Information Security &
Cyber Warfare College


InfoSec Department Management Course

Overview:

The world of InfoSec rests on several well-established disciplines: (1) the unwritten daily practices of the experienced CISO in the organization; (2) the Information Security methodology described by (ISC)2 in the 10 Domains of the CISSP CBK (Common Body of Knowledge); (3) the Information Security methodology described by ISACA in the CISM certification; and (4) the Information Security framework defined by the ISO/IEC 27000 family of information security standards.

This course was designed to train InfoSec professionals in the delicate profession of managing the organization's Information Security department. It is based on real-life experience in running an InfoSec department, on the unwritten methodology experienced CISOs use to handle InfoSec, and on the well-established methodologies of (ISC)2, ISACA and NIST.

Most importantly, it incorporates the international Information Security standards of the ISO/IEC 27000 family, chiefly ISO/IEC 27001, the standard for planning, implementing and controlling the ISMS (Information Security Management System) as the framework for managing the organization's Information Security policy and controls. The course gives its students a comprehensive view of InfoSec management, including a variety of management tools such as process and project management, budget planning, human resources handling, resource control and staff training. Its focus is on InfoSec requirements and on managing the InfoSec department according to ISO/IEC 27001, with a glance at technology and a broad understanding of the necessary controls and their objectives as described by ISO/IEC 27002 (formerly ISO/IEC 17799).

The course assumes the student's prior acquaintance with InfoSec technologies, Operating Systems security management, offensive and defensive techniques, and InfoSec tools. Graduating from this course puts the student in an excellent position to become an accomplished CISO, with knowledge and understanding of the Information Security tools and requirements of the 21st century.

CISO Role & Management Book

1. CISO Role

  • History of ISO
  • “C” in Organizations
  • CISO Role
  • Challenges

2. Decision Making Under Uncertainty

  • Decision Making
  • Business Transparency
  • Working Blindfolded
  • Management POV
  • The “Road” Strategy

3. Organizational Management

  • Organizational Chart
  • The 5 Paradigms of the CISO Function
  • Information Security Matrix

4. IT Project Management (2 sessions)

  • Requirements Identification
  • Management Sponsorship
  • Project Initiation
  • Team and Resource Management
  • Budgeting
  • Project Process Management
  • Fade Out
  • Summary and Quality Assurance

5. IT Risk Management

  • ISO 27005 Framework
  • IT Risk Analysis
  • IT Risk Identification
  • IT Risk Estimation
  • IT Risk Evaluation

6. Information Security Risk Analysis

  • Asset Identification and Classification
  • Asset Management
  • Vulnerability and Threat Recognition
  • Microsoft MSAT
  • Scoping the Survey
  • Qualitative and Quantitative Risk Assessment
  • Reporting

7. Information Security Risk Management (2 sessions): Plan, Build, Run

  • Introduction to Security Operations
  • TVM Process
  • Vulnerability Assessment
  • Security Configuration Management
  • Patch Management
  • Communication and awareness
  • Penetration Testing

8. Business Continuity Management

  • Corporate Continuity
  • Corporate Crisis Management
  • Corporate Systems
  • Corporate Facilities
  • Corporate People

9. Disaster Recovery

  • Information Technology (IT)
      • Identification of Risks
      • Identification of Critical IT
      • Recovery
      • Providers
      • Network Resilience
      • IT Resilience
      • Data
      • Security
      • Site
      • Alternate Site
      • Review, Audit and Changes
      • Testing
  • Telephony
      • Recovery
      • Site
      • Testing

10. Incident Response

  • Selecting team members
  • Defining Roles, Responsibilities and Lines of Authority
  • Defining a Security Incident
  • Defining a Reportable Incident
  • Training
  • Detection
  • Classification
  • Escalation
  • Containment
  • Eradication
  • Documentation

11. Computer Crime and Forensics

  • Federal and Criminal Law
  • Computer Crime Investigation (Security case investigation)
  • Security Event Management
  • Evidence
  • Forensics
  • PC Examination Checklist

12. Measuring Security

  • Security Measurements and Metrics
  • Incident Management
  • Vulnerability Management
  • Patch Management
  • Application Security
  • Configuration Management
  • Financial Metrics
  • Future Functions

13. Organizational Security Program

  • Putting it all together
  • Management Sponsorship
  • An Outsider POV
  • From Theory to Real Life
  • Testing the Program
  • Business-Wide Implementation

14. Summary & Test