business security
  • Operational continuity and stability
  • Safety-critical dependencies
  • Business goals, success factors and operational risks
  • Business processes and their need for security and control
  • Organisation and relationships affecting business security needs
  • Location and time dependence of business security needs

Module 7: Risk Assessment and Operational Risk Management

  • The components of risk
  • Qualitative risk assessment
  • Risk appetite
  • Cost-benefit analysis for risk control and residual risk
  • Regulatory drivers for operational risk management
  • The complexity of operational risk management
  • Risk mitigation and control
  • Risk-based security reviews
  • Risk financing
  • The risk management dashboard

Workshop: Assets at Risk. Extending the Business Attributes Profile
Delegates will use the Business Attributes Profile developed in an earlier workshop to carry out a high-level risk assessment for the case study firm.

Module 8: Security Policy Management

  • The meaning of security policy
  • Influencing behaviour through policies
  • Structuring the content of security policy
  • Policy hierarchy and architecture
  • Corporate security policy
  • Security policy principles
  • Information classification
  • System classification
  • Certificate authority and registration authority policies
  • Application system security policies
  • Platform security policies
  • Network security policies
  • Other information security policies

Module 9: Security Organisation

  • Roles and responsibilities
  • Governance structures
  • Security culture development
  • Outsourcing strategies and their relation to security policy

Workshop: Developing a Security Policy
Delegates will build on the earlier workshop activity to develop an outline corporate security policy for the case study firm.

Module 10: Conceptual Security Models

  • Conceptual thinking
  • The Business Attributes Profile
  • Control Objectives
  • Technical security strategies and architectural layering
  • Security entity model and trust framework
  • Security domain model
  • Security lifetimes and deadlines
  • Assessing the current state of your security architecture

Module 11: Logical Security Models and Management

  • Business information model
  • Security services
  • Application and system security services
  • Security management services
  • Entity schema and privilege profiles
  • Security domains and security associations
  • Security processing cycle
  • Security improvements programme

Day 3:
Module 12: Cryptographic Techniques and other Security Mechanisms

  • Business data model and file security mechanisms
  • Database security mechanisms
  • Security rules, practices and procedures
  • Mapping security mechanisms to security services
  • Cryptographic mechanisms and their uses
  • Encryption
  • Data integrity mechanisms
  • Public key certificates
  • Digital signatures mechanisms
  • Authentication exchange mechanisms
  • Cryptographic key management
  • Cryptographic services architecture
  • Strength of cryptographic mechanisms
  • Future of cryptographic mechanisms

Module 13: Access Control and Authentication

Unique entity naming
Registration
Public key certification
Credentials certification
Directory services

  • Information model
  • Service naming model
  • Service functional model
  • Service security model

Authorisation services
Entity authentication
User authentication
Device authentication
Communication security services

  • Session authentication
  • Message origin authentication
  • Message integrity protection
  • Message replay protection
  • Message content confidentiality
  • Non-repudiation
  • Traffic flow confidentiality

Module 14: Network Security

Network security policy
Network security concepts
Network security services

  • Network domains

Network security mechanisms

  • Firewall architectures

Network security components

Module 15: Application Security

  • Application security policy
  • Application security concepts
  • Application security services
  • Application security mechanisms
  • Application security components

Module 16: Assurance Management

  • Assurance of operational continuity
  • Organisational security audits
  • System security audits
  • System assurance strategy
  • Functional testing
  • Penetration testing

Module 17: Security Administration and Operations

  • Managing the people
  • Managing physical and environmental security
  • Managing IT operations and support
  • Access control management
  • Compliance management
  • Security-specific operations
  • Managed security services
  • Product evaluation and selection
  • Business continuity management

Case Study: Calculation of risk appetite

Case Study: Development of metrics and application to business units

Case Study: Consideration of personal risk appetite

Case Study: Review of board structures

Case Study: Development of a risk register

Case Study: Key roles in the area and a comparison to global standards