Ideal attendee profile:
CISO, Security Auditor, CIO, Security Manager, Information Security Officers
Day I – Basics of information security
1. Overview – How to implement the main Information Security (IS) techniques:
- Security audit/ Gap Analysis;
- Penetration tests;
- Risk Management;
- Implementing technical controls (needs versus costs), types of controls;
- Information Security Policy (ISP) creation and modification;
- Incident response process;
- Ongoing management of IS – continuity and improvement of the above-mentioned techniques;
- Relation to other ICT management processes (IT service management, Business Continuity Management).
2. Compliance requirements:
- Examples of laws in force in Togo and the EU (GDPR, National Cybersecurity System Act, business information protection);
- Examples of industry recommendations/requirements (PCI DSS).
3. Review of the most popular IS standards:
- ISO/IEC 27001 – Information technology – Security techniques – Information security management systems – Requirements;
- ISO/IEC 27002 – Information technology – Security techniques – Code of practice for information security controls;
- ISO/IEC 27005 – Information technology – Security techniques – Information security risk management;
- ISO/IEC 29134 – Information technology – Security techniques – Guidelines for privacy impact assessment;
- ENISA Guidelines on assessing DSP and OES compliance to the NISD security requirements;
- OWASP Top 10.
Day II – Security Audit and Risk Management – two sides of the same coin
1. ISO 19011 and ISO 17021 – the basis of auditing:
- Main audit rules, techniques, risks and traps;
- How to create an audit plan based on ISO/IEC 27001 using the ISO/IEC 27006 recommendations.
2. Risk Management approach recommended in ISO/IEC 27005 (assets, threats, vulnerabilities, strength of controls, impacts, probability of incidents).
3. Risk Management approach recommended in ISO/IEC 29134.
4. Review of risk assessment procedure (based on ISO/IEC 27005).
5. Review of risk treatment procedure (based on ISO/IEC 27005).
6. Review of an Excel spreadsheet used for risk assessment and risk treatment.
7. Review of risk management tools.
Day III – Practice of audit and risk management
1. Organization definition for the following exercises – type of activity, stakeholders, law, relations with customers and suppliers, organization structure.
2. Exercise 1 – creating an audit plan and an audit checklist.
3. Evaluation and discussion.
4. Exercise 2 – performing a risk assessment based on the proposed Excel spreadsheet:
- Risk analysis;
- Risk evaluation.
5. Evaluation and discussion.
6. Exercise 3 – performing risk treatment.
7. Evaluation and discussion.
Day IV – Information Security Policy
1. Hierarchy of ISP documents – policies, standards, guidelines, procedures, instructions. How to fit the ISP to the current customer.
2. Examples of ISP Declaration.
3. Example of ICT Security Policy.
4. Example of User Security Policy.
5. Process approach:
- Access management;
- Monitoring process;
- Security incident management;
- Change management;
- Configuration management;
- Business continuity management;
- Compliance management;
- Security Audit & Penetration Testing;
- Asset identification and classification;
- Human resources management;
- ISP documentation management.
6. Examples of procedures/standards, e.g.:
- User access management procedure;
- SIEM monitoring procedure;
- Security events reporting procedure;
- Security incidents & breach response procedure;
- Change management procedure (several types of changes);
- Configuration documentation procedure;
- Backup procedure with technical instructions;
- Security audit planning and documentation procedure;
- Classification standard;
- ISP change management procedure.
Day V – Practice of ISP creation
1. Organization definition for the exercise – type of activity, stakeholders, law, relations with customers, organization structure.
2. Exercise – creation of ISP documents by the students:
- ISP document;
- Procedures.
3. Evaluation and discussion.