Speaking Topics for an Information Security Community


These topics require some level of experience in InfoSec or interest in practical advice on how to contribute as an InfoSec professional. Depending on the experience and interest of the audience, these can be a one hour overview or a full day lesson.

Cyber Security Policy Issues: This seminar distinguishes the process of establishing cyber security policy from other activities aimed at cyberspace security improvement. This understanding enables the attendee to have informed opinions on cyber security policy issues. The benefit to the attendee is clarity of understanding of complex situations involving multiple government and industry stakeholders that directly impact their activities in cyberspace and those of their businesses. Specific topics in this day-long class include material from the recently published Cyber Security Policy Guidebook. These include:

Information Classification: Information classification schemes are the basis for information labeling, and information labeling is the basis for information handling. Thus, any inaccurate judgment in the labeling process leads to mishandling. The fatal flaw in most conventional information classification programs is that they lack procedures for the labeler. This course walks people through the elements of an information classification scheme designed to facilitate the labeling process and thus lead to more appropriate information handling.
Specific topics in the day-long version include:

  • Textbook information classification schemes and why to avoid them.
  • Database schema basics required for classification efforts.
  • Field-based information classification techniques.
  • Application inventory and corresponding data repositories.
  • Roles and responsibilities with respect to data handling.
  • Content filtering technology alternatives.

Security Governance: Although everyone understands that policy is the basic building block upon which to rest a security program, few understand enough about governance to ensure policies truly reflect organizational objectives. Without this reflection, they are unlikely to be followed. This course provides tools and techniques to strengthen the correspondence between organization and policy, as well as to carry the vision through into implementation. Components of governance strategy are presented as interlocking and dynamic. Exercises include identification of gaps in roles and responsibilities as well as design of redundant and compensating controls with which to offset unforeseen weaknesses.
Specific topics in the day-long version include:

  • Roles and responsibilities at both organizational and individual levels.
  • Policy approval versus policy acceptance.
  • Awareness activities to promote accountability.
  • Checks and balances within implementation lifecycles.
  • Monitoring and escalation paths designed for continuous improvement.
  • Governance versus remediation metrics.

Security Metrics: Measurement is the process of mapping from the empirical world to the formal, relational world. The measure that results characterizes an attribute of some object under scrutiny. Information Security is not the object, nor a well-understood attribute. Attempts to create information security metrics fall into a wide variety of characterizations. This topic steps through various kinds of metrics in use at a variety of InfoSec programs and encourages the audience to critically examine their own metrics in the context of the criteria used to evaluate them.
Specific topics in the day-long version include:

  • Metrics type characterization and the utility of each in contributing information required to manage a security program.
  • How to understand the contextual value (if any) in metrics designed to show the efficacy of a security program.
  • Data, tools, and techniques to demonstrate that metrics correspond to systems architecture.
  • Remediation metrics and how they differ from risk management metrics.
  • How to determine whether metrics correspond to control points.
  • Mapping metrics to InfoSec program objectives.
  • How to spot misleading metrics.
  • Examples and exercises in metrics development.

System Security Architecture: Most information security officers are responsible for signing off on system security architecture, but few are formally trained in technology architectural alternatives. This class provides a goal-oriented and principle-based method of understanding and analyzing security architecture that will equip an information security officer or auditor to analyze security architecture and assess its efficacy in meeting business requirements for security. Specific topics in this day-long class include:

  • Systems engineering as applied to security requirements
  • Threat analysis as the basis for security requirements
  • Security engineering tools and techniques
  • Security concepts for operations
  • Secure design verification versus validation
  • Innovations in security technology

Stepping Through the IS Audit: This topic covers the material in my book: Stepping Through the IS Audit. It provides a brief history of the IS Audit profession, key management concepts required to understand audit activities, nomenclature of professional IS Auditors, and the sequential components of the audit process.
Specific topics in the day-long version include:

  • Management Concerns and Industry Responses
  • Control Frameworks
  • Risk Assessment and Audit Planning
  • Control Objectives and Activities
  • Fieldwork and Evidence
  • Reporting and Remediation

Stepping Through the InfoSec Program: This topic covers the material in my book: Stepping Through the InfoSec Program. It provides a history of the InfoSec Professional. It describes the lifecycle of the Information Security program as a continuous feedback loop, beginning and ending with strategy.
Specific topics in the day-long version include:

  • Strategy – Department activities and responsibilities with respect to security.
  • Policy – Outlines methodology for complying with management and regulatory objectives for data confidentiality, integrity, and availability.
  • Awareness – Activities range from training classes and videos to security tollgates within development and operations processes.
  • Implementation – InfoSec participation in the development and execution of processes related to information handling and IT solution delivery.
  • Monitoring – Covers metrics on security configuration and activity logs as well as the InfoSec point of escalation for legal or HR investigations.
  • Remediation – Security violations are investigated and the conclusions of these investigations are reported.

Vendor Due Diligence: Service providers routinely sign confidentiality agreements. But organizations are now required to perform "due diligence" to assess whether the provider actually has enough security in place to keep those agreements. This course covers the requirements for a vendor risk management program and the industry resources available to provide assurance that the program is effective. It also provides a framework for a generic vendor risk management program as well as case studies of program implementation.
Specific topics in the day-long version include:

  • The difference between audit and due diligence
  • Regulatory requirements for due diligence
  • How to identify scope in vendor assessments
  • The questionnaire approach to data gathering
  • Vendor self-assessments and associated independence issues
  • Vendor risk management program components
  • Vendor risk rating criteria
  • How to leverage legal and procurement processes for vendor risk management
  • Subject matter expertise requirements in vendor risk acceptance
  • Documentation and reporting requirements for a vendor risk management program
