Information Security Standards, Laws and Regulations
How to establish your corporate security policy
26 April 2007 (14-21)
Location: Sofitel Diegem
(Diegem near Brussels (Belgium))
Presented in English
Price: 540 EUR
(excl. 21% VAT)
This event is history,
please check out the List of Upcoming Seminars, or send us an email
Check out these related open workshops:
Check out our related in-house workshops:
Why do we organize this seminar ?
This seminar is intended to help organizations to establish their own Corporate Security Framework (or Policy). This seminar gives an insight in the different standards, laws and regulations available and will explain more in depth all domains that can be addressed when talking about a Corporate Security Framework. This seminar is built around some overview topics (positioning a Corporate Security Framework) and some use cases, giving insight in the practical implementation of specific standards and regulations used.
Questions answered during this seminar:
The participants will be able to:
- Get support from senior management
- Define what a Corporate Security Framework is
- Define what a Corporate Security Policy is
- Explain the overall security lifecycle and security policy lifecycle
- Describe why a corporate security framework is important
- Identify key frameworks, policies & principles for an organization
- Explain the difference between the most commonly used documents
- Explain how social awareness can help corporate security programs
- Opening the track towards implementation of the Corporate Security Framework
- Give a view on the standards, laws and regulations
All these questions will be treated during the seminar and highlighted with recent use cases.
Who should attend this seminar ?
This course will significantly benefit IT Managers, Corporate Security Officers, Security Professionals, Information Security Officers, Information Systems Managers, Auditors, Consultants and anyone who wants to gain insight in the overall approach related to a Corporate Security Framework, the standards, laws, regulations and the implementation.
13.30h - 14.00h
Registration, coffee/tea and croissants
14.00h - 15.00h
Introduction to Security Standards, Laws and Regulations
- Steven Ackx (Ascure)
- Why are they your concern?
- Sources of Legislation
- Overview of applicable Laws
- Why are they your concern?
- Sources of Regulation
- Overview of applicable Regulations
- Why are they your concern?
- Sources of Standardization
- Overview of applicable Standards
- Who and where to implement:
- A generic business model
- Information (Technology) within the generic business model
- Mapping laws, regulations and standards
- Criteria to determine your compliance
- Risk-based approach
- Ownership and responsibility
15.00h - 16.00h
How to Implement Laws, Regulations and Standards
- Geert Vandenbranden (Ascure)
- Position in the organization
- Obtaining Buy-in
- Project or Program?
- Which information to collect?
- Where and how to get it?
- The PPT- Triad
- Corporate Maturity
- The Cost vs. Risk/Benefits
- Monitor & Audit:
- Difference between monitoring and auditing
- Closing the Circle
- At the center
16.00h - 16.20h
Coffee/Tea and Refreshments
16.20h - 17.00h
ICT Security Governance at the Flemish Government
- Peter Debasse (Vlaamse Overheid)
ICT Security Governance is not the responsibility of one single person. It requires the engagement of top management, involvement of all stackholders during the decision process and support of all users. The selection of standards and the development of a policy are key aspects but a governance organisation and risk management approach must guarantee a continuous life cycle.
The approach of the Flemish Government, a large and complex organisation, is presented, with special focus on its ICT security policy, security organisation and risk management process.
17.00h - 17.40h
Audit standards and international norms on information security and continuity at Partena
- Jean-Pierre Christians (Partena)
Partena defined projects to ensure continued accuracy, and to provide due diligence security checks on controlled activities regarding confidentiality, integrity and availability needed to verify security for business processes. Partena defined controls, audited controls and closed the gab towards predefined controls, in successfully gaining SAS 70 Type II certification.
19.00h - 19.40h
Birth, Life and Death of a Standard
- Dr. Marijke De Soete (ISO-Shadow Committee)
In the last 20 years, security has evolved from an “exclusivity” within the IT department of a company with limited resources to an inherent part of the corporate governance and strategy. It is obvious that for reasons such as interoperability and cost-effectiveness “Standardization” plays today a major role in IT Security. Standardization provides interoperability and cost-effectiveness in an area of in-depth complexity. The presentation will provide an overview on the main standardization bodies in ICT security. Further it will handle in more detail the work of ISO/IEC JTC 1 SC 27, and more in particular the 2700x family of ISMS standards.
- ISO organization:
- What is it?
- How is it organized?
- Lifecycle of an ISO-standard
- History and status of information security standards
- Future on the ISO-standard (27000 Family)
19.40h - 20.40h
Writing a Corporate Security Policy - The story from the trenches
- Geert Vandenbranden (Ascure)
- Approach and flow
- Writing cycle of an information security policy
- Key success factors
- Tips & Tricks
- Shopping lists
- Implementing, maintaining and keeping an information security policy alive
20.40h - 21.00h
Final Q & A
End of this seminar
Dr. Marijke De Soete is Managing Director of Security4Biz, a consultancy company which she established in April 2004. As an independent consultant, she offers consultancy services on risk management and security for Corporate Governance, business development in ICT security, and security aspects of systems and applications based on emerging technologies. She has over 20 years of experience in ICT management and security in international environments with a strong involvement in standardization and legal aspects.
Until the end of 2003, she was Vice President Emerging Technologies Product Security with MasterCard International since its merger with Europay. The responsibilities of her global
department included the security architectures of new payment products in emerging environments. The team was also responsible for the development of the PKI infrastructures to support these new products. The department was furthermore in charge of the specification of numerous security requirements for members, member service providers, third party processors and for security aspects of vendor products such as cards and payment devices. In this context the department also executed some evaluation /certification tasks to member banks and vendors. Last but not least it was acting as a centre of competence on cryptography and IT security (e.g., participation in standard and industry bodies, consultancy). Before that, she was Director of Payment System Security at Europay from 1995 till 2001.
Dr. De Soete has been active in several standardisation committees in the domain of IT security and chip cards for banking and telecom (ISO, ECBS, ETSI). She is currently Vice-Chair of ISO/IEC JTC 1 /SC 27, IT technology - Security techniques and was editor of several authentication standards produced by that committee (1988 -1995). She is regularly involved in the organisation of international conferences and was reviewer for several journals in this area.
Dr. De Soete has written over 35 articles and is a frequent speaker at international conferences and workshops. She also gives regularly courses in dedicated post university programmes on ICT security and cryptography.
Dr. De Soete holds a Ph.D. in Science (mathematics) from the University of Ghent (Belgium), where she was employed from 1979 till 1988 and was a visiting professor in 1995-1996, teaching a course on Cryptography and IT-Security, and she still is a member of the International Organisation for Cryptologic Research.
Steven Ackx is a Certified Senior level consultant at Ascure NV with extensive experience in ICT and Information Security related disciplines both at the strategic, tactical, operational and technical levels where he has focused on Information Security Governance, Information Security Management, Assessments/Audits, Awareness Programs and Risk Management. He started his career in the Media/Movie-theatre sector, where he was involved in the introduction of new technologies, like Internet, e-ticketing and e-business. After this he joined Ubizen where he continued his career starting as a security pre-sales consultant/engineer. Two years later he was promoted to technical product manager of two high-volume security products, which were developed in-house by Ubizen. After being a technical product manager at Ubizen for more than two years, he joined the Ascure company as an Information Security Consultant mainly working on Information Governance and Security Management. He is also responsible for all Ascure education, marketing and communication activities.
Mr. Ackx has a consultancy and management background in information security, networking and security applications disciples and has engaged in several major and medium security and related projects throughout his career.
He obtained the CISSP certification (Certified Information Security Systems Professional issued by ISC²) and the CISA certification (Certified Information Systems Auditor issued by ISACA) as well as the CISM certification (Certified Information Systems Manager issued by ISACA). He graduated with an EMBIS masters degree (European Master in Business Information Systems) at the EHSAL (Brussels - Belgium).
Geert Vandenbranden has an extensive experience in ICT and Information Security related disciplines both at the strategic, tactical and technical levels. In his current position as Senior Information Security Consultant, he focuses on Business Continuity Planning, Business Continuity Testing, Awareness Programs, Information Security Policy design and implementation, Information Security Governance / Program Management, Risk assessment and Risk management, Intrusion Detection/Prevention techniques and Security Architectures and Infrastructures. He obtained the CISSP certification (Certified Information Security Systems Professional issued by ISC²) and the CISA certification (Certified Information Systems Auditor issued by ISACA) as well as the CISM certification (Certified Information Systems Manager issued by ISACA). Recently he also obtained an MBCI certificate (Member of the Business Continuity Institute).
Peter Debasse is staff member of the "entiteit ICT-Beleid" at the Flemish Government.
As ICT Security Officer he coordinates the steering comitee which has the highest decision power regarding ICT security within the Flemish Government.
Regarding the outsourced ICT-services to the consortium EDS-Telindus he is responsable for the security strategy, tactical planning and overall security risk management.
Peter is former IT manager of McKinsey&Company Belgium.
Since more than 30 years, Pierre Leclercq is active in operational management. He built up his experience in piloting mechanisms for business and development, designing new development solutions strategies and the adaptation of organizations to these novelties.
After several years during which he exercised management responsibilities (2 entities of more one than 80 persons), he joined for 6 years an internal audit division, where he was in charge of projects on the quality of operational services. Following this he specialized himself in project management, while implementing an adapted methodology according to maturity and needs of the organization.
Since 3 years, he assumes the function of Project & Control Manager at Partena with objectives to manage strategic projects and to develop an internal business compliance process, including implementing methods and tools for managing processes and procedures with respect to audit standards and international norms regarding information security and business continuity.
Questions about this ? Interested but you can't attend ? Send us an email !