
Bank Information Risk Management

Brought to you by

[email protected] Tel +44 (0)20 7729 1811 www.premcs.com Fax +44 (0)20 7729 9412

Strategic, Tactical & Operational requirements for managing information and IT-related risk

Bring this course in-house and SAVE up to 50%. Contact us for more details.

Course Director: John Sherwood

A 3-Day Training Event
9th - 11th February 2009, London
8th - 10th June 2009, London
12th - 14th October 2009, London
14th - 16th December 2009, London

Attend this Training Event and you will learn the strategic, tactical and operational requirements for managing information and IT-related risk, with particular focus on the banking and other financial services industries.


Who Should Attend?
• Head of IT
• IT Staff
• IT Project Managers
• Risk Managers
• Risk Analysts
• Heads of Risk Management
• Heads of Operations
• Operations Analysts

Learning Level
Intermediate

Knowledge Pre-Requisites
It is expected that attendees will have a reasonable level of experience in, and be familiar with, the financial services industry.

Course Director

John Sherwood
John Sherwood has 34 years of experience as an information-systems and risk professional, the last 20 of which have been as a specialist in the security and risk management of business information systems. The great majority of this experience is in the banking and finance industry sector, but covers also aerospace, oil & gas, chemicals, telecommunications, media, retail and government.

John is currently a Director of idRisk Limited, where he heads up the operational risk and compliance management specialist group. Prior to this he had been Managing Director of Sherwood Associates Limited, a specialist information security consultancy that he founded in 1990.

For a while, and following 10 successful years of running Sherwood Associates Limited, he joined Netigy Corporation at the beginning of 2000. Amongst the many things that he brought with him into Netigy was the SABSA® methodology for developing enterprise-wide security architectures. This was integrated into the Netigy eProved Methodology, where it formed the heart of the architectural approach used by Netigy. John was at first Executive Director Architecture in Netigy’s Global Security Practice, developing the Netigy service offerings. Later, as Practice Director EMEA, he was responsible for leading the development and delivery of Netigy’s strategic business-focused consulting services across the EMEA region.

In December 2001 John Sherwood joined QinetiQ as the Director of Professional Services (EMEA) within QinetiQ Trusted Information Management. He became one of the key players transforming that company into a global world-class provider of Information Security Services. A year later he left QinetiQ to join idRisk Limited.

John is also a visiting lecturer and external examiner at Royal Holloway College, University of London, and has published and lectured extensively around the world on a broad range of topics in the information security domain. He is the lead author of a book entitled ‘Enterprise Security Architecture: A Business Driven Approach’, published in September 2005. This book is based around the SABSA® methodology and brings together all existing security management standards under an over-arching management framework.

Training Event Focus and Features
Risk management is a crucial input into the strategic decision making of all banks. This three-day course will describe the strategic, tactical and operational requirements for managing information and IT-related risk, with particular focus on the banking and other financial services industries.

After attending this course delegates will be able to:
• Describe the main information and IT-related risks that are faced by a large financial services firm, explain the various approaches to managing these risks and discuss objectively the benefits and costs that accompany these approaches to managing information risk.
• Develop plans for implementing an information risk management strategy across the enterprise and analyse the potential impacts on his or her firm.
• Synthesise alternative information risk management strategies that could be appropriate as a response to the perceived risks.
• Design architectures, systems and processes to implement the potential strategies most suited to the needs of the firm.

Fee
£1750.00 (ex. VAT)

In-House Training
Save up to 50% on training

Tailored Training for your team: save up to 50% when you run this course in-house. If you have 6 or more people who require training on the same topic, we can tailor training courses to meet your exact needs and budget, saving you up to 50%. We charge per day NOT per delegate, so the cost remains the same regardless of how many people you have in your team.

With In-House Training You Will:
• Save money over public training event fees, in addition to savings on travel and accommodation costs.
• Save time on travel, as the instructor will travel to you. Furthermore, the training can be held at the most convenient time for you.
• Ensure the relevance of the training event for your organisation and industry. You may wish to tailor the structure and methodology of your seminar, or customise the seminar to meet the expertise levels of your attending employees.


Day 1
Session 1: Information Risk and Security

• The meaning of ‘security’
• The meaning of ‘risk’
• Measuring and prioritising business risk
• Information security as a business enabler
• Adding value to the core product
• Empowering customers
• Protecting relationships and leveraging trust

Session 2: Information Risk Management Strategy

• Enterprise security architecture (ESA)
  - Managing complexity
  - Reference architectures
  - Why strategic information risk programmes fail and how to avoid failure
  - The holistic approach
• The SABSA model and methodology
  - Developing enterprise security architectures
  - The owner’s view
  - The architect’s view
  - The designer’s view
  - The builder’s view
  - The tradesman’s view
  - The facilities manager’s view
  - The inspector’s view
• The SABSA development process
  - Strategy and concept phase
  - Design phase
  - Implementation phase
  - Operational phase – management and measurement

Session 3: A Systems Approach to Information Security

• The role of systems engineering
  - Basic systems design concepts
  - The system boundaries and its environment
  - Sub-system decomposition
• Control systems
• Security system case study
  - Equities market trading system design
• Advanced systems modelling techniques
  - Business process analysis
  - Dependency tree modelling
  - Finite state machine modelling

Session 4: Aligning Information Risk Management with the Business

• Return on investment for information security
• The need for metrics
• Measurement approaches
  - Scorecards
  - Business drivers and traceability
  - Business attributes profiling
  - Setting up a metrics framework
  - Maturity modelling applied to information security
  - Risk reporting


Course Methodology & Instructors
Classroom-style lectures featuring intensive use of up-to-date and relevant case studies. The course is at an Intermediate level and will be taught by an international consultant in risk management and former information-systems and risk executive.


Day 2
Session 5: Managing the Information Risk Programme

• Selling the benefits of information risk management to senior management
• Getting sponsorship and budget
• Building the team
• Programme planning and management
• Collecting the information you need
• Getting consensus on the conceptual security architecture
• Architecture governance, compliance and maintenance
• Long-term confidence of senior management

Session 6: Business Drivers for Information Risk Management

• Business needs for information security
• Security as a business enabler
• Digital business security
• Operational continuity and stability
• Safety-critical dependencies
• Business goals, success factors and operational risks
• Business processes and their need for security and control
• Organisation and relationships affecting business security needs
• Location and time dependence of business security needs

Session 7: Risk Assessment and Operational Risk Management

• The components of risk
• Qualitative risk assessment
• Semi-quantitative risk assessment
• Risk appetite
• Cost-benefit analysis for risk control and residual risk
• Regulatory drivers for operational risk management
• The complexity of operational risk management
• Risk mitigation and control
• Risk-based security reviews
• Risk financing
• The risk management dashboard

Session 8: Security Policy Management

• The meaning of security policy
• Influencing behaviour through policies
• Structuring the content of security policy
• Policy hierarchy and architecture
• Corporate security policy
• Security policy principles
• Information classification
• System classification
• Certificate authority and registration authority policies
• Application system security policies
• Platform security policies
• Network security policies
• Other information security policies

Session 9: Security Organisation

• Roles and responsibilities
• Governance structures
• Security culture development
• Outsourcing strategies and their relation to security policy

Session 10: Conceptual Security Models

• Conceptual thinking
• The Business Attributes Profile
• Control objectives
• Technical security strategies and architectural layering
• Security entity model and trust framework
• Security domain model
• Security lifetimes and deadlines
• Assessing the current state of your security architecture

Session 11: Logical Security Models and Management

• Business information model
• Security services
• Application and system security services
• Security management services
• Entity schema and privilege profiles
• Security domains and security associations
• Security processing cycle
• Security improvements programme


Day 3
Session 12: Cryptographic Techniques and other Security Mechanisms

• Business data model and file security mechanisms
• Database security mechanisms
• Security rules, practices and procedures
• Mapping security mechanisms to security services
• Cryptographic mechanisms and their uses
  - Encryption
  - Data integrity mechanisms
  - Public key certificates
  - Digital signature mechanisms
  - Authentication exchange mechanisms
  - Cryptographic key management
  - Cryptographic services architecture
  - Strength of cryptographic mechanisms
  - Future of cryptographic mechanisms

Session 13: Identity and Access Management

• Unique entity naming
• Registration
• Public key certification
• Credentials certification
• Federated identity management
• Directory services
  - Information model
  - Service naming model
  - Service functional model
  - Service security model
  - Authorisation services
• Entity authentication
• User authentication
• Device authentication

Session 14: Network & Communications Security

• Network security policies
• Network security concepts
• Network security services
  - Network domains
• Network security mechanisms
  - Firewall architectures
• Network security components
• Communication security services
  - Session authentication
  - Message origin authentication
  - Message integrity protection
  - Message replay protection
  - Message content confidentiality
  - Non-repudiation
  - Traffic flow confidentiality

Session 15: Application Security

• Application security policies
• Application security concepts
• Application security services
• Application security mechanisms
• Application security components
• Secure programming techniques

Session 16: Assurance Management

• Assurance of operational continuity
  - Matching assurance levels to risk profiles
• Organisation security audits
• System security audits
• System assurance strategy
• Functional testing
• Penetration testing

Session 17: Security Administration and Operations

• Managing the people
• Managing physical and environmental security
• Managing IT operations and support
• Access control management
• Compliance management
• Security-specific operations
• Managed security services
• Product evaluation and selection
• Business continuity management


Course Materials
Delegates will be provided with printed course slides, together with extensive appendices containing practical workshop materials and example case studies, allowing you to concentrate on the course presentation and to annotate your notes with key information.


BOOKING DETAILS
From:
Contact:
Company:
Address:
Telephone:
E-Mail:
Date:

TERMS AND CONDITIONS
Terms and conditions will be according to Premier’s standard training ‘Terms of Business’. Please note the following points:

• Payment is due 30 days from date of invoice, or before or on the day of the course if this is the first booking with Premier.
• If the course is cancelled within fourteen days of course commencement there will be a 100% cancellation charge.

TO BE COMPLETED BY CLIENT
After ensuring that all course details are correct, please either sign below and FAX back to confirm your acceptance of this booking and our Terms and Conditions, or check this box to confirm your booking and return by E-Mail.


Booking Form

Order Number:

Product | Date | Location | Delegates | Fee Excluding VAT
TOTAL:

Please state if you have any special dietary requirements:

Position and Department:
Print Name:
Date:
Signature:
