Information Security Manager: Architecture, Planning, and Governance
(Three Days; 24 CPE hours)


IT security has become more important than ever for organizations like yours. Your organization needs to be able to protect the vital information resources your company depends on, or it will suffer direct financial consequences from losses due to poor access control and poor data integrity maintenance. Failing to protect your information has also become less of a choice in light of rapidly changing legal compliance requirements for financial institutions, telecommunications companies, insurance organizations, energy companies, and even public utilities. Globally impacting laws, such as Sarbanes-Oxley, the U.K. Combined Code, Canada's Multi-Lateral Instrument 52-109, and the Payment Card Industry Data Security Standard (PCI DSS), are enforcing mandatory information security governance and internal control management. Many other countries around the world are also enacting privacy legislation that radically affects the way your organization can do business in a global marketplace. Failing to prepare properly to comply with the security requirements of the many new information security related laws could mean a costly plan of remedy later, or could even potentially limit your organization's ability to continue to compete.

Even if your organization is not regulated directly by these laws, you may find that your clients are, and that the need to govern, implement, and prove sound information security is now simply a fact of doing business. Although information security has been largely an ad hoc function in the past, the majority of organizations today are building and maintaining a true, formalized information security governance program according to globally recognized standards such as BS ISO/IEC 17799 and BS ISO/IEC 27001.

Information security is now much more than simply protecting your information technology and equipment against disruptive incidents such as viruses, worms, and equipment outages. Today, fully robust information security governance must be integrated throughout the enterprise to support legal compliance audits, well-managed access control, prevention and detection of internal fraud and abuse, business continuity, disaster recovery, physical security, and even service contracts with customers. Business processes often need to be re-engineered to avoid or minimize risk, and internal controls need to be well planned, cost-effective, implemented, and maintained.

What you will learn:

The first step towards creating or maintaining such a robust information security governance program is to identify and address the skills/knowledge gap that prohibits your organization from effectively achieving its business goals and objectives. This course provides a comprehensive and advanced foundation of knowledge to show you how to:

Information Security Governance:

  • Develop information security strategy to align with business strategy and direction
  • Obtain senior management commitment and support for information security across the entire enterprise
  • Define information security governance roles and responsibilities
  • Establish reporting and communication channels regarding information security governance activities
  • Identify current and potential legal and regulatory issues affecting information security, as well as assessing corresponding impact
  • Establish and maintain information security policies, procedures, and guidelines that support business goals and objectives
  • Develop the business case for supporting information security program investments

Risk Management

  • Develop a systematic, analytical, and continuous risk management process
  • Understand and implement risk identification, analysis, and mitigation activities
  • Define and prioritize risk mitigation strategies
  • Appropriately report changes in risk to the correct levels of management on a periodic and event-driven basis

Information Security Program Management

  • Create and maintain plans for implementing a carefully designed information security governance framework
  • Develop information security baselines from organizational needs, as well as international standards
  • Develop guidelines and procedures for integrating security risk management into business processes
  • Develop procedures and guidelines for the IT infrastructure that comply with senior-level information security policies
  • Promote accountability of business process owners for managing information security risks
  • Establish metrics to manage the information security governance framework
  • Ensure internal and external resources for information security
  • Ensure that the administrative procedures for internal information systems comply with organizational information security policies
  • Ensure that outsourced services are in compliance with established organizational information security policies
  • Use formal and internationally-recognized frameworks and metrics to measure, monitor, and report on information security internal controls
  • Ensure security is effectively incorporated into the organization's established change management processes
  • Effectively integrate information security policies, guidelines, procedures, and accountability into the organization’s culture

Information Technology Deployment Risks

  • Properly align IT strategic planning with organizational strategic planning
  • Control risk within software development or acquisition projects
  • Control risk within IT change management
  • Control risk within IT deployment projects

IT Management Risks

  • Position information security management within the organization
  • Control IT security risk relating to IT funding
  • Control IT security risk relating to IT staffing
  • Control IT security risk relating to IT management
  • Understand critical IT internal controls

IT Networks and Telecommunications Risks

  • Manage risk associated with social engineering, physical infrastructure threats, malicious code, and software vulnerabilities
  • Understand key logical access control concepts
  • Understand cryptography and PKI

Integrating Information Security into Business Continuity, Disaster Recovery, and Incident Response

  • Develop and implement processes for identifying, detecting, and analyzing security-related events
  • Develop response procedures that support incident investigation and legal prosecution
  • Develop response and recovery plans and procedures
  • Organize, train, and properly equip response teams
  • Ensure periodic and event-driven testing of recovery plans
  • Ensure execution of response and recovery plans
  • Manage post-event reviews to identify incident causes and necessary preventive, detective, and corrective actions

Legal Issues

  • Manage security risk from contracts; transfer risk with contracts
  • Understand information security compliance issues resulting from Sarbanes-Oxley

You and your team will be performing 12 in-class gap assessments, resulting in your own custom executive summary gap assessment for your enterprise-wide information security program that clearly indicates what is most critical to initiate or improve your program, and how to best move forward in doing it throughout all departments in the organization.

Target Audience.

  • Information Security Managers
  • Chief Information Officer (CIO / CISO)
  • Compliance Officer
  • Revenue Protection Management
  • Business Continuity Planners, Coordinators, and Team Members
  • IT Managers
  • IT Administrators
  • Risk Managers
  • Facility Managers
  • Business Process Owners (Department Heads)
  • IT/Systems Auditors

Led by Allen Keele, this course delivers advanced information security knowledge essential to your organization, and delivers it in a way that does not rely upon prerequisite knowledge.  However, this course has been designed with management staff in mind.  We recommend at least two years of professional experience associated with any of the above target audience in order to gain maximum benefit from this course.

Upon Course Completion.

At the end of the course, students will have an excellent understanding of a wide variety of information security topics. This training serves as excellent preparation for CIS' Risk Management Approach to Auditing and Implementing Internal Controls: Aligning Internal Controls with Corporate Governance.

Course Pricing, Scheduling, and Registration

Our courses are offered at various locations across the United States and around the world.  Please visit our online event schedule for a current listing of course times and locations, or to request course pricing or other information.

  • Course times and location are posted on our Event Schedule.
  • You may register for a class through our online course catalog.
  • Call 1-888-988-4500 ((904) 406-4311 if calling from outside of the US) for registration details.
  • Certified Information Security course fees do not include travel costs such as hotel and airfare. You will need to make your travel arrangements separately if necessary.



 
Special notice: This training IS NOW AVAILABLE in affordable web-based format!
Authored by the instructor of this course, Allen Keele.

 