Attendees will receive the following sample policies:
- Data Security – Comprehensive data security policy – access control, acceptable use, data classification, data ownership, and data lifecycle (creation, usage, transmission, storage, and disposal)
- Data and Media Disposal – Policy around disposal of data and media
- Incident Management – Policy for managing incidents
- 3rd Party Data Security – Data handling policy for vendors, partners, and other 3rd parties
- Attendees are requested to bring a Windows XP or Vista laptop computer for the practical exercise during day 2. Attendees will be installing Imperva Scuba on this computer for this exercise.
About
In this training you will learn:
• Where your company and customer data actually resides and methods for securing your data wherever it might be
• Who owns the data and who is responsible for managing the data
• How to better leverage leading frameworks to drive improved data security results
• How current technology solutions can help you drive quick improvements to your data security issues
• Strategies for engaging with internal audit and other risk and compliance groups within your company to help you achieve your goals
• About tools to help you identify the current state of data protection at your organization
Benefits from this training:
• Gain insight into better alignment of data security efforts to company strategic goals
• Discover new technology solutions that might be helpful in mitigating the risk of an adverse data disclosure
• Improve engagement with Information Assurance professionals to help you and your company achieve your goals
• Integrate your efforts (and create allies) with other departments in your organisation to improve data security efforts
• Enhance your data security policies through better alignment with leading governance frameworks
• Expand your data security vision to encompass all company and customer data wherever it might reside
Outline
DAY ONE
Data Security Essentials – Framework and Policy Introduction
• What is data? Where does data live? Who owns it? Who manages it?
Practical Exercise One
- Brainstorm session
- Assign owner and custodian to selected items discussed during brainstorm session
- Data security and the need for it
- Identifying the expectations of your senior management, executives, board of directors/governing bodies, and customers
The Role of Corporate/Organisational Governance and IT/Information Security Governance in Building a Data Security Programme
• Corporate/Organisational governance role in data security
• IT and Information Security governance role in data security
• IT/Information Security Governance Frameworks and Standards
- COBIT 4.1 and data security
- ISO 27001/27002 and data security
Key Players and Roles in the Data Security Programme
• Introduction to RACI Charts
• The business
• IT and Information Security
• Customer
• Government
Practical Exercise Two
Objectives – Use tools like RACI charts to help communicate to senior management and identify the key players in your organization.
- What are the roles and responsibilities of the key players? (Use RACI Charts)
Building your Data Security Programme:
A Step-by-Step Approach to building a Data Security Programme that aligns with the strategic goals of organization and leading IT and Information Security governance frameworks and standards
• Understand risks and create risk treatment plan
- Consider compliance/legal requirements (PCI, SOX, Privacy, etc.) as inputs for the risk treatment plan
• Receive management approval for implementing risk treatment plan
• Implement controls required by risk treatment plan
• Implement solutions to measure effectiveness of controls
• Implement training and awareness programmes
• Implement monitoring and construct procedures for rapid detection of security events and responses to incidents
Practical Exercise Three
Movie Clip – “New Face of Cybercrime”
We are now transitioning from theory to practice. This movie places us into the frame of mind of discussing practical, real-world issues and finding solutions to the real data security threats we face. This movie discusses the example of one risk area, external bad actors. What keeps you up at night? What are your company’s most significant risks? External? Internal? Illegal activity? Mistakes?
Writing the Data Security Policy – The Strong Foundation of your Risk Treatment Plan will be your Data Security Policy
• Leveraging ISO 27001/27002 and COBIT to build a comprehensive policy
• Understanding data as a company asset
• Access control
• Acceptable use of data assets
• Data classification
• Labelling and handling data assets
• Monitoring and continuous improvement
• Integration with your other Information Security, IT, Risk Management and business policies such as the backup policy, business continuity and disaster recovery, and others
Practical Exercise Four
Objective – Not all data security policies are the same. Similar industries will face similar risks. This exercise will take you through a sample data security policy customised for your own industry in teams.
Attendees will work in industry teams to review a sample data security policy and will craft up to five suggestions on how to improve the policy.
DAY TWO
Data Security Essentials – Controls, Monitoring, and Incident Response
Data Security Controls – People and Technology
• Current state of many organisations – what’s not working and why?
• Data security and the fallible human being – implementing controls (including training) that limit accidental misuse of data and data disclosure
• Handling internal and external bad actors and why this is a never-ending battle
Case study – The struggle against phishing attacks and criminal attempts to extract data from SaaS providers (salesforce.com)
• Multi-layered defenses – Preventative and detective controls
Practical Exercise Five
Objectives – All organizations have room for improvement. The list of control weaknesses from this exercise will be mapped to potential solutions discussed in the next section of the training.
- What are the major control weaknesses for organisations?
- What is preventing organisations from improving those controls?
New Technical Solutions for Improving Data Security
• Considerations for implementing new solutions – Pros and Cons
• Data Leakage Prevention
• Database Logging/Security
Case study – This case will identify two scenarios where a database administrator could monetize their access with little risk of discovery for significant personal financial gain, why conventional controls are inadequate, and the potential controls that could mitigate the risk
• Identity and Access Management
• End Point Security
• Network Access Control
• Vulnerability Assessment
• Enterprise Password Management
• Data masking
• Encryption
• Intrusion Detection/Prevention (NIDS/NIPS, HIDS/HIPS, WIDS/WIPS)
• Web application data security
• Patch management
Practical Exercise Six
Objectives – Every attendee will have an opportunity to identify one security control which they believe should be implemented. Attendees will also have an opportunity to learn about controls that they may want to implement in the future.
- Select one data security control you would like to implement in your organisation.
Practical Exercise Seven
Objectives – Databases are where much of the company and customer data is stored; however, many organizations do not appropriately test the security of these repositories. This exercise will demonstrate how easy it is to gain an understanding of database security risks.
- Database vulnerability assessment
- The database is where much of your organisation’s data is located; however, many organisations have no mechanism for assessing whether the database security is adequate.
- Hands-on session using Scuba, the Database Vulnerability Scanner from Imperva
Testing, Monitoring and Continuous Improvement
• Using ISO 27001 and COBIT to implement appropriate testing, monitoring and continuous improvement
• Following your policy – Testing, monitoring and continuous improvement should be part of your policy
Case study – This case will show that when considering your test plans, you should attempt to simulate real-world testing. In this short case, a major US colocation provider failed to appropriately test the diesel generators.
• Log aggregation, correlation, alerting, and remediation
• Creating your own metrics
• Managing remediation
• Incident management
• Forensic investigations
Audit
• The role of Internal Audit and using Internal Audit to improve Data Security
• External Audit – why are they here and what are they looking for?
3rd Parties and Outsource Partners
• Building Data Security requirements into outsource agreements
• Understanding the risk of outsourcing
• Creating a framework for assessing potential outsource partners
• Verifying adherence to the data security requirements integrated into outsource agreements
Facilitator
Eric Svetcov
Eric Svetcov is a leading Information Security specialist who has more than 15 years of industry experience in securing key corporate and customer data. His previous roles have included Information Security and Business Continuity national service leader for KPMG in New Zealand, Information Security Director for salesforce.com in San Francisco, Director of IT and Operations at Grassroots Enterprise, and Manager of Information Systems at Intuitive Surgical.
Eric is a Board Member of the ISACA chapter in Auckland and is a member of the International Association of Privacy Professionals (IAPP), (ISC)2, and American Board for Certification in Homeland Security (ABCHS). He has an MBA and holds the following certifications: CISSP, CISM, CISA, CIPP, and CHS-III. His articles have been published in SC Magazine, Technology & Learning magazine, School CIO, and Windows NT Systems magazine.
Over the past year, Eric has spoken at ComputerWorld’s Utility Computing Briefing in Auckland, the New Zealand IIA National Conference, and the Information and IT Security Summit in Auckland and chaired the Cloud Computing Summit in October 2009.
Partial list of organisations Eric has worked for:
Visa, HSBC, ING, Royal Bank of Scotland, United Commercial Bank, Bank of New Zealand, Westpac, Intuit, US Department of Defense, California Department of Motor Vehicles, New Zealand Ministry of Economic Development, Housing New Zealand, Waikato Institute of Technology, Chevron, Pacific Gas and Electric, Vector, Pacific Bell (now AT&T), ShoreTel, Verio (Now NTT Communications), Google, Cisco, salesforce.com, Plantronics, Xilinx, Autodesk, Intuitive Surgical, Pfizer, and Fonterra.