
On-Site Classes

Every CSI class, including scheduled classes, can be scheduled for presentation at your organization. In addition, the classes here are available for on-site presentation only.

Since presentation is private, at your site, you may select topics to stress, add on or omit. Call Pam Salaway at 631-878-2205 or email .

Fast-Track 5-Day Projects
 
Contingency Planning For Organizations
John O'Leary Duration: 3 Days
 
How To Become an Effective Security Liaison: Security As a Part-Time Job
John O'Leary Duration: 2 Days
 
Point A to Point Z: A Primer on Data Communications Security
John O'Leary Duration: 2 Days
 
Essential Training for the Decentralized Security Team
John O'Leary Duration: 1 Day
 
Computer Security: A Management Briefing
John O'Leary Duration: From 1 Hour to 1 Day
 
Customer Service Essentials For the Security Administrator
John O'Leary Duration: 1/2 Day

On-Site Course Descriptions


Fast Track: Five-day Projects

Get your programs up-to-speed in just one week. CSI will come to you and work with your team to jump-start your Policies or Awareness Programs.

Fast Track to Security Policies & Procedures

If you recognize the need to create or update a carefully crafted set of security policies but lack the time and staff to tackle it alone, this program is for you.

Through a combination of education and on-site assistance, CSI staff provide the expertise and coaching needed to help your policy development team create a set of policies and procedures that remain applicable down the line, as your business changes.

After completing this program, your team will possess a comprehensive strategy for creating sharply honed policies that state exactly what needs to be done, and procedures that state clearly who must perform necessary tasks in order to protect your valuable information assets.

Program Goals:
  • Customize policies and procedures to your unique organizational culture and technologies
  • Educate your staff to own and understand the policy development process for now and in the future, rather than relying on a "cookbook" set of policies
  • Management expectations will be clearly defined, documented and shared throughout the organization
  • Deliver a consistent set of security guidelines to employees, partners and auditors

Fast Track to Information Security Awareness

Establish an information security awareness program across your entire organization.

This project will provide short-term assistance to your staff in planning an awareness program and its roll-out. The plan will be implemented by your team members according to schedules created as part of this project.

Program Goals:
  • Educate all awareness team members in order to allow maximum input of your specific concerns and prepare for ownership and maintenance by your staff.
  • Assist in the creation of an information security awareness program plan designed around the specific needs of your organization. Final document will be prepared by your team members.
  • Provide a customized end-user awareness newsletter ready for reproduction and distribution to all employees on a quarterly basis.

To discuss Fast Track Programs or receive a price quotation, contact CSI's Pam Salaway at 631-878-2205 or email psalaway@cmp.com.




New Class: Contingency Planning for Organizations

After This Session Your Organization Will Be Able To:
  • Identify critical business functions
  • Determine the impact of an outage on operations
  • Evaluate alternatives for recovery
  • Choose a strategy for recovering some or all of these capabilities to support critical business functions
  • Implement a recovery plan
  • Test elements and the entirety of a recovery plan
You Will Receive:
  • Completed exercises supporting the concepts and techniques of contingency planning
  • A self-produced outline for a tailored, individually-developed contingency plan for your organization

What would the impact be on your organization if your network or Website went down for 24 hours? How would it affect your contracts or regulatory compliance? Should you have an alternate site in place to make sure that business continues uninterrupted? What are the costs of operating and maintaining a backup Website or physical site? Should you do it in-house? This 3-day course will answer those questions.

Topics Covered:

Concepts and Terminology — Gain a solid grounding in the concepts and jargon of contingency planning. Learn how client/server systems positively impact recovery. Analyze terminology from "Acceptable Losses" and "Business Resumption vs Business Continuity" to "Hotsites," "Hot-swappable," "Mirrored Servers" and "Vaulting." You must be able to explain why you want to do certain things in recovery. The material here prepares you to do so.

Identifying Criticality — How do we proceed to determine what gets included, what gets brought back up and when? Who makes the final call?

Dependence on Systems — Determine how dependent you are on your systems to perform mission-critical functions and services. Learn to probe for the hidden dependencies that could make even a carefully crafted plan inadequate.

Impact of an Outage — Analyze the effects of outages on business functions and customer expectations. Perhaps a small outage can lead to a large problem. Money is not the only way to gauge impact.

Recovery Alternatives — In analyzing recovery alternatives, we identify what infrastructure elements we need and where we're going to get them. Hardware, software, databases, connections, procedures, support staff, environmental services (heating, ventilation, air conditioning, etc.), physical locations — all must be accounted for to some degree. And will we do this in-house or contract for help?

Recovery Planning — Learn the three phases to plan for, determine who should be involved and what elements the plan should include. Exercises completed throughout the course should give you an outline for your own workable plan.

Costs — To maintain credibility, you must accurately identify where the costs will be and, at least within the ballpark, what they will be. Whose budget gets hit for which items? Analyze 'timely' recovery from a cost standpoint. Learn to explain why that expensive redundant server is actually worth every penny.

Testing — Learn what you can test, how and when. Determine who should be involved in testing separate components of the plan. Define the criteria for a successful test.

Maintenance — Make sure that recovery plans and testing scenarios evolve as your environment does. Learn why it is crucial to have a backup person for every identified participant in the plan. Determine how often you'll re-issue the entire plan and how interim changes will be handled.




How to Become an Effective Security Liaison: Security as a Part-Time Job

After This Session Your Organization Will Be Able To:
  • From team member to "cop": Ways to maintain the relationships and credibility necessary for effectiveness in all components of your job
  • Information security basics: administration, product evaluation, risk analysis, DRP, incident response, awareness, vulnerabilities and countermeasures
  • How performing security-related tasks well can often concurrently improve other things
  • The urgency of troubleshooting vs. the importance of implementing long-term solutions
  • Ways to maximize your effectiveness by identifying points of overlap between jobs
  • How to avoid losing sight of your primary job
You Leave With:
  • exercises wherein you explain how you would handle a reality-based pressure scenario

Continuing contraction of both corporate and government resources has forced more and more systems professionals and departmental function specialists to add information systems security to their roster of "other duties as assigned." If you are currently operating in this mode or see yourself there in the future, this two-day seminar is for your organization.

We will take a look at these questions and more: How can you be effective as a part-time security practitioner? How can you balance the requirements of your usual work function with the demands of the security job? What do you have to know? What can be set aside, and for how long? What's going to bite you if it doesn't get proper attention?

We'll survey how security works in some of the more popular platforms and identify sources where you can expand your detailed knowledge of the particular security controls available for your own environment. After this course, students will be more able to balance the competing demands of all their sub-jobs and do the security one especially well.

Day One:

Challenges of part-time — We'll discuss the unique challenges involved in doing any function part-time vs. full-time. We'll look at the difficulties of shifting your mindset to an interrupting task and back again, and give suggestions for minimizing the effects of disruption.

Security role vs. "other" — We will examine the security function as a whole, to give you a broader view of your role and help you see where those potentially devastating errors lurk, waiting to be committed either by act or omission. Learn how others react to you when you are in your "security mode", and how to help avoid misunderstandings that can result when others' views of your role differ from your own.

Information security principles and practices — We'll give you a solid grounding in the philosophies and jargon of information systems security with an eye to tying security principles and practices to even the seemingly unrelated components of your variety of jobs. Discussions will cover not only the "how" but the "why" of security measures (anticipating your need to address that inevitable question by co-workers). You'll learn information security basics: administration, product evaluation, risk analysis, DRP, incident response, awareness, vulnerabilities and countermeasures.

Day Two:

Challenges of being "multi-hatted" — We'll discuss setting priorities and personal goals, relating to co-workers differently in your various roles, gaining the support of others to assist you in your efforts, recognizing situations wherein you must stop and switch functions, leveraging information and techniques from one job function to the other and not losing sight of your primary job. We'll discuss the advantages as well as the downsides of being a part-time security person, especially with regard to how your co-workers react and interrelate with you as you act first in one capacity and then another.

Participative exercises — Throughout the course, you'll engage in exercises designed to confront you with the type of scenarios that you will see as a part-time security practitioner, taking into account corporate politics, group expectations and your need to enlist cooperation now and in the future.




You Will Learn:
  • Basic principles and technology of communications systems currently in use
  • The three basic goals of network security and how they relate to your environment
  • Critical vulnerabilities in communications systems and the safeguards available
  • Network security terminology, and what it really means
  • How to apply basic security principles to your particular communications configuration
  • The importance of a focused awareness program
You Leave With:
  • An understanding of the concepts, equipment and implementations of communications security
  • Specific steps to take to avoid significant financial loss to telecommunications fraud
  • A 3-step plan to minimize the threat to your organization posed by software piracy on internal networks

This two-day workshop is for IT professionals, information security practitioners and auditors who need to understand the implications of communication methods, trends, and technologies from a security standpoint, and thus have a minimal technical foundation on which to build a framework for interacting with service providers and vendors.

You'll get a basic understanding of technical underpinnings, procedures and skills needed to evaluate the risks to your communications systems and make good decisions regarding protection alternatives. The emphasis is on security principles and vulnerabilities and the practical safeguards you can take to mitigate, if not eliminate, the dangers. This course assumes no baseline knowledge of communications technology.

Day One:

Communication Security Basics — We'll start by taking you through communications systems, concepts and components, tracking transmissions from end to end to give you a "big picture" of the entire process, explaining and analyzing terms in the ever expanding vocabulary of data communications security. Then, introducing the crucial concept of security domains, we'll show what happens when your data goes out over public networks and onto intranets, extranets or the Internet or into the custody of the common carriers. You will learn vulnerabilities and protection strategies. We'll weigh the benefits and costs of encryption and other countermeasures. And you'll see how to take the best advantage of available security provisions to protect vital communications channels.

Network Security — How does a communications system work? You'll find out by tracing a message through a network of clients, servers, routers, encryptor boxes, firewalls, switches and modems; over wire, fiber and through the air. You'll learn how each can contribute to the strength or weakness of security in the network.

Transmission Technologies — Network security depends in part on the vulnerability of specific transmission methods. We will analyze the security of various implementations of metal wire, fiber optic cable, terrestrial microwave, satellite transmission, infrared and emerging technologies, focusing on inherent dangers and the protection they offer against unauthorized signal interception.

Day Two:

Telecommunications — Your telephone system can be a major vulnerability. Hackers have taken over voice mail boxes and used company phone systems for criminal activity. Learn what the exposures are, what you can do to minimize your organization's liability, and how you can prevent significant loss from phone fraud.

Networks — Local area networks and client/server systems present some formidable security challenges. What are the various network topologies and configurations, and how do they relate to security? What can we do to secure our LANs? We'll explain why an effective awareness program is so vital a part of LAN security.

Pressing Issues — What encryption methods are available and what factors affect the choice? What can you do to minimize the security exposure of Internet, intranet and extranet connections? Why is software piracy such a worrisome organizational danger in client/server systems? More importantly, what can we do about it? How does World Wide Web commerce accentuate the need for rapid intrusion detection and response?



Essential Training for the Decentralized Security Team

Your security department has been reallocated, leaving a skeleton crew of full-time security professionals teamed with an array of decentralized representatives. Whether you call them Local Security Representatives, Security Liaisons, or Departmental Security Officers, your security "point people" are no longer full-time security professionals. How will you provide them with a solid foundation in the principles of this job function?

Computer Security Institute has hand-crafted a unique on-site training session especially for these individuals, packaging it into one, cost-effective, intensive day. John O'Leary will deliver not only an understanding of security principles, but will deal with the everyday realities of functioning as a "part-time" security professional.

Course Outline
  • Why We Need Security
  • Conflicting priorities
  • Real-life Information Security Issues
  • Challenges and role of security
  • Security as a Business Enabler
  • Security and Productivity
  • Sources of Error
  • Proprietary Information
  • System Penetration Threats
  • Handling Exposures
  • Management's Role in Computer Security
  • Systems Life Cycle
  • Program Organization
  • Policies and Procedures
  • Security Planning
  • Risk Analysis
  • Training/Awareness
  • Handling Incidents
  • Responsibilities
  • Current Topics
  • The Internet and Security
  • Inherent security limitations
  • Vulnerabilities
  • Lessons learned




Computer Security: A Management Briefing

This presentation will help an organization's executives understand current, critical security topics and management's role in protecting corporate information resources.

Course Outline

The Importance of the Security Function
  • Why we need it
  • Relationship to corporate mission performance
Foundation Security Principles
  • Security and productivity
  • Sensitive information
  • Systems penetration threats
  • Handling exposures
  • Properties, principles, functions
  • The Three Goals of a Security Program
Understanding the Terminology
  • General
  • Encryption/cryptography
  • Network/telecom
Today's Vulnerabilities and Countermeasures
  • Strategies for protection
  • Criteria for evaluating
  • Encryption
  • Authentication
  • Access Control
  • Specialized hardware
  • Physical security
  • Administrative controls
  • Virus controls
The Security Professional
  • Administration
  • Risk analysis
  • Incident response
  • Awareness


Customer Service Essentials For the Security Administrator

It's a side that's not often mentioned, but in the wake of September 11, 2001, we have seen how improperly applied, heavy-handed security can drive both internal and external customers to avoid dealing with the IS Security staff, resulting in a weaker overall security posture for the enterprise.

In this course, we'll explore the customer service and "people side" of the security administrator role. We strive to leave students with an appreciation that their mission is to further security within the context of the corporate mission. We'll employ practical tips, horror stories, and student exercises to underscore the criticality of this aspect of the job.

Although the corporation's product probably is not security, security plays a vital role in ensuring that the corporation's goals are met and products delivered in a safe, reliable, consistent and effective fashion.
