GENERAL STAFF
No matter how much technology-based defense and offense you have in place, it’s
people who interact with sensitive information such as personally identifiable
information, payment information, intellectual property, protected health
information, confidential company plans, and financials. Employees can carry this
sensitive information outside the office on laptops, mobile phones, USB drives, and
paper – just in the course of doing their work every day. Security rests with all of your
employees. A misstep by any one of them could create an opportunity for a motivated
attacker. Shifting the way employees think about and protect sensitive information
can be a company’s best protection.
eLearning Course:
Information Security Awareness
IT STAFF
Employees who are on the front lines of deploying, managing, and securing information
technology must be well-equipped to protect sensitive information. The IT Security
Fundamentals eLearning training course was designed specifically for system
architects to database administrators who deploy, maintain, and protect the enterprise
infrastructure.
eLearning Course:
IT Security Fundamentals
DEVELOPMENT STAFF
By identifying and resolving vulnerabilities early in the software development lifecycle,
your team can substantially reduce information risk cost-effectively. Secure coding has
been greatly advanced by the adoption of formal software security assurance
methodologies such as Microsoft SDL, OWASP’s SAMM, and BSIMM. Central to the
successful implementation of these methodologies is role-specific training for all
development staff – whether they are architects, developers, QA testers, or managers.
eLearning Course:
Application Security Fundamentals
Information Security Awareness
Course Description
Interface & Interactivity:
Easy-to-Navigate Interface
Interactive Learning
Integrated Assessment Quizzes
Auto-Scrolling Transcript
Engaging Topics:
Mitigating Social Engineering Attacks
Email Precautions
Reporting and Responding to Threats (Interactive Scenarios)
Configurable Link to your Internal Security Policy
SECURITY IS EVERY EMPLOYEE’S RESPONSIBILITY
Is there anyone in your organization who is not in a position—every day—to
behave in a way that either exposes or protects the valuable information that is
in their hands? No matter how much technology-based defense and offense
you have in place, it’s people who interact with sensitive information such as
personally identifiable information, payment information, intellectual property,
protected health information, confidential company plans, and financials.
Employees can carry this sensitive information outside the office on laptops,
mobile phones, USB drives, and paper — just in the course of doing their work
every day. Security rests with all of your employees. A misstep by any one of
them could create an opportunity for a motivated attacker.
A shift in the way employees think about and protect sensitive information can
be a company’s best protection. The Information Security Awareness eLearning
course for general staff is designed to reduce your organization’s information
risk by increasing security awareness among all your business staff.
COURSE OVERVIEW
This highly interactive scenario-based course equips employees to recognize
the value of different types of information; to understand the scope, nature, and
origin of the diverse risks to such information; and to behave proactively to
protect this information in their everyday work. Topics include computer crime,
social engineering, physical security, technology threats, and information
security self-defense.
AUDIENCE
This course is appropriate for all employees who have access to an
organization’s computers, systems, and information.
DURATION
Approximately 80 minutes out-of-the-box.
PREREQUISITE KNOWLEDGE/SKILLS
This introductory course is appropriate for all staff regardless of role. There are
no course prerequisites.
COURSE OBJECTIVES
Upon successful completion of this course, participants should be able to:
Understand computer crimes and criminals
Understand the insider threat and industrial espionage
Describe actions that increase identity theft and steps to minimize it
Understand social engineering; how to spot it and mitigate attacks
Understand physical security, risks of hardware theft, and travel security
Understand the threats of computer malware and wireless security
Identify sensitive data
Understand email and password precautions
DELIVERY:
This SCORM 1.2-compliant course can be integrated into a client’s Learning
Management System or it can be delivered as an on-demand service through our
education portal.
CUSTOMIZATION:
This course can be customized to meet the specific requirements of each client.
Clients can customize the course by modifying or removing standard content
and/or by adding custom content.
COURSE OUTLINE
Module 1: Computer Crime
Introduction to Computer Crime
▬ Examples of computer criminals and opponents
▬ Examples of recent computer crime
Identity Theft
▬ How attackers use personally identifiable information
▬ Actions that increase the potential for identity theft
▬ Techniques to minimize the risk of identity theft
Insider Theft
▬ Controls for the insider threat
▬ The importance of encrypting sensitive data
▬ Impacts of sharing passwords
Industrial Espionage
▬ How individuals and organizations use information systems attacks for competitive advantage
▬ How the insider threat relates to industrial espionage
▬ Controls that help minimize the risk of information system compromises related to industrial espionage
Module 2: Social Engineering
Introduction to Social Engineering
▬ What social engineering is and how it works
▬ Examples of real-world social engineering attacks
Tips for Spotting Social Engineering Attacks
▬ Techniques that help distinguish between routine inquiries and social engineering attacks
Best Practices to Mitigate Social Engineering Attacks
▬ Best practices that minimize the effectiveness of social engineering attacks
Module 3: Physical Security
Introduction to Physical Security
▬ How attackers bypass physical security features
▬ Actions that increase the potential of a successful physical security breach
▬ Accepted practices for minimizing the risk of a physical security breach
Hardware Theft
▬ Types of data that may be exposed in hardware theft
▬ Types of devices at risk for loss or theft
▬ Impacts to the business from loss of devices
▬ Techniques for minimizing the risk of data exposure due to device loss
▬ Why not storing data on mobile devices is safer than the use of encryption or remote wipe technologies
Travel Security
▬ Risks associated with transporting sensitive data
▬ The importance of maintaining personal security while traveling
▬ Types of conversations never to have in public
▬ Techniques and strategies for keeping data secure while traveling
▬ Best practices for accessing public computers and sharing information via USB and Bluetooth
Module 4: Technology Threats
Computer Malware
▬ Types of malware that typically infect computers
▬ Impacts of malware
▬ Strategies to avoid malware
▬ Why antivirus is necessary but not sufficient
▬ Tools that can complement antivirus
Wireless Security Risks
▬ Risks of wireless technology
▬ Using VPNs, SSL, or other encrypted protocols
▬ Best practices for using wireless security
Module 5: Information Security Self-Defense
Identifying Sensitive Data
▬ Distinguishing sensitive data from non-sensitive data
▬ Defining Personally Identifiable Information (PII)
▬ Different types of sensitive information
▬ Examples of sensitive data
Email Precautions
▬ The impact of sending sensitive information over an insecure medium
▬ Potential dangers of email attachments
▬ Why HTML email can potentially be dangerous
▬ Strategies for using email securely
Password Precautions
▬ Risks of weak passwords
▬ Distinguishing between strong and weak passwords
▬ Creating a strong password that is memorable
▬ Why passwords must expire
Report/Respond to Threats
▬ When and how to respond to information security threats
▬ Customer-specific notes about how and where to report threats
Technical Specifications:
All courses are SCORM 1.2-compliant. Courses can be integrated into a client’s Learning Management System or delivered as an on-demand service.
Minimum Requirements:
Computer:
• Screen Resolution: 1280x720
• Standard Operating System:
– Mac OS X 10.x or above
– Windows XP or above
Web Browser:
• Microsoft Internet Explorer 6.0 SP3 or above
• Mozilla Firefox 3.0 or above
• Mac: Safari 4.0 or above
Flash Player:
• Adobe Flash Player v10.0 or above (preferred)
[Courses will work with v8 and 9 but not v7.]
Audio:
• Highly recommended
[If sound is unavailable, user can follow on-screen transcript.]
PREREQUISITE KNOWLEDGE/SKILLS
This course is appropriate for all administrative staff regardless of role.
COURSE OBJECTIVES
Upon successful completion of this course, participants should be able to:
Understand access control issues involving operating systems, user management, and authentication
Understand network access control issues including control restrictions, node authentication, connections, routing, and VPNs
Understand the importance of application access controls including information access, sensitive system isolation, and separation of duties
Understand user access management issues and controls including procedures for access rights, privilege management, and role-based access control
Understand the importance of monitoring systems to ensure conformity with policies, detect unauthorized activities, and determine the effectiveness of security measures
Recognize the value of operational procedures and responsibilities
Know how to effectively use audits and auditing tools
DELIVERY:
This SCORM 1.2-compliant course can be integrated into a client’s Learning
Management System or it can be delivered as an on-demand service through our
education portal.
CUSTOMIZATION:
This course can be customized to meet the specific requirements of each client.
Clients can customize the course by modifying or removing standard content
and/or by adding custom content.
COURSE OUTLINE
Module 1: Application Security: An Introduction
Module 2: Systems Access Control
Control of access to computer services and data on the basis of business requirements
Access control policy
Module 3: Operating Systems Access Control
Automatic terminal identification
Terminal logon procedures
User IDs
Password management
Event alarming and escalation
Terminal time out
Limited connection time
Biometrics
RSA SecurID® Tokens
Single use password devices
Multi-factor authorization
Single sign-on/reduced sign-on
Module 4: Network Access Control
Control of connections to network services to ensure that connected users or computer services do not compromise the security of any other networked services
Limited services
Enforced path
Control restrictions by IP address
User authentication
Node authentication
Remote diagnostic port protection
Network segregation
Network connection control
Network routing control
Security in network services
User certificates
VPN
Module 5: Application Access Control
Logical access controls to protect application systems and data from unauthorized access
Information access restriction
Separation of duties
Monitoring — user privilege violations
Unique IDs for tasks
Information access restriction
Sensitive system isolation
Access control to program source libraries
Module 6: User Access Management
Formal procedures to control allocation of access rights to IT systems and services
Authorization/Approvers (data owners, Information Stewards/Custodians)
User registration
Privilege management
User password management
Review of user access rights
Procedures to remove inactive IDs and IDs that are no longer needed
Maker/checker process
RBAC
Module 7: Monitoring Systems Access and Use
Monitoring systems to ensure conformity with access policy and standards
Monitoring systems to detect unauthorized activities
Monitoring systems to determine the effectiveness of adopted security measures
Event logging
Clock synchronization
Centralized log storage and protection
Log file entries standards
Module 8: Operational Procedures and Responsibilities
Established responsibilities and procedures for the management and operation of all computers and networks
Documented operating procedures
Operational change control procedures and requirements
Incident management procedures
Segregation of duties
Separation of development and operational facilities
External facilities management
Module 9: Audit Controls and Tools
Controls to safeguard operational systems and audit tools during system audits
Minimization of interference to and from the system audit process
Protection of the integrity and preventing the misuse of audit tools
Other protection requirements for system audit tools
Secure storage of audit reports
Access to audit reports
Audit occurrence policies, for example, those that must occur annually, triggers for audits, and so forth
AUDIENCE
This course is appropriate for all staff who participate in application
development projects — developers, architects, testers, business analysts,
project managers, quality assurance professionals, system administrators, and
database administrators.
DURATION
Approximately 120 minutes out-of-the-box.
PREREQUISITE KNOWLEDGE/SKILLS
This introductory course requires basic knowledge of the software development
lifecycle.
COURSE OBJECTIVES
Upon successful completion of this course, participants should be able to:
Understand computer crimes and criminals, information security drivers, and security misconceptions and myths
Understand injection flaws, cross-site scripting, unvalidated redirects and forwards, and insecure direct object references
Describe the importance of security goals and controls
Understand essential strategic, design, and implementation principles
Describe the importance of input validation and output sanitization
Understand how to holistically manage risk and incorporate security throughout the software development lifecycle
DELIVERY:
This SCORM 1.2-compliant course can be integrated into a client’s Learning
Management System or it can be delivered as an on-demand service through our
education portal.
CUSTOMIZATION:
This course can be customized to meet the specific requirements of each client.
Clients can customize the course by modifying or removing standard content
and/or by adding custom content.
COURSE OUTLINE
Module 1: Application Security: An Introduction
Computer Crime
▬ Reasons why people attack systems
▬ Common attack modes
Computer Crime Incidents
▬ Frequency and financial impact of computer crime
The Hacker’s Mindset
▬ The hacker’s mindset and the impact of faulty assumptions
Information Security Drivers
▬ The business imperatives of information security
▬ The technology drivers behind information security
▬ The impact of regulations on information security
Information Security Misconceptions and Myths
▬ Common misconceptions about information security
▬ The reality behind common information security myths
Module 2: OWASP Top 10 Security Risks
OWASP Top 10 Security Issues
▬ The OWASP security risks and available resources
Injection Flaws
▬ Common types of injection flaws and the impact to an application from an injection flaw
Cross-Site Scripting
▬ Mechanics of a cross-site scripting attack and common mechanisms for defending against cross-site scripting
Unvalidated Redirects and Forwards
▬ How attackers exploit an unvalidated redirect or forward; the controls needed to protect from malicious redirection
Broken Authentication and Session Management
▬ How web applications typically maintain user state
▬ Common flaws in authentication and session management mechanisms
Insecure Direct Object Reference
▬ Types of objects often left vulnerable to insecure direct reference and how to mitigate it
Security Misconfiguration
▬ The impact of security misconfiguration and the control developers have over security configuration
Failure to Restrict URL Access
▬ The impact of failure to restrict URL access and potential defense mechanisms to properly restrict URL access
Cross-Site Request Forgery
▬ The mechanics of a cross-site request forgery flaw and how to remediate cross-site request forgery issues
Insufficient Transport Layer Protection
▬ Risk to applications that do not provide transport layer security and mechanisms to provide it
Cryptographic Storage
▬ The need to protect data at rest; the characteristics of strong cryptography
Module 3: Information Security Goals and Controls
Introduction to Security Goals and Controls
▬ The three security goals: confidentiality, integrity, and availability
▬ The three security controls: authentication, authorization, and auditing
Security Goals
▬ The impact of confidentiality on system design and development
▬ Threats to data integrity
▬ Issues of system availability
Security Controls
▬ Different types of authentication factors
▬ How users and data are categorized for the purposes of authorization
▬ Auditing best practices
Module 4: Security Principles
Strategic Principles
▬ How complexity and security are often at odds; the importance of layered security
Design Principles
▬ The principle of least privilege; the security benefits of segmentation
Implementation Principles
▬ The importance of proper error handling and the security benefits of input validation and output sanitization
Module 5: Handling Input and Output Securely
Input Validation
▬ The importance of effective input validation in applications and the different roles responsible
▬ How to implement effective input validation principles in applications to handle common threats
▬ Real-world examples of input validation
Output Sanitization
▬ The necessity of effective application output sanitization
▬ How to implement output sanitization measures to handle common output error messages in applications
▬ Real-world examples of output sanitization
Module 6: Managing Security and Risk in the Software Development Lifecycle (SDLC)
Risk Management
▬ Four ways to manage security risk
▬ Potential security risks involved in applications
▬ The importance of documentation in maintaining security
SDLC
▬ The importance of incorporating security throughout the entire SDLC
▬ Ways to incorporate security into each development phase
DELIVERY OPTIONS
In addition to delivery through the RSA Education portal, RSA Security Concepts and
Principles courses can be integrated into your own Learning Management System
(LMS).
By providing access through your own LMS, you have control and tracking information
for each student including assessment results through SCORM 1.2-compliant
reporting.
COURSE CUSTOMIZATION
The RSA Security Concepts and Principles courses can be customized to meet your
specific requirements. In addition to branding the eLearning course with your corporate
look and feel, courses can be customized by modifying or removing standard content
and/or adding custom content.
Where appropriate, your own contact information for employees and your own
procedural information can be included in a course to give your employees direct
information relative to your business.
“We’ve done tremendous work to secure computers but nothing to secure the human operating system. To
change human behavior, you need to educate and train employees, not just once a year but continuously.
Like you continually patch computers and applications, you’re continually training and patching human
operating systems.”
LANCE SPITZNER, SANS
From article: “TARGET: THE HUMAN”
MARCIA SAVAGE, EDITOR
INFORMATION SECURITY MAGAZINE
MAY 2011
“Employees who are trained to be security-aware are more likely to [know if they’ve been]
victimized … That speeds response...”
LANCE SPITZNER, SANS
From article: “TARGET: THE HUMAN”
MARCIA SAVAGE, EDITOR
INFORMATION SECURITY MAGAZINE
MAY 2011
HAVE QUESTIONS?
CONTACT US:
Worldwide Training
E-mail: trainingregistration@rsa.com
Phone: (781) 515-6807
Fax: (781) 515-6810
About RSA
RSA is the premier provider of security, risk, and compliance management solutions for business
acceleration. RSA helps the world’s leading organizations succeed by solving their most complex
and sensitive security challenges. These challenges include managing organizational risk,
safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud
environments.
Combining business-critical controls in identity assurance, encryption & key management, SIEM,
Data Loss Prevention, and Fraud Protection with industry-leading eGRC capabilities and robust
consulting services, RSA brings visibility and trust to millions of user identities, the transactions that
they perform, and the data that is generated. For more information, please visit www.RSA.com and
www.EMC.com.