
Workbook 5 : Information Security


LEARN HOW TO:
  • Understand the implications of ISO 17799 for corporate security
  • Analyse your exposure to security threats and how it may be effectively reduced
  • Manage the additional risks to your organisation arising from the Internet
  • Meet the standard's requirements in respect of contingency
  • Successfully attain certification
COURSE BENEFITS:

Certification against the Standard gives organisations a means of demonstrating to their trading partners that their information security practices preserve confidentiality, integrity and availability, and of comparing their own practices with those of their business partners. For organisations that decide certification is not practical for them, benchmarking their security systems against ISO 17799 still ensures that they are following industry best practice.

Before delegates consider certification, or indeed any formal public statement on this issue, it is important that they gain confidence in the underlying level of compliance that exists within IT. In this respect they are shown how to establish the current compliance position as a first step towards conformance. This involves a security audit, and delegates are equipped with a questionnaire that will help them to meet the standard's requirements.

To understand how they must comply, delegates are taken step by step through the standard and all its implications.

WHO SHOULD USE THIS WORKBOOK:

This course is intended for delegates who require the skills to evaluate existing security, define security policy and implement effective countermeasures to protect their organisation's systems from attack.


Modules:

1. INTRODUCTION
  • Information security
  • Why information security is needed
  • How to establish security requirements
  • Information security starting point
  • Critical success factors
2. SECURITY POLICY
  • Information security policy
  • What is strategy
  • Developing a strategy
  • Strategy and culture
  • Strategy framework
    • Information security policy document
  • Use of DOD standards
    • Applying DOD standards to strategy
  • Strategy bed rocks
    • Review and evaluation
    • Security responsibility
  • Case study
3. THE ORGANISATION
  • Information security infrastructure
  • Management information security forum/committee
  • Allocation of security information responsibilities
  • Authorisation process for information security responsibilities
  • Computer based planning tools
  • Specialist advice
  • Co-operation between organisations
  • Independent review of IT security
  • Security of third party access
  • Partners
  • E-business, partners and collaborative software
  • B2B
  • E-collaboration
  • Identification of risks from 3rd party organisations
  • Software to support collaboration
    • Confidentiality
    • Authentication
    • Non-repudiation
    • Integrity
    • Access control
    • Availability
  • Reasons for access
  • On-site contractors
  • Security considerations for third party contracts
4. ASSET CLASSIFICATION AND CONTROL
  • Accountability for assets
  • Inventory of assets
  • Information classification
    • Hard copy and media
  • Implementation of security mechanisms
  • Data ownership
  • Information labelling and handling
5. PERSONNEL SECURITY
  • Security in job definition and resourcing
    • Vandalism and sabotage
    • Breach of privacy
    • Fraud and theft
    • Espionage
    • Violation of data integrity
    • Denial of service
    • Organised crime
    • Hackers
      • Packet sniffers
    • Eavesdropping
  • Personnel screening and policy
    • Screening backgrounds
    • Negative screening
    • Positive screening
    • Basic clearance requirements
    • Standards of living
  • Confidentiality agreements
  • Terms and conditions of employment
    • Notice
    • Disciplinary procedures
    • Summary dismissal
  • User training
  • Targeting the training programme
  • Responding to security incidents and malfunctions
  • Reporting security incidents
    • Reporting security weaknesses
    • Reporting software malfunction
    • Learning from incidents
    • Disciplinary process
6. PHYSICAL AND ENVIRONMENTAL SECURITY
  • Secure areas
  • Physical security perimeter
    • Curtilage security
    • Barriers
    • Doors
  • Physical entry controls
  • Computerised entry controls
    • Card performance features
    • Biometrics
    • Building management systems
    • Guard station
  • Securing offices, rooms and facilities
    • Security survey
    • Designing a security scheme
    • Calculations
    • History of crime
  • Working in secure areas
  • Isolated delivery and loading areas
  • Cars, lorries and parking
  • Equipment security
    • Terrorist attacks
    • Postal bombs
    • Indiscriminate vandalism
  • Responsible persons
  • Power supplies
    • Cabling security
  • Equipment maintenance
  • Security of equipment off-premises
  • Clear desk and screen policy
  • Data storage
  • Removal of property
  • Example of physical security analysis

7. COMMUNICATIONS AND OPERATIONS MANAGEMENT

  • Operational procedures and responsibilities
  • Documented operating procedures
  • Operational change control
  • The need for programming controls
    • Waterfall method
  • External facilities and management
  • System planning and acceptance
  • Capacity planning
  • System acceptance
  • Protection against malicious software
    • Trojan horses
  • Controls against malicious software
  • Viruses
  • Housekeeping
  • Information back-up
  • Operator logs
  • Fault logging
  • Recovery from intrusion
    • Routers/firewalls
    • Confidentiality
  • Network management
  • Media handling and security
    • Management of removable computer media
    • Disposal of media
    • Information handling procedures
    • Security of system documentation
  • Electronic commerce security
    • Client security
    • Security of media in transit
  • SET
  • Security of electronic mail
  • Security of electronic office systems
  • Publicly available systems
  • Other forms of information exchange
8. ACCESS CONTROL
  • Business requirement for access control
  • Subjects and objects
  • Authorisation rules
  • Access control policy
  • Database access
  • Security axioms
  • IDS
  • Access control rules
  • User access management
  • Privilege management
    • Privilege and the child/parent process
  • High risk options
  • Access to sensitive areas
  • Client host name and IP address restrictions
  • Secure passwords
  • User password management
  • Review of user access rights
  • User responsibilities
  • Authentication on Webs
  • Kerberos
  • User password authentication
    • Dongles
  • Network access control
  • Screening routers
  • Handling IP fragments
  • DNS
  • Protocols without fixed address
  • Filter placement
  • Circuit level gateways
  • Tunnels good and bad
  • Polonius identity authentication
  • Digital certificates
  • Access models
  • DAC and MAC
  • Activity logs
  • Policy on use of network services
  • Enforced path
  • Internal threats to firewalls
  • IPsec
  • Illegal access through pole vaulting
  • User authentication for external connections
    • PGP
    • SSL
    • Long key SSL
    • S-HTTP
    • DSS
  • Encryption keys
  • E-mail and PGP
  • Certificates
  • Node authentication
  • Remote diagnostic port protection
  • Segregation in networks
    • Firewall security software
    • Security within firewalls
  • Network connection control
  • Network routing control
  • Security of network services
9. OPERATING SYSTEM ACCESS CONTROL
  • Automatic terminal identification
  • User authentication
  • Use of systems utilities
  • Duress alarm to safeguard users
  • Terminal time-out
  • Limitation of connection time
  • Application access control
  • Sensitive systems isolation
  • Monitoring systems use
  • Logging and reviewing events

10. MOBILE COMPUTING AND TELEWORKING

  • Mobile computing
  • Teleworking
    • The new opportunity
    • Health and safety
    • Knowledge espionage
    • Improper database access
  • Firewalls and routers
  • Security requirements for home working
  • Security of transmission
  • Virus protection
  • Implementing security
  • Training

11. SYSTEMS DEVELOPMENT AND MAINTENANCE

  • Security requirements of systems
  • Security requirements analysis and specification
  • Security in application systems
  • Input data validation
  • Control of internal processing
  • Message authentication
  • Output data validation
  • Cryptographic controls
  • Policy on the use of cryptographic controls
  • Encryption
  • Digital signatures
  • Non-repudiation services
  • Key management
  • Security of system files
  • Control of operational software
  • Protection of system test data
  • Access control to program source library
  • Security in development and support processes
  • Change control procedures
  • Technical review of operating system changes
  • Restrictions on changes to software packages
  • Covert channels and Trojan code
  • Outsourced software development

12. BUSINESS CONTINUITY MANAGEMENT

  • Business continuity
  • Who should lead
  • Business disaster life cycle
  • Normal operations
  • Interim response
  • Restoration
  • Problems inherent in plans
  • Recovery plan work flow
  • The steering committee
  • The administrator
  • Questions to be answered in the design of the plan
  • Insurance
  • Consequential loss
  • Recreation costs
  • Insurance assessment policy
  • Disaster costings
  • Actuarial calculations
  • Physical security and contingency
    • Electrical equipment
    • Flood
    • Fire
    • Entry controls
  • Reducing the risk of an IT disaster
  • Finding vulnerabilities
  • Risk management
  • Business risk analysis

13. CONTINUITY PLANS
  • Determining business requirements
  • The Disaster recovery co-ordinator
  • Command and control
  • Pre-written releases
  • Department plans
    • Directors
    • Managers
    • Supervisors
    • Staff
  • Analysis of requirements
  • Information gathering
  • Survival time
  • Disaster triggers
  • Analysis of business process
  • Collaboration in the process
  • Planning considerations
  • Selecting alternate sites
    • Node triangularisation
  • Finalising the recovery site
  • Extrapolating events and requirements
  • Logistics
  • Home working
  • Interoperability
  • Available back-up operation
  • Centralised and decentralised back-up
  • Scope of the recovery
  • Alternate site
  • Cost of recovery
  • Writing and implementing continuity plans
  • Validating the plan
  • Plan up-dates
  • Testing monitoring and reassessing the continuity plan
  • Communicating the plan

14. COMPLIANCE WITH LEGAL REQUIREMENTS

  • Compliance
  • Identification of applicable legislation
  • Intellectual property rights (IPR)
  • Safeguarding of organisational records
  • Data protection and privacy of personal information
  • Prevention of misuse of information processing facilities
  • Regulation of cryptographic controls
  • Collection of evidence
  • Reviews of security policy and technical compliance
  • Compliance with security policy
  • Technical compliance checking
  • System audit considerations
  • System audit controls
  • Protection of system audit tools

15. CERTIFICATION
  • Certification aids
  • Questionnaires
