|What to bring:
It is day 1. You are charged with securing your company. You have limited resources, management that wants to see progress and a very complex problem to solve. Just where do you begin?
Whether you are starting from scratch, working within an existing framework, or investigating what an Information Security program could mean for your company, creating a comprehensive Information Security program can be a daunting task.
- How do you break down an organization into meaningful, and manageable, pieces?
- Where do you concentrate your efforts and limited resources?
- How do you drill down into the detail without leaving gaps elsewhere?
- How do you develop audits that are relevant and provide meaningful information?
- Which of the 1000's of policies, guidelines, procedures, standards and controls do you actually need and how do you get the employees to accept and follow them?
- How do you decide which countermeasures are actually relevant to your needs and how do you ensure that they mesh together?
- How do you manage everything once it is implemented?
- And, perhaps most importantly, how do you get the business to support all of your efforts and keep that support for ongoing and future initiatives?
This course aims to answer these questions and many more by providing a practical, step-by-step approach to securing an entire organization.
What you will learn:
two days students will gain an understanding of:
Understanding the Business
- How understanding your company will guide you in prioritizing and targeting your efforts.
- How to determine what makes your company of value and the systems and processes that allow it to realize that value.
- Other aspects of your company that should be taken into account in developing your risk analysis - e.g. legal status, business model, industry type, culture, business practices, etc.
- How to identify and use the storage and flow of information as a means of providing you with the 'scope' for your risk analysis.
- How to identify 'real' and 'virtual' perimeters.
- Understanding the differences between the 'bricks and mortar' and 'clicks and data' business worlds.
- Understanding the effects on your company's perimeter of business practices and relationships as well as information systems.
- How executive and senior management support is crucial to the success of your Information Security program.
- How to communicate to senior and executive management what you are trying to do, why you are trying to do it and what role they need to play for it to be successful.
- How to develop understanding and support within your company.
- How to maintain that support once you have it.
- How auditing forms the basis of your risk analysis.
- How to use attack maps as a way of designing relevant audits.
- How deep you need to drill when auditing specific areas.
- When and how to use other peoples audits effectively.
- How to use risk analysis as the basis for the assessment, design, development and implementation of relevant countermeasures.
- Looking at how to develop policies, guidelines, procedures, standards and controls and use them to form the basis of effective countermeasures.
- Appreciating the role of different countermeasures as a means of providing defense in depth.
- Successfully implementing your countermeasures.
Monitoring and Review
- The importance of monitoring and review.
- Approaches to monitoring and review.
- How to use it as a means of measuring success and as the basis for continual improvement.
- Its importance in securing continued support.
Who Should Attend?
This course is primarily intended for Information Systems Security Professionals who want to develop an understanding of how to approach securing an entire organization. It is also aimed at providing a solid framework for your existing skills, allowing you to apply them successfully within any commercial environment.
This course would also be useful for people wanting to move from an operational to a strategic security role and would like to understand the different skillsets involved and for people who would like to know what the implications of implementing an Information Security program actually are.
Note that though this course is designed for commercial entities and does not directly address Federal auditing requirements it is being presented as part of the Federal Show due to the considerable attendance by government agency security professionals in the past and the opinion they have expressed that the approaches and methodologies presented here do add value to their working context.
Chris Conacher has over 8 years experience in formal Information Security roles. This time has been spent with the Fortune 500 companies BAE Systems (formerly British Aerospace and Marconi Space Systems), BAE Systems Airbus, Intel Corporation and TransCanada Pipelines. He has also worked for the Information Risk Management consultancy practice of 'Big 5' audit firm KPMG LLP where he specialized in 'High-Tech' companies. Chris' time in Information Security has seen him working in England, France, Germany, Greece, Russia and the USA. His specialties include the development, deployment and review of corporate information security programs; the secure integration of Mergers & Acquisitions; data protection in disaster recovery planning; and information security business impact analysis. Chris has a strong understanding of the strategic business impact of information security and works to align information security to complement corporate operating models. He is also an experienced trainer, project manager and has held numerous speaking engagements to internal and external clients and professional groups.