Day 1:
Module 1: Information Risk and Security
- The meaning of ‘Security’
- The meaning of ‘Risk’
- Measuring and prioritising business risk
- Information security as a business enabler
- Adding value to the core product
- Empowering customers
- Protecting relationships and leveraging trust
Module 2: Information Risk Management Strategy
Enterprise security architecture (ESA)
- Managing complexity
- Reference architectures
- Why strategic information risk programmes fail and how to avoid failure
- The holistic approach
The SABSA model and methodology
Developing enterprise security architectures
- The owner’s view
- The architect’s view
- The designer’s view
- The builder’s view
- The tradesman’s view
- The facilities manager’s view
- The inspector’s view
The SABSA development process
- Strategy and concept phase
- Design phase
- Implementation phase
- Operational phase management and measurement
Module 3: A Systems Approach to Information Security
The role of systems engineering
Basic systems design concepts
- The system boundary and its environment
- Sub-system decomposition
- Control systems
Security system case study
- Equities market trading system design
Advanced systems modelling techniques
- Business process analysis
- Dependency tree modelling
- Finite state machine modelling
Module 4: Aligning Information Risk Management with Business
Return on investment for information security
The need for metrics
Measurement approaches
- Scorecards
- Business drivers and traceability
- Business attributes profiling
- Setting up a metrics framework
- Maturity modelling applied to information security
- Risk Reporting
Major Case Study Workshop: This comprises a series of interview notes with seven key executives from a fictitious global financial services firm. Delegates will use these interview notes to build a Business Attributes Profile for the business requirements for information risk management and security.
Day 2:
Module 5: Managing the Information Risk Programme
Selling the benefits of information risk management to senior management
- Getting sponsorship and budget
- Building the team
- Programme planning and management
- Collecting the information you need
- Getting consensus on the conceptual security architecture
- Architecture governance, compliance and maintenance
- Long-term confidence of senior management
Module 6: Business Drivers for Information Risk Management
- Business needs for information security
- Security as a business enabler
- Digital business security
- Operational continuity and stability
- Safety-critical dependencies
- Business goals, success factors and operational risks
- Business processes and their need for security and control
- Organisation and relationships affecting business security needs
- Location and time dependence of business security needs
Module 7: Risk Assessment and Operational Risk Management
- The components of risk
- Qualitative risk assessment
- Risk appetite
- Cost-benefit analysis for risk control and residual risk
- Regulatory drivers for operational risk management
- The complexity of operational risk management
- Risk mitigation and control
- Risk-based security reviews
- Risk financing
- The risk management dashboard
Workshop: Assets at Risk. Extending the Business Attributes Profile
Delegates will use the Business Attributes Profile developed in an earlier workshop to carry out a high-level risk assessment for the case study firm.
Module 8: Security Policy Management
- The meaning of security policy
- Influencing behaviour through policies
- Structuring the content of security policy
- Policy hierarchy and architecture
- Corporate security policy
- Security policy principles
- Information classification
- System classification
- Certificate authority and registration authority policies
- Application system security policies
- Platform security policies
- Network security policies
- Other information security policies
Module 9: Security Organisation
- Roles and responsibilities
- Governance structures
- Security culture development
- Outsourcing strategies and their relation to security policy
Workshop: Developing a Security Policy
Delegates will build on the earlier workshop activity to develop an outline corporate security policy for the case study firm.
Module 10: Conceptual Security Models
- Conceptual thinking
- The Business Attributes Profile
- Control Objectives
- Technical security strategies and architectural layering
- Security entity model and trust framework
- Security domain model
- Security lifetimes and deadlines
- Assessing the current state of your security architecture
Module 11: Logical Security Models and Management
- Business information model
- Security services
- Application and system security services
- Security management services
- Entity schema and privilege profiles
- Security domains and security associations
- Security processing cycle
- Security improvements programme
Day 3:
Module 12: Cryptographic Techniques and other Security Mechanisms
- Business data model and file security mechanisms
- Database security mechanisms
- Security rules, practices and procedures
- Mapping security mechanisms to security services
- Cryptographic mechanisms and their uses
- Encryption
- Data integrity mechanisms
- Public key certificates
- Digital signatures mechanisms
- Authentication exchange mechanisms
- Cryptographic key management
- Cryptographic services architecture
- Strength of cryptographic mechanisms
- Future of cryptographic mechanisms
Module 13: Access Control and Authentication
Unique entity naming
Registration
Public key certification
Credentials certification
Directory services
- Information model
- Service naming model
- Service functional model
- Service security model
Authorisation services
Entity authentication
User authentication
Device authentication
Communication security services
- Session authentication
- Message origin authentication
- Message integrity protection
- Message replay protection
- Message content confidentiality
- Non-repudiation
- Traffic flow confidentiality
Module 14: Network Security
Network security policy
Network security concepts
Network security services
Network security mechanisms
Network security components
Module 15: Application Security
- Application security policy
- Application security concepts
- Application security services
- Application security mechanisms
- Application security components
Module 16: Assurance Management
- Assurance of operational continuity
- Organisational security audits
- System security audits
- System assurance strategy
- Functional testing
- Penetration testing
Module 17: Security Administration and Operations
- Managing the people
- Managing physical and environmental security
- Managing IT operations and support
- Access control management
- Compliance management
- Security-specific operations
- Managed security services
- Product evaluation and selection
- Business continuity management
Case Study: Calculation of risk appetite
Case Study: Development of metrics and application to business units
Case Study: Consideration of personal risk appetite
Case Study: Review of board structures
Case Study: Development of a risk register
Case Study: Key roles in the area and a comparison to global standards