Information Systems Security Officer - ISSO
Common Body of Knowledge Review
CISSP™ & CISM™ Preparatory Course
Instructor-Led Course (5 days) Version 1.8 Updated January 11, 2005
Course Description:
An information systems security officer (ISSO) must be able to manage both the technical and the business issues of securing information. You must understand both of these areas in order to bridge them effectively. As the ISSO, you must be able to evaluate technical solutions and determine their business value in order to justify a decision to both the business management and the technical staff. This course gives you the technical material in a business context to help you understand the informed choices an ISSO has to make.
Prerequisites:
Participants in this course need to have an introductory level of knowledge of business processes and finances, experience with network and systems administration, a familiarity with networking protocols and operating systems, and an intermediate level of knowledge of security concepts.
Certified Professional Exams:
Although the course is not a specific certification test preparation course, it does cover the subjects which are part of a number of security professional certifications. The course includes a list of books, whitepapers, study guides and courses for each topic discussed to guide the participant to the available resources for more in-depth study.
This course will prepare you for the following professional certifications:
CISSP
The ten domains of the Certified Information Systems Security Professional Common Body of Knowledge (CBK) administered by the International Information Systems Security Certification Consortium, Inc. (ISC)2:
- Access Control Systems & Methodology
- Applications & Systems Development
- Business Continuity Planning
- Cryptography
- Law, Investigation & Ethics
- Operations Security
- Physical Security
- Security Architecture & Models
- Security Management Practices
- Telecommunications, Network & Internet Security
CISM
The five job practice areas of the Certified Information Security Manager (CISM) administered by the Information Systems Audit and Control Association (ISACA):
- Information Security Governance
- Risk Management
- Information Security Program(me) Management
- Information Security Management
- Response Management
Upon Completion:
Graduating students should gain an understanding of the breadth of the responsibilities of an information security officer and how information security interconnects with other organizations within the enterprise to provide uniform protection for its employees, information, and property.
Course Benefits & Distinctions:
To be an information systems security officer takes more than just certification. It takes an understanding of the breadth of information security and the business demands which create the need for it. This course goes beyond certification training to provide the foundation to make you a successful information systems security officer in the real world. For this reason we recommend that you attend the class at least two to three weeks before attempting certification exams. The primary objective of this course is to enable the participant to effectively apply the knowledge gained in the enterprise; the secondary objective is exam preparation, for which additional materials are provided for part-time self-study after the class.
Topics Covered
Information Security Governance
Governance is a set of responsibilities and practices exercised by the board and executive management of an enterprise with the goal of providing strategic direction, ensuring that objectives are achieved, ascertaining that risks are managed appropriately and verifying that the enterprise’s resources are used responsibly.
Governance Framework
Governance is a business process which includes the strategic alignment of security and business processes and the management of security resources so that they are cost-effective. This module examines this framework and explores how to monitor, measure and modify the processes to improve their contribution to the business.
Business Ethics
Ethics is not a black and white issue; it encompasses a spectrum of grey areas. This module discusses the professional responsibilities an information security officer has to adequately protect the information as well as his responsibilities to the organization. Topics covered include fiduciary, ethical and professional responsibility.
Legislation and Regulation
Regulations define a limit to business conduct. However, regulations vary between industries and locations. Understanding the laws and legal systems is necessary to effectively protect an organization. This module examines the different legal systems, the jurisdiction of these systems and the laws which affect information security and privacy.
Security Directives
Security directives define the foundation of a security program. They delineate the alignment with the business model and provide the basis of the security program. This module examines each of these layers:
- Philosophies
- Principles
- Policies
- Procedures
- Practices
Employee Management
Most security issues involve employees. It is critical that IT security policies and HR employee policies are consistent and cohesive. This module examines the policies and practices associated with employee hiring, monitoring, and termination.
The corporation and the employee have specific legal and ethical responsibilities to each other, both during and after the period of employment. Hiring and termination criteria, trade secrets, and noncompetition clauses are all issues that can cause serious legal problems for a corporation and its employees.
Levels of Learning
A key element of governance is education, training and awareness. This module examines the methods of providing security information throughout the organization with the proper level of detail for the appropriate individuals. It explores design choices, delivery methods and implementation options.
Risk Management
Risk management is the identification, measurement, control and minimization of losses associated with uncertain events. This is the core of information security.
Risk Management Process
This module details each step in the risk management process. Identifying and evaluating the importance of specific risks determines the appropriate response. This module looks at both the quantitative and the qualitative approach to risk management and then looks at risk management in practice.
Resource-based Risk Analysis
Resource-based risk analysis evaluates the organization’s resources and determines the security requirements for each resource. Then, based on this security requirement classification, appropriate safeguards are selected. This module details the steps in the process.
Process-based Risk Analysis
Process-based risk analysis examines business processes. All business processes are identified, their interdependencies determined and an impact analysis performed to determine the business impact of any of the processes failing. This module examines the steps in the process:
• Business Process Management
• Business Impact Assessment
• Business Continuity Planning
• Disaster Recovery Planning
• Disaster Recovery Plan Maintenance
• Disaster Recovery Testing
Risk Mitigation
Risk mitigation is the process of determining the most effective method of minimizing the likelihood of losses. This module explores the options available and the process of selecting and justifying security safeguards.
Cryptography Review
Cryptography is a crucial technology in securing information, so it is imperative that every information security officer understands how cryptography works, its applications, and the issues involved with implementing cryptographic solutions.
History of Cryptography
Although cryptography is an ancient art, it has not been universally implemented in most computer systems until recently. The history of cryptography shows the evolution of the art, the role it has played in history and how it has arrived at its current form.
Cryptographic Application
Cryptography is used to provide confidentiality, integrity and accountability for information systems. This module examines the algorithms and processes involved including cryptographic checksums and digital signatures.
Symmetric Cryptography
Symmetric cryptographic systems, or more correctly, single key systems, have been the mainstay of cryptography, providing secrecy for information. Symmetric algorithms will be explored and explained, examining their strengths and weaknesses and common applications. This module covers a number of symmetric cryptographic algorithms including DES, Triple DES (TDEA), SkipJack and AES.
Asymmetric Cryptography
New in the cryptographic landscape, asymmetric cryptography provides a method of sharing secrets without sharing keys. It enables strong authentication and non-repudiation. This module explores asymmetric key algorithms and their use in public key cryptography.
Key Management Issues
The security of cryptography is based on the security of the cryptographic keys. How these keys are managed, stored, shared and verified is equally as important as the cryptographic process itself. This module examines secure key exchange protocols, key storage and escrow, digital certificates and key infrastructures.
Cryptanalysis
Cryptanalysis is the process of breaking the cryptographic process to determine the secrets. This module examines some of the numerous linguistic and mathematical ways cryptographic implementations are compromised. Included in this module are: statistical analysis, linear cryptanalysis, differential cryptanalysis, and non-cryptographic attacks.
Protection Mechanisms
Protection mechanisms are the safeguards which protect the confidentiality, integrity or availability of the information systems. These protection mechanisms need to address the information in any form it might take (e.g. printed, spoken, digital) while it is in transit or being stored as well as the resources which process, transmit or store the information.
Availability
Availability of information and applications is a top priority with most companies. Many technologies exist to help enable high availability. However, there are many facets to availability which have to be taken into account. This module looks at formal models, architectures and implementations which provide increased data availability, computational availability, transactional availability, and infrastructure availability.
Confidentiality and Privacy
Confidentiality is the assurance that information will only be disclosed to authorized individuals. Privacy is the right that individuals have to control the release of personal information. Businesses have a requirement to manage both the confidentiality of proprietary information and the privacy of information about individuals. This module examines formal models and implementation options and the legal protection of intellectual property and privacy.
Integrity and Accuracy
The quality of information and of information systems is critical to the quality of decisions based on those resources. The quality of information is dependent on the information’s initial accuracy, the integrity of its management and the appropriateness of its use. Protection of the information’s accuracy and integrity is required throughout the information lifecycle. This protection requires protecting both the contents of the system and the environment in which they operate. This module looks at appropriate acquisition and use of information as well as formal integrity models and implementation options for all forms of information.
Security Controls
Security controls are the management, operational and technical safeguards and countermeasures which are implemented to protect the information systems.
Identification
Identification is the process of associating an identifier with a specific individual. Addressing the requirements of identification (unique, verifiable, unforgeable, transportable, usable) for an enterprise is a significant task. There are numerous issues which have to be addressed to successfully implement an enterprise identification project. This module addresses issuance, scope of use, administration, and storage of identifiers.
Authentication
Authentication is the process of accurately verifying the association of an identifier with a specific individual. The quality of authentication sets the quality of the security system. This module explores the authentication options available, their architecture and management, how well they are accepted and how they are exploited.
Access Controls
Access controls restrict the manner by which a user and a resource interact. This includes digital and physical access. This module examines network and physical access and how to implement choke points as check points to restrict access to only those authorized.
Authorization and Privilege
Authorizations determine the level of access provided to specific resources. The authorization architecture defines the relationship between users and resources. Many factors are involved in creating a secure and functional authorization system. This module examines formal models (user-based, process-based, location-based) and architectures (peer-to-peer, trusted third-party), how they are implemented, and the impact on users and management.
Assurance
Assurance is the level of confidence that a system provides that the protection mechanism and security controls will provide the appropriate level of security. Providing assurance is an ongoing process of inspection, protection, detection and reaction. This module details these processes and examines how to continuously provide the highest level of assurance.
Accountability
Activity must be tracked to determine accountability. Therefore, any method for protecting resources requires both responsibility and accountability for all of the parties involved in developing, maintaining, and using processing resources. This module includes accountability models, the collection of records and evidence, and the process of investigation and prosecution of computer crimes.
Information System Development Lifecycle
Including security early in the information system development life cycle will usually result in less expensive and more effective security than adding it to an operational system.
Initiation
The initiation phase encompasses the identification and validation of the financial opportunity of the project, the identification of significant assumptions and constraints, and the exploration of alternative solutions. In addition, the initiation phase needs to evaluate the potential risks involved in implementing the system.
Acquisition
The acquisition of off-the-shelf systems comes with its own set of security issues. There are questions to be answered about how the off-the-shelf system addresses the issues of protection mechanisms and security controls as well as how it will integrate with the existing security infrastructure. This module explores the key points in determining how well systems will integrate with enterprise security architecture.
Software Development
There are many different software development methodologies. However, they all encompass defining, designing, developing, testing, deploying and ongoing operations of the software system. This module details the process of integrating security into the software development cycle and the issues involved with developing secure software.
Implementation
Prior to actual implementation of the system, it has to have its security controls inspected and accepted. It is this process of evaluation, acceptance, certification and accreditation which is detailed in this module.
Operations Security
Operations includes the on-going management of the system and the impact the security systems have on that process.
This module examines many of those operational issues including configuration management and control and the change management process.
Disposition Phase
Unsecured disposal of information and information system components causes a great number of security incidents. This module looks at appropriate procedures for media sanitization and the proper disposal of hardware and software.