IMPACT SecurityCore Course Outline
Proposed length:
2 days (14 hours contact time)
Course Format:
Audience:
IT systems administrators, security administrators, database administrators, Access control (PKI) administrators, systems analysts and designers, application developers, business analysts and user representatives.
Course Objective:
This course sets a core foundation of IT security knowledge for all attendees. It is suitable for any member of the IT community from the newest member of the team to the most experienced professional. Describing the core fundamentals of information security in an interesting, relevant manner, this course describes the close alignment of information security with ever-changing business requirements and enables the attendees to effectively understand information security concepts and build them into all business processes and design.
Supporting Standards:
In order to be a credible and authoritative program, this course is based on the ISO_IEC_27002;2005, and other internationally recognized standards and practices.
Course Outline:
Module One: (Introduction to Information and Information Security)
- What is Information
- The relationship between Information and Business
- Understanding the difference business mission
- Government
- Commercial
- Not for profit
- Military
- What is the role of information in today’s economy
- Knowledge
- Intellectual Property
- Customer Service
- Future trends
- Understanding the difference business mission
- What is Information Security
- What are transactions
- What is the difference between Systems Protection and Information Security
- How to describe security (case study/discussion)
- Security metrics (measuring success and security planning)
- Making security simple
- What is Risk and how does it relate to Information Security
- How to measure risk
- What are controls
- Management
- Technical
- Physical
Module Two: (The Core Fundamentals of Information Security)
- Key Security Principles
- Need to know
- Least privilege
- Separation of Duties
- Layered Defense (defense in depth)
- Eleven Major Security Areas of ISO 27002 (introduce only)
- Security Policy
- Organizing Information Security
- Asset Management
- Human Resources Security
- Physical and Environmental Security
- Communications and Operations Management
- Access Control
- Information Systems Acquisition, Development and Maintenance
- Information Security Incident Management
- Business Continuity Management
- Compliance
Module Three: (Designing and Implementing Security)
- Defining Security Requirements
- Systems and Data Ownership
- Information Classification (case study/discussion)
- Critical versus Sensitive Systems/Information
- Policy and Oversight
- Accountability
- Information Classification (case study/discussion)
- Building Security in to Systems and Business Processes
- Security versus Productivity
- Access Controls
- Business Continuity and Resilience
- Training and Educating the Security Advocate
- Detecting and Preventing Social Engineering
- Intimidation
- Name-Dropping
- Appealing for assistance
- Technical
- Detecting and Preventing Social Engineering
Module Four: (Assurance and Compliance)
- Monitoring, Logs and Audit trails
- Incident Management
- Preventing Incidents
- Feedback and Improvement
- Reporting to Management
- Technical Countermeasures
- Effective use of tools (firewall, IDS, etc.)
- Scans and Penetration Tests
- Stopping the Hacker (case study/examples)
- Understanding why breaches happen
- Risky behavior
- Shortcuts and curious
- Risky behavior
- Simple Security Solutions
- Portable Media
- Destruction of old media
- Secure Passwords
- Asset Management
Review Questions and Discussion
- 25 review questions on core topics and examples
