CISRM: Certified Information Systems Risk Manager

The vendor neutral Certified Information Systems Risk Manager certification is designed for IT and IS professionals who are involved with risk identification, assessment & evaluation, risk response, risk monitoring, IS control design & implementation as well as IS control monitoring & maintenance.

All Prices Are in Canadian Dollars

Days: 5
Price: $3,195.00

Course is guaranteed to run

Description

Prerequisites: 

  • A minimum of 1 year of Information Systems experience

  Student Materials:

  • Student Workbook
  • Student Reference Manual
  • Key Security Concepts & Definitions Book

  Certification Exam:

  • Mile2 C)ISRM
  • Covers ISACA CRISC®

  CPEs: 

  • 24

  WHO SHOULD ATTEND?

  • Information System Security Officers
  • Risk Managers
  • Information Systems Owners
  • Info Security Control Assessors
  • System Managers
  • State & Local Government

COURSE OVERVIEW

The Certified Information Systems Risk Manager training enables professionals to deepen their understanding of identifying and evaluating entity-specific risk, and also helps them assess risks associated with enterprise business objectives by equipping the practitioner to design, implement, monitor and maintain risk-based, efficient and effective IS controls. The Certified Information Systems Risk Manager covers five critical subjects: Risk Identification, Assessment and Evaluation; Risk Response; Risk Monitoring; IS Control Design and Implementation; and IS Control Monitoring & Maintenance.

UPON COMPLETION

Upon completion, Certified Information Systems Risk Manager students will be prepared to pass the CISRM exam. In addition, the candidate will be competent to implement risk management best practices and Federal standards. Students will enjoy an in-depth course that is continuously updated to maintain and incorporate the ever-changing security and risk environment.  

EXAM INFORMATION

The Certified Information Systems Risk Manager exam is taken online through Mile2’s Assessment and Certification System (“MACS”), which is accessible on your mile2.com account. The exam will take 2 hours and consist of 100 multiple choice questions.  

COURSE CONTENT

I. The Big Picture

II. Domain 1 – Risk Identification, Assessment and Evaluation

III. Domain 2 – Risk Response

IV. Domain 3 – Risk Monitoring

V. Domain 4 – IS Control Design and Implementation    

C)ISRM Part 1: The Big Picture

  • About the C)ISRM Exam
  • Exam Relevance
  • About the C)ISRM Exam
  • Section Overview
  • Part 1 Learning Objectives
  • Section Topics
  • Overview of Risk Management
  • Risk
  • Risk and Opportunity Management
  • Responsibility vs. Accountability
  • Risk Management Roles and Responsibilities
  • Relevance of Risk Management
  • Frameworks, Standards and Practices
  • Frameworks
  • Standards
  • Practices
  • Relevance of Risk Governance
  • Overview of Risk Governance
  • Objectives of Risk Governance
  • Foundation of Risk Governance
  • Risk Appetite and Risk Tolerance
  • Risk Awareness and Communication
  • Key Concepts of Risk Governance
  • Risk Culture
  • Case Study
  • Practice Questions 1–5
  • Acronym Review
  • Definition Review

C)ISRM Part II – Domain 1: Risk Identification, Assessment and Evaluation

  • Section Overview
  • Exam Relevance
  • Domain 1 Learning Objectives
  • Task Statements
  • Knowledge Statements
  • The Process
  • Describing the Business Impact of IT Risk
  • IT Risk in the Risk Hierarchy
  • IT Risk Categories
  • High Level Process Phases
  • Risk Scenarios
  • Definition of Risk Scenario
  • Purpose of Risk Scenarios
  • Event Types
  • Risk Scenario Development
  • Risk Registry & Risk Profile
  • Risk Scenario Development
  • Risk Scenario Components
  • Risk Scenario Development
  • Risk Scenario Development Enablers
  • Systemic, Contagious or Obscure Risk
  • Generic IT Risk Scenarios
  • Definition of Risk Factor
  • Examples of Risk Factors
  • Risk Factors – External Environment
  • Risk Factors – Risk Management Capability
  • Risk Factors – IT Capability
  • Risk Factors – IT Related Business Capabilities
  • Methods for Analyzing IT Risk
  • Likelihood and Impact
  • Risk Analysis Output
  • Risk Analysis Methods
  • Risk Analysis Methods – Quantitative
  • Risk Analysis Methods – Qualitative
  • Risk Analysis Methods – for HIGH impact risk types
  • Risk Analysis Methods
  • Risk Analysis Methods – Business Impact Analysis (BIA)
  • Methods for Assessing IT Risk
  • Identifying and Assessing IT Risk
  • Definitions
  • Adverse Impact of Risk Event
  • Business Impacts From IT Risk
  • Business Related IT Risk Types
  • IT Project-Related Risk
  • Risk Components – Inherent Risk
  • Risk Components – Residual Risk
  • Risk Components – Control Risk
  • Risk Components – Detection Risk
  • Business Risk and Threats Addressed By IT Resources
  • Identifying and Assessing IT Risk
  • Methods For Describing IT Risk In Business Terms
  • Case Study
  • Acronym Review
  • Definition Review
  • Domain 1 – Exercises

C)ISRM Part II – Domain 2: Risk Response

  • Section Overview
  • Exam Relevance
  • Domain 2 Learning Objectives
  • Task Statements
  • Knowledge Statements
  • Risk Response Objectives
  • The Risk Response Process
  • Risk Response Options
  • Risk Response Parameters
  • Risk Tolerance and Risk Response Options
  • Risk Response Prioritization Options
  • Risk Mitigation Control Types
  • Risk Response Prioritization Factors
  • Risk Response Tracking, Integration and Implementation
  • Process Phases
  • Phase 1 – Articulate Risk
  • Phase 2 – Manage Risk
  • Phase 3 – React To Risk Events
  • Sample Case Study
  • Domain 2 – Exercise 1

C)ISRM Part II – Domain 3: Risk Monitoring

  • Course Agenda
  • Exam Relevance
  • Learning Objectives
  • Task Statements
  • Knowledge Statements
  • Essentials
  • Risk Indicators
  • Risk Indicator Selection Criteria
  • Key Risk Indicators
  • Risk Monitoring
  • Risk Indicator Types and Parameters
  • Risk Indicator Considerations
  • Criteria for KRI Selection
  • Benefits of Selecting Right KRIs
  • Disadvantages of Wrong KRIs
  • Changing KRIs
  • Gathering KRI Data
  • Steps to Data Gathering
  • Gathering Requirements
  • Data Access
  • Data Preparation
  • Data Validating Considerations
  • Data Analysis
  • Reporting and Corrective Actions
  • Optimizing KRIs
  • Use of Maturity Level Assessment
  • Assessing Risk Maturity Levels
  • Risk Management Capability Maturity Levels
  • Changing Threat Levels
  • Monitoring Changes in Threat Levels
  • Measuring Changes in Threat Levels
  • Responding to Changes in Threat Levels
  • Threat Level Review
  • Changes in Asset Value
  • Maintain Asset Inventory
  • Risk Reporting
  • Reporting Content
  • Effective Reports
  • Report Recommendations
  • Possible Risk Report Recipients
  • Periodic Reporting
  • Reporting Topics
  • Risk Reporting Techniques
  • Sample Case Study
  • Practice Questions 1–4
  • Acronym Review
  • Definition Review
  • Domain 3 – Exercises

C)ISRM Part II – Domain 4: IS Control Design and Implementation

  • Section Overview
  • Exam Relevance
  • Domain 4 Learning Objectives
  • Task Statements
  • Knowledge Statements
  • C)ISRM Involvement
  • Control Definition
  • Control Categories
  • Control Types and Effects
  • Control Methods
  • Control Design Considerations
  • Control Strength
  • Control Strength
  • Control Costs and Benefits
  • Potential Loss Measures
  • Total Cost of Ownership For Controls
  • Role of the C)ISRM in SDLC
  • The SDLC Process
  • Outcomes of the Feasibility Study
  • Task 1 – Define Requirement
  • Requirement Progression
  • Business Information Requirements (COBIT)
  • Requirements Success Factors
  • Task 3 – Acquire Software "Options"
  • Software Selection Criteria
  • Software Acquisition
  • Software Acquisition Process
  • Leading Principles for Design and Implementation
  • C)ISRM Responsibilities
  • Key System Design Activities
  • Steps to Perform Phase 2
  • Phase 2 – Project Design and Development
  • System Testing
  • Test Plans
  • Project Testing
  • Types of Tests
  • UAT Requirements
  • Certification and Accreditation
  • Project Status Reports
  • Phase 3 – Project Testing
  • Testing Techniques
  • Verification and Validation
  • Phase 4 – Project Implementation
  • Project Implementation
  • The Systems Development Life Cycle (SDLC)
  • "Meets and Continues to Meet"
  • SDLC
  • SDLC Phases
  • Addressing Risk Within the SDLC
  • Business Risk versus Project Risk
  • Understanding Project Risk
  • Addressing Business Risk
  • Understanding Business and Risk Requirements
  • Understand Business Risk
  • High Level SDLC Phases
  • Project Initiation
  • Phase 1 – Project Initiation
  • Phase 1 Tasks
  • Task 1 – Feasibility Study
  • Feasibility Study Components
  • Determining Feasibility
  • Implementation Phases
  • Phase 4 – Project Implementation
  • End User Training Plans & Techniques
  • Training Strategy
  • Data Migration/Conversion Considerations
  • Risks During Data Migration
  • Data Conversion Steps
  • Implementation Rollback
  • Data Conversion Project Key Considerations
  • Changeover Techniques
  • Post-Implementation Review
  • Performing Post-Implementation Review
  • Measurements of Critical Success Factors
  • Closing a Project
  • Project Management and Controlling
  • Project Management Tools and Techniques
  • Project Management Elements
  • Project Management Practices
  • PERT Chart and Critical Path
  • PERT Attribute
  • Sample Case Study
  • Practice Questions 1–5


Module 1: Risk Management

  • What Is the Value of an Asset?
  • What Is a Threat Source/Agent?
  • What Is a Threat?
  • What Is a Vulnerability?
  • Examples of Some Vulnerabilities that Are Not Always Obvious
  • What Is a Control?
  • What Is Likelihood?
  • What Is Impact?
  • Control Effectiveness
  • Risk Management
  • Purpose of Risk Management
  • Risk Assessment
  • Why Is Risk Assessment Difficult?
  • Types of Risk Assessment
  • Different Approaches to Analysis
  • Quantitative Analysis
  • ALE Values Uses
  • Qualitative Analysis – Likelihood
  • Qualitative Analysis – Impact
  • Qualitative Analysis Risk Level
  • Qualitative Analysis Steps
  • Management's Response to Identified Risks
  • Comparing Cost and Benefit: Cost of a Countermeasure
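The quantitative analysis topics above (ALE values and comparing the cost and benefit of a countermeasure) are only named in the outline. The following is an added worked example, not Mile2 course material: it applies the standard definitions SLE = AV × EF and ALE = SLE × ARO, then scores each candidate control as (ALE before) − (ALE after) − (annual cost of the control). The threat, asset value, exposure factors, rates of occurrence and control costs are constructed sample inputs.

```python
"""Quantitative risk analysis: ALE and countermeasure cost/benefit.

Added worked example; not course material. Standard definitions used:
    SLE = asset value (AV) x exposure factor (EF)
    ALE = SLE x annualized rate of occurrence (ARO)
    countermeasure value = ALE_before - ALE_after - annual cost of control
All figures below are constructed sample inputs.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float        # AV, in currency units
    exposure_factor: float    # EF, fraction of AV lost per occurrence (0..1)
    aro: float                # annualized rate of occurrence (events/year)

    def sle(self) -> float:
        """Single loss expectancy: loss from one occurrence."""
        if not 0.0 <= self.exposure_factor <= 1.0:
            raise ValueError(f"{self.name}: EF must be in [0, 1]")
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: expected loss per year."""
        if self.aro < 0:
            raise ValueError(f"{self.name}: ARO cannot be negative")
        return self.sle() * self.aro


@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float        # amortised purchase plus yearly operating cost
    residual_aro: float       # ARO once the control is in place
    residual_ef: float        # EF once the control is in place


def countermeasure_value(threat: Threat, cm: Countermeasure) -> float:
    """Net annual value of applying cm to threat.

    Positive: the control saves more per year than it costs.
    Negative: management should accept the risk or find a cheaper control.
    """
    after = Threat(threat.name, threat.asset_value, cm.residual_ef, cm.residual_aro)
    return threat.ale() - after.ale() - cm.annual_cost


def rank_countermeasures(threat: Threat, options: list[Countermeasure]) -> list[tuple[str, float]]:
    """Return (name, net value) pairs, best first; only positive entries are worth funding."""
    scored = [(cm.name, countermeasure_value(threat, cm)) for cm in options]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


# Constructed sample: a customer database valued at 500,000 facing ransomware.
RANSOMWARE = Threat("ransomware on customer DB", asset_value=500_000.0,
                    exposure_factor=0.40, aro=0.5)

# Constructed candidate controls with assumed residual EF/ARO and annual cost.
OPTIONS = [
    Countermeasure("offline backups + tested restore", annual_cost=15_000.0,
                   residual_aro=0.5, residual_ef=0.05),
    Countermeasure("EDR on all endpoints", annual_cost=40_000.0,
                   residual_aro=0.1, residual_ef=0.40),
    Countermeasure("cyber insurance only", annual_cost=95_000.0,
                   residual_aro=0.5, residual_ef=0.05),
]

if __name__ == "__main__":
    print(f"SLE = {RANSOMWARE.sle():,.0f}  ALE = {RANSOMWARE.ale():,.0f}")
    for name, value in rank_countermeasures(RANSOMWARE, OPTIONS):
        verdict = "fund" if value > 0 else "reject"
        print(f"{verdict:6} {name:35} net {value:>10,.0f}/yr")
```

With the constructed inputs the threat has an SLE of 200,000 and an ALE of 100,000; backups net 72,500 a year, EDR nets 40,000, and insurance alone nets −7,500, so on these numbers it would be rejected even though it reduces the loss as much as the backups do. The point of the exercise is that a control is judged on its net annual value, not on how much risk it removes.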

Module 2: Security Management

  • Enterprise Security Program
  • Building A Foundation
  • Planning Horizon Components
  • Enterprise Security The Business Requirements
  • Enterprise Security Program Components
  • Control Types
  • “Soft” Controls
  • Technical or Logical Controls
  • Physical Controls
  • Security Roadmap
  • Senior Management's Role in Security
  • Negligence and Liability
  • Security Roles and Responsibilities
  • Security Program Components
  • Security and the Human Factors
  • Employee Management
  • Human Resources Issues
  • Importance to Security?
  • Recruitment Issues
  • Termination of Employment
  • Informing Employees About Security
  • Enforcement
  • Security Enforcement Issues

Module 3: Identification and Authentication

  • Agenda
  • Access Control Methodology
  • Access Control Administration
  • Accountability and Access Control
  • Trusted Path
  • Who Are You?
  • Authentication Mechanisms
  • Strong Authentication
  • Authorization
  • Access Criteria
  • Fraud Controls
  • Access Control Mechanisms
  • Agenda
  • Biometrics Technology
  • Biometrics Enrollment Process
  • Downfalls to Biometric Use
  • Biometrics Error Types
  • Biometrics Diagram
  • Biometric System Types
  • Agenda
  • Passwords and PINs
  • Password “Shoulds”
  • Password Attacks
  • Countermeasures for Password Cracking
  • Cognitive Passwords
  • One-Time Password Authentication
  • Agenda
  • Synchronous Token
  • Asynchronous Token Device
  • Cryptographic Keys
  • Passphrase Authentication
  • Memory Cards
  • Smart Card
  • Agenda
  • Single Sign-on Technology
  • Different Technologies
  • Scripts as a Single Sign-on Technology
  • Directory Services as a Single Sign-on Technology
  • Thin Clients
  • Kerberos as a Single Sign-on Technology
  • Tickets
  • Kerberos Components Working Together
  • Major Components of Kerberos
  • Kerberos Authentication Steps
  • Why Go Through All of this Trouble?
  • Issues Pertaining to Kerberos
  • SESAME as a Single Sign-on Technology
  • Federated Authentication
  • Agenda
  • IDS
  • Network IDS Sensors
  • Types of IDSs
  • Behavior-Based IDS
  • IDS Response Mechanisms
  • IDS Issues
  • Trapping an Intruder

Module 4: Access Control

  • Role of Access Control
  • Definitions
  • More Definitions
  • Layers of Access Control
  • Layers of Access Controls
  • Access Control Mechanism Examples
  • Access Control Characteristics
  • Preventive Control Types
  • Control Combinations
  • Administrative Controls
  • Controlling Access
  • Other Ways of Controlling Access
  • Technical Access Controls
  • Physical Access Controls
  • Accountability
  • Information Classification
  • Information Classification Criteria
  • Declassifying Information
  • Types of Classification Levels
  • Models for Access
  • Discretionary Access Control Model
  • Enforcing a DAC Policy
  • Mandatory Access Control Model
  • MAC Enforcement Mechanism Labels
  • Where Are They Used?
  • Role-Based Access Control (RBAC)
  • Acquiring Rights and Permissions
  • Rule-Based Access Control
  • Access Control Matrix
  • Access Control Administration
  • Access Control Methods
  • Remote Centralized Administration
  • RADIUS Characteristics
  • RADIUS
  • TACACS+ Characteristics
  • Diameter Characteristics
  • Decentralized Access Control Administration

Module 5: Security Models and Evaluation Criteria

  • System Protection Trusted Computing Base
  • System Protection Reference Monitor
  • Security Kernel Requirements
  • Security Modes of Operation
  • System Protection Levels of Trust
  • System Protection Process Isolation
  • System Protection Layering
  • System Protection – Application Program Interface
  • System Protection- Protection Rings
  • What Does It Mean to Be in a Specific Ring?
  • Security Models
  • State Machine
  • Information Flow
  • Bell-LaPadula
  • Rules of Bell-LaPadula
  • Biba
  • Clark-Wilson Model
  • Non-interference Model
  • Brewer and Nash Chinese Wall
  • Take-Grant Model
  • Trusted Computer System Evaluation Criteria (TCSEC)
  • TCSEC Rating Breakdown
  • Evaluation Criteria – ITSEC
  • ITSEC Ratings
  • ITSEC Good and Bad
  • Common Criteria
  • Common Criteria Components
  • First Set of Requirements
  • Second Set of Requirements
  • Package Ratings
  • Common Criteria Outline
  • Certification vs. Accreditation

Module 6: Operations Security

  • Operations Issues
  • Role of Operations
  • Administrator Access
  • Computer Operations Systems Administrators
  • Security Administrator
  • Operational Assurance
  • Audit and Compliance
  • Some Threats to Computer Operations
  • Specific Operations Tasks
  • Product Implementation Concerns
  • Logs and Monitoring
  • Records Management
  • Change Control
  • Resource Protection
  • Contingency Planning
  • System Controls
  • Trusted Recovery
  • Fault-Tolerance Mechanisms
  • Duplexing, Mirroring, Check Pointing
  • Redundant Array of Independent Disks (RAID)
  • Fault Tolerance
  • Redundancy Mechanism
  • Backups
  • Backup Types
  • Remote Access
  • Facsimile Security
  • Email Security
  • Before Carrying Out Vulnerability Testing
  • Vulnerability Assessments
  • Methodology
  • Penetration Testing
  • Hack and Attack Strategies
  • Protection Mechanism Honeypot
  • Threats to Operations
  • Data Leakage Social Engineering
  • Data Leakage Object Reuse
  • Object Reuse
  • Why Not Just Delete File or Format the Disk?
  • Data Leakage Keystroke Logging
  • Data Leakage Emanation
  • Controlling Data Leakage TEMPEST
  • Controlling Data Leakage Control Zone
  • Controlling Data Leakage White Noise
  • Summary

Module 7: Symmetric Cryptography and Hashing

  • Cryptography Objectives
  • Cryptographic Definitions
  • A Few More Definitions
  • Need Some More Definitions?
  • Symmetric Cryptography Use of Secret Keys
  • Cryptography Uses Yesterday and Today
  • Historical Uses of Symmetric Cryptography
  • Historical Uses of Symmetric Cryptography Scytale
  • Cipher
  • Historical Uses of Symmetric Cryptography: Substitution Cipher
  • Caesar Cipher Example
  • Historical Uses of Symmetric Cryptography: Vigenere Cipher
  • Polyalphabetic Substitution
  • Vigenere Table Example
  • Example Continued
  • Historical Uses of Symmetric Cryptography: Enigma Machine
  • Historical Uses of Symmetric Cryptography: Vernam Cipher
  • Historical Uses of Symmetric Cryptography: Running Key and Concealment
  • One-Time Pad Characteristics
  • Binary Mathematical Function
  • Key and Algorithm Relationship
  • Why Does a 128-Bit Key Provide More Protection than a 64-Bit Key?
  • Ways of Breaking Cryptosystems Brute Force
  • Ways of Breaking Cryptosystems: Frequency Analysis
  • Determining Strength in a Cryptosystem
  • Characteristics of Strong Algorithms
  • Open or Closed More Secure?
  • Types of Ciphers Used Today
  • Encryption/Decryption Methods
  • Type of Symmetric Cipher Block Cipher
  • S-Boxes Used in Block Ciphers
  • Type of Symmetric Cipher Stream Cipher
  • Encryption Process
  • Symmetric Characteristics
  • Sender and Receiver Must Generate the Same Keystream
  • They Both Must Have the Same Key and IV
  • Strength of a Stream Cipher
  • Let's Dive in Deeper: Symmetric Key Cryptography
  • Symmetric Key Management Issue
  • Symmetric Algorithm Examples
  • Symmetric Downfalls
  • Secret Versus Session Keys
  • Symmetric Ciphers We Will Dive Into
  • Symmetric Algorithms: DES
  • Evolution of DES
  • Block Cipher Modes CBC
  • Different Modes of Block Ciphers ECB
  • Block Cipher Modes CFB and OFB
  • CFB and OFB Modes
  • Symmetric Cipher AES
  • Other Symmetric Algorithms
  • Hashing Algorithms
  • Protecting the Integrity of Data
  • Data Integrity Mechanisms
  • Weakness in Using Only Hash Algorithms
  • More Protection in Data Integrity
  • MAC Sender
  • MAC Receiver
  • Security Issues in Hashing
  • Birthday Attack
  • Example of a Birthday Attack

Module 8: Asymmetric Cryptography and PKI

  • Asymmetric Cryptography
  • Public Key Cryptography Advantages
  • Asymmetric Algorithm Disadvantages
  • Symmetric versus Asymmetric
  • Asymmetric
  • Asymmetric Algorithm Diffie-Hellman
  • Asymmetric Algorithm RSA
  • Asymmetric Algorithms El Gamal and ECC
  • Example of Hybrid Cryptography
  • When to Use Which Key
  • Using the Algorithm Types Together
  • Digital Signatures
  • Digital Signature and MAC Comparison
  • What if You Need All of the Services?
  • U.S. Government Standard
  • Why Do We Need a PKI?
  • PKI and Its Components
  • CA and RA Roles
  • Let's Walk Through an Example
  • Digital Certificates
  • What Do You Do with a Certificate?
  • Components of PKI Repository and CRLs
  • Steganography
  • Key Management
  • Link versus End-to-End Encryption
  • End-to-End Encryption
  • E-mail Standards
  • Encrypted message
  • Secure Protocols
  • SSL and the OSI Model
  • SSL Hybrid Encryption
  • SSL Connection Setup
  • Secure E-mail Standard
  • SSH Security Protocol
  • Network Layer Protection
  • IPSec Key Management
  • Key Issues Within IPSec
  • IPSec Handshaking Process
  • SAs in Use
  • IPSec Is a Suite of Protocols
  • IPSec Modes of Operation
  • IPsec Modes of Operation
  • Attacks on Cryptosystems
  • More Attacks

Module 9: Network Connections

  • Network Topologies Physical Layer
  • Topology Type Bus
  • Topology Type Ring
  • Topology Type Star
  • Network Topologies Mesh
  • Summary of Topologies
  • LAN Media Access Technologies
  • One Goal of Media Access Technologies
  • Transmission Types Analog and Digital
  • Transmission Types Synchronous and Asynchronous
  • Transmission Types Baseband and Broadband
  • Two Types of Carrier Sense Multiple Access
  • Transmission Types Number of Receivers
  • Media Access Technologies – Ethernet
  • Media Access Technologies Token Passing
  • Media Access Technologies Polling
  • Cabling
  • Signal and Cable Issues
  • Cabling Types Coaxial
  • Cabling Types Twisted Pair
  • Types of Cabling Fiber
  • Cabling Issues Plenum-Rated
  • Types of Networks
  • Network Technologies
  • Network Technologies
  • Network Configurations
  • MAN Technologies SONET
  • Wide Area Network Technologies
  • WAN Technologies Are Circuit or Packet Switched
  • WAN Technologies ISDN
  • ISDN Service Types
  • WAN Technologies DSL
  • WAN Technologies Cable Modem
  • WAN Technologies Packet Switched
  • WAN Technologies X.25
  • WAN Technologies Frame Relay
  • WAN Technologies ATM
  • Multiplexing

Module 10: Network Protocols and Devices

  • OSI Model
  • An Older Model
  • Data Encapsulation
  • OSI Application Layer
  • OSI Presentation Layer
  • OSI Session Layer
  • Transport Layer
  • OSI Network Layer
  • OSI Data Link
  • OSI Physical Layer
  • Protocols at Each Layer
  • Devices Work at Different Layers
  • Networking Devices
  • Repeater
  • Hub
  • Bridge
  • Switch
  • Virtual LAN
  • Router
  • Gateway
  • Bastion Host
  • Firewalls
  • Firewall First line of defense
  • Firewall Types Packet Filtering
  • Firewall Types Proxy Firewalls
  • Firewall Types Circuit-Level Proxy Firewall
  • Type of Circuit-Level Proxy: SOCKS
  • Firewall Types Application-Layer Proxy
  • Firewall Types Stateful
  • Firewall Types Dynamic Packet-Filtering
  • Firewall Types Kernel Proxies
  • Firewall Placement
  • Firewall Architecture Types Screened Host
  • Firewall Architecture Types Multi- or Dual-Homed
  • Firewall Architecture Types Screened Subnet
  • IDS Second line of defense
  • IPS Last line of defense?
  • HIPS
  • Unified Threat Management
  • UTM Product Criteria
  • Protocols
  • TCP/IP Suite
  • Port and Protocol Relationship
  • Conceptual Use of Ports
  • UDP versus TCP
  • Protocols ARP
  • Protocols ICMP
  • Protocols SNMP
  • Protocols SMTP
  • Protocols FTP, TFTP, Telnet
  • Protocols RARP and BootP
  • Network Service DNS
  • Network Service NAT

Module 11: Telephony, VPNs and Wireless

  • PSTN
  • Remote Access
  • Dial-Up Protocols and Authentication
  • Protocols
  • Dial-Up Protocol SLIP
  • Dial-Up Protocol PPP
  • Authentication Protocols PAP and CHAP
  • Authentication Protocol EAP
  • Voice Over IP
  • Private Branch Exchange
  • PBX Vulnerabilities
  • PBX Best Practices
  • Virtual Private Network Technologies
  • What Is a Tunnelling Protocol?
  • Tunnelling Protocols PPTP
  • Tunnelling Protocols L2TP
  • Tunnelling Protocols IPSec
  • IPSec – Network Layer Protection
  • IPSec
  • IPSec
  • SSL/TLS
  • Wireless Technologies Access Point
  • Standards Comparison
  • Wireless Network Topologies
  • Wi-Fi Network Types
  • Wireless Technologies Access Point
  • Wireless Technologies Service Set ID
  • Wireless Technologies Authenticating to an AP
  • Wireless Technologies WEP
  • WEP
  • Wireless Technologies
  • More WEP Woes
  • Weak IV Packets
  • More WEP Weaknesses
  • How WPA Improves on WEP
  • How WPA Improves on WEP
  • TKIP
  • The WPA MIC Vulnerability
  • 802.11i WPA2
  • WPA and WPA2 Mode Types
  • WPA-PSK Encryption
  • Wireless Technologies WAP
  • Wireless Technologies WTLS
  • Wireless Technologies Common Attacks
  • Wireless Technologies War Driving
  • Kismet
  • Wireless Technologies Countermeasures
  • Network Based Attacks
  • ARP Attack
  • DDoS Issues
  • Man-in-the-Middle
  • Traceroute Operation

Module 12: Security Architecture and Attacks

  • ESA Definition…
  • What is Architecture?
  • Architecture Components
  • Key Architecture Concepts – Plan
  • Objectives of Security Architecture
  • Technology Domain Modeling
  • Integrated Security is Designed Security
  • Security by Design
  • Architectural Models
  • Virtual Machines
  • Cloud Computing
  • Memory Types
  • Virtual Memory
  • Memory Management
  • Accessing Memory Securely
  • Different States that Processes Work In
  • System Functionality
  • Types of Compromises
  • Disclosing Data in an Unauthorized Manner
  • Circumventing Access Controls
  • Attacks
  • Attack Type Race Condition
  • Attack Type – Data Validation
  • Attacking Through Applications
  • How Buffers and Stacks Are Supposed to Work
  • How a Buffer Overflow Works
  • Attack Characteristics
  • Attack Types
  • More Attacks
  • Host Name Resolution Attacks
  • More Attacks (2)
  • Watching Network Traffic
  • Traffic Analysis
  • Cell Phone Cloning
  • Illegal Activities

Module 13: Software Development Security

  • How Did We Get Here?
  • Device vs. Software Security
  • Why Are We Not Improving at a Higher Rate?
  • Usual Trend of Dealing with Security
  • Where to Implement Security
  • The Objective
  • Security of Embedded Systems
  • Development Methodologies
  • Maturity Models
  • Security Issues
  • OWASP Top Ten (2011)
  • Modularity of Objects
  • Object-Oriented Programming Characteristic
  • Module Characteristics
  • Linking Through COM
  • Mobile Code with Active Content
  • World Wide Web OLE
  • ActiveX Security
  • Java and Applets
  • Common Gateway Interface
  • How CGI Scripts Work
  • Cookies
  • PCI Requirements
  • Virtualization – Type 1
  • Virtualization Type 2

 Module 14: Database Security and System Development

  • Database Model
  • Database Models Hierarchical
  • Database Models Distributed
  • Database Models Relational
  • Database Systems
  • Database Models Relational Components
  • Foreign Key
  • Database Component
  • Database Security Mechanisms
  • Database Data Integrity Controls
  • Add-On Security
  • Database Security Issues
  • Controlling Access
  • Database Integrity
  • Data Warehousing
  • Data Mining
  • Artificial Intelligence
  • Expert System Components
  • Artificial Neural Networks
  • Software Development Models
  • Project Development Phases III, IV, and V
  • Project Development Phases VI and VII
  • Verification versus Validation
  • Evaluating the Resulting Product
  • Controlling How Changes Take Place
  • Change Control Process
  • Administrative Controls
  • Malware
  • Virus
  • More Malware
  • Rootkits and Backdoors
  • DDoS Attack Types
  • Escalation of Privilege
  • Protect against privilege escalation
  • DDoS Issues
  • DDoS
  • Buffer Overflow Definition
  • Overflow Illustration
  • Mail Bombing
  • E-Mail Links
  • Phishing
  • Spear Phishing
  • Replay Attack
  • Cross-Site Scripting Attack
  • Timing Attacks
  • More Advanced Attacks
  • Summary

Module 15: Malware and Software Attacks

  • Malware
  • Virus
  • More Malware
  • Rootkits and Backdoors
  • DDoS Attack Types
  • Escalation of Privilege
  • DDoS Issues
  • DDoS
  • Buffer Overflow Definition
  • Overflow Illustration
  • Buffer Overflows
  • Mail Bombing
  • E-Mail Links
  • Phishing
  • Spear Phishing
  • Replay Attack
  • Cross-Site Scripting Attack
  • Timing Attacks
  • More Advanced Attacks
  • Summary

Module 16: Business Continuity

  • Phases of Plan
  • Who Is Ready?
  • Pieces of the BCP
  • BCP Development
  • Where Do We Start?
  • Why Is BCP a Hard Sell to Management?
  • Understanding the Organization
  • Critical products and services
  • Dependencies
  • Supply chain
  • Between departments
  • Personnel
  • Information
  • Equipment
  • Facilities
  • BCP Committee
  • BCP Risk Analysis
  • Identify Vulnerabilities and Threats
  • Categories
  • How to Identify the Most Critical Company Functions
  • Loss Criteria
  • Interdependencies
  • Identifying Functions Resources
  • How Long Can the Company Be Without These Resources?
  • Calculating MTD
  • Recovery Point Objective
  • Calculation of maximum data loss
  • Determines backup strategy
  • Defines the most current state of data upon recovery
  • Recovery Strategies
  • Based on the results of the BIA
  • May be different for each department
  • Must be less than MTD
  • Sets the RTO
  • What Items Need to Be Considered in a Recovery?
  • Facility Backups Hot Site
  • Facility Backups Warm Site
  • Facility Backups Cold Site
  • Compatibility Issues with Offsite Facility
  • Which Do We Use?
  • Choosing Offsite Services
  • Subscription Costs
  • Choosing Site Location
  • Other Offsite Approaches
  • BCP Plans Commonly and Quickly Become Out of Date
  • Summary

Module 17: Disaster Recovery

  • Proper Planning
  • Executive Succession Planning
  • Preventing a Disaster
  • Preventive Measures
  • Backup/Redundancy Options
  • Disk Shadowing
  • Backing Up Over Telecommunication
  • Serial Lines
  • HSM
  • SAN
  • Co-Location
  • Other Options
  • Review – Results from the BIA
  • Review – Results from
  • Recovery Strategy
  • Now What?
  • Priorities
  • Plan Objectives
  • Defining Roles
  • The Plan
  • Recovery
  • Return to Normal Operations
  • Environment
  • Operational Planning
  • Emergency Response
  • Reviewing Insurance
  • When Is the Danger Over?
  • Now What?
  • Testing and Drills
  • Types of Tests to Choose From
  • What Is Success?
  • Summary

Module 18: Incident Management, Law, and Ethics

  • Seriousness of Computer Crimes
  • Incidents
  • Incident Management Priorities
  • Incident Response Capability
  • Incident Management Requires
  • Preparing for a Crime Before It Happens
  • Incident Response Phases
  • Types of Law
  • Foundational Concepts of Law
  • Common Laws Criminal
  • Common Laws Civil
  • Common Laws Administrative
  • Intellectual Property Laws
  • More Intellectual Property Laws
  • Software Licensing
  • Digital Millennium Copyright Act
  • Historic Examples of Computer Crimes
  • Who Perpetrates These Crimes?
  • The Evolving Threat
  • Types of Motivation for Attacks
  • A Few Attack Types
  • Telephone Fraud
  • Identification Protection & Prosecution
  • Computer Crime and Its Barriers
  • Countries Working Together
  • Security Principles for International Use
  • Determine if a Crime Has Indeed Been Committed
  • When Should Law Enforcement Get Involved?
  • Citizen versus Law Enforcement Investigation
  • Investigation of Any Crime
  • Role of Evidence in a Trial
  • General Rules for Evidence
  • Evidence Requirements
  • Evidence Collection Topics
  • Chain of Custody
  • How Is Evidence Processed?
  • Evidence Types
  • Hearsay Rule Exception
  • Privacy of Sensitive Data
  • Privacy Issues U.S. Laws as Examples
  • European Union Principles on Privacy
  • Routing Data Through Different Countries
  • Employee Privacy Issues
  • Computer Forensics
  • Trying to Trap the Bad Guy
  • Companies Can Be Found Liable
  • Sets of Ethics
  • Ethics mile2
  • Ethics Computer Ethics Institute
  • Ethics Internet Architecture Board
  • GAISP- Generally Accepted Information Security Principles

Module 19: Physical Security

  • Physical Security Threats
  • Different Types of Threats & Planning
  • Facility Site Selection
  • Facility Construction
  • Devices Will Fail
  • Controlling Access
  • Possible Threats
  • External Boundary Protection
  • Lock Types
  • Facility Access
  • Piggybacking
  • Securing Mobile Devices
  • Entrance Protection
  • Perimeter Protection Fencing
  • Perimeter Protection Lighting
  • Perimeter Security Security Guards
  • Surveillance/Monitoring
  • Types of Physical IDS
  • Electro-Mechanical Sensors
  • Volumetric Sensors
  • Facility Attributes
  • Electrical Power
  • Problems with Steady Power Current
  • Power Interference
  • Power Preventive Measures
  • Environmental Considerations
  • Fire Prevention
  • Automatic Detector Mechanisms
  • Fire Detection
  • Fire Types
  • Suppression Methods
  • Fire Extinguishers
  • Fire Suppression
  • Fire Extinguishers