Bank Information Risk Management
Brought to you by
[email protected] Tel +44 (0)20 7729 1811 www.premcs.com Fax +44 (0)20 7729 9412
Strategic, Tactical & Operational requirements for managing information and IT-related risk
Bring this course in-house and SAVE up to 50%. Contact Us For More Details.
Course Director: John Sherwood
A 3-Day Training Event
• 9th - 11th February 2009, London
• 8th - 10th June 2009, London
• 12th - 14th October 2009, London
• 14th - 16th December 2009, London
Attend this Training Event and you will learn:
The strategic, tactical and operational requirements for managing information and IT-related risk, with particular focus on the banking and other financial services industries.
Who Should Attend?
• Head of IT
• IT Staff
• IT Project Managers
• Risk Managers
• Risk Analysts
• Heads of Risk Management
• Heads of Operations
• Operations Analysts
Learning Level: Intermediate
Knowledge Pre-Requisites: It is expected that attendees will have a reasonable level of experience in, and be familiar with, the financial services industry.
Course Director: John Sherwood
John Sherwood has 34 years of experience as an information-systems and risk professional, the last 20 of which have been as a specialist in the security and risk management of business information systems. The great majority of this experience is in the banking and finance industry sector, but covers also aerospace, oil & gas, chemicals, telecommunications, media, retail and government.
John is currently a Director of idRisk Limited, where he heads up the operational risk and compliance management specialist group. Prior to this he had been Managing Director of Sherwood Associates Limited, a specialist information security consultancy that he founded in 1990.
For a while, and following 10 successful years of running Sherwood Associates Limited, he joined Netigy Corporation at the beginning of 2000. Amongst the many things that he brought with him into Netigy was the SABSA® methodology for developing enterprise-wide security architectures. This was integrated into the Netigy eProved Methodology, where it formed the heart of the architectural approach used by Netigy. John was at first Executive Director Architecture in Netigy’s Global Security Practice, developing the Netigy service offerings. Later, as Practice Director EMEA, he was responsible for leading the development and delivery of Netigy’s strategic business-focused consulting services across the EMEA region.
In December 2001 John Sherwood joined QinetiQ as the Director of Professional Services (EMEA) within QinetiQ Trusted Information Management. He became one of the key players transforming that company into a global world-class provider of Information Security Services. A year later he left QinetiQ to join idRisk Limited.
John is also a visiting lecturer and external examiner at Royal Holloway College, University of London, and has published and lectured extensively around the world on a broad range of topics in the information security domain. He is the lead author of a book entitled ‘Enterprise Security Architecture: A Business Driven Approach’, published in September 2005. This book is based around the SABSA® methodology and brings together all existing security management standards under an over-arching management framework.
Training Event Focus and Features
Risk management is a crucial input into the strategic decision making of all banks. This three-day course will describe the strategic, tactical and operational requirements for managing information and IT-related risk, with particular focus on the banking and other financial services industries. After attending this course delegates will be able to:
• Describe the main information and IT-related risks that are faced by a large financial services firm, explain the various approaches to managing these risks and discuss objectively the benefits and costs that accompany these approaches to managing information risk.
• Develop plans for implementing an information risk management strategy across the enterprise and analyse the potential impacts on his or her firm.
• Synthesise alternative information risk management strategies that could be appropriate as a response to the perceived risks.
• Design architectures, systems and processes to implement the potential strategies most suited to the needs of the firm.
Fee: £1750.00 (ex. VAT)
In-House Training: Save up to 50% on training
Tailor training for your team and save up to 50% when you run this course in-house. If you have 6 or more people who require training on the same topic, we can tailor training courses to meet your exact needs and budget, saving you up to 50%. We charge per day NOT per delegate, so the cost remains the same regardless of how many people you have in your team.
With In-House Training You Will:
• Save money over public training event fees, in addition to savings on travel and accommodation costs.
• Save time on travel, as the instructor will travel to you. Furthermore, the training can be held at the most convenient time for you.
• Ensure the relevance of the training event for your organisation and industry. You may wish to tailor the structure and methodology of your seminar, or customise the seminar to meet the expertise levels of your attending employees.
AGENDA
Day 1
Session 1: Information Risk and Security
• The meaning of ‘security’
• The meaning of ‘risk’
• Measuring and prioritising business risk
• Information security as a business enabler
• Adding value to the core product
• Empowering customers
• Protecting relationships and leveraging trust
Session 2: Information Risk Management Strategy
• Enterprise security architecture (ESA)
- Managing complexity
- Reference architectures
- Why strategic information risk programmes fail and how to avoid failure
- The holistic approach
• The SABSA model and methodology
- Developing enterprise security architectures
- The owner’s view
- The architect’s view
- The designer’s view
- The builder’s view
- The tradesman’s view
- The facilities manager’s view
- The inspector’s view
• The SABSA development process
- Strategy and concept phase
- Design phase
- Implementation phase
- Operational phase: management and measurement
Session 3: A Systems Approach to Information Security
• The role of systems engineering
- Basic systems design concepts
- The system boundaries and its environment
- Sub-system decomposition
• Control systems
• Security system case study
- Equities market trading system design
• Advanced systems modelling techniques
- Business process analysis
- Dependency tree modelling
- Finite state machine modelling
Session 4: Aligning Information Risk Management with the Business
• Return on investment for information security
• The need for metrics
• Measurement approaches
- Scorecards
- Business drivers and traceability
- Business attributes profiling
- Setting up a metrics framework
- Maturity modelling applied to information security
- Risk reporting
Course Methodology & Instructors
Classroom-style lectures featuring intensive use of up-to-date and relevant case studies. The course is at an Intermediate level and will be taught by an international consultant in risk management and former information-systems and risk executive.
Day 2
Session 5: Managing the Information Risk Programme
• Selling the benefits of information risk management to senior management
• Getting sponsorship and budget
• Building the team
• Programme planning and management
• Collecting the information you need
• Getting consensus on the conceptual security architecture
• Architecture governance, compliance and maintenance
• Long-term confidence of senior management
Session 6: Business Drivers for Information Risk Management
• Business needs for information security
• Security as a business enabler
• Digital business security
• Operational continuity and stability
• Safety-critical dependencies
• Business goals, success factors and operational risks
• Business processes and their need for security and control
• Organisation and relationships affecting business security needs
• Location and time dependence of business security needs
Session 7: Risk Assessment and Operational Risk Management
• The components of risk
• Qualitative risk assessment
• Semi-quantitative risk assessment
• Risk appetite
• Cost-benefit analysis for risk control and residual risk
• Regulatory drivers for operational risk management
• The complexity of operational risk management
• Risk mitigation and control
• Risk-based security reviews
• Risk financing
• The risk management dashboard
Session 8: Security Policy Management
• The meaning of security policy
• Influencing behaviour through policies
• Structuring the content of security policy
• Policy hierarchy and architecture
• Corporate security policy
• Security policy principles
• Information classification
• System classification
• Certificate authority and registration authority policies
• Application system security policies
• Platform security policies
• Network security policies
• Other information security policies
Session 9: Security Organisation
• Roles and responsibilities
• Governance structures
• Security culture development
• Outsourcing strategies and their relation to security policy
Session 10: Conceptual Security Models
• Conceptual thinking
• The Business Attributes Profile
• Control objectives
• Technical security strategies and architectural layering
• Security entity model and trust framework
• Security domain model
• Security lifetimes and deadlines
• Assessing the current state of your security architecture
Session 11: Logical Security Models and Management
• Business information model
• Security services
• Application and system security services
• Security management services
• Entity schema and privilege profiles
• Security domains and security associations
• Security processing cycle
• Security improvements programme
Day 3
Session 12: Cryptographic Techniques and other Security Mechanisms
• Business data model and file security mechanisms
• Database security mechanisms
• Security rules, practices and procedures
• Mapping security mechanisms to security services
• Cryptographic mechanisms and their uses
- Encryption
- Data integrity mechanisms
- Public key certificates
- Digital signature mechanisms
- Authentication exchange mechanisms
- Cryptographic key management
- Cryptographic services architecture
- Strength of cryptographic mechanisms
- Future of cryptographic mechanisms
Session 13: Identity and Access Management
• Unique entity naming
• Registration
• Public key certification
• Credentials certification
• Federated identity management
• Directory services
- Information model
- Service naming model
- Service functional model
- Service security model
- Authorisation services
• Entity authentication
• User authentication
• Device authentication
Session 14: Network & Communications Security
• Network security policies
• Network security concepts
• Network security services
- Network domains
• Network security mechanisms
- Firewall architectures
• Network security components
• Communication security services
- Session authentication
- Message origin authentication
- Message integrity protection
- Message replay protection
- Message content confidentiality
- Non-repudiation
- Traffic flow confidentiality
Session 15: Application Security
• Application security policies
• Application security concepts
• Application security services
• Application security mechanisms
• Application security components
• Secure programming techniques
Session 16: Assurance Management
• Assurance of operational continuity
- Matching assurance levels to risk profiles
• Organisation security audits
• System security audits
• System assurance strategy
• Functional testing
• Penetration testing
Session 17: Security Administration and Operations
• Managing the people
• Managing physical and environmental security
• Managing IT operations and support
• Access control management
• Compliance management
• Security-specific operations
• Managed security services
• Product evaluation and selection
• Business continuity management
Course Materials
Delegates will be provided with printed course slides, together with extensive appendices containing practical workshop materials and example case studies, allowing you to concentrate on the course presentation and to annotate your notes with key information.
BOOKING DETAILS
TERMS AND CONDITIONS
Terms and conditions will be according to Premier’s standard training ‘Terms of Business’. Please note the following points:
• Payment is due 30 days from date of invoice, or before or on the day of the course if this is the first booking with Premier.
• If the course is cancelled within fourteen days of course commencement there will be a 100% cancellation charge.
TO BE COMPLETED BY CLIENT
After ensuring that all course details are correct, please either sign below and FAX back to confirm your acceptance of this booking and our Terms and Conditions, or check this box to confirm your booking and return by E-Mail.