Certified PKI Professional

Note: This course is no longer available.
This page is maintained only for archival purposes.

  • Someone defaces an organization's website and posts anti-national propaganda on the site. The unwitting dissemination of this information renders your Board of Directors and other personnel liable for life imprisonment. How does one prevent such attacks and protect oneself from legal liability?
  • A patient's diagnosis is e-mailed to his doctor who is out of the country. The doctor e-mails the prescription, which is altered without authorization before it reaches the hospital. Due to the wrong medication the patient passes away. How do you prevent such an unfortunate incident of cyber murder?
  • A virus infects your organization's networks and attaches itself to all your outgoing messages. You are now responsible for spreading malicious code and liable to pay crores of rupees in fines. How do you safeguard yourself from such activities that hold you liable without your knowledge?
  • Someone launches an attack on your network, bypassing the firewalls and other safety measures you have installed, and steals information valued at crores of rupees. How do you prevent such data theft attacks that cost you money for the stolen information and for system failure?
Public Key Infrastructure (PKI) answers all these and more.

Simply put, PKI is a system that incorporates the power of asymmetric encryption (and its applications like digital signatures) to ensure the objectives of information security like Privacy, Data integrity, Entity authentication and identification, Message authentication, Signature, Access control, Certification, Time stamping, Witnessing, Non-repudiation, Revocation etc.

The term PKI refers to the laws, policies, standards, and software that regulate the use of asymmetric encryption and its applications for achieving the abovementioned objectives.

BENEFITS OF USING PKI

  • PKI protects your invaluable information resources from any unauthorized access and alteration.
  • PKI mitigates email spoofing and other authentication attacks.
  • PKI is the only legally recognized method of authenticating electronic records.
  • PKI provides information and communication security.

The hardware and software costs for deploying PKI are next to nothing for organizations powered by the Microsoft Windows 2000 operating system.

The built-in Certificate Services bundled with Microsoft Windows 2000 Advanced Server can be used in combination with the Office XP software to deliver a powerful inter- and intra-organizational PKI. All that you require is adequate consultancy and training.

MISSION OF THE PROGRAM

  • To make participants thoroughly aware of the intricacies of PKI design, implementation and administration
  • To equip the participants to lead a team involved in the design and deployment of inter- and intra-organizational PKI using Windows 2000
  • To equip the participants with the knowledge of the policies and laws relating to PKI
  • To give an insight into real-life, fully integrated inter- and intra-organizational PKI models

COURSE OVERVIEW

This is an intensive course suitable for network and system administrators, consultants, IT and legal professionals and students. This program provides a detailed view of the various issues involved in the design, implementation and administration of inter and intra-organizational PKI.

This program is perfect for students seeking career opportunities in the emerging area of PKI design and deployment.

COURSE CURRICULUM


  1. PKI - Conceptual issues
  2. PKI - Deployment Issues

Securing Information & Communication through PKI

Note: This course is no longer available.
This page is maintained only for archival purposes.

THE NEED FOR PKI

  • Someone defaces an organization's website and posts anti-national propaganda on the site. The unwitting dissemination of this information renders your Board of Directors and other personnel liable for life imprisonment. How does one prevent such attacks and protect oneself from legal liability?
  • A patient's diagnosis is e-mailed to his doctor who is out of the country. The doctor e-mails the prescription, which is altered without authorization before it reaches the hospital. Due to the wrong medication the patient passes away. How do you prevent such an unfortunate incident of cyber murder?
  • A virus infects your organization's networks and attaches itself to all your outgoing messages. You are now responsible for spreading malicious code and liable to pay crores of rupees. How do you safeguard yourself from such activities that hold you liable without your knowledge?
  • Someone launches an attack on your network, bypassing the firewalls and other safety measures you have installed, and steals information valued at crores of rupees. How do you prevent such data theft attacks that cost you money for the stolen information and for system failure?

Public Key Infrastructure (PKI) answers all these and more.

Simply put, PKI is a system that incorporates the power of asymmetric encryption (and its applications like digital signatures) to ensure the objectives of information security like Privacy, Data integrity, Entity authentication and identification, Message authentication, Signature, Access control, Certification, Time stamping, Witnessing, Non-repudiation, Revocation etc.

The term PKI refers to the laws, policies, standards, and software that regulate the use of asymmetric encryption and its applications for achieving the abovementioned objectives.

BENEFITS OF USING PKI

  • PKI protects your invaluable information resources from any unauthorized access and alteration.
  • PKI mitigates email spoofing and other authentication attacks.
  • PKI is the only legally recognized method of authenticating electronic records.
  • PKI provides information and communication security.

The hardware and software costs for deploying PKI are next to nothing for organizations powered by the Microsoft Windows 2000 operating system.

The built-in Certificate Services bundled with Microsoft Windows 2000 Advanced Server can be used in combination with the Office XP software to deliver a powerful inter- and intra-organizational PKI. All that you require is adequate consultancy and training.

MISSION OF THE PROGRAM

  • To highlight the need and importance of PKI for information security
  • To create awareness and give practical training on the concepts of encryption and digital signatures
  • To equip participants with the knowledge necessary to design and deploy a PKI according to organizational requirements
  • To give an insight into a fully integrated security policy that is indispensable for maintaining information security
  • To enable participants to provide a cost-effective security solution for their organizations

COURSE OVERVIEW

This is an intensive three-day training program in practice and theory suitable for top and middle level management, network and system administrators, consultants, IT and legal professionals.

This program provides an overall view of the various issues involved in the design, implementation and administration of inter- and intra-organizational PKI. The program will provide a hands-on and practical approach to using digital signatures.

Day 1
Introduction to PKI

  1. Overview of Cryptography
  2. Introduction to PKI
  3. Designing a PKI


Day 2
Designing, implementing and administering a PKI

  1. Installing the Windows 2000 PKI
  2. Administrative Functions

Day 3
Practical case study

Securing Critical Information in the Banking Environment

Note: This course is no longer available.
This page is maintained only for archival purposes.

The banking industry has always been subjected to tighter controls as compared to any other industry. Perhaps this is not surprising since the banking system plays a very important role in the economic development of a country.

Not so long ago, banking transactions used to be manual. There has, however, been a paradigm shift in such transactions in the past few years.

The use of information technology in the banking industry has increased considerably. Computers are being extensively used to manage the flow of information and process data in a bank.

However, every new technology has its pitfalls and information technology is no exception.

Since banking information is highly sensitive, there is all the more need for information flowing through banking channels to be secure from prying eyes and immune to any kind of tampering.

This necessitates regular audit of a bank's information technology systems to verify that the information systems of a bank are secure. In fact, periodic information security audits are becoming a statutory requirement in most countries of the world.

COURSE OBJECTIVES

  • To understand the importance of information security audits in a bank.
  • To comprehend the various steps involved in information security audit for banks.
  • To recommend security measures to be taken by banks to protect information.
  • To learn to design a comprehensive security policy for banks.

Course Contents:

  1. Understanding the needs of information security audits in banks
  2. Design and implementation of a Public Key Infrastructure (PKI)
  3. Audit trails and maintenance
  4. Internet Banking
  5. Security policy

Understanding the BS7799 Standard

Note: This course is no longer available.
This page is maintained only for archival purposes.

The rising value of information and the recent high-profile information security breaches have emphasized the ever-increasing need for organizations to protect their data.

An Information Security Management System (ISMS) is crucial for ensuring that organizations effectively manage the risks inherent in organizational information systems.

Such ISM Systems should have scalability and universal inter-operability as their prime features.

This can be achieved by using the British Standard BS-7799 as a tool for auditing and scaling the existing security procedures and bringing them into conformance with international best practices.

First published in February 1995, BS-7799 comes equipped with a comprehensive set of information security controls, which cover all domains of Information security.

BS7799 was significantly revised, extended and improved in May 1999, before being republished as ISO 17799 in December 2000.

Now, with BS-7799 accreditation and certification schemes also firmly established, BS-7799 has become a benchmark against which the information security practices of all organizations will be measured.

COURSE OBJECTIVES

  1. To enable professionals to design and implement an ISM System that adequately supports BS-7799.
  2. To establish the compliance level for all ten security controls.
  3. To identify which additional controls can be applied to increase compliance and thus improve security of information assets.
  4. To produce a comprehensive and professional report, in business format.

COURSE METHODOLOGY

  1. Instructor-led intensive classroom training sessions, backed by comprehensive self-study course material and exercises.
  2. Case studies and class exercises involving the design of security policies and the auditing of hypothetical organizational systems.
  3. Hands-on use of BS-7799 application software.
  4. Practical, case-study and theory-based assessment.

TARGET AUDIENCE

  • Top management
  • Internal Affairs / Vigilance Department
  • Management Consultants
  • Security Professionals
  • Audit, Law, Security and IT consultants
  • Defence and Law Enforcement

COURSE CONTENTS

Introduction to Information Security

This section examines the needs and objectives of Information Security and also the background of the British Standard and its current status. The session will illustrate how information security has attained the importance that necessitates an independent standard for benchmarking security practices.

The rise of British Standard 7799 as the world's accepted benchmark of security controls will be traced from the release of the standard onwards.

Managing Information Risks

This session starts with an understanding of the many risks that information assets are prone to, along with the technology often employed by those who pose a threat to the information. The focus of this session will be electronic information assets and electronic crimes. The main topics of discussion in this session are:

  • Risks, Threats and Vulnerabilities of Information Assets.
  • Real-time threats to Information Assets
  • Technology Used by Attackers.

The continuing session shall focus on how present and potential risks or vulnerabilities, within or outside an organization, are perceived as threats to business continuity. This session shall provide a practical approach to the evaluation and concurrent management of risks. The topics covered are:

  • Risk Assessment and Risk Analysis.
  • Classification of Risks, Threats and Vulnerabilities.

Role & Initiatives of Management

This session deals with the role of the executive management of an organization in keeping up to date with the risk scenario of the company. It is always advisable to delegate security functions to subordinates, but never the accountability for security management.

This session discusses the aspects of Information Security that any management should keep close within reach. It also covers the basic functions of the company's management in its security management. Some of the topics covered briefly are:

  • Creation of Security forum and its functions.
  • Security Policies
  • Reporting Policies and Feedback
  • Management Reviews

Security Controls and Practices

This session shall discuss in depth the ten security controls recommended by the British Standard for maintaining the information security of all organizations. The technical aspects of some of the security mechanisms and controls shall be discussed at length, such as firewalls for network security, cryptography for information security and legislative requirements for business security.

Security Controls and Practices (Contd.)

In continuation of the previous session, the remaining Security Controls shall be explained, and demonstrations of security practices such as basic-level firewalls and encryption technologies will be provided for better comprehension of the controls. Software demos include Zone-Alarm, PGP v. 8 and the Windows 2000 Advanced Server security mechanisms.

Planning Audits of Security Systems

In this session, participants will be shown how one goes about planning a security audit of any organization. It includes all preliminary measures that the auditor must take before commencing the audit. The session includes:

  • Preparing the Audit Team.
  • Scope and Goals of the Audit.
  • Preparing the Statement of Applicability (SoA).

Audit Process

Once the due diligence process for the audit has been performed, the auditor moves on to the various phases of the audit process. Participants will be required to analyse real-life cases to cover this session. The topics covered are:

  • Collection of Evidence and Verification.
  • Explaining the Process to Management.
  • Preparing an Audit Report.
  • Real Life Case Studies for Audits.

Audit Software

The presentation of audit findings in standardized audit formats has been simplified by the use of automated systems for preparing standardized audit reports. It is essential for participants to become familiar with popular audit tools. This is taken up briefly in a hands-on practical in this session.

  • Use of COBRA Software for Audit Compliance.

Assessment of Participants

The assessment of the participants shall be conducted to gauge their understanding of the subject. This assessment shall comprise practical, case-study and theory-based examinations.