Aron Mesterbasic
During this BCS course you will gain a clear understanding of information security management issues, including risk management, security standards, legislation and business continuity.
Your course package is designed to provide maximum learning and convenience. This is included in the price of your course:
Your expert instructor will get you ready for the following exam and certification, which are included in your course package and covered by the Certification guarantee.
There are no formal entry requirements; however, the candidate should have basic working IT knowledge and an awareness of the issues involved with security control activities.
Using our engaging learning methodology, including a variety of tools, we'll cover the entire curriculum.
1. Information Security Management Principles
In this section, candidates will learn the basic concepts of information security together with the main terms in common usage. Candidates will gain an understanding of why information security is becoming increasingly important not just in the IT community but also in the business community at large.
1.1 Concepts and Definitions
Note: This covers the definitions, meanings and use of concepts and terms across information security management. It includes the concepts and terms:
1.1.1 Information security (confidentiality, integrity, availability and non-repudiation)
1.1.2 Cyber security
1.1.3 Asset and asset types (information, physical, software)
1.1.4 Asset value and asset valuation
1.1.5 Threat, vulnerability, impact and risk
1.1.6 Information security policy concepts
1.1.7 The types, uses and purposes of controls
1.1.8 Identity, authentication, authorization
1.1.9 Accountability, audit and compliance
1.1.10 Information security professionalism and ethics
1.1.11 The Information Security Management System (ISMS) concept
1.1.12 Information Assurance and Information Governance
1.2 The need for, and the benefits of information security
Note: This covers the way in which information security management relates to its environment. It includes:
1.2.1 Importance of information security as part of the general issue of protection of business assets and of the creation of new business models e.g. cloud, mergers, acquisitions and outsourcing
1.2.2 Different business models and their impact on security (e.g. online business vs. traditional manufacturing vs. financial services vs. retail; commercial vs. governmental)
1.2.3 Effect of rapidly changing information and business environment on information security
1.2.4 Balancing the cost/impact of security against the reduction in risk achieved
1.2.5 Information Security as part of overall company security policy
1.2.6 The need for a security policy and supporting standards, guidelines and procedures
(Syllabus text: BCS Foundation Certificate in Information Security Management Principles Syllabus, Version 8.2, March 2017, Copyright © BCS 2017)
1.2.7 The relationship with corporate governance and other areas of risk management
1.2.8 Security as an enabler; delivering value rather than cost
2. Information Risk
In this section, candidates will gain an appreciation of risk assessment and management as it applies to information security. Candidates will learn how:
Threats and vulnerabilities lead to risks
Threats and vulnerabilities apply specifically to IT systems
The business must assess the risks in terms of the impact suffered by the organisation should the risk materialise
To determine the most appropriate response to a risk and the activities required to achieve the effective management of risks over time.
2.1 Threats to and vulnerabilities of information systems
Note: This covers the threats to, and vulnerabilities of information systems, and their contribution to risk. It includes:
2.1.1 Threat intelligence and sharing, the speed of change of threats and the need for a timely response
2.1.2 Threat categorisation (accidental vs. deliberate, internal vs. external, etc.)
2.1.3 Types of accidental threats (e.g. hazards, human error, malfunctions, fire, flood, etc.)
2.1.4 Types of deliberate threats (e.g. hacking, malicious software, sabotage, cyber terrorism, hi-tech crime, etc.)
2.1.5 Big Data, the Internet of Things and the Dark Web
2.1.6 Sources of accidental threat (e.g. internal employee, trusted partner, poor software design, weak procedures and processes, managed services, newsgroups, etc.)
2.1.7 Sources of deliberate threat (internal employee, trusted partner, random attacker, targeted attack, managed and outsourced services, web sites, etc.)
2.1.8 Vulnerability categorisation (e.g. weaknesses in software, hardware, buildings/facilities, people, procedures)
2.1.9 Vulnerabilities of specific information system types (e.g. PCs, laptops, hand held devices, Bring Your Own Devices (BYOD), servers, network devices, wireless systems, web servers, email systems, etc.)
2.1.10 The contribution of threats, vulnerabilities and asset value to overall risk
2.1.11 Impact assessment of realised threats (e.g. loss of confidentiality, integrity, and availability, leading to financial loss, brand damage, loss of confidence, etc.)
2.2 Risk Management
Note: This covers the processes for understanding and managing risk relating to information systems. It includes:
2.2.1 Risk management process (establish the context; assessment, including identification, analysis and evaluation; treatment; communication and consultation; and monitoring and review)
2.2.2 Strategic options for dealing with risks (e.g. avoid/eliminate/terminate/reduce/ modify/transfer/accept/tolerate)
2.2.3 Tactical ways in which controls may be used – preventive, directive, detective and corrective
2.2.4 Operational types of controls – physical, procedural (people) and technical
2.2.5 The purpose of and approaches to impact assessment, including qualitative, quantitative, software tools and questionnaires
2.2.6 Identifying and accounting for the value of information assets
2.2.7 Principles of information classification strategies
2.2.8 The need to assess the risks to the business in business terms
2.2.9 Balancing the cost of information security against the cost of potential losses
2.2.10 The role of management in accepting risk
2.2.11 Contribution to corporate risk registers
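The items above (2.2.1 to 2.2.11) describe one procedure: identify and analyse a risk, evaluate it against what the business will tolerate, pick a treatment option, and record the outcome in the risk register. The following worked example is added to this page to show those steps in running code; it is not BCS course material or the training provider's code. The risk appetite threshold, the asset values, the likelihood/impact scores, the exposure factors and every control cost are constructed figures for illustration. It uses the common quantitative formulas (single loss expectancy = asset value x exposure factor; annualised loss expectancy = SLE x annualised rate of occurrence) alongside a qualitative likelihood x impact rating, and justifies a control only where the ALE it removes exceeds its annual cost.

```python
"""Worked risk-assessment example for syllabus section 2.2 (risk management
process, strategic treatment options, control types, quantitative impact
assessment and cost/benefit). Added illustration for this page, not BCS
material; every asset, threat, value and cost below is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# Assumed organisational risk appetite on a 1..25 qualitative scale (likelihood x impact):
# scores at or below this may be accepted by management (2.2.10); higher scores need treatment.
RISK_APPETITE = 8


@dataclass(frozen=True)
class Risk:
    asset: str
    asset_value: float      # business value of the asset in currency units (2.2.6)
    threat: str
    vulnerability: str
    likelihood: int         # qualitative 1 (rare) .. 5 (almost certain)
    impact: int             # qualitative 1 (negligible) .. 5 (severe), in business terms (2.2.8)
    exposure_factor: float  # fraction of asset value lost per incident, 0..1
    aro: float              # annualised rate of occurrence (incidents per year)

    @property
    def score(self) -> int:
        """Qualitative rating: likelihood x impact (2.1.10, contribution to overall risk)."""
        return self.likelihood * self.impact

    @property
    def sle(self) -> float:
        """Single loss expectancy = asset value x exposure factor."""
        return self.asset_value * self.exposure_factor

    @property
    def ale(self) -> float:
        """Annualised loss expectancy = SLE x ARO."""
        return self.sle * self.aro


@dataclass(frozen=True)
class Control:
    name: str
    tactical_type: str         # preventive | directive | detective | corrective (2.2.3)
    operational_type: str      # physical | procedural | technical (2.2.4)
    annual_cost: float
    aro_reduction: float       # fraction by which the control lowers ARO, 0..1
    ef_reduction: float = 0.0  # fraction by which it lowers the exposure factor, 0..1


def residual_ale(risk: Risk, control: Control) -> float:
    """ALE that remains once the control is in place."""
    return (risk.asset_value * risk.exposure_factor * (1 - control.ef_reduction)
            * risk.aro * (1 - control.aro_reduction))


def annual_benefit(risk: Risk, control: Control) -> float:
    """Net value of a control: ALE reduction minus its annual cost (2.2.9, 1.2.4).
    Positive means the control costs less than the loss it prevents."""
    return risk.ale - residual_ale(risk, control) - control.annual_cost


def choose_treatment(risk: Risk, candidates: Sequence[Control],
                     appetite: int = RISK_APPETITE,
                     transferable: bool = False) -> Tuple[str, Optional[Control]]:
    """Pick one of the 2.2.2 strategic options.

    accept   - rating is within appetite, so management may tolerate it
    reduce   - a cost-justified control exists; take the one with the best net benefit
    transfer - nothing is cost-justified but the loss can be insured or contracted away
    avoid    - none of the above: stop the activity or retire the asset
    """
    if risk.score <= appetite:
        return ("accept", None)
    justified = [c for c in candidates if annual_benefit(risk, c) > 0]
    if justified:
        return ("reduce", max(justified, key=lambda c: annual_benefit(risk, c)))
    if transferable:
        return ("transfer", None)
    return ("avoid", None)


# --- Constructed register entries (illustrative figures, not real data) ---------------
CUSTOMER_DB = Risk("Customer database", 2_000_000, "External attacker via the web application",
                   "Unpatched SQL injection", likelihood=4, impact=5, exposure_factor=0.25, aro=0.5)
PATCHING = Control("Patch management plus WAF", "preventive", "technical", 60_000, aro_reduction=0.8)
PENTEST = Control("Annual penetration test", "detective", "procedural", 30_000, aro_reduction=0.4)

OFFICE_PRINTER = Risk("Shared office printer", 2_000, "Hardware malfunction", "No maintenance contract",
                      likelihood=3, impact=1, exposure_factor=1.0, aro=0.5)

LEGACY_APP = Risk("Unsupported legacy application", 500_000, "Malware infection", "No vendor patches",
                  likelihood=4, impact=4, exposure_factor=0.5, aro=0.2)
REWRITE = Control("Rewrite on a supported platform", "preventive", "technical", 400_000, aro_reduction=0.5)


def risk_register() -> List[dict]:
    """Rows suitable for contribution to a corporate risk register (2.2.11)."""
    rows = []
    for risk, controls, transferable in ((CUSTOMER_DB, [PATCHING, PENTEST], True),
                                         (OFFICE_PRINTER, [], False),
                                         (LEGACY_APP, [REWRITE], True)):
        option, control = choose_treatment(risk, controls, transferable=transferable)
        rows.append({"asset": risk.asset, "score": risk.score, "ale": round(risk.ale),
                     "treatment": option, "control": control.name if control else None})
    return rows


if __name__ == "__main__":
    for row in risk_register():
        print(row)
```

Running the block prints one register row per constructed risk: the customer database (score 20, ALE 250,000) is reduced with patching because that control returns the larger net benefit; the printer (score 3) is accepted; the legacy application (score 16) is transferred because the only candidate control costs far more than the loss it would prevent, and would be avoided if insurance were not available. In practice the figures come from the impact assessment in 2.2.5, and the accept decision is one for management, not for the script (2.2.10).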
3. Information Security Framework
In this section, candidates will gain an understanding of how risk management should be implemented in an organisation.
3.1 Organisation and Responsibilities
3.1.1 The organisation’s management of security
Information security roles in an enterprise
Placement in the organisation structure
Board/Director responsibilities
Responsibilities across the organisation
Need to take account of statutory (e.g. data protection, health & safety), regulatory (e.g. financial services regulations) and advisory (e.g. accounting practices, corporate governance guidelines) requirements
Provision of specialist information security advice and expertise
Creating a culture of good information security practice
3.1.2 Organisational policy, standards and procedures
Developing, writing and getting commitment to security policies
Developing standards, guidelines, operating procedures, etc. internally and with third parties (outsourcing), managed service providers, etc.
Balance between physical, procedural and technical security controls
End user codes of practice
Consequences of policy violation
3.1.3 Information Security Governance
Review, evaluation and revision of security policy
Security audits and reviews
Checks for compliance with security policy
Reporting on compliance status with reference to legal and regulatory requirements, e.g. Sarbanes Oxley
Compliance of contractors, third parties and sub-contractors
3.1.4 Information Security implementation
Planning – ensuring effective programme implementation
How to present information security programmes as a positive benefit (e.g. business case, ROI case, competitive advantage, getting management buy-in)
Security architecture and strategy
Need to link with business planning and risk management and audit processes
3.1.5 Security Incident Management
Note: This covers incidents that affect the confidentiality, integrity or availability of information either directly or indirectly. This includes:
Security incident reporting, recording, management
Incident response teams/procedures
Need for links to corporate incident management systems
Processes for involving law enforcement or responding to requests from them
3.2 Legal Framework
Note: This section addresses general principles of law, legal jurisdiction and associated topics as they affect information security management. These will cover a broad spectrum from the security implications on compliance with legal requirements affecting business (e.g. international electronic commerce) to laws that directly affect the way information can be monitored and copied. Note that specific laws and legal issues relating to the country(s) within which a training provider operates may be mentioned as examples and included in course material, but the examination will only test the principles. Topics include:
3.2.1 Protection of personal data, restrictions on monitoring, surveillance, communications interception and trans-border data flows
3.2.2 Employment issues and employee rights (e.g. relating to monitoring, surveillance and communications interception rights and employment law)
3.2.3 Common concepts of computer misuse
3.2.4 Requirements for records retention
3.2.5 Intellectual property rights, e.g. copyright, including its application to software, databases and documentation
3.2.6 Contractual safeguards including common security requirements in outsourcing contracts, third party connections, information exchange, etc.
3.2.7 Collection of admissible evidence
3.2.8 Securing digital signatures (e.g. legal acceptance issues)
3.2.9 Restrictions on purchase, use and movement of cryptography technology
3.3 Security Standards and Procedures
Note: There are a number of common, established standards and procedures that directly affect information security management. Awareness of these to include:
3.3.1 Where to find national and international information security standards
3.3.2 ISO/IEC 27000 series, ISO/IEC 20000 (IT service management, aligned with ITIL®), Common Criteria and other relevant international standards
3.3.3 International industry sector standards
3.3.4 Certification of information security management systems to appropriate standards – e.g. ISO/IEC 27001:2013
3.3.5 Product certification to recognised standards – e.g. ISO/IEC 15408 (the Common Criteria)
3.3.6 Key technical standards – e.g. IETF RFCs, FIPS, ETSI
4. Procedural/People Security Controls
In this section, candidates will learn about the risks to information security involving people. Candidates will gain:
An understanding of the controls that may be used to manage those risks
An appreciation of the importance of appropriate training for all those involved with information
4.1 People
4.1.1 Organisational culture of security
4.1.2 Employee, contractor and business partner awareness of the need for security
4.1.3 Role of contracts of employment
4.1.4 Need for and topics within service contracts and security undertakings
4.1.5 Rights, responsibilities, authorities and duties of individuals - codes of conduct
4.1.6 Typical topics in acceptable use policies
4.1.7 Role of segregation of duties/avoiding dependence on key individuals
4.1.8 Typical obligations on interested parties (e.g. contractors, managed service providers, outsourced services, etc.)
4.2 User Access Controls
4.2.1 Authentication and authorisation mechanisms (e.g. passwords, tokens, biometrics, etc.) and their attributes (e.g. strength, acceptability, reliability)
4.2.2 Approaches to use of controls on access to information and supporting resources taking cognisance of data ownership rights (e.g. read/write/delete, control), privacy, operational access, etc.
4.2.3 Approaches to administering and reviewing access controls, including role-based access, management of privileged users, management of users (joining, leaving, moving, etc.) and emergency access
4.2.4 Access points – remote, local, web-based, email, etc. - and appropriate identification and authentication mechanisms
4.2.5 Information classification and protection processes, techniques and approaches
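Items 4.1.7 (segregation of duties) and 4.2.3 (reviewing role-based access, privileged users, joiners/movers/leavers and emergency access) describe the checks a periodic access review performs. The example below is added to this page to show those checks as code; it is not BCS course material or the training provider's code. The role model, the list of privileged entitlements, the toxic combination, the 90-day re-certification period and the five sample accounts are all constructed assumptions. It compares what each account actually holds with what its current role should grant, and reports leavers who still have access, movers who kept old rights, people holding both halves of a toxic combination, privileged access past its review date, and break-glass grants that were never revoked.

```python
"""Worked access-review example for syllabus items 4.1.7 and 4.2.3. Added
illustration for this page, not BCS material; the roles, entitlements,
policy values and accounts below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set, Tuple

# Assumed role model: the entitlements each role is supposed to carry.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "developer": {"git_push", "ci_view", "staging_deploy"},
    "sre": {"git_push", "ci_view", "prod_deploy", "prod_db_read"},
    "finance_clerk": {"erp_login", "raise_payment"},
    "finance_approver": {"erp_login", "approve_payment"},
}
# Entitlements treated as privileged and therefore re-certified more often.
PRIVILEGED: Set[str] = {"prod_deploy", "prod_db_admin", "domain_admin"}
# Combinations one person must never hold at once (segregation of duties, 4.1.7).
TOXIC_COMBINATIONS = [frozenset({"raise_payment", "approve_payment"})]
PRIVILEGED_REVIEW_DAYS = 90  # assumed policy: privileged access re-certified quarterly


@dataclass
class Account:
    user: str
    role: str                  # current role after any move
    active: bool               # False once HR records the person as a leaver
    entitlements: Set[str]     # what the directory and applications actually grant
    last_review: date          # last time a manager re-certified this access
    emergency_grants: Dict[str, date] = field(default_factory=dict)  # break-glass entitlement -> expiry


def review_access(accounts: List[Account], today: date) -> Dict[str, List[Tuple[str, List[str]]]]:
    """Compare granted access with the role model and return findings by category."""
    findings: Dict[str, List[Tuple[str, List[str]]]] = {
        "leaver_with_access": [],        # leaver process not completed
        "excess_entitlements": [],       # access creep, typically a mover keeping old rights
        "segregation_of_duties": [],     # toxic combination held by one person
        "privileged_unreviewed": [],     # privileged access past its re-certification date
        "expired_emergency_access": [],  # break-glass grant not revoked after its expiry
    }
    for acct in accounts:
        if not acct.active:
            if acct.entitlements:
                findings["leaver_with_access"].append((acct.user, sorted(acct.entitlements)))
            continue
        expected = ROLE_ENTITLEMENTS.get(acct.role, set())
        expired = sorted(e for e, expiry in acct.emergency_grants.items() if expiry < today)
        if expired:
            findings["expired_emergency_access"].append((acct.user, expired))
        # Emergency grants are reported through their own check, not as creep.
        excess = acct.entitlements - expected - set(acct.emergency_grants)
        if excess:
            findings["excess_entitlements"].append((acct.user, sorted(excess)))
        for combo in TOXIC_COMBINATIONS:
            if combo <= acct.entitlements:
                findings["segregation_of_duties"].append((acct.user, sorted(combo)))
        privileged_held = acct.entitlements & PRIVILEGED
        if privileged_held and (today - acct.last_review).days > PRIVILEGED_REVIEW_DAYS:
            findings["privileged_unreviewed"].append((acct.user, sorted(privileged_held)))
    return findings


# --- Constructed sample population (not real accounts) ---------------------------
TODAY = date(2024, 6, 1)
SAMPLE_ACCOUNTS = [
    # mover: went from DBA to developer but kept prod_db_admin; last certified 200 days ago
    Account("alice", "developer", True,
            {"git_push", "ci_view", "staging_deploy", "prod_db_admin"}, TODAY - timedelta(days=200)),
    # leaver: HR marked inactive, account still carries the SRE entitlements
    Account("bob", "sre", False, set(ROLE_ENTITLEMENTS["sre"]), TODAY - timedelta(days=20)),
    # clerk who can both raise and approve payments
    Account("carol", "finance_clerk", True,
            {"erp_login", "raise_payment", "approve_payment"}, TODAY - timedelta(days=10)),
    # SRE given break-glass domain_admin that expired yesterday and was never revoked
    Account("dave", "sre", True, set(ROLE_ENTITLEMENTS["sre"]) | {"domain_admin"},
            TODAY - timedelta(days=30), {"domain_admin": TODAY - timedelta(days=1)}),
    # clean account
    Account("erin", "developer", True, set(ROLE_ENTITLEMENTS["developer"]), TODAY - timedelta(days=10)),
]

if __name__ == "__main__":
    for category, items in review_access(SAMPLE_ACCOUNTS, TODAY).items():
        print(category, items)
```

The review works from the role model rather than from the current grants, which is what distinguishes a re-certification from a mere listing of who has what: a grant is only acceptable if the person's current role explains it, or a still-valid emergency approval does. In a real review the role model and the account list come from the HR system and the directory respectively, and every finding is sent to the relevant line manager for a keep/revoke decision.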
4.3 Training and Awareness
4.3.1 Purpose and role of training – need to tailor to specific needs of different interested parties (e.g. users vs. IT staff vs. business manager vs. customers)
4.3.2 Approaches to training and promoting awareness – e.g. videos, books, reports, computer based training and formal training courses
4.3.3 Sources of information, including internal and external conferences, seminars, newsgroups, trade bodies, government agencies, etc.
4.3.4 Developing positive security behaviour
5. Technical Security Controls
In this section, candidates will learn about the technical controls that can be used to help ensure effective information security. Candidates will:
Learn about the threats from malware
Gain an understanding of the impact of those threats on networks and other communications systems
Learn about the different approaches to information security required when dealing with outsourced or other external facilities providers
Learn about the importance of effective information security in all networked environments where there is information storage, processing or access being provided
5.1 Protection from Malicious Software
5.1.1 Types of malicious software – Trojans, botnets, viruses, worms, active content (e.g. Java, ActiveX, XSS), etc.
5.1.2 Different ways systems can get infected
5.1.3 Methods of control – common approaches, need for regular updates, Open Web Application Security Project, etc.
5.2 Networks and Communications
Note: This subsection focuses on information security principles associated with the underlying networks and communications systems. This includes:
5.2.1 Entry points in networks and associated authentication techniques
5.2.2 Partitioning of networks to reduce risk – role of firewalls, routers, proxy servers and network boundary separation architectures
5.2.3 The role of cryptography in network security – common protocols and techniques (HTTPS, PKI, SSL/TLS, VPN, IPSec, etc.)
5.2.4 Controlling third party access (types of and reasons for) and external connections
5.2.5 Network and acceptable usage policy
5.2.6 Intrusion monitoring and detection methods and application
5.2.7 Vulnerability analysis and penetration testing of networks and connections
5.2.8 Secure network management (including configuration control and the periodic mapping and management of firewalls, routers, remote access points, wireless devices, etc.)
5.3 External Services
Note: This subsection focuses on the information security issues relating to value-added services that use the underlying networks and communications systems. This includes:
5.3.1 Securing real-time services (instant messaging, video conferencing, voice over IP, etc.)
5.3.2 Securing data exchange mechanisms e.g. e-commerce, email, internet downloads, file transfers, etc.
5.3.3 Protection of web servers and e-commerce applications
5.3.4 Mobile computing, home working and BYOD
5.3.5 Security of information being exchanged with other organisations
5.3.6 The management of information security within managed service and outsourced operations, including during subsequent insourcing and changes of supplier
5.4 Cloud Computing
Note: This subsection focuses on the information security issues relating to organisations that utilise cloud computing facilities. Cloud computing is location independent computing providing off-site resources e.g. services, applications and storage facilities. This includes:
5.4.1 Legal implications for cloud computing notably for personal data, IPR and related issues
5.4.2 The particular information security considerations when selecting a cloud computing supplier
5.4.3 Comparing the risks of maintaining a ‘classical’ organisation and architecture with the risks in a cloud computing environment
5.4.4 The importance of distinguishing between commercial risk (of a supplier) and the other consequences of risk to the purchaser
5.5 IT Infrastructure
Note: This covers all aspects of security in information systems, including operating systems, database and file management systems, network systems and applications systems. This includes:
5.5.1 Security Information and Event Management (SIEM)
5.5.2 Separation of systems to reduce risk
5.5.3 Conformance with security policy, standards and guidelines
5.5.4 Access control lists and roles, including control of privileged access
5.5.5 Correctness of input and on-going correctness of all stored data including parameters for all generalised software
5.5.6 Recovery capability, including back-up and audit trails
5.5.7 Intrusion monitoring, detection methods and application
5.5.8 Installation baseline controls to secure systems and applications - dangers of default settings
5.5.9 Configuration management and operational change control
5.5.10 The need to protect system documentation and promote security documentation within the organisation, within partner organisations and within managed service and outsourced operations
6. Software Development and Lifecycle
In this section, candidates will learn about the risk to security brought about by the development and full lifecycle of software. Candidates will:
Gain an understanding of the importance of appropriate audit and review processes, of effective change control and of configuration management
Learn about the differences for security between open source and proprietary solutions, commercial off-the-shelf and bespoke systems, and certified and non-certified systems
Learn about some of the techniques involved in reducing the security risks in the development of code
6.1 Testing, Audit and Review
6.1.1 Methods and strategies for security testing of business systems, including vulnerability analysis and penetration testing
6.1.2 Need for correct reporting of testing and reviews
6.1.3 Verifying linkage between computer and clerical processes
6.1.4 Techniques for monitoring system and network access and usage including the role of audit trails, logs and intrusion detection systems, and techniques for the recovery of useful data from them
6.2 Systems Development and Support
6.2.1 Security requirement specification
6.2.2 Security involvement in system and product assessment – including open source vs proprietary solutions
6.2.3 Security issues associated with commercial off-the-shelf systems/applications/ products
6.2.4 Importance of links with the whole business process – including clerical procedures
6.2.5 Separation of development and support from operational systems
6.2.6 Security of acceptance processes and security aspects in process for authorising business systems for use
6.2.7 Role of accreditation of new or modified systems as meeting their security policy
6.2.8 Change control for systems under development to maintain software integrity
6.2.9 Security issues relating to outsourcing software development
6.2.10 Preventing covert channels, Trojan code, rogue code, etc. – code verification techniques
6.2.11 Handling of security patches
6.2.12 Use of certified products/systems
6.2.13 Use of “Escrow” to reduce risk of loss of source code
7. Physical and Environmental Security Controls
In this section, candidates will gain an understanding of the physical aspects of security available in multi-layered defences.
Candidates will learn about the environmental risks to information in terms of the need, for example, for appropriate power supplies, protection from natural risks (fire, flood etc.) and in the everyday operations of an organisation.
Note: There is a need for information security managers to have a good appreciation of associated physical security issues, so they can make sure there is a seamless information security management system across the whole organisation. This includes:
General controls on access to and protection of physical sites, offices, secure areas, cabinets and rooms
Protection of IT equipment – servers, routers, switches, printers, etc.
Protection of non-IT equipment, power supplies, cabling, etc.
Need for processes to handle intruder alerts, deliberate or accidental physical events, etc.
Clear screen and desk policy
Moving property on and off-site
Procedures for secure disposal of documents, equipment, storage devices, etc.
Procedures for the disposal of equipment with digital-data retention facilities
The Virtual Classroom is an online room, where you will join your instructor and fellow classmates in real time. Everything happens live and you can interact freely, discuss, ask questions, and watch your instructor present on a whiteboard, discuss the courseware and slides, work with labs, and review.
Yes, you can sit exams from all the major vendors, such as Microsoft and Cisco, from the comfort of your home or office.
With Readynez you can do any course from the comfort of your home or office. Readynez provides support and best practices for your at-home classroom, so you can learn with minimal impact on your day-to-day life. Plus you'll save the cost and the environmental burden of travelling.
Well, learning is limitless, when you are motivated, but you need the right path to achieve what you want. Readynez consultants have many years of experience customizing learner paths and we can design one for you too. We are always available with help and guidance, and you can reach us on the chat or write us at info@readynez.com.