Know more about exin unique information security program

Learn about the benefits of the Professional Certification Program in Information Security based on ISO 27002.

Published in: Technology
Transcript of "Know more about exin unique information security program"

  1. Simple competence certification! EXIN's unique Information Security Certification Program (based on ISO/IEC 27002): Benefits and differences. By Marc Taillefer, 2012.03.15
  2. Simple competence certification! Objective for an organization: reduce risk by improving awareness and practical skills in safety. Principle: people are the solution; processes and technology are needed to support people. Agenda:
     • Many personal certifications, which one is better?
     • Different international standards
     • EXIN's Program
     • "Unsecured" factors in Security: the people
  3. Personal certifications! Certified Information Security Manager (CISM), awarded by ISACA. Certification requirements: 5+ years of experience in information security, including 3 years in information security management.
     • Information risk management
     • Managing incidents
     • Corporate governance
     • 200 multiple-choice questions (twice a year)
     ISACA created the CISM to help foster a better fusion between IT auditing and information security perspectives.
  4. Personal certifications! Certified Information Systems Security Professional (CISSP), awarded by (ISC)². Accredited under the ISO/IEC 17024:2003 standard.
     • 5+ years of direct full-time security work experience in two or more of the ten (ISC)² information security domains
     • OR Associate of (ISC)² designation by passing the CISSP exam
     • Criminal history and related background check
     • 6-hour exam, 250 multiple-choice questions, 70% required
     • Exam @ $450, last-minute registration @ $100, annual fee @ $85
     Based on the CIA triangle of confidentiality, integrity and availability.
  5. Different international standards. Information technology, security techniques — Information security management systems:
     • ISO 27000: Security overview and vocabulary
     • ISO 27001: Requirements
     • ISO 27002: Code of practice for information security management
     • ISO 27003: Information security management system implementation guidance
     • ISO 27013: Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
     • ISO 20000-1: Information technology -- Service management -- Part 1: Service management system requirements
  6. Different international standards (governance diagram):
     • Governance
     • Information security management system: 27001
     • Information security code of practice (control objectives): 27002
     • IT Service management system
     • Guidelines on people involvement and competence: 10018, PCMMI …
     • Auditing compliance: 19001, 27008:2011, 27007
  7. Different international standards:
     • Competent people for implementation and third-party management
     • Inform third-party people, candidates, contractors
     • Activities to make people aware of ...
     • Adapted to their roles and responsibilities … so they understand … so they know who to contact for additional info … so they know how to report incidents
     • Disciplinary sanctions!! (specific process to be just and fair)
     • Change of position or leaving the organization
  8. Code of practice (27002). NOTE: Items 1, 2 and 3 are introduction items.
  9. Code of practice (27002). 6.1 Internal organization:
     • … management framework for information security
     • Roles and responsibilities should be defined for the information security function.
     • Contacts should be established with relevant authorities (e.g. law enforcement) and special interest groups.
     • Information security should be independently reviewed.
     10.1 Operational procedures and responsibilities:
     • IT operating responsibilities and procedures should be documented.
     • Duties should be segregated between different people where relevant.
  10. Code of practice (27002). Section 8: Human resources security. 8.1 Prior to employment: security responsibilities … when recruiting permanent employees, contractors and temporary staff:
     • job descriptions
     • pre-employment screening
     • terms and conditions of employment
     • signed agreements on security roles and responsibilities
     During employment (management): all should be made aware of, and educated in, security procedures.
     8.3 Termination or change of employment/contract.
  11. Code of practice (27002). 11.3 User responsibilities: users should be made aware of their responsibilities towards maintaining effective access controls. 13.1 An incident reporting/alarm procedure is required:
     • plus the associated response
     • and escalation procedures
     • employees, contractors etc. should be informed of their incident reporting responsibilities.
  12. Different EXIN programs. EXIN, the Examination Institute for Information Science:
     • global, independent IT examination
     • qualification programs for:
       • ITSM20, based on ISO/IEC 20000:2011
       • Information Security, based on ISO/IEC 27002
       • Cloud
       • ITIL®
       • Green IT
       • MOF
       • ASL
       • BiSL
       • TMap
       • PRINCE2®
     EXIN enables professionals and organizations to turn their skills into a reputation. www.exin.com
  13. EXIN's Cloud program connection with security. Cloud computing, EXIN's exam requirements: 3.1 The candidate understands the security risks of Cloud computing and knows mitigating measures (10%). The candidate can:
     • 3.1.1 Describe the essential elements of security in the cloud (Confidentiality, Integrity and Availability)
     • 3.1.2 Describe the standard measures for authorized use (Authentication, Authorization and Accountability)
     • 3.1.3 Describe the main security risks for the three types of virtualized environments
  14. EXIN's ITSM20 connection with Information security. Foundation level: … Information Security management
     • 3.1.1 Describe the objectives and quality requirements of the delivery processes
     • 3.1.2 Describe the best practices of the delivery processes
     2.3 Associate level:
     • 2.3.1 Identify risks
     • 2.3.2 Define mitigating actions
     • 2.3.3 Monitor risks
  15. EXIN's security programs. Foundation target group:
     • intended for everyone in the organization who is processing information
     • entrepreneurs of small independent businesses for whom some basic knowledge of information security is necessary
     • a good start for new information security professionals.
  16. EXIN's security programs: ISFS Foundation exam. Mastery level: 40 questions, 60 minutes, in understanding.
     • 10% - Information and Security: The Concept of Information; Value of Information; Reliability Aspects
     • 30% - Threats and Risks: Threat and Risk; The Relationships between Threats, Risks and the Reliability of Information
     • 10% - Approach and Organization: Security Policy and Security Organization; Components of the Security Organization; Incident Management
     • 40% - Measures: Importance of Measures; Physical Security; Technical Security; Organizational Measures
     • 10% - Legislation and Regulations
  17. EXIN's security programs. Advanced target group: everyone involved in the implementation, evaluation and reporting of information security, such as:
     • Information Security Manager (ISM)
     • Information Security Officer (ISO)
     • Line Manager
     • Process Manager
     • Project Manager
  18. EXIN's security programs: ISMAS Advanced exam. Mastery level: 30 questions, 90 minutes, in analyzing.
     • 20% - Security policy and plan: Information security policy … plan
     • 10% - Standards: Application of standards ISO/IEC 27001 & 27002
     • 30% - Organization of information security: Design of information security; Function (roles)
     • 15% - Compliance: Legislation and regulations; Protection of personal data; Agreements and contracts
     • 15% - Risk analysis: Classification of information & management of capital assets; Risk analysis method
     • 10% - Evaluation: Quick review; Audit
  19. EXIN's security programs. Expert level target group: IT professionals responsible for the partial or overall set-up and development of structural information security
     • Chief Information Security Officer
     • Information Security Manager
     • Business Information Security Architect
  20. EXIN's security programs: ISO/IEC 27002 Qualification scheme
  21. EXIN's security programs. Context diagram: Wisdom (Why?); Knowledge (How?); Information (Who, what, when, where?); Understanding
  22. Different standards (governance diagram):
     • Governance
     • Information security management system: 27001
     • Information security code of practice (control objectives): 27002
     • IT Service management system
     • Guidelines on people involvement and competence: 10018, PCMMI …
     • Auditing compliance: 19001, 27008:2011, 27007
  23. Personal certifications! People beyond the certification! Understand why! Reflect on the understanding, level by level! Enthuse to know more, even if we are in a rapid-pace world! Ask to inform others!
  24. EXIN's security programs: Questions / exchange
  25. EXIN's ITSM20 References:
     • http://www.iso27001security.com/
     • http://www.iso.org/iso/iso_catalogue.htm
     • http://www.exin.com/NL/en/exams/
     Milena Andrade, Regional Manager. We turn skills into reputation. Off: +55 11 3443 6270, Mob: +55 11 8786 1114, milena.andrade@exin.com
     Marc Taillefer, senior consultant. Accredited trainer for EXIN's Executive Manager/Consultant certification; accredited trainer for all of EXIN's ISO/IEC 20000 and 27002 based courses. marc@marc-taillefer.ca
