Implementing information security policy in organization

Implementing information security policy in organization

Ideal attendee profile:

CISO, Security Auditor, CIO, Security Manager, Information Security Officers
Day I - Base of information security

1. Preview – How to implement Information Security (IS) main technics:

  • Security audit/ Gap Analysis;
  • Penetration tests;
  • Risk Management;
  • Technical controls implementing (needs versus costs), types of controls;
  • Information Security Policy (ISP) creation and modification;
  • Incident response process;
  • Permanent management of IS – continuity of above-mentioned technics and improvement;
  • Relation to other ICT management processes (IT service management, Business Continuity Management).

2.Compliance requirement:

  • Example of law existing in Togo and EU (GDPR, National cybersecurity system Act, business information protection);
  • Example of industry recommendations/requirements (PCI DSS).

3. Review of most popular IS standards:

  • ISO/IEC 27001 – Information technology — Security techniques — Information security management systems — Requirements;
  • ISO/IEC 27002 – Information technology — Security techniques — Code of practice for information security controls;
  • ISO/IEC 27005 – Information technology – Security techniques – Information security risk management;
  • ISO/IEC 29134 Information technology – Security techniques – Guidelines for privacy impact assessment;
  • ENISA Guidelines on assessing DSP and OES compliance to the NISD security requirements;
  • OWASP Top 10.
Day II – Security Audit and Risk Management – 2 sides of the same coin

1. ISO 19011 and ISO 17021 – base of auditing:

  •  Main audit rules, technics, risks and traps;
  • How to create audit plan base on ISO/IEC 27001 using ISO/IEC 27006 recommendation.

2. Risk Management approach recommended in ISO/IEC 27005 (assets, threats, vulnerabilities, strength of controls, impacts, probability of incidents).

3. Risk Management approach recommended in ISO/IEC 29134.

4. Review of risk assessment procedure (based on ISO/IEC 27005).

5. Review of risk treatment procedure (based on ISO/IEC 27005).

6. Review of Excel spreadsheet used to risk assessment and risk treatment.

7. Review of risk management tools.

Day III – Practice of audit and risk management

1. Organization definition for following exercises – type of activity, stakeholders, law, relation with customers and suppliers, organization structure.

2. Exercise 1 – creation of audit plan and audit checklist.

3. Evaluation and discussion.

4. Exercise 2 – performing of risk assessment base of proposed Excel spreadsheet:

  •  Risk analysis;
  • Risk evaluation.

5. Evaluation and discussion.

6. Exercise 3 – performing risk treatment.

7. Evaluation and discussion.

Day IV – Information Security Policy

1. Hierarchy of ISP document – policies, standards, guidelines, procedures, instructions. How to fit ISP to current customer.

2. Examples of ISP Declaration.

3. Example of ICT Security Policy.

4. Example of User Security Policy.

5. Process approach:

  • Access management;
  • Monitoring process;
  • Security incident management;
  • Change management;
  • Configuration management;
  • Business continuity management;
  • Compliance management;
  • Security Audit & Penetration Testing;
  • Asset identification and classification;
  • Human resources management;
  • ISP documentation management.

6. Examples of procedures/standards e.g.:

  • User access management procedure;
  • SIEM monitoring procedure;
  • Security events reporting procedure;
  • Security incidents & breach response procedure;
  • Change management procedure (several type of changes);
  • Configuration documentation procedure;
  • Backup procedure with technical instructions;
  • Security audit planning and documentation procedure;
  • Classification standard;
  • ISP change management procedure.
Day V – Practice of ISP creation

1. Organization definition for exercise – type of activity, stakeholders, law, relation with customers, organization structure.

2. Exercise – Creation ISP documents by students:

  • ISP document;
  • Procedures.

3. Evaluation and discussion.

Duration: 5 day(s)

Training language:

English, French

Maximum participants: 8

  • Abdoulaye Fadiga Street
  • 07 BP 13215 Lomé – Togo
  • Phone: (+228) 71 20 09 10 /
    (+228) 70 54 93 34
  • [email protected]
Linkedin Twitter
Useful links
Additional page information
Help