© Copyright QualityIT 2005

Quality Systems are Secure Systems

5 day IN-HOUSE WORKSHOP resulting in a cost-optimized conformance plan

Sizing and Implementing ISO/IEC 17799

in Controlled Environments

Companies understand that to trade products and provide services in the global marketplace they must prove adequate attention to information security. ISO/IEC 17799 Code of Practice for Information Security Management is the de facto worldwide standard used for this purpose. Interpreted from the British Standard, ISO/IEC 17799-2000 Code of practice for information security management and its counterpart ISO/IEC FDIS 17799 Security techniques, together these embody 186 pages of guidance covering 10 security areas that detail 163 organizational security requirements. Although the standard suggests strategies for its practical application, ultimately it is left up to the user to interpret the standard in text form, determine the scope of application, organize the information for reviewing and reference purposes and to set up the infrastructure for adoption and dissemination. Considering that the standard impacts every group, individual and activity in the enterprise, adoption of the standard can appear costly and difficult, if not overwhelming. This need not be the case. Many companies already have in place business and technology controls frameworks that may meet many of the requirements of 17799. Equivalencies can be determined that can reduce the cost and effort of 17799 implementation by as much as 78%.

ISO/IEC 17799 is the de facto worldwide standard in information security management

What organizations really need to know is how much of the standard they must apply to fully conform to 17799 guidelines. This course offers a unique approach to 17799 implementation that provides a method for determining equivalencies with the IT Governance Institute's CobiT framework, which may already fulfill some of the 17799 controls requirements. This can significantly reduce the cost and effort required for conformance—in many cases a cost savings of more than 50%. QualityIT's ISO/IEC 17799: Sizing and Implementing in Controlled Environments five-day course delivers a practical solution for sizing the effort needed to achieve complete conformance for any organization, regardless of its size, core business focus, security maturity level or technology infrastructure. It provides a complete overview of the principles embodied in ISO/IEC 17799, and teaches leadership groups how to integrate security seamlessly into the enterprise business and technology processes. Participants learn how to eliminate redundant requirements, leverage internal knowledge and skills, and plan and execute the implementation to minimize cost and disruption to staff and existing organizational processes. This course assumes a cross section of representative participants from Strategic and Tactical roles, including Executive and Senior Management, Networking and Communications, Project Management, System Acquisition & Development, Support, Quality Assurance and Risk Management (recommended one from each group). The course guides participants through the Implementation planning process and provides all the tools necessary for assessing a company's current level of conformance and determining what specific actions must be taken to provide proof of full conformance to the level acceptable for audit purposes. It supplies remediation templates as well as a comprehensive framework for monitoring changes to security infrastructure and practices that could affect conformance levels. In addition to classroom instruction, the client receives automated equivalency and conformance tools, 21 implementation planning templates, and checklists for the 57 requirements not covered by the CobiT controls framework. By the end of the course, participants have verified their current level of conformance, scoped and sized the problem, mobilized as a group and organized the action plan to quickly correct any ISO/IEC 17799 audit deficiencies.

A comprehensive approach to planning and securing the enterprise

Course Overview

This course includes:

QualityIT’s Executive Guide to IT Quality & Security, a handbook of 31 principles

The curriculum manual, including approximately 600 PowerPoint slides with notes, used in the 30 hours of classroom instruction.

REGULATORY MANDATES: A survey of current and pending regulatory mandates likely to impact organizations, including Sarbanes-Oxley, HIPAA, California 1386, U.S. Patriot Act, 9/11 Commission Findings, FISMA and Basel II.

ISO/IEC 17799 OVERVIEW: A complete overview of the 10 security areas covered by ISO/IEC 17799

Potential business impacts of non-conformance, based on current threats and reported cases.

Comprehensive perspective on the challenges of integrating information security objectives into the business and technology processes.

CONFORMANCE EQUIVALENCY TOOL: Instruction in how to determine the size of the effort using a simple automation tool designed to determine conformance equivalencies based on the Information Technology Governance Institute’s CobiT framework.

FRAMEWORK SOLUTION TOOL: Exposition of QualityIT’s Framework Solution for Life Cycle Security based on upcoming revisions to IEEE P1074 Standard for Developing Software Life Cycle Processes and hands-on instruction in using the framework tool on typical technology projects.

Step by step instructions for how to plan an implementation, and how to use the 22 implementation templates provided for this purpose.

SUPPORTING TEMPLATES & CHECKLISTS: covering the 57 requirements not covered by the CobiT controls framework.

EXECUTION PLANNING: Hands-on Labs that guide participants through evaluation and execution planning for their organizations, resulting in a TO DO list take-away.

5 days of hands-on instruction resulting in actionable plans for ISO/IEC 17799 conformance

5-Day In-House Course Schedule

Information Security is no longer optional

Day 1-Morning Session: Survey and Impacts of Regulatory Mandates

This day begins with a one hour orientation that provides an overview of curriculum objectives, followed by a survey of prevailing and upcoming regulatory mandates.

Topics include:

The course objectives overview, schedule and survey of deliverables

The range of potential business impacts due to breaches

Global business implications for non-conformance, case studies

Introduction to ISO/IEC 17799

The unique challenges of enterprise-wide transition and the risks of underestimating it

Necessary obligations for Executive and Management Roles

Transition Lead requirements for facilitating access to necessary corporate resources, as required

The essential need to execute as a formal Project

Sarbanes-Oxley, current interpretations and prevailing approaches

HIPAA, and relevance for non-Health Care companies

California 1386, hidden risks and implications

9/11 Commission: the Putnam additions and future implications

U.S. Patriot Act, and its relationship to Emergency Response and Computer Forensics

Basel II, relevance for Financial Institutions

FISMA, Government systems mandates and implications for the private sector

Day 1-Afternoon Session: Perspective on the Enterprise Security Challenge

This session explores the Enterprise Security challenge in depth, and how historical factors have conspired to shape perceptions that resist change.

Topics include:

A brief overview of business technology history and the emergence and evolution of IT process life cycles

The history of security solutions over the last 20 years, and their rapid evolution in the face of accelerating threats

Foundation security principles: Confidentiality, Integrity and Availability

Current strategies and Trends

The relationship of Security to the Business Continuity and Disaster Planning program

The relationship of Security to Quality and Risk Management programs

Obstacles to integrating security into the business, acquisition, software development, and service outsourcing processes

Security Roles and Responsibilities, survey of past and progressive approaches

Graphical exposition of convergence vectors between organizational life cycles

ASSEMBLY LAB: Participants collaborate and execute the Business Impact Analysis, Technology Dependency, and Sarbanes-Oxley Survey worksheets, obtaining quotients indicating the perceived level of current organizational and regulatory security risk.

ISO/IEC 17799 impacts all organizational groups and activities

Day 2-Morning Session: Overview of ISO/IEC 17799 Areas 1-5

This day begins with in-depth exploration of 5 areas that mostly affect Strategic and Tactical security roles.

A.3 Security policy

A.4 Organizational security

A.5 Asset classification and control

A.6 Personnel security

A.12 Compliance

Topics include:

Terms & Definitions

Information Security Infrastructure requirements

Policy definition, dissemination and change control

Accountability for assets

Information classification

Security in job definition and sourcing

Security Training

Security incident response

Third party access and contract requirements

Outsourcing risks

Compliance with legal requirements

The Policy and Compliance review process

System audit requirements

Day 2-Afternoon Session: Overview of ISO/IEC 17799 Areas 6-10

This day continues with in-depth exploration of 5 areas that mostly affect Tactical and Operational security roles.

A.7 Physical and environmental security

A.8 Communications and operations management

A.9 Access control

A.10 System development and maintenance

A.11 Business continuity management

Topics include:

General workplace & Equipment controls, and secure areas

Operational procedures and Responsibilities

System Planning and Acceptance

Housekeeping

Controlling unauthorized software

Network management

Media handling and security

Transaction and information exchange control

Access control requirements of Users, Networks, Systems & Applications

Monitoring access and resource use

Mobile and remote teleworking controls

Secure development and maintenance including Security Requirements of systems; Security in application systems; Cryptographic controls; System file security; Secure development and testing; Review and Support processes

Business continuity and Disaster Recovery controls

ASSEMBLY LAB: Participants collaborate and explore the ISO/IEC 17799 Compliance Checklist, obtaining a quotient indicating the organization’s current level of non-conformance with ISO/IEC 17799.

Equivalencies can be mapped to common control frameworks that can reduce the cost of implementing ISO/IEC 17799 by as much as 78%

Day 3-Morning Session: Scoping and Sizing the Implementation Effort

This session concentrates on determining how much of ISO/IEC 17799 guidance must be addressed to achieve full conformance.

Topics include:

IT Governance Institute’s basis for CobiT equivalency

The structure and organization of equivalency findings

Relevance of equivalencies for your environment

Approach toward cross-referencing findings for other controls frameworks (COSO, Cadbury, CoCo, ISO 9000, Six Sigma)

Example equivalencies

Case scenarios that indicate verifiable equivalencies

The structure of QualityIT’s Conformance Equivalency tool

How to use the tool to determine equivalency

Day 3-Afternoon Session: Implementation Plan and Templates

This session explores ISO/IEC implementation strategy and the accompanying 21 essential templates used for planning and execution.

Topics include:

ISO/IEC recommended implementation process and exploration of the recommended 22 Implementation templates:

1. Benefits Presentation Template Plan

2. Project Justification Signoff Document

3. Allocation of Security Responsibility Document

4. Organizational Statement of Commitment

5. Service Level Agreements Template

6. Example Security Policy Document

7. Security Awareness Signoff Template

8. Information Security Management Scope (ISMS) Document

9. Asset Valuation Plan

10. Vulnerability Assessment Strategy Document

11. Risk Prioritization Procedure

12. Risk Analysis Document

13. Security Risk Policy Document

14. Risk Acceptability Statement

15. Residual Risk Policy Statement

16. Residual Risk Policy Decision Template

17. Risk Management Plan Template

18. Risk Mitigation Controls Identification and Selection Procedure

19. Statement of Applicability (non-conformance checklist)

20. Master Traceability Matrix

21. Implementation Plan Document

22. Quality Assurance Completion Checklist

ASSEMBLY LAB: Participants collaborate and execute the Conformance Equivalency tool, yielding the list of organizational activities that do not conform to ISO/IEC guidelines to be addressed by Implementation Planning.

A key factor in organizational security failure is lack of adequate coordination of the security effort across the enterprise

Day 4-Morning Session: Framework Solution for Life Cycle Security

Those ISO/IEC 17799 requirements not covered by CobiT are covered by QualityIT’s Framework Solution for Life Cycle Security. This session introduces the Framework and demonstrates how it closes most of the remaining gaps of conformance with ISO/IEC 17799.

This tool is derived from upcoming changes to the IEEE P1074 Standard for Developing Software Life Cycle Processes. Whereas ISO/IEC 17799 concentrates on the high level management aspects of information security, QualityIT’s Framework Solution provides the change management infrastructure that ensures organizational technology efforts yield quality security deliverables that will meet ISO/IEC 17799 audit expectations. It ensures security relevant deliverables (products, processes and documentation) are properly managed—especially at high risk times during which the technology infrastructure is undergoing significant change.

The Framework Solution complements the ISO/IEC 17799 effort by seamlessly integrating security into the technology development and maintenance processes—where the highest organizational security risk lies. Participants learn how each organizational role fits into this framework, what their security obligations are, and how they must contribute in the effort to achieve and maintain optimal organizational security. It creates a sustainable security monitoring and change control infrastructure for technology and support deliverables.

Topics include:

What the Framework Solution is and where it comes from

Structure and organization of the Framework

Understanding the part each role plays in the model

Range of typical IT projects

Required roles for each type of project

How project deliverables affect enterprise security artifacts and organizational processes

Understanding what can and cannot be controlled

External prerequisites to technology projects

Determining the level of security needed for a project and product

The critical importance of security centric Project Management

Day 4-Afternoon Session: Using the Framework Solution Tool

This session demonstrates how to use the Framework Solution tool to control security relevant changes to the Information Technology Infrastructure.

Topics covered include:

Selection of activities for the following projects

o Complete in-house technology solution

o Acquisition and integration project

o Full or partial outsourced project

o System retirement

o Product patch upgrade

Determining project Security Objectives

Determining the security Risk and impacts: a primer in collaborative Threat Modeling

Determining the Security Acceptability quotient

Security Accreditation concepts

Tracing the impact of project outcomes to Enterprise security artifacts

ASSEMBLY LAB: Participants execute the Framework Tool, selecting relevant activities for the kinds of projects usually undertaken by the organization, and explore the impact on Enterprise artifacts and processes using the supplied Enterprise Security Coordination Road Map.

Cost effective conformance with ISO/IEC 17799 is absolutely achievable

Day 5-Morning Session: Completion of the Implementation Plan

This session concentrates on completing the ISO/IEC 17799 Conformance Implementation Plan. Participants review what aspects of security are in their control, how to optimize their resources, minimize staff impacts and maintain budget. They are given an overview of the remaining supplied tools that can be helpful in controlling the project and optimizing security in the enterprise.

Topics covered include:

Review of Implementation obstacles

Selection of relevant Implementation templates

Allocation of security forum responsibilities

Sketch contents of selected templates

Exploration of toolkit worksheets

o NIST 800-27 Baseline Security Principles

o Project Plan Template

o Critical System Evaluation Worksheet

o NIST 800-26 System Self-Assessment Tool

o QualityIT’s Security Testing Process Assessment Tool

o QualityIT’s Security Test Plan Tool

Day 5-Afternoon Session: The Roadmap Forward

This day brings the course to a close by formalizing the Enterprise Security Forum and its procedures, or else validating the structure and procedures already in place.

Participants collaborate and agree on their specific responsibilities for ensuring program adoption, and on the tools and techniques that will ensure conformance success.

Topics include:

Implementation issues definition and prioritization

Root cause analysis by department representatives

Issue resolution strategy

Roadmap Action Plan

ISO/IEC 17799 Implementation strategy combined with QualityIT's Framework Solution for Life Cycle Security provides a complete enterprise security management solution.

At Course Completion

Upon course completion, participants will fully understand basic security concepts and terminology, the best practices embodied in ISO/IEC 17799, IEEE P1074 and ISO/IEC 15408, and security guidance from ITGI/ISACA and NIST. They will have explored all the issues related to ISO/IEC 17799 conformance for their organization, and identified all equivalencies that can be eliminated from the implementation effort. Participants will have created a fully formed plan for managing the implementation effort across the enterprise, and for executing remedial activities that will bring the organization to full conformance with the ISO/IEC 17799 guideline. Participants will also understand the leadership part they each play in supporting the organizational security effort in their areas, and how to effectively coordinate and manage resources across enterprise groups to optimize enterprise security protections and reduce investment.

A skilled workforce is a competitive asset, not an empty expense.

Target Audience

This course encompasses training for senior business and technology managers, security officers and professionals, project managers, product and service architects, technical and QA leads, and support and operations managers identified to lead the Implementation process.

Course Requirements

There are no course prerequisites. Participants are only expected to be proficient in their job role areas.

Included Materials:

Handbook: The Executive Guide to IT Quality & Security: 31 principles.

Curriculum training manual with PowerPoint slides and notes

Assembly Labs that guide participants through the Implementation sizing and planning process

22+ templates, checklists

Excel Workbook of automated tools

Cost: $10,000 all inclusive, maximum 10 participants

Bar Biszick-Lockwood, CISA, CISSP, CSQA

Instructor Credits

Bar Biszick-Lockwood is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and a Certified Software Quality Analyst (CSQA). She is an expert in Security Life Cycle standards and specializes in IT regulatory compliance audit, IS assessment and IT process re-engineering to optimize organizational security.

Ms. Biszick-Lockwood authored the security activities for the pending revision of IEEE P1074 Standard for Developing Software Life Cycle Processes, which provide practical guidance in applying optimal security controls to software projects and building adequate security controls into products. She is a member of IEEE, ISSA, ISACA, and SIM, and has designed security curriculum for Construx and for Logical Security, the latter a security education company led by Shon Harris, author of McGraw-Hill's best-selling CISSP All-in-One Guide. She has been a featured speaker at numerous conferences, including QAI's International Conference on Information Technology Quality (QAI, Orlando, April 2001), Information Technology Conference on Security (QAI, Kansas City, May 2001) and Applied Computer Security Association Conference (ACSAC, Tucson, AZ, 2004), and has provided training and in-house presentations at Adobe and Microsoft, and for the Port of Seattle and City of Seattle technology professionals.

Ms. Biszick-Lockwood uses a proprietary audit workbook featuring over 1850 data points to baseline organizational security for large and small organizations. It provides a 360 degree view of organizational security risk and improvement designed to minimize cost and optimize security protections.

QualityIT offers and promotes the highest quality instruction in information security and quality assurance, preparing organizations to meet the challenges of 21st century business with a competent workforce.

QualityIT

http://www.qualityit.net

15805 NE 83rd Ct. Redmond, WA 98052

(206) 388-3333