Description

With the explosion of digital technology which has multiplied development opportunities, the management of information systems security has become a major issue for all companies. This very rich seminar will present to you all the actions and solutions to ensure the security of your IS: from risk analysis to the optimal implementation of security solutions. You will also see the insurance and legal themes closely linked to the application of a security policy.

Who is this training for ?

For whom ?

Master the information security risk management process Use the repositories and associated standards Know the legal framework Define and manage the implementation of solutions

Prerequisites

Training objectives

No special knowledge

Training program

• Introduction to risk management
  • The definition of risk and its characteristics: potentiality, impact, severity.
  • The different types of risks: accident, error, malicious intent.
  • The DIC classification: Availability, Integrity and Confidentiality of information.
  • Countermeasures in risk management: prevention, protection, risk reporting, outsourcing.
• CISO: security conductor
  • What are the role and responsibilities of the IS Security Manager? Towards a security organization, the role of "Assets Owners".
  • Optimal management of resources and allocated resources.
  • The Risk Manager in the company; his role in relation to the IS Security Manager.
• Normative and regulatory frameworks
  • SOX, COSO, COBIT regulations.
  • For whom? For what? Towards information system governance.
  • Links with ITIL and CMMI.
  • The ISO 27001 standard in an information security management system approach.
  • Links with ISO 15408: common criteria, ITSEC, TCSEC.
  • The advantages of ISO 27001 certification for organizations.
• The risk analysis process
  • Identification and classification of risks.
  • Operational, physical, logical risks.
  • How to build your own knowledge base of threats and vulnerabilities? Use the methods and standards: EBIOS/FEROS, MEHARI.
  • The risk analysis approach within the framework of ISO 27001, the PDCA approach (Plan, Do, Check, Act).
  • The ISO 27005 standard and developments in French methods.
  • From risk assessment to the risk treatment plan: good practices.
• Security audits and awareness plan
  • Continuous and complete process.
  • Audit categories, from organizational audit to intrusion test.
  • The best practices of the 19011 standard applied to security.
  • How to create your internal audit program? How to qualify your auditors? Comparative contributions, recursive approach, human implications.
  • Security awareness: who? what? how? Definitions of Morality/Deontology/Ethics.
  • The security charter, its legal existence, its content, its validation.
• The cost of security and contingency plans
  • Security budgets.
  • The definition of Return On Security Investment (ROSI).
  • Cost evaluation techniques, the different calculation methods, the Total Cost of Ownership (TCO).
  • The Anglo-Saxon concept of "Payback Period".
  • Risk coverage and continuity strategy.
  • Backup, continuity, recovery and crisis management plans, PCA/PRA, PSI, RTO/RPO.
  • Develop a continuity plan, insert it into a quality approach.
• Design optimal solutions
  • Selection approach for security solutions adapted to each action.
  • Definition of a target architecture.
  • The ISO 1540 standard as a selection criterion.
  • Choose between IDS and IPS, content control as a necessity.
  • How to deploy a PKI project? Pitfalls to avoid.
  • Authentication techniques, towards SSO projects, identity federation.
  • The security approach in IS projects, the ideal PDCA cycle.
• Security monitoring
  • Risk management: observations, certainties.
  • Key indicators and dashboards, towards an ISO and PDCA approach.
  • Outsourcing: interests and limits.
• Legal attacks on the Automatic Data Processing System
  • Reminder, definition of the Automatic Data Processing System (STAD).
  • Types of attacks, European context, the LCEN law.
  • What legal risks for the company, its managers, the CISO?
• Recommendations for “legal” IS security
  • The protection of personal data, sanctions provided for in the event of non-compliance.
  • On the use of biometrics in France.
  • Cybersurveillance of employees: legal limits and constraints.
  • The rights of employees and the sanctions incurred by the employer.