| Subject | Target group |
| --- | --- |
| Laws & Regulations (privacy, data protection, export) | Systems management, users |
| Secure software development | User, user coordinator, contractor |
| System hardening | System admin, network engineering |
| System operations | System admin, network engineering |
| Monitoring and logging | System admin, network engineering, response teams |
| Forensics | Response teams |
| Incident response and analysis | Response teams |
| Contingency planning and disaster recovery | Management, governance, admin, user coordinator, response team |
| Organisation, roles, responsibilities (generic introduction) | All |
| AAI processes and procedures, FIM, SSO | System admin, user coordinator |
| Systems design | Architect, network engineer |
| General use and awareness | Users, user coordinator, all |
| Developing and maintaining policies and procedures | Management, governance |
| Applying policies and procedures | Architect, system admin, user coordinator |
| System acquisition | Acquisition |
| Decommissioning (data leakage prevention) | Admins, governance, user coordinator |
| Risk management | |
Laws & Regulations (privacy, data protection, export)
Secure Software development
Training within this group should focus on all aspects of software programming from a security point of view. It should cover integrating security practices into the software development lifecycle and verifying the security of internally developed applications before they are deployed, which helps mitigate risk from both internal and external sources. The security practices covered should span design, construction, testing, release, and response.
One of the important steps in secure development is integrating testing tools and services into the software development lifecycle. The training could describe, or give hands-on practice with, tools that allow developers to model an application, scan the code, check its quality and ensure that it meets regulatory requirements. Automated secure-development testing tools that find security issues and help fix them could also be covered.
Additionally, secure development training could be offered that certifies experience in secure development.
See e.g.: http://www.sans.org/curricula/secure-software-development
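The following is an added example, not code from the original page, of what "integrating testing tools into the software development lifecycle" looks like in its simplest form: a gate that a build job or pre-commit hook runs over source files and that fails the build on findings. The pattern lists, the function name `security_gate` and the sample source file are assumptions for illustration; a real pipeline would call a proper SAST or secret-scanning tool at this point.

```shell
#!/bin/sh
# Added example, not from the original page: a minimal security gate that a
# build job or pre-commit hook can run over source files before code is merged.
# The pattern lists and the sample file are assumptions for illustration; a real
# SDLC integration would call a proper SAST/secret-scanning tool here instead.

# security_gate FILE: prints each finding (with line number) and returns 1 if
# any was found, 0 if the file is clean, so a CI step can fail on non-zero status.
security_gate() {
    file="$1"
    findings=0
    q="[\"']"   # either quote character, used to spot literal credential values
    # Hard-coded credentials: assignment of a quoted literal to a secret-like name.
    if grep -nEi "(password|passwd|secret|api[_-]?key|token)[[:space:]]*=[[:space:]]*$q[^\"']+$q" "$file"; then
        findings=1
    fi
    # Calls that commonly lead to command injection or memory corruption.
    if grep -nE '(^|[^A-Za-z0-9_])(eval|exec|system|popen|strcpy|sprintf|gets)[[:space:]]*\(' "$file"; then
        findings=1
    fi
    return $findings
}

# Stand-alone run on a constructed sample (not real project code).
sample="${TMPDIR:-/tmp}/gate_sample.$$"
cat > "$sample" <<'EOF'
import os
API_KEY = "sk-example-not-real"
def run(cmd):
    return os.system(cmd)
EOF
if security_gate "$sample"; then
    echo "PASS: no findings"
else
    echo "FAIL: fix the findings above before merging"
fi
rm -f "$sample"
```

Wired into a pre-commit hook or a CI stage, the non-zero exit status is what blocks the merge; the printed line numbers are what the developer needs to fix the finding before the code reaches the deployment step the text describes.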
System hardening
Any system providing resources to the outside world is at risk of being compromised. Simple security tools such as local firewalls and virus scanners are often installed and enabled by default, but even with these measures in place, systems frequently remain vulnerable to outside access. System hardening, also called operating system hardening, minimises these security vulnerabilities by reducing the attack surface.
The training offered should cover in detail the tasks that eliminate as many security risks as possible. It should include, for example, techniques for identifying non-essential software that can be removed from the system, since such software can provide "back-door" access. Guest accounts should be disabled, alternate boot devices disabled, only strong passwords allowed, remote root access prohibited, unauthorized access attempts monitored, and so on.
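As an added example that is not part of the original page, the script below audits a Linux host for four of the items listed above: remote root access over SSH, guest accounts with a login shell, non-essential network services, and monitoring of failed login attempts. Each function takes a file path so it can be pointed at the real files or at constructed samples; the function names, the list of "non-essential" packages and the sample data are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original page: a small hardening audit that checks
# four of the items listed above on a Linux host. Each function takes a file path
# so it can be pointed at the real files (/etc/ssh/sshd_config, /etc/passwd, a
# package list, /var/log/auth.log) or at the constructed samples below. The
# list of non-essential packages is an assumption for illustration.

# Remote root access: the effective PermitRootLogin must be "no". OpenSSH uses
# the first occurrence of a keyword, so only the first match counts. A missing
# directive is treated as a failure so the default is never relied on silently.
check_root_login() {
    val=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "$1" | head -n 1 | awk '{print tolower($2)}')
    [ "$val" = "no" ]
}

# Guest accounts: list guest* accounts that still have a login shell.
# Returns 1 if any are found (passwd fields: name:pw:uid:gid:gecos:home:shell).
check_guest_accounts() {
    awk -F: '$1 ~ /^guest/ && $7 !~ /(nologin|false)$/ {
                 print "guest account with login shell: " $1; found = 1 }
             END { exit found + 0 }' "$1"
}

# Non-essential services: flag legacy clear-text or remote-shell packages in a
# one-per-line package list (e.g. the output of dpkg-query -W -f '${Package}\n').
check_packages() {
    bad=
    for pkg in telnetd rsh-server rsh-client tftpd; do
        if grep -qx "$pkg" "$1"; then
            echo "non-essential service installed: $pkg"
            bad=1
        fi
    done
    [ -z "$bad" ]
}

# Monitoring unauthorized access attempts: print "count ip" for every source
# with at least $2 failed SSH password attempts in a syslog-style auth log.
failed_logins() {
    grep -E 'sshd\[[0-9]+\]: Failed password' "$1" \
        | sed -E 's/.* from ([0-9.]+) .*/\1/' \
        | sort | uniq -c \
        | awk -v t="$2" '$1 >= t { print $1, $2 }'
}

# Stand-alone run against constructed samples (not taken from a real host).
d="${TMPDIR:-/tmp}/harden.$$"
mkdir -p "$d"
printf 'Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$d/sshd_config"
printf 'root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001:Guest:/home/guest:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' > "$d/passwd"
printf 'openssh-server\ntelnetd\ncurl\n' > "$d/packages"
for i in 1 2 3 4; do
    echo "Mar  1 10:00:0$i host sshd[120$i]: Failed password for root from 203.0.113.7 port 5123$i ssh2"
done > "$d/auth.log"
echo "Mar  1 10:01:00 host sshd[1300]: Failed password for alice from 198.51.100.4 port 40000 ssh2" >> "$d/auth.log"

check_root_login "$d/sshd_config"   || echo "FAIL: remote root login is permitted"
check_guest_accounts "$d/passwd"    || echo "FAIL: disable or lock the guest account"
check_packages "$d/packages"        || echo "FAIL: remove non-essential services"
echo "sources with >= 3 failed logins:"
failed_logins "$d/auth.log" 3
rm -rf "$d"
```

Each check returns a non-zero status on failure, so the same functions can be run from a scheduled job that reports drift; the failed-login threshold is the natural place to hook in an alert or a ban (e.g. via fail2ban) once a source crosses it.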