© Copyright QualityIT 2005
Quality Systems are Secure Systems
5 day IN-HOUSE WORKSHOP resulting in a cost-optimized conformance plan
Sizing and Implementing ISO/IEC 17799
in Controlled Environments
Companies understand that to trade products and provide services in the global marketplace they must prove adequate attention to information security. ISO/IEC 17799 Code of Practice for Information Security Management is the de facto worldwide standard used for this purpose. Interpreted from the British Standard, ISO/IEC 17799-2000 Code of practice for information security management and its counterpart ISO/IEC FDIS 17799 Security techniques together embody 186 pages of guidance covering 10 security areas that detail 163 organizational security requirements. Although the standard suggests strategies for its practical application, ultimately it is left to the user to interpret the standard in text form, determine the scope of application, organize the information for review and reference purposes, and set up the infrastructure for adoption and dissemination. Considering that the standard impacts every group, individual and activity in the enterprise, adoption of the standard can appear costly and difficult, if not overwhelming. This need not be the case. Many companies already have in place business and technology controls frameworks that may meet many of the requirements of 17799. Equivalencies can be determined that can reduce the cost and effort of 17799 implementation by as much as 78%.
ISO/IEC 17799 is the de facto worldwide standard in information security management
What organizations really need to know is how much of the standard they must apply to fully conform to 17799 guidelines. This course offers a unique approach to 17799 implementation that provides a method for determining equivalencies with the IT Governance Institute’s CobiT framework that may already fulfill some of the 17799 controls requirements. This can significantly reduce the cost and effort required for conformance—in many cases a cost savings of more than 50%. QualityIT’s ISO/IEC 17799: Sizing and Implementing in Controlled Environments five-day course delivers a practical solution for sizing the effort needed to achieve complete conformance for any organization, regardless of its size, core business focus, security maturity level or technology infrastructure. It provides a complete overview of the principles embodied in ISO/IEC 17799, and teaches leadership groups how to integrate security seamlessly into the enterprise business and technology processes. Participants learn how to eliminate redundant requirements, leverage internal knowledge and skills, and plan and execute the implementation to minimize cost and disruption to staff and existing organizational processes. This course assumes a cross section of representative participants from Strategic and Tactical roles, including Executive and Senior Management, Networking and Communications, Project Management, System Acquisition & Development, Support, Quality Assurance and Risk Management (recommended one from each group). The course guides participants through the Implementation planning process and provides all the tools necessary for assessing a company's current level of conformance and determining what specific actions must be taken to provide proof of full conformance to the level acceptable for audit purposes.
It supplies remediation templates as well as a comprehensive framework for monitoring changes to security infrastructure and practices that could affect conformance levels. In addition to classroom instruction, the client receives automated equivalency and conformance tools, 21 implementation planning templates, and checklists for the 57 requirements not covered by the CobiT controls framework. By the end of the course, participants have verified their current level of conformance, scoped and sized the problem, mobilized as a group and organized the action plan to quickly correct any ISO/IEC 17799 audit deficiencies.
A comprehensive approach to planning and securing the enterprise
Course Overview
This course includes:
QualityIT’s Executive Guide to IT Quality & Security, a handbook of 31 principles
The curriculum manual, including approximately 600 PowerPoint slides with notes, used in the 30 hours of classroom instruction.
REGULATORY MANDATES: A survey of current and pending regulatory mandates likely to impact organizations, including Sarbanes-Oxley, HIPAA, California 1386, U.S. Patriot Act, 911 Commission Findings, FISMA and Basel II.
ISO/IEC 17799 OVERVIEW: A complete overview of the 10 security areas covered by ISO/IEC 17799
Potential business impacts of non-conformance based on current threats and reported cases.
Comprehensive perspective on the challenges of integrating information security objectives into the business and technology processes.
CONFORMANCE EQUIVALENCY TOOL: Instruction in how to determine the size of the effort using a simple automation tool designed to determine conformance equivalencies based on the Information Technology Governance Institute’s CobiT framework.
FRAMEWORK SOLUTION TOOL: Exposition of QualityIT’s Framework Solution for Life Cycle Security based on upcoming revisions to IEEE P1074 Standard for Developing Software Life Cycle Processes and hands-on instruction in using the framework tool on typical technology projects.
Step by step instructions for how to plan an implementation, and how to use the 22 implementation templates provided for this purpose.
SUPPORTING TEMPLATES & CHECKLISTS: covering the 57 requirements not covered by the CobiT controls framework.
EXECUTION PLANNING: Hands-on Labs that guide participants through evaluation and execution planning for their organizations, resulting in a TO DO list take-away.
5 days of hands-on instruction resulting in actionable plans for ISO/IEC 17799 conformance
5-Day In-House Course Schedule
Information Security is no longer optional
Day 1-Morning Session: Survey and Impacts of Regulatory Mandates
This day begins with a one hour orientation that provides an overview of curriculum objectives, followed by a survey of prevailing and upcoming regulatory mandates.
Topics include:
The course objectives overview, schedule and survey of deliverables
The range of potential business impacts due to breaches
Global business implications for non-conformance, case studies
Introduction to ISO/IEC 17799
The unique challenges of enterprise-wide transition and the risks of underestimating it
Necessary obligations for Executive and Management Roles
Transition Lead requirements for facilitating access to necessary corporate resources, as required
The essential need to execute as a formal Project
Sarbanes-Oxley, current interpretations and prevailing approaches
HIPAA, and relevance for non-Health Care companies
California 1386, hidden risks and implications
911 Commission: the Putnam additions and future implications
U.S. Patriot Act, and its relationship to Emergency Response and Computer Forensics
Basel II, relevance for Financial Institutions
FISMA, Government systems mandates and implications for the private sector
Day 1-Afternoon Session: Perspective on the Enterprise Security Challenge
This session explores the Enterprise Security challenge in depth, and how historical factors have conspired to shape perceptions that resist change.
Topics include:
A brief overview of business technology history and the emergence and evolution of IT process life cycles
The history of security solutions over the last 20 years, and their rapid evolution in the face of accelerating threats
Foundation security principles: Confidentiality, Integrity and Availability
Current strategies and Trends
The relationship of Security to the Business Continuity and Disaster Planning program
The relationship of Security to Quality and Risk Management programs
Obstacles to integrating security into the business, acquisition, software development, and service outsourcing processes
Security Roles and Responsibilities, survey of past and progressive approaches
Graphical exposition of convergence vectors between organizational life cycles
ASSEMBLY LAB: Participants collaborate and execute the Business Impact Analysis, Technology Dependency and Sarbanes-Oxley Survey worksheets, obtaining quotients indicating the perceived level of current organizational and regulatory security risk.
ISO/IEC 17799 impacts all organizational groups and activities
Day 2-Morning Session: Overview of ISO/IEC 17799 Areas 1-5
This day begins with in-depth exploration of 5 areas that mostly affect Strategic and Tactical security roles.
A.3 Security policy
A.4 Organizational security
A.5 Asset classification and control
A.6 Personnel security
A.12 Compliance
Topics include:
Terms & Definitions
Information Security Infrastructure requirements
Policy definition, dissemination and change control
Accountability for assets
Information classification
Security in job definition and sourcing
Security Training
Security incident response
Third party access and contract requirements
Outsourcing risks
Compliance with legal requirements
The Policy and Compliance review process
System audit requirements
Day 2-Afternoon Session: Overview of ISO/IEC 17799 Areas 6-10
This day continues with in-depth exploration of 5 areas that mostly affect Tactical and Operational security roles.
A.7 Physical and environmental security
A.8 Communications and operations management
A.9 Access control
A.10 System development and maintenance
A.11 Business continuity management
Topics include:
General workplace & Equipment controls, and secure areas
Operational procedures and Responsibilities
System Planning and Acceptance
Housekeeping
Controlling unauthorized software
Network management
Media handling and security
Transaction and information exchange control
Access control requirements of Users, Networks, Systems & Applications
Monitoring access and resource use
Mobile and remote teleworking controls
Secure development and maintenance including Security Requirements of systems; Security in application systems; Cryptographic controls; System file security; Secure development and testing; Review and Support processes
Business continuity and Disaster Recovery controls
ASSEMBLY LAB: Participants collaborate and explore the ISO/IEC 17799 Compliance Checklist, obtaining a quotient indicating the organization’s current level of non-conformance with ISO/IEC 17799.
Equivalencies can be mapped to common control frameworks that can reduce the cost of implementing ISO/IEC 17799 by as much as 78%
Day 3-Morning Session: Scoping and Sizing the Implementation Effort
This session concentrates on determining how much of ISO/IEC 17799 guidance must be addressed to achieve full conformance.
Topics include:
IT Governance Institute’s basis for CobiT equivalency
The structure and organization of equivalency findings
Relevance of equivalencies for your environment
Approach toward cross-referencing findings for other controls frameworks (COSO, Cadbury, CoCo, ISO 9000, Six Sigma)
Example equivalencies
Case scenarios that indicate verifiable equivalencies
The structure of QualityIT’s Conformance Equivalency tool
How to use the tool to determine equivalency
Day 3-Afternoon Session: Implementation Plan and Templates
This session explores ISO/IEC implementation strategy and the accompanying 21 essential templates used for planning and execution.
Topics include:
ISO/IEC recommended implementation process and exploration of the recommended 22 Implementation templates:
1. Benefits Presentation Template Plan
2. Project Justification Signoff Document
3. Allocation of Security Responsibility Document
4. Organizational Statement of Commitment
5. Service Level Agreements Template
6. Example Security Policy Document
7. Security Awareness Signoff Template
8. Information Security Management Scope (ISMS) Document
9. Asset Valuation Plan
10. Vulnerability Assessment Strategy Document
11. Risk Prioritization Procedure
12. Risk Analysis Document
13. Security Risk Policy Document
14. Risk Acceptability Statement
15. Residual Risk Policy Statement
16. Residual Risk Policy Decision Template
17. Risk Management Plan Template
18. Risk Mitigation Controls Identification and Selection Procedure
19. Statement of Applicability (non-conformance checklist)
20. Master Traceability Matrix
21. Implementation Plan Document
22. Quality Assurance Completion Checklist
ASSEMBLY LAB: Participants collaborate and execute the Conformance Equivalency tool, yielding the list of organizational activities that do not conform to ISO/IEC guidelines to be addressed by Implementation Planning.
A key factor in organizational security failure is lack of adequate coordination of the security effort across the enterprise
Day 4-Morning Session: Framework Solution for Life Cycle Security
Those ISO/IEC 17799 requirements not covered by CobiT are covered by QualityIT’s Framework Solution for Life Cycle Security. This session introduces the Framework and demonstrates how it closes most of the remaining gaps of conformance with ISO/IEC 17799.
This tool is derived from upcoming changes to the IEEE P1074 Standard for Developing Software Life Cycle Processes. Whereas ISO/IEC 17799 concentrates on the high level management aspects of information security, QualityIT’s Framework Solution provides the change management infrastructure that ensures organizational technology efforts yield quality security deliverables that will meet ISO/IEC 17799 audit expectations. It ensures security relevant deliverables (products, processes and documentation) are properly managed—especially at high risk times during which the technology infrastructure is undergoing significant change.
The Framework Solution complements the ISO/IEC 17799 effort by seamlessly integrating security into the technology development and maintenance processes—where the highest organizational security risk lies. Participants learn how each organizational role fits into this framework, what their security obligations are, and how they must contribute in the effort to achieve and maintain optimal organizational security. It creates a sustainable security monitoring and change control infrastructure for technology and support deliverables.
Topics include:
What the Framework Solution is and where it comes from
Structure and organization of the Framework
Understanding the part each role plays in the model
Range of typical IT projects
Required roles for each type of project
How project deliverables affect enterprise security artifacts and organizational processes
Understanding what can and cannot be controlled
External pre-requisites to technology projects
Determining the level of security needed for a project and product
The critical importance of security centric Project Management
Day 4-Afternoon Session: Using the Framework Solution Tool
This session demonstrates how to use the Framework Solution tool to control security relevant changes to the Information Technology Infrastructure.
Topics covered include:
Selection of activities for the following projects
o Complete in-house technology solution
o Acquisition and integration project
o Full or partial outsourced project
o System retirement
o Product patch upgrade
Determining project Security Objectives
Determining the security Risk and impacts: a primer in collaborative Threat Modeling
Determining the Security Acceptability quotient
Security Accreditation concepts
Tracing the impact of project outcomes to Enterprise security artifacts
ASSEMBLY LAB: Participants will execute the Framework Tool, selecting relevant activities for the various kinds of projects usually undertaken by the organization and explore the impact on Enterprise artifacts and processes using the supplied Enterprise Security Coordination Road Map.
Cost effective conformance with ISO/IEC 17799 is absolutely achievable
Day 5-Morning Session: Completion of the Implementation Plan
This session concentrates on completing the ISO/IEC 17799 Conformance Implementation Plan. Participants review what aspects of security are in their control, how to optimize their resources, minimize staff impacts and maintain budget. They are given an overview of the remaining supplied tools that can be helpful in controlling the project and optimizing security in the enterprise.
Topics covered include:
Review of Implementation obstacles
Selection of relevant Implementation templates
Allocation of security forum responsibilities
Sketch contents of selected templates
Exploration of toolkit worksheets
o NIST 800-27 Baseline Security Principles
o Project Plan Template
o Critical System Evaluation Worksheet
o NIST 800-26 System Self-Assessment Tool
o QualityIT’s Security Testing Process Assessment Tool
o QualityIT’s Security Test Plan Tool
Day 5-Afternoon Session: The Roadmap Forward
This day brings the course to a close by formalizing the Enterprise Security Forum and its procedures, or else validating the structure and procedures already in place.
Participants collaborate and agree on their specific responsibilities for ensuring program adoption, and on the tools and techniques that will ensure conformance success.
Topics include:
Implementation issues definition and prioritization
Root cause analysis of department representative
Issue resolution strategy
Roadmap Action Plan
ISO/IEC 17799 Implementation strategy combined with QualityIT’s Framework Solution for Life Cycle Security provides a complete enterprise security management solution.
At Course Completion
Upon course completion, participants will fully understand basic security concepts and terminology, the best practices embodied in ISO/IEC 17799, IEEE P1074 and ISO/IEC 15408, and security guidance from ITGI/ISACA and NIST. They will have explored all the issues related to ISO/IEC 17799 conformance for their organization, and identified all equivalencies that can be eliminated from the implementation effort. Participants will have created a fully formed plan for managing the implementation effort across the enterprise, and for executing remedial activities that will bring the organization to full conformance with the ISO/IEC 17799 guideline. Participants will also understand the leadership part they each play in supporting the organizational security effort in their areas, and how to effectively coordinate and manage resources across enterprise groups to optimize enterprise security protections and reduce investment.
A skilled workforce is a competitive asset, not an empty expense.
Target Audience
This course encompasses training for senior business and technology managers, security officers and professionals, project managers, product and service architects, technical and QA leads, and support and operations managers identified to lead the Implementation process.
Course Requirements
There are no course pre-requisites. Participants are only expected to be proficient in their job role areas.
Included Materials:
Handbook: The Executive Guide to IT Quality & Security: 31 principles
Curriculum training manual with PowerPoint slides and notes
Assembly Labs that guide participants through the Implementation sizing and planning process
22+ templates, checklists
Excel Workbook of automated tools
Cost: $10,000 all inclusive, maximum 10 participants
Bar Biszick-Lockwood, CISA, CISSP, CSQA
Instructor Credits
Bar Biszick-Lockwood is a Certified Information Systems Security Professional (CISSP), a Certified Information Systems Auditor (CISA) and a Certified Software Quality Analyst (CSQA). She is an expert in Security Life Cycle standards and specializes in IT regulatory compliance audit, IS assessment and IT process re-engineering to optimize organizational security.
Ms. Biszick-Lockwood authored the security activities for the pending revision of IEEE P1074 Standard for Developing Software Life Cycle Processes, which provide practical guidance in applying optimal security controls to software projects and building adequate security controls into products. She is a member of IEEE, ISSA, ISACA, and SIM, and has designed security curriculum for Construx and for Logical Security, the latter a security education company led by Shon Harris, author of McGraw-Hill's best-selling CISSP All-In-One-Guide. She has been a featured speaker at numerous conferences including QAI’s I International Conference on Information Technology Quality (QAI, Orlando, April 2001), Information Technology Conference on Security (QAI, Kansas City, May 2001) and Applied Computer Security Association Conference (ACSAC, Tucson, AZ, 2004), and has provided training and in-house presentations at Adobe and Microsoft, and for the Port of Seattle and City of Seattle Technology Professionals.
Ms. Biszick-Lockwood uses a proprietary audit workbook featuring over 1850 data points to baseline organizational security for large and small organizations. It provides a 360 degree view of organizational security risk and improvement designed to minimize cost and optimize security protections.
QualityIT offers and promotes highest quality instruction in information security and quality assurance that prepares organizations to meet the challenges of 21st century business with a competent workforce.
QualityIT
http://www.qualityit.net
15805 NE 83rd Ct. Redmond, WA 98052
(206) 388-3333