TABLE OF CONTENTS
COURSE TITLE
COURSE NAME PAGE
A FRAUD UPDATE: FORENSIC AND INVESTIGATIVE AUDITING. . . . . . 24
A PRACTICAL APPROACH TO CERTIFYING A SYSTEM. . . . . . . . . . 83
ADP SECURITY OFFICERS (ADPSO) CONCEPTS . . . . . . . . . . . 2
ADVANCED DATA COMM NETWORKS: SECURITY/AUDITABILITY . . . . . . 55
ADVANCED EDP AUDITING - GBA 577. . . . . . . . . . . . . . . . 79
ADVANCED TECHNOLOGY CONFERENCE . . . . . . . . . . . . . . . . 10
ADVANCED NETWORK SECURITY ARCHITECTURE . . . . . . . . . . . . 75
AIS SECURITY STRATEGIES. . . . . . . . . . . . . . . . . . . . 60
APPLICATION SECURITY REVIEWS . . . . . . . . . . . . . . . . . 30
ARCHITECTURE FOR SECURE SYSTEMS. . . . . . . . . . . . . . . . 73
AUDIT SOFTWARE FOR THE 21ST CENTURY. . . . . . . . . . . . . . 48
AUDIT AND SECURITY OF CLIENT/SERVER ARCHITECTURES. . . . . . . 24
AUDIT AND SECURITY OF RELATIONAL DATABASES AND APPLICATIONS. . 57
AUDIT AND CONTROL OF END-USER COMPUTING (EUC). . . . . . . . . 40
AUDIT AND CONTROL OF ELECTRONIC DATA INTERCHANGE . . . . . . . 39
AUDIT, CONTROL, AND SECURITY OF LAN AND MAINFRAME CONNECTIVITY 31
AUDITING EDI APPLICATIONS. . . . . . . . . . . . . . . . . . . 47
AUDITING THE DATA CENTER FOR CONTROLS, EFFICIENCY, AND
COST-EFFECTIVENESS . . . . . . . . . . . . . . . . . . . . 68
AUDITING THE DATA CENTER (M2020) . . . . . . . . . . . . . . . 36
AUDITING FRAUD: PREVENT, DETECT, & CONTROL . . . . . . . . . . 54
AUDITING ADVANCED INFORMATION TECHNOLOGY . . . . . . . . . . . 51
AUDITING CLIENT/SERVER TECHNOLOGY. . . . . . . . . . . . . . . 49
AUDITING SYSTEM DEVELOPMENT: NEW TECHNIQUES FOR NEW TECHNOLOGIES 47
AUDITING DATACOMM NETWORKS . . . . . . . . . . . . . . . . . . 50
AUDITING INFORMATION SYSTEMS . . . . . . . . . . . . . . . . . 41
AUDITING THE SYSTEMS DEVELOPMENT PROCESS . . . . . . . . . . . 70
BASIC SECURITY FOR PC USERS . . . . . . . . . . . . . . . . . 44
BASICS OF COMPUTER SECURITY. . . . . . . . . . . . . . . . . . 18
BECOMING AN EFFECTIVE DATA SECURITY OFFICER. . . . . . . . . . 53
BUILDING INFORMATION SECURITY AWARENESS. . . . . . . . . . . . 27
BUSINESS RESUMPTION PLANNING (M2046) . . . . . . . . . . . . . 21
BUSINESS FRAUD (M2008) . . . . . . . . . . . . . . . . . . . . 38
BUSINESS IMPACT ANALYSIS . . . . . . . . . . . . . . . . . . . 85
BUSINESS IMPACT ANALYSIS (M2044) . . . . . . . . . . . . . . . 21
CASE STUDIES IN MULTILEVEL SECURE NETWORKING . . . . . . . . . 13
COMMUNICATION SECURITY PRINCIPLES & PRACTICES. . . . . . . . . 66
COMMUNICATIONS TECHNOLOGIES. . . . . . . . . . . . . . . . . . 86
COMPREHENSIVE INFOSEC SEMINAR. . . . . . . . . . . . . . . . . 66
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
COMPUTER VIRUSES SEMINAR . . . . . . . . . . . . . . . . . . . 84
COMPUTER SECURITY FOR THE END-USER . . . . . . . . . . . . . . 80
COMPUTER SECURITY. . . . . . . . . . . . . . . . . . . . . . . 32
COMPUTER SECURITY SEMINAR. . . . . . . . . . . . . . . . . . . 64
COMPUTER CRIME & INDUSTRIAL ESPIONAGE. . . . . . . . . . . . . 82
COMPUTER SECURITY AWARENESS TRAINING . . . . . . . . . . . . . 3
COMPUTER SECURITY FOR EXECUTIVES . . . . . . . . . . . . . . . 3
COMPUTER SECURITY FOR SECURITY AND MIS PROFESSIONALS . . . . . 43
COMPUTER SECURITY AND PRIVACY. . . . . . . . . . . . . . . . . 67
COMPUTER SECURITY FOR END USERS. . . . . . . . . . . . . . . . 2
COMPUTER SECURITY. . . . . . . . . . . . . . . . . . . . . . . 35
COMPUTER VIRUSES, TROJAN HORSES, AND LOGIC BOMBS . . . . . . . 61
COMPUTER SECURITY IN APPLICATION SOFTWARE. . . . . . . . . . . 34
COMPUTER VIRUSES: DETECT, PREVENT, CURE INFECTIONS . . . . . . 69
COMPUTER FRAUD (M2010) . . . . . . . . . . . . . . . . . . . . 38
COMPUTER SECURITY EXECUTIVE OVERVIEW . . . . . . . . . . . . . 1
COMPUTER SECURITY SYSTEMS I - CS 229 . . . . . . . . . . . . . 58
COMPUTER SECURITY AWARENESS (CBT). . . . . . . . . . . . . . . 7
COMPUTER SECURITY FOR MANAGERS . . . . . . . . . . . . . . . . 30
COMPUTER VIRUSES . . . . . . . . . . . . . . . . . . . . . . . 31
COMPUTER SECURITY FOR SECURITY & ADP PROGRAM MANAGERS. . . . . 17
COMPUTER SECURITY AWARENESS. . . . . . . . . . . . . . . . . . 6
COMPUTER SECURITY & CONTINGENCY PLANNING . . . . . . . . . . . 51
COMPUTER SECURITY FOR MANAGERS SEMINAR . . . . . . . . . . . . 53
COMPUTER SECURITY FOR SECURITY OFFICERS. . . . . . . . . . . . 62
COMPUTER SECURITY SYSTEMS II - CS 329. . . . . . . . . . . . . 58
COMSEC . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
CONTINUITY OF OPERATIONS/DISASTER RECOVERY PLANNING: PART I. . 8
CONTINUITY OF OPERATIONS/DISASTER RECOVERY PLANNING: PART II WORKSHOP 30
CONTROL AND SECURITY OF LOCAL AREA NETWORKS. . . . . . . . . . 52
CONTROL AND SECURITY OF LANS . . . . . . . . . . . . . . . . . 50
DATA CENTER RECOVERY PLANNING (M2040). . . . . . . . . . . . . 20
DATA COMMUNICATIONS SECURITY . . . . . . . . . . . . . . . . . 28
DATA SECURITY PLANNING: STRATEGIES FOR EFFECTIVE INFORMATION SECURITY
(W9898). . . . . . . . . . . . . . . . . . . . . . . . . . 22
DATA SECURITY PLANNING . . . . . . . . . . . . . . . . . . . . 68
DATABASE SECURITY SEMINAR. . . . . . . . . . . . . . . . . . . 65
DETECTING AND PREVENTING COMPUTER FRAUD. . . . . . . . . . . . 11
DEVELOPING COMPUTER SECURITY POLICIES & PROCEDURES . . . . . . 28
DISASTER RECOVERY PLANNING . . . . . . . . . . . . . . . . . . 70
DISASTER RECOVERY PLANNING: STRATEGIES TO DEVELOP & MAINTAIN PROVABLE
RECOVERY CAPABILITY (W9912). . . . . . . . . . . . . . . . . . 20
EDI: New Frontiers For Auditors. . . . . . . . . . . . . . . . 56
EDP AUDITING - CIS 433 . . . . . . . . . . . . . . . . . . . . 78
EDP CONCEPTS FOR BUSINESS. . . . . . . . . . . . . . . . . . . 6
EDP AUDITING: THE FIRST STEP . . . . . . . . . . . . . . . . . 52
EXECUTIVE AIS SECURITY BRIEFING. . . . . . . . . . . . . . . . 8
FEDERAL AIS COMPUTER SECURITY REQUIREMENTS . . . . . . . . . . 4
FUNDAMENTALS OF COMPUTER SECURITY FOR FEDERAL INFORMATION SYSTEMS 64
HOW TO MANAGE AN INFORMATION SECURITY PROGRAM: A GUIDE FOR NEWLY
APPOINTED MANAGERS . . . . . . . . . . . . . . . . . . . . 23
IMPLEMENTING & MANAGING A COMPUTER SECURITY PROGRAM. . . . . . 19
IMPLEMENTING AND TESTING THE DISASTER RECOVERY PLAN. . . . . . 88
INFORMATION RISK ASSESSMENT AND SECURITY MANAGEMENT - CSMN 655 82
INFORMATION POLICY - CS 230. . . . . . . . . . . . . . . . . . 63
INFORMATION SECURITY PRINCIPLES AND PRACTICES. . . . . . . . . 17
INFORMATION SYSTEMS AUDIT WORKSHOP . . . . . . . . . . . . . . 49
INFORMATION RISK ASSESSMENT & SECURITY MANAGEMENT. . . . . . . 3
INFORMATION SYSTEMS SECURITY (CSI 214) . . . . . . . . . . . . 81
INFORMATION SYSTEMS SEMINAR FOR INTERNAL AUDITORS. . . . . . . 4
INFORMATION SECURITY AND POLICY. . . . . . . . . . . . . . . . 32
INFOSEC FOUNDATIONS SEMINAR. . . . . . . . . . . . . . . . . . 54
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
INFOSEC EVALUATIONS USING FORMAL METHODS . . . . . . . . . . . 76
INTEGRATED AUDITING: THE BASICS. . . . . . . . . . . . . . . . 42
INTRODUCTION TO COMPUTER SECURITY FOR NON-ADP MANAGERS . . . . 16
INTRODUCTION TO COMPUTER SECURITY FOR FIRST-LEVEL SUPERVISORS. 16
INTRODUCTION TO SOFTWARE VERIFICATION. . . . . . . . . . . . . 76
INTRODUCTION TO EDP AUDITING (M2022) . . . . . . . . . . . . . 37
INTRODUCTION TO LAN SECURITY . . . . . . . . . . . . . . . . . 10
INTRODUCTION TO AUDITING MICROS AND LANS: CONTROLLING END-USER
COMPUTING. . . . . . . . . . . . . . . . . . . . . . . . . 43
INTRODUCTION TO SECURE SYSTEMS . . . . . . . . . . . . . . . . 34
KEEPING OUT OF TROUBLE WITH THE SOFTWARE POLICE. . . . . . . . 9
LAN SECURITY (M2006) . . . . . . . . . . . . . . . . . . . . . 37
LAN SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . 90
LAN TUNING AND PERFORMANCE FOR AUDIT AND SECURITY PERSONNEL. . 57
LAN SECURITY OVERVIEW. . . . . . . . . . . . . . . . . . . . . 9
LAN SECURITY . . . . . . . . . . . . . . . . . . . . . . . . . 28
LEGAL ENVIRONMENT OF INFORMATION SYSTEMS - GBA 560 . . . . . . 79
MANAGING COMPUTER SECURITY-MERGERSS, ACQISITIONS, AND DIVESTITURES 67
MANAGING THE ACQUISITION OF MLS RESOURCES. . . . . . . . . . . 14
MANAGING AND DEVELOPING A DISASTER RECOVERY PLAN . . . . . . . 87
MANAGING AN ORGANIZATION-WIDE INFORMATION SECURITY PROGRAM . . 27
MARKETPLACE IMPLICATIONS OF THE EVOLUTION OF EVALUATION CRITERIA 7
MICRO SECURITY FOR INFORMATION SYSTEMS SECURITY ANALYSTS . . . 35
MICROCOMPUTER SECURITY . . . . . . . . . . . . . . . . . . . . 7
MICROCOMPUTER SECURITY . . . . . . . . . . . . . . . . . . . . 62
MODEL INTERPRETATIONS. . . . . . . . . . . . . . . . . . . . . 75
NETWORK AUDITING (M2034) . . . . . . . . . . . . . . . . . . . 35
NETWORK SECURITY ARCHITECTURE. . . . . . . . . . . . . . . . . 74
NETWORK RECOVERY PLANNING (M2056). . . . . . . . . . . . . . . 22
NETWORK SECURITY . . . . . . . . . . . . . . . . . . . . . . . 77
NETWORK SECURITY SEMINAR . . . . . . . . . . . . . . . . . . . 65
NEW FRONTIERS FOR AUDITORS . . . . . . . . . . . . . . . . . . 56
ON-LINE, DISTRIBUTED COMMUNICATIONS SYSTEMS: CONTROL, AUDIT & SECURITY 55
OPERATING SYSTEM SECURITY CONCEPTS . . . . . . . . . . . . . . 72
OPERATIONAL NETWORK SECURITY SEMINAR . . . . . . . . . . . . . 84
PC/LAN RECOVERY PLANNING (M2042) . . . . . . . . . . . . . . . 20
PC/LAN AUDITING (M2028). . . . . . . . . . . . . . . . . . . . 36
PC SECURITY (M2004). . . . . . . . . . . . . . . . . . . . . . 37
PC SECURITY. . . . . . . . . . . . . . . . . . . . . . . . . . 89
PC-LAN AND DATA SECURITY . . . . . . . . . . . . . . . . . . . 9
PHYSICAL SECURITY FOR DATA PROCESSING. . . . . . . . . . . . . 31
PLANNING AN EDP DISASTER RECOVERY PROGRAM. . . . . . . . . . . 33
PRACTICAL CONSIDERATIONS FOR IMPLEMENTING A MULTILEVEL SECURE NETWORK 15
PRACTICAL ASPECTS OF OWNING A MULTILEVEL SECURE NETWORK. . . . 14
PRACTICAL ASPECTS OF PLANNING TO ACQUIRE MULTILEVEL SECURITY IN AN OPEN
SYSTEMS ENVIRONMENT. . . . . . . . . . . . . . . . . . . . . . 12
PRACTICAL CONSIDERATIONS FOR PLANNING & IMPLEMENTING MULTILEVEL SECURITY
IN AN OPEN SYSTEMS ENVIRONMENT . . . . . . . . . . . . . . 13
PRACTICAL CONSIDERATIONS FOR PLANNING MULTILEVEL SECURITY IN AN OPEN
SYSTEMS ENVIRONMENT . . . . . . . . . . . . . . . . . . . . . 15
PRACTICAL ASPECTS OF ACQUIRING AND OWNING A MULTILEVEL SECURE NETWORK 11
PRACTICAL CONSIDERATIONS FOR ACQUIRING AND IMPLEMENTING A MULTILEVEL
SECURE NETWORK . . . . . . . . . . . . . . . . . . . . . . 12
PROTECTING YOUR NETWORKS FROM HACKERS, VIRUSES, AND OTHER ATTACKS 23
PROTECTING NETWORKS & SMALL SYSTEMS. . . . . . . . . . . . . . 29
RECENT DEVELOPMENTS IN INFORMATION SECURITY . . . . . . . . . 25
RISK ASSESSMENT. . . . . . . . . . . . . . . . . . . . . . . . 19
RISK ASSESSMENT TECHNIQUES FOR AUDITORS. . . . . . . . . . . . 71
RISK MANAGEMENT . . . . . . . . . . . . . . . . . . . . . . . 25
SECURE SYSTEMS DESIGN AND PROGRAM MANAGEMENT . . . . . . . . . 26
SECURITY AND PRIVACY OF INFORMATION SYSTEMS - GBA 578. . . . . 78
SECURITY TECHNOLOGY IN THE REAL WORLD. . . . . . . . . . . . . 45
SECURITY AND CONTROL IN AUTOMATED SYSTEMS-AUDIT IS . . . . . . 63
SECURITY IN SOFTWARE APPLICATIONS. . . . . . . . . . . . . . . 33
TELECOMMUNICATIONS SECURITY SYSTEMS - EE 250 . . . . . . . . . 59
TELECOMMUNICATIONS FOR INFORMATION SYSTEMS SECURITY ANALYSTS . 1
TEMPEST PROGRAM MANAGEMENT AND SYSTEMS ENGINEERING . . . . . . 81
THE CMW: USER TUTORIAL . . . . . . . . . . . . . . . . . . . . 90
THE SECURITY-AUDIT ALLIANCE. . . . . . . . . . . . . . . . . . 83
THE SYSTEMS INTEGRATOR'S PERSPECTIVE ON AIS SECURITY STRATEGIES 8
THE DATA CENTER: AUDITING FOR PROFIT . . . . . . . . . . . . . 56
THE CMW: ADMINISTRATOR TUTORIAL. . . . . . . . . . . . . . . . 61
THE CMW: APPLICATION PROGRAMMING . . . . . . . . . . . . . . . 88
THE INTEGRATED AUDIT WORKSHOP. . . . . . . . . . . . . . . . . 48
THEORETICAL FOUNDATION/TRUST OF INFORMATION SYSTEMS. . . . . . 73
TRUSTED SYSTEMS CRITERIA AND CONCEPTS. . . . . . . . . . . . . 72
TRUSTED INTEGRATION/SYSTEM CERTIFICATION . . . . . . . . . . . 71
UNDERSTANDING TRUSTED SYSTEMS. . . . . . . . . . . . . . . . . 19
UPS: DESIGN, SELECTION AND SPECIFICATION . . . . . . . . . . . 34
USING INVESTIGATIVE SOFTWARE TO DETECT FRAUD . . . . . . . . . 47
WRITING SECURITY PLANS . . . . . . . . . . . . . . . . . . . . 26
LIST OF APPENDICES
A - Major Categories
B - Vendor List
C - Product List
D - Product Specific Courses
E - Training Matrix� APPENDIX A
MAJOR CATAGORIES
COMPUTER SECURITY BASICS
EXECUTIVES
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 7
Computer Security Awareness Training . . . . . . . . . . . . . 3
Computer Security Executive Overview . . . . . . . . . . . . . 1
Computer Security For End Users. . . . . . . . . . . . . . . . 2
Computer Security For Executives . . . . . . . . . . . . . . . 3
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 8
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 4
Information Systems Seminar For Internal Auditors. . . . . . . 4
Microcomputer Security . . . . . . . . . . . . . . . . . . . . .7
Telecommunications for Information Systems Security Analysts . 1
� SECURITY PLANNING & MANAGEMENT
EXECUTIVES
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 7
Computer Security Awareness Training . . . . . . . . . . . . . 3
Computer Security Executive Overview . . . . . . . . . . . . . 1
Computer Security For End Users. . . . . . . . . . . . . . . . 2
Computer Security For Executives . . . . . . . . . . . . . . . 3
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 8
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
Information Systems Seminar For Internal Auditors. . . . . . . 4
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Telecommunications for Information Systems Security Analysts . 1
� SECURITY PLANNING & MANAGEMENT
EXECUTIVES
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Executive AIS Security Briefing. . . . . . . . . . . . . . . . 8
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
Marketplace Implications of the Evolution of Evaluation Criteria 7
Telecommunications for Information Systems Security Analysts . 1
The Systems Integrator's Perspective on AIS Security Strategies 8
� COMPUTER SECURITY POLICY & PROCEDURES
EXECUTIVES
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Executive AIS Security Briefing. . . . . . . . . . . . . . . . 8
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
Keeping Out of Trouble with the Software Police. . . . . . . . 9
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
� CONTINGENCY PLANNING
EXECUTIVES
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Executive AIS Security Briefing. . . . . . . . . . . . . . . . 8
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
Keeping Out of Trouble with the Software Police. . . . . . . . 9
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
� SYSTEMS LIFE CYCLE MANAGEMENT
EXECUTIVES
COURSE TITLE PAGE
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Information Systems Seminar For Internal Auditors. . . . . . . 4
� COMPUTER SECURITY BASICS
PROGRAM & FUNCTIONAL MANAGERS
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Basics of Computer Security. . . . . . . . . . . . . . . . . 18
Case Studies in Multilevel Secure Networking . . . . . . . . 13
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 7
Computer Security Awareness Training . . . . . . . . . . . . . 3
Computer Security For End Users. . . . . . . . . . . . . . . . 2
Computer Security for Security & ADP Program Managers. . . . 17
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 8
Detecting and Preventing Computer Fraud. . . . . . . . . . . 11
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Implementing & Managing a Computer Security Program. . . . . . 19
Information Security Principles and Practice . . . . . . . . 17
Information Risk Assessment & Security Management. . . . . . . 3
Information Systems Seminar For Internal Auditors. . . . . . . 4
Introduction to LAN Security . . . . . . . . . . . . . . . . 10
Introduction to Computer Security for Non-ADP Managers . . . 16
Introduction to Computer Security for First-Level Supervisors 16
LAN Security Overview. . . . . . . . . . . . . . . . . . . . . 9
Managing the Acquisition of MLS Resources. . . . . . . . . . 14
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
PC-LAN and Data Security . . . . . . . . . . . . . . . . . . . 9
Practical Considerations for Planning and Implementing Multilevel
Security in an Open Systems Environment . . . . . . . . . 13
Practical Aspects of Planning to Acquire
Multilevel Security in an Open Systems Environment. . . . 12
Practical Considerations for Acquiring and
Implementing a MultiLevel Secure Network. . . . . . . . . 12
Practical Aspects of Owning a Multilevel Secure Network. . . 14
Practical Considerations for Planning Multilevel Security in an
Open Systems Environment. . . . . . . . . . . . . . . . . 15
Practical Considerations for Implementing a MultiLevel
Secure Network. . . . . . . . . . . . . . . . . . . . . . 15
Practical Aspects of Acquiring and Owning
a Multilevel Secure Network . . . . . . . . . . . . . . . 11
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Telecommunications for Information Systems Security Analysts . 1
Understanding Trusted Systems. . . . . . . . . . . . . . . . 19� SECURITY PLANNING & MANAGEMENT
PROGRAM & FUNCTIONAL MANAGERS
COURSE TITLE PAGE
A Fraud Update: Forensic and Investigative Auditing. . . . . 24
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit and Security of Client/Server Architectures. . . . . . 24
Building Information Security Awareness. . . . . . . . . . . 27
Business Impact Analysis (M2044) . . . . . . . . . . . . . . 21
Business Resumption Planning (M2046) . . . . . . . . . . . . 21
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Viruses, Trojan Horses, and Logic Bombs . . . . . . 29
Computer Security For Managers . . . . . . . . . . . . . . . 30
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Continuity of Operations/Disaster Recovery Planning:
Part II Workshop. . . . . . . . . . . . . . . . . . . . . 30
Data Communications Security . . . . . . . . . . . . . . . . 28
Data Security Planning: Strategies for Effective Information
Security (W9898). . . . . . . . . . . . . . . . . . . . . 22
Data Center Recovery Planning (M2040). . . . . . . . . . . . 20
Developing Computer Security Policies & Procedures . . . . . 28
Disaster Recovery Planning: Strategies to Develop and Maintain
Provable Recovery Capability (W9912). . . . . . . . . . . 20
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
How to Manage an Information Security Program A Guide for Newly
Appointed Managers. . . . . . . . . . . . . . . . . . . . 23
Implementing & Managing a Computer Security Program. . . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
LAN Security . . . . . . . . . . . . . . . . . . . . . . . . 28
LAN Security Overview. . . . . . . . . . . . . . . . . . . . 9
Managing Org-Wide Information Security Program . . . . . . . 27
Network Recovery Planning (M2056). . . . . . . . . . . . . . 22
PC/LAN Recovery Planning (M2042) . . . . . . . . . . . . . . 20
PC-LAN and Data Security . . . . . . . . . . . . . . . . . . . 9
Physical Security for Data Processing. . . . . . . . . . . . 31
Protecting Networks & Small Systems. . . . . . . . . . . . . 29
Protecting Your Networks from Hackers, Viruses, and
Other Attacks . . . . . . . . . . . . . . . . . . . . . . 23
Recent Developments in Information Security. . . . . . . . . 25
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . . 19
Secure Systems Design and Program Management . . . . . . . . 26
Telecommunications for Information Systems Security Analysts . 1
Writing Security Plans . . . . . . . . . . . . . . . . . . . 26� COMPUTER SECURITY POLICY & PROCEDURES
PROGRAM & FUNCTIONAL MANAGERS
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Advanced Technology Conference . . . . . . . . . . . . . . . . 10
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit, Control, and Security of LAN and Mainframe Connectivity 31
Building Information Security Awareness. . . . . . . . . . . 27
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Viruses, Troj Horses, and Logic Bombs . . . . . . . 61
Computer Viruses . . . . . . . . . . . . . . . . . . . . . . 31
Computer Security. . . . . . . . . . . . . . . . . . . . . . 32
Continuity of Operations/Disaster Recovery Planning:
Part II Workshop. . . . . . . . . . . . . . . . . . . . . 30
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Developing Computer Security Policies & Procedures . . . . . 28
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Implementing & Managing a Computer Security Program. . . . . 19
Information Security and Policy. . . . . . . . . . . . . . . 32
Information Security Principles and Practice . . . . . . . . 17
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
Keeping Out of Trouble with the Software Police. . . . . . . . 9
LAN Security . . . . . . . . . . . . . . . . . . . . . . . . 28
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Physical Security for Data Processing. . . . . . . . . . . . 31
Protecting Networks & Small Systems. . . . . . . . . . . . . 29
Recent Developments in Information Security. . . . . . . . . 25
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
Secure Systems Design and Program Management . . . . . . . . 26� CONTINGENCY PLANNING
PROGRAM & FUNCTIONAL MANAGERS
COURSE TITLE PAGE
Advanced Technology Conference . . . . . . . . . . . . . . . 10
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Data Communications Security . . . . . . . . . . . . . . . . 28
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Security Principles and Practice . . . . . . . . 17
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Planning an EDP Disaster Recovery Program. . . . . . . . . . 33
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
� SYSTEMS LIFE CYCLE MANAGEMENT
PROGRAM & FUNCTIONAL MANAGERS
COURSE TITLE PAGE
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Application Security Reviews . . . . . . . . . . . . . . . . 30
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security In Application Software. . . . . . . . . . 34
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Introduction to Secure Systems . . . . . . . . . . . . . . . 34
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Secure Systems Design and Program Management . . . . . . . . 26
Security in Software Applications. . . . . . . . . . . . . . 33
UPS: Design, Selection and Specification . . . . . . . . . . 34
� COMPUTER SECURITY BASICS
IRM, SECURITY, & AUDIT
COURSE TITLE PAGE
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Advanced Data Comm Networks: Security/Auditability . . . . . . 55
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Audit Software for the 21st Century. . . . . . . . . . . . . 48
Audit and Control of Electronic Data Interchange . . . . . . 39
Audit and Security of Relational Databases and Applications. . 57
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Auditing the Data Center (M2020) . . . . . . . . . . . . . . 36
Auditing EDI Applications. . . . . . . . . . . . . . . . . . 47
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Auditing System Development: New Techniques for New Technologies47
Auditing Fraud: Prevent, Detect, & Control . . . . . . . . . . 54
Auditing Advanced Information Technology . . . . . . . . . . . 51
Auditing Datacomm Networks . . . . . . . . . . . . . . . . . . 50
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
Becoming An Effective Data Security Officer. . . . . . . . . . 53
Business Fraud (M2008) . . . . . . . . . . . . . . . . . . . 38
Computer Security Awareness. . . . . . . . . . . . . . . . . . 6
Computer Fraud (M2010) . . . . . . . . . . . . . . . . . . . 38
Computer Security for Managers Seminar . . . . . . . . . . . 53
Computer Security. . . . . . . . . . . . . . . . . . . . . . . 32
Computer Security & Contingency Planning . . . . . . . . . . 51
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 7
Computer Security for Security and MIS Professionals . . . . . 89
Computer Security For End Users. . . . . . . . . . . . . . . . 2
Computer Security Awareness Training . . . . . . . . . . . . . 3
Control and Security of LANS . . . . . . . . . . . . . . . . 50
Control and Security of Local Area Networks. . . . . . . . . 52
Detecting and Preventing Computer Fraud. . . . . . . . . . . 11
EDI: New Frontiers For Auditors. . . . . . . . . . . . . . . . 56
EDP Auditing: The First Step . . . . . . . . . . . . . . . . . 52
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Implementing & Managing a Computer Security Program. . . . . 19
Information Risk Assessment & Security Management. . . . . . . 3
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Systems Audit Workshop . . . . . . . . . . . . . . 49
INFOSEC Foundations Seminar. . . . . . . . . . . . . . . . . . 54
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Intro. to Auditing Micros and LANs: Controlling End-User
Computing . . . . . . . . . . . . . . . . . . . . . . . . . 43
Introduction to EDP Auditing (M2022) . . . . . . . . . . . . 37
Introduction to LAN Security . . . . . . . . . . . . . . . . 10
LAN Tuning and Performance for Audit and Security Personnel. 57
LAN Security (M2006) . . . . . . . . . . . . . . . . . . . . 37
Micro Security for Information Systems Security Analysts . . . 35
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Network Auditing (M2034) . . . . . . . . . . . . . . . . . . 35
On-Line, Dist Comm Sys:Control, Audit & Security . . . . . . . 55
PC Security (M2004). . . . . . . . . . . . . . . . . . . . . 37
PC/LAN Auditing (M2028). . . . . . . . . . . . . . . . . . . 36
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Security Technology in the Real World. . . . . . . . . . . . 45
The Integrated Audit Workshop. . . . . . . . . . . . . . . . 48
The Data Center: Auditing For Profit . . . . . . . . . . . . . 56
Understanding Trusted Systems. . . . . . . . . . . . . . . . 19
Using Investigative Software to Detect Fraud . . . . . . . . 47� SECURITY PLANNING & MANAGEMENT
IRM, SECURITY, & AUDIT
COURSE TITLE PAGE
A Fraud Update: Forensic and Investigative Auditing. . . . . 24
ADP Security Officers (ADPSO) Concepts . . . . . . . . . . . . 2
Advanced Technology Conference . . . . . . . . . . . . . . . 10
AIS Security Strategies. . . . . . . . . . . . . . . . . . . 60
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Audit and Security of Client/Server Architectures. . . . . . 24
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Auditing EDI Applications. . . . . . . . . . . . . . . . . . 47
Becoming An Effective Data Security Officer. . . . . . . . . . 53
Computer Viruses, Trojan Horses, and Logic Bombs . . . . . . 61
Computer Security For Security Officers. . . . . . . . . . . 62
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Continuity of Operations/Disaster Recovery Planning:
Part II Workshop. . . . . . . . . . . . . . . . . . . . . 30
Control and Security of LANS . . . . . . . . . . . . . . . . 50
CS 329 - Computer Security Systems II. . . . . . . . . . . . . 58
Data Communications Security . . . . . . . . . . . . . . . . 28
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
EE 250 - Telecommunications Security Systems . . . . . . . . . 59
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Implementing & Managing a Computer Security Program. . . . . 19
Information Security Principles and Practice . . . . . . . . 17
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Microcomputer Security . . . . . . . . . . . . . . . . . . . 62
Physical Security for Data Processing. . . . . . . . . . . . 31
Protecting Networks & Small Systems. . . . . . . . . . . . . 29
Protecting Your Networks from Hackers, Viruses, and Other Attacks 23
Recent Developments in Information Security. . . . . . . . . 25
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
Security Technology in the Real World. . . . . . . . . . . . 45
The CMW: Administrator Tutorial. . . . . . . . . . . . . . . . 61
Writing Security Plans . . . . . . . . . . . . . . . . . . . 26� COMPUTER SECURITY POLICY & PROCEDURES
IRM, SECURITY, & AUDIT
COURSE TITLE PAGE
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Audit, Control, and Security of LAN and Mainframe Connectivity 31
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Audit Software for the 21st Century. . . . . . . . . . . . . 48
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Auditing EDI Applications. . . . . . . . . . . . . . . . . . 47
Auditing the Data Center for Controls, Efficiency, and
Cost-Effectiveness. . . . . . . . . . . . . . . . . . . . 68
Auditing Advanced Information Technology . . . . . . . . . . . 69
Auditing the Data Center (M2020) . . . . . . . . . . . . . . 36
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
Business Fraud (M2008) . . . . . . . . . . . . . . . . . . . 38
Communication Security Principles & Practices. . . . . . . . 66
Comprehensive INFOSEC Seminar. . . . . . . . . . . . . . . . 66
Computer Viruses, Trojan Horses, and Logic Bombs . . . . . . 61
Computer Security. . . . . . . . . . . . . . . . . . . . . . 35
Computer Viruses . . . . . . . . . . . . . . . . . . . . . . 31
Computer Viruses: Detect, Prevent, Cure Infections . . . . . 69
Computer Security And Privacy. . . . . . . . . . . . . . . . . 67
Computer Security for Managers Seminar . . . . . . . . . . . 53
Computer Security Seminar. . . . . . . . . . . . . . . . . . 64
Computer Fraud (M2010) . . . . . . . . . . . . . . . . . . . 38
Computer Security & Contingency Planning . . . . . . . . . . 51
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Control and Security of LANS . . . . . . . . . . . . . . . . 50
CS 230 - Information Policy. . . . . . . . . . . . . . . . . . 63
Data Security Planning . . . . . . . . . . . . . . . . . . . . 68
Database Security Seminar. . . . . . . . . . . . . . . . . . 65
Developing Computer Security Policies & Procedures . . . . . 28
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Fundamentals of Computer Security for Federal Information
Systems . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Security Principles and Practice . . . . . . . . 17
Information Risk Assessment & Security Management. . . . . . . 3
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Introduction to EDP Auditing (M2022) . . . . . . . . . . . . 37
Keeping Out of Trouble with the Software Police. . . . . . . . 9
LAN Security (M2006) . . . . . . . . . . . . . . . . . . . . 37
Managing Computer Security-Mergs, Acq, and Divestitures. . . 67
Microcomputer Security . . . . . . . . . . . . . . . . . . . 62
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Network Security Seminar . . . . . . . . . . . . . . . . . . 65
Network Auditing (M2034) . . . . . . . . . . . . . . . . . . 35
PC Security (M2004). . . . . . . . . . . . . . . . . . . . . 37
PC/LAN Auditing (M2028). . . . . . . . . . . . . . . . . . . 36
Protecting Networks & Small Systems. . . . . . . . . . . . . 29
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
Security Technology in the Real World. . . . . . . . . . . . 45
Security and Control in Automated Systems-Audit IS . . . . . . 63
� CONTINGENCY PLANNING
IRM, SECURITY, & AUDIT
COURSE TITLE PAGE
Advanced Technology Conference . . . . . . . . . . . . . . . 10
Advanced Network Security Architecture . . . . . . . . . . . . 75
AIS Security Strategies. . . . . . . . . . . . . . . . . . . . 60
Application Security Reviews . . . . . . . . . . . . . . . . 30
Architecture for Secure Systems. . . . . . . . . . . . . . . . 73
Audit and Control of Electronic Data Interchange . . . . . . 39
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Auditing Client/Server Technology. . . . . . . . . . . . . . 24
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Auditing the Data Center for Controls, Efficiency,
and Cost-Effectiveness . . . . . . . . . . . . . . . . . . . 68
Computer Security & Contingency Planning . . . . . . . . . . 51
Continuity of Operations/Disaster Rec. Planning: Part II Worksho 30
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Control and Security of LANS . . . . . . . . . . . . . . . . 50
Data Communications Security . . . . . . . . . . . . . . . . 28
Disaster Recovery Planning . . . . . . . . . . . . . . . . . . 70
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Information Systems Seminar For Internal Auditors. . . . . . . 4
INFOSEC Evaluations Using Formal Methods . . . . . . . . . . . 76
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Introduction to Software Verification. . . . . . . . . . . . . 76
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Model Interpretations. . . . . . . . . . . . . . . . . . . . . 75
Network Security Architecture. . . . . . . . . . . . . . . . . 74
Operating System Security Concepts . . . . . . . . . . . . . . 72
Physical Security for Data Processing. . . . . . . . . . . . 31
Risk Management. . . . . . . . . . . . . . . . . . . . . . . 25
Risk Assessment Techniques For Auditors. . . . . . . . . . . . 71
Trusted Integration/System Certification . . . . . . . . . . . 71
Trusted Systems Criteria and Concepts. . . . . . . . . . . . . 72� SYSTEMS LIFE CYCLE MANAGEMENT
IRM, SECURITY, & AUDIT
COURSE TITLE PAGE
AIS Security Strategies. . . . . . . . . . . . . . . . . . . 60
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing the Systems Development Process . . . . . . . . . . . 70
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Auditing System Development: New Techniques for New Technologies47
Becoming Effective Data Security Officer . . . . . . . . . . . 53
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
Computer Security for the End-User . . . . . . . . . . . . . . 80
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Systems Security (CSI 214) . . . . . . . . . . . 81
Information Security Principles and Practice . . . . . . . . 17
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Introduction to Secure Systems . . . . . . . . . . . . . . . 34
Network Security . . . . . . . . . . . . . . . . . . . . . . . 77
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
UPS: Design, Selection and Specification . . . . . . . . . . 34� COMPUTER SECURITY BASICS
ADP MANAGEMENT AND OPERATIONS
COURSE TITLE PAGE
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Advanced Information Technology . . . . . . . . . . . 69
Auditing System Development: New Techniques for New Technologies47
Auditing the Data Center (M2020) . . . . . . . . . . . . . . 36
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Auditing Datacomm Networks . . . . . . . . . . . . . . . . . . 50
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
Business Fraud (M2008) . . . . . . . . . . . . . . . . . . . . 38
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security For End Users. . . . . . . . . . . . . . . . 2
Computer Security Awareness (CBT). . . . . . . . . . . . . . . 7
Computer Security Awareness Training . . . . . . . . . . . . . 3
Computer Security & Contingency Planning . . . . . . . . . . 51
Computer Security for Managers Seminar . . . . . . . . . . . 53
Computer Fraud (M2010) . . . . . . . . . . . . . . . . . . . 38
Computer Security Awareness. . . . . . . . . . . . . . . . . . 6
Computer Security for Security and MIS Professionals . . . . . 89
Control and Security of LANS . . . . . . . . . . . . . . . . 50
Detecting and Preventing Computer Fraud. . . . . . . . . . . 11
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Risk Assessment & Security Management. . . . . . . 3
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
INFOSEC Foundations Seminar. . . . . . . . . . . . . . . . . . 54
Introduction to EDP Auditing (M2022) . . . . . . . . . . . . 37
Introduction to LAN Security . . . . . . . . . . . . . . . . 10
LAN Security (M2006) . . . . . . . . . . . . . . . . . . . . 37
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Network Auditing (M2034) . . . . . . . . . . . . . . . . . . 35
PC/LAN Auditing (M2028). . . . . . . . . . . . . . . . . . . 36
PC Security (M2004). . . . . . . . . . . . . . . . . . . . . 37
Protecting Your Networks from Hackers, Viruses, and Other Attacks 23
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Security Technology in the Real World. . . . . . . . . . . . 45
The Data Center: Auditing For Profit . . . . . . . . . . . . . 56� SECURITY PLANNING AND MANAGEMENT
ADP MANAGEMENT AND OPERATIONS
COURSE TITLE PAGE
A Fraud Update: Forensic and Investigative Auditing. . . . . 24
A Practical Approach to Certifying a System. . . . . . . . . . 83
AIS Security Strategies. . . . . . . . . . . . . . . . . . . 60
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit and Security of Relational Databases and Applications. . 57
Audit and Security of Client/Server Architectures. . . . . . 24
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Becoming Effective Data Security Officer . . . . . . . . . . . 80
Building Information Security Awareness. . . . . . . . . . . 27
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security & Contingency Planning . . . . . . . . . . . 51
Computer Viruses, Trojan Horses, and Logic Bombs . . . . . . 61
Continuity of Operations/Disaster Recovery Planning: Part II Workshop 30
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Control and Security of LANS . . . . . . . . . . . . . . . . 50
CSMN 655 - Information Risk Assessment and Security Management 82
Data Communications Security . . . . . . . . . . . . . . . . 28
Developing Computer Security Policies & Procedures . . . . . 28
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Security (CSI 214) . . . . . . . . . . . 81
Information Risk Assessment & Security Management. . . . . . . 3
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Security Principles and Practice . . . . . . . . 17
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
LAN Security . . . . . . . . . . . . . . . . . . . . . . . . 28
LAN Tuning and Performance for Audit and Security Personnel. 57
Microcomputer Security . . . . . . . . . . . . . . . . . . . 62
Physical Security for Data Processing. . . . . . . . . . . . . 31
Protecting Networks & Small Systems 29
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
Secure Systems Design and Program Management . . . . . . . . 26
Security in Software Applications. . . . . . . . . . . . . . 33
Security Technology in the Real World. . . . . . . . . . . . 45
TEMPEST Program Management and Systems Engineering . . . . . 81
The Security-Audit Alliance. . . . . . . . . . . . . . . . . . 83� COMPUTER SECURITY POLICY AND PROCEDURES
ADP MANAGEMENT AND OPERATIONS
COURSE TITLE PAGE
Audit, Control, and Security of LAN and Mainframe Connectivity 31
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security & Contingency Planning . . . . . . . . . . . 51
Computer Viruses: Detect, Prevent, Cure Infections . . . . . 69
Computer Viruses Seminar . . . . . . . . . . . . . . . . . . . 84
Computer Viruses . . . . . . . . . . . . . . . . . . . . . . 31
Computer Security. . . . . . . . . . . . . . . . . . . . . . 35
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Control and Security of LANS . . . . . . . . . . . . . . . . 50
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
Implementing & Managing a Computer Security Program. . . . . 19
Information Systems Seminar For Internal Auditors. . . . . . . 4
Information Systems Security (CSI 214) . . . . . . . . . . . 81
Information Security Principles and Practice . . . . . . . . 17
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Operational Network Security Seminar . . . . . . . . . . . . . 84
Secure Systems Design and Program Management . . . . . . . . 26
TEMPEST Program Management and Systems Engineering . . . . . 81� CONTINGENCY PLANNING
ADP MANAGEMENT AND OPERATIONS
COURSE TITLE PAGE
Application Security Reviews . . . . . . . . . . . . . . . . 30
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Client/Server Technology. . . . . . . . . . . . . . 49
Business Impact Analysis . . . . . . . . . . . . . . . . . . 85
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
Communications Technologies. . . . . . . . . . . . . . . . . . 86
COMPUSEC . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Computer Security & Contingency Planning . . . . . . . . . . 51
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
Continuity of Operations/Disaster Recovery Planning: Part II Workshop 30
Disaster Recovery Planning . . . . . . . . . . . . . . . . . 70
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
Implementing and Testing the Disaster Recovery Plan. . . . . . 88
Information Systems Seminar For Internal Auditors. . . . . . . 4
INFOSEC. . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Managing and Developing a Disaster Recovery Plan . . . . . . . 87
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Physical Security for Data Processing. . . . . . . . . . . . 31� SYSTEMS LIFE CYCLE MANAGEMENT
ADP MANAGEMENT AND OPERATIONS
COURSE TITLE PAGE
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing System Development: New Techniques for New Technologies 47
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
Information Systems Seminar For Internal Auditors. . . . . . . 4
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
TEMPEST Program Management and Systems Engineering . . . . . 81
The CMW: Application Programming . . . . . . . . . . . . . . . 88
� COMPUTER SECURITY BASICS
END USERS
COURSE TITLE PAGE
Audit and Control of Electronic Data Interchange . . . . . . 39
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
Computer Security for the End-User . . . . . . . . . . . . . . 80
Computer Security: For Security and MIS Professionals. . . . . 43
Computer Security & Contingency Planning . . . . . . . . . . 51
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
Information Systems Seminar For Internal Auditors. . . . . . . 4
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
LAN Security Overview. . . . . . . . . . . . . . . . . . . . . 9
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
Network Security . . . . . . . . . . . . . . . . . . . . . . . 77
PC SECURITY. . . . . . . . . . . . . . . . . . . . . . . . . . 89
PC-LAN and Data Security . . . . . . . . . . . . . . . . . . . 9
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
TEMPEST Program Management and Systems Engineering . . . . . 81� SECURITY PLANNING AND MANAGEMENT
END USERS
COURSE TITLE PAGE
Audit and Security of Relational Databases and Applications. . 57
Audit and Control of Electronic Data Interchange . . . . . . 39
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Basic Security For PC Users. . . . . . . . . . . . . . . . . 44
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
Computer Viruses . . . . . . . . . . . . . . . . . . . . . . 31
Continuity of Operations/Disaster Rec. Planning: Part II Workshop 30
Continuity of Operations/Disaster Recovery Planning: Part I. . 8
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Federal AIS Computer Security Requirements . . . . . . . . . . 4
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 560 Legal Environment of Information Systems . . . . . . 79
Information Systems Seminar For Internal Auditors. . . . . . . 4
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Physical Security for Data Processing. . . . . . . . . . . . 31
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
TEMPEST Program Management and Systems Engineering . . . . . 81� COMPUTER SECURITY POLICY AND PROCEDURES
END USERS
COURSE TITLE PAGE
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Computer Security: For Security and MIS Professionals. . . . . 43
Computer Security & Contingency Planning . . . . . . . . . . . 51
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
Information Systems Seminar For Internal Auditors. . . . . . . 4
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
LAN Security . . . . . . . . . . . . . . . . . . . . . . . . . 90
Microcomputer Security . . . . . . . . . . . . . . . . . . . . 7
TEMPEST Program Management and Systems Engineering . . . . . 81
The CMW: User Tutorial . . . . . . . . . . . . . . . . . . . . 90� CONTINGENCY PLANNING
END USERS
COURSE TITLE PAGE
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Business Impact Analysis . . . . . . . . . . . . . . . . . . . 85
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
GBA 560 Legal Environment of Information Systems . . . . . . 79
Information Systems Seminar For Internal Auditors. . . . . . . 4
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42� SYSTEMS LIFE CYCLE MANAGEMENT
END USERS
COURSE TITLE PAGE
Audit and Control of End-user Computing (EUC). . . . . . . . 40
Audit and Control of Electronic Data Interchange . . . . . . 39
Auditing Information Systems . . . . . . . . . . . . . . . . 41
Auditing System Development: New Techniques for New Technologies 47
CIS 433, EDP Auditing. . . . . . . . . . . . . . . . . . . . 78
EDP Concepts For Business. . . . . . . . . . . . . . . . . . . 6
GBA 560 Legal Environment of Information Systems . . . . . . 79
GBA 577: Advanced EDP Auditing . . . . . . . . . . . . . . . 79
GBA 578: Security and Privacy of Information Systems . . . . 78
Information Systems Seminar For Internal Auditors. . . . . . . 4
Integrated Auditing: The Basics. . . . . . . . . . . . . . . 42
Risk Assessment. . . . . . . . . . . . . . . . . . . . . . . 19
TEMPEST Program Management and Systems Engineering . . . . . 81� APPENDEX B
VENDOR LIST
VENDOR NAME
Anne Arundel Community College
Page(s): 81
ARCA
Page(s): 53, 54, 64, 65, 66, 71, 84, 108
Booz-Allen & Hamilton Inc.
Page(s): 7, 19, 26, 34, 89
California State Polytechnic, Univ, Pomona
Page(s): 78, 79
Canaudit Inc
Page(s): 45, 47, 48, 49, 50, 51, 52, 56, 96, 107, 111, 112, 113, 117
CENTER for Adv. Professional Develop
Page(s): 69
Computer Security Institute
Page(s): 27, 28, 29, 33, 53, 61, 62, 66, 67, 82, 83
COMSIS
Page(s): 4, 8, 19, 28, 30, 31, 80
DATAPRO Educational Services
Page(s): 1, 9, 35, 90
Disaster Recovery Institute
Page(s): 85, 86, 87, 88
DPEC
Page(s): 7
Ernst & Young
Page(s): 4, 6
George Mason University
Page(s): 17, 25, 107
George Washington University/GSAS
Page(s): 32
Grumman Data Systems & Services
Page(s): 7, 8, 11, 12, 13, 14, 15, 91, 99, 105, 127
GSA Training Center
Page(s): 3, 32
IBM Management Institute
Page(s): 68, 70
Information Resources Management College
Page(s): 60
Johns Hopkins University
Page(s): 67
MACRO International, Inc.
Page(s): 1, 16, 17
MIS Training Institute
Page(s): 9, 10, 11, 23, 24, 31, 43, 54, 55, 57, 68, 71, 93, 96, 98, 104, 109, 110, 114, 115, 117, 118, 119,
120, 121, 122, 123, 126, 128, 129
Montgomery College
Page(s): 35
National Security Agency
Page(s): 72, 73, 74, 75, 76
Naval Computer and Telecommunications Station
Page(s): 2, 25, 44
RSH Consulting, Inc.
Page(s): 92, 126
SAFEware
Page(s): 125
Security Engineering Services, Inc.
Page(s): 18, 26, 44, 77, 81
Skill Dynamics - An IBM Company
Page(s): 20, 21, 22, 35, 36, 37, 38, 92, 93, 100, 101, 102, 105, 110, 116, 118, 119, 121, 122
The George Washington University
Page(s): 58, 59, 63
The Institute of Internal Auditors
Page(s): 10, 40, 41, 42
The Henderson Group
Page(s): 94, 95, 97, 103
Thomas R. Hardy & Associates, Inc.
Page(s): 18
Trainix
Page(s): 106
Trusted Systems Training, Inc.
Page(s): 61, 88, 90, 124
University of Wisconsin, Milwaukee
Page(s): 34
University of Maryland, University College
Page(s): 3, 82
USDA Graduate School
Page(s): 2, 3, 30, 31, 33, 62, 63, 64, 70
� APPENDIX D
PRODUCT SPECIFIC COURSES
PRODUCT PAGE
A Three Day Emergency Session on PBX Fraud . . . . . . . . . .128
Advanced Audit, Control, and Security/ DEC's VAX/VMS . . . . .114
AS/400 Security Concepts and Implementations (S6050). . . . .116
AS/400 Recovery and Availability Management (S6051) . . . . .116
Audit, Control, and Security Of AS/400 . . . . . . . . . . . .117
Audit/Security Concepts-MVS/XA & MVS/ESA . . . . . . . . . . .122
Audit and Security of Novell . . . . . . . . . . . . . . . . .108
Audit and Security of Tandem Systems . . . . . . . . . . . . .111
Audit and Security of Unix-Based Operating Systems . . . . . .103
Audit and Security of Banyan VINES . . . . . . . . . . . . . .126
Audit & Security of DB2. . . . . . . . . . . . . . . . . . . . 96
Audit, Control and Security of CICS/ESA. . . . . . . . . . . . 11
Auditing AS/400: A Step By Step Approach . . . . . . . . . . .117
Auditing DB2 . . . . . . . . . . . . . . . . . . . . . . . . . 96
Auditing UNIX. . . . . . . . . . . . . . . . . . . . . . . . .106
Auditing MVS in a CA-ACF2 Environment (M2030) . . . . . . . . 99
Auditing MVS in a RACF Environment (M2026). . . . . . . . . .101
Auditing MVS in a CA-TOP SECRET Environment (M2032) . . . . . 99
Auditing Decnet. . . . . . . . . . . . . . . . . . . . . . . .112
Auditing RACF. . . . . . . . . . . . . . . . . . . . . . . . . 92
Auditing VAX: A Comprehensive Approach . . . . . . . . . . . .113
CA-ACF2: Proper Implementation and Security. . . . . . . . . .118
CA-TOP Secret: Proper Implementation and Security. . . . . . .119
Converting from CA-TOP SECRET to RACF (H3890). . . . . . . .119
Converting CA-ACF2 to RACF (H3891) . . . . . . . . . . . . .118
Effective RACF Administration (H3927) . . . . . . . . . . . . 92
Enterprise Systems Analysis for MVS/ESA & MVS/XA . . . . . . .123
Guide To Auditing Novell Networks V.3. . . . . . . . . . . . .109
Hands-On-Lans: Auditing Novell Networks Workshop . . . . . . .110
How to Get the Most Out of RACF. . . . . . . . . . . . . . . . 94
IBM LAN Server: Audit and Security . . . . . . . . . . . . . .129
Implementing Security for CICS Using RACF (H4001). . . . . .121
Introduction to DEC's VAX/VMS Operating System . . . . . . . .113
MaxSix Trusted Networking. . . . . . . . . . . . . . . . . . .124
MVS/ESA Disaster Recovery (J3716). . . . . . . . . . . . . . .122
MVS Security (M2002) . . . . . . . . . . . . . . . . . . . . .102
MVS/ESA as a Server, Peer and Open System Audit, Control,
and Security . . . . . . . . . . . . . . . . . . . . . . . . 97
MVS Auditing (M2024) . . . . . . . . . . . . . . . . . . . . .100
MVS/ESA -RACF Security Topics (H3918) . . . . . . . . . . . .101
Novell NetWare Security (M2000). . . . . . . . . . . . . . .109
OS/MVS and SMF: Security and Audit Facilities. . . . . . . . . 97
Practical Approach to Auditing RACF. . . . . . . . . . . . . . 94
Practical Approach to Auditing MVS Security. . . . . . . . . .102
Practical Approach to Auditing DB2 Security. . . . . . . . . . 95
RACF: Proper Implementation and Security . . . . . . . . . . . 93
RACF Installation (H3837) . . . . . . . . . . . . . . . . . . 93
SAFE = Security Awareness from Education . . . . . . . . . . .125
SE01: RACF for Project Managers. . . . . . . . . . . . . . . . 91
SE02: RACF for Security Officers . . . . . . . . . . . . . . . 91
SECO1-M: MVS Security for Project Managers . . . . . . . . . . 98
SECO2-M: MVS Security for Security Officers. . . . . . . . . . 98
SECO2-V: VM Security for Project Managers. . . . . . . . . . .127
SECO3-U: Unix Security . . . . . . . . . . . . . . . . . . . .104
SECO3-V: VM Security for Security Officers . . . . . . . . . .127
Security & Auditing of SNA Networks/ACF/VTAM & NCP . . . . . .120
Security for Banyan VINES LANs . . . . . . . . . . . . . . . .126
Unix Workshop. . . . . . . . . . . . . . . . . . . . . . . . .103
UNIX Security Seminar. . . . . . . . . . . . . . . . . . . . .107
UNIX Security . . . . . . . . . . . . . . . . . . . . . . . .106
UNIX Security For Users. . . . . . . . . . . . . . . . . . . .105
UNIX/AIX Security (M2012) . . . . . . . . . . . . . . . . . .104
UNIX Systems Security. . . . . . . . . . . . . . . . . . . . .105
What Data Security Officers & Auditors Need to Know and Do About
VTAM Security. . . . . . . . . . . . . . . . . . . . . . . . 96� APPENCIX C
PRODUCT LIST
PRODUCT PAGE
AS/400 . . . . . . . . . . . . . . . . . . . . . . . . . . . 116
BANYAN VINES . . . . . . . . . . . . . . . . . . . . . . . . 126
CA-ACF2. . . . . . . . . . . . . . . . . . . . . . . . . . . 118
CA-TOP SECRET. . . . . . . . . . . . . . . . . . . . . . . . 119
CICS/ESA . . . . . . . . . . . . . . . . . . . . . . . . . . 121
DB2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
DECNET . . . . . . . . . . . . . . . . . . . . . . . . . . . 112
IBM. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
MAXSIX . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
MVS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 97
NOVELL . . . . . . . . . . . . . . . . . . . . . . . . . . . 108
PBX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
RACF . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
SAFEware . . . . . . . . . . . . . . . . . . . . . . . . . . 125
SNA. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
TANDEM . . . . . . . . . . . . . . . . . . . . . . . . . . . 111
UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
VAX. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113
VM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
VTAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 96
�
COURSE TITLE: Telecommunications for Information Systems Security Analysts
COURSE LENGTH: 32 HRS
VENDOR:
DATAPRO Educational Services
600 Delran Parkway
Delran, NJ 08076
(609) 764-0100
This course provides an introduction of basic telecommunications systems and mediums for the System
Security analyst and an understanding of the integral role they play in successful protection of the system's
data. They will learn current regulatory and control concepts, gain a working knowledge of
telecommunications principles and develop an understanding of the products and services offered from various
vendors. They will also learn proactive techniques that support diverse information transmission mediums and
develop an understanding of telecommunication systems vulnerabilities. They will learn how to evaluate the
present contingency plan and how to develop a risk analysis formula. They will develop a project plan for
contingency implementations of hardware and software that support disaster recovery.
COURSE TITLE: Computer Security Executive Overview
COURSE LENGTH: 3 HRS.
VENDOR:
MACRO International, Inc.
8850 Stanford Boulevard
Columbia, MD 21045
(410) 290-2800
This briefing is designed for executive personnel and will present an overview of applicable laws and other
requirements for computer security. The course will emphasize implementation of these requirements at the
executive management level, and the role of senior management in supporting security initiatives.
COURSE TITLE: ADP Security Officers (ADPSO) Concepts
COURSE LENGTH: 8 HRS
VENDOR:
Naval Computer and Telecommunications Station
ATTN Code N823
PO Box 357056
San Diego, CA 92135-7056
(619) 545-8628 - DSN 735-8628
This one-day course is an overview of what is involved in implementing a command AIS Security Program
and discusses the DoD and DON Minimum Program Requirements policy. This course is excellent for a
beginner ADPSO or other AIS Security staff members. The course outlines the responsibilities of DON
management and command AIS Security Staff members, identifies the steps necessary for accreditation, and
the structure of the DON AIS Security Program which includes a discussion on the Controlled Access
Protection (CAP) Guidebook (NAVSO P-5239-15). The course discusses aids in solving common AIS
Security problems and discusses methods in determining system security levels. This course is conducted at
the NAVCOMTELSTA San Diego facility or at your command.
COURSE TITLE: Computer Security For End Users
COURSE LENGTH: 1 DAY
VENDOR:
USDA, Graduate School
600 Maryland Ave, SW
Washington, DC 20024
(202) 447-7124
This workshop will give you an overview of the threats to, and vulnerabilities of, computer systems, and
appropriate safeguards to protect those systems. We will stress your role in the protection of sensitive data,
and in the prevention and detection of computer crime. You will receive checklists and suggestions for
becoming more aware of possible computer security problems in your office, and you will be able to get advice
on how to deal with concerns that are specific to your agency or installation.
COURSE TITLE: Computer Security For Executives
COURSE LENGTH: 3 HRS
VENDOR:
USDA, Graduate School
600 Maryland Ave, SW
Washington, DC 20024
(202) 447-7124
This briefing will give you a basic understanding of computer security. It includes an overview of threats and
vulnerabilities to computer systems and your responsibility for the assessment of your agency's computer
security program. We will review briefly the history of computers, then examine current dependencies on
computers, applicable laws and regulations, computer crime, viruses, and touch on espionage. Bring your
questions because the briefing is designed to be responsive to your needs. Time has been reserved at various
points for you to raise concerns from your individual agency perspective.
COURSE TITLE: Computer Security Awareness Training
COURSE LENGTH: 3 HRS
VENDOR:
GSA Training Center
P.O. Box 15608
Arlington, VA 22215-0608
Joan Bender: (703) 603-3213
Participants learn to be aware of threats to and vulnerabilities of computer systems, as well as to encourage
use of improved security practices. Topics include: Computer Security Act of 1987; computer fraud, waste,
and abuse; and types of computer hackers. Also discussed are natural disasters and human errors relating to
computer security.
COURSE TITLE: Information Risk Assessment & Security Management
COURSE LENGTH: 1 SEM
VENDOR:
University of Maryland, University College
University Boulevard at Adelphi Road
College Park, MD 20742-1614
(301) 985-7155
An examination of the proliferation of corporate data bases and the development of telecommunications
network technology as gateways or invitations to intrusion. Ways of investigating the management of the risk
and security data and data systems are presented as a function of design through recovery and protection.
Issues of risk and security, as they relate to specific industries and government, are major topics in the course.
Examples are presented of how major technological advances in computer and operating systems have placed
data, as tangible corporate assets, at risk. Both quantitative sampling techniques for risk assessment and for
qualitative decision-making under uncertainty are explored.
COURSE TITLE: Federal AIS Computer Security Requirements
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
Ronald E. Freedman: (301) 588-0800
This course begins with a review of the Federal Computer Security framework and an introduction to the key
players and legislation that has shaped Federal Computer Security policy.
COURSE TITLE: Information Systems Seminar For Internal Auditors
COURSE LENGTH: 5 DAY
VENDOR:
Ernst & Young
2000 National City Center
Cleveland, OH 44114
Morton T. Siegel: (800) 289-5745
This introductory seminar of computer concepts and controls is designed for the MIS or internal auditing
professional who needs to learn about basic computer concepts, computer controls and security, system life
cycle planning and control, and contingency planning. Individuals with these backgrounds who complete this
seminar will be exposed to every major aspect of information systems auditing and should be able, with the
tools provided in the seminar, to perform basic IS Audits. In addition, the seminar will emphasize how ISA
is integrated with the internal audit process. This is a five-day, classroom program consisting of stand-alone
modules that can be presented as a whole or modules can be selected to provide training on specific subjects
in shorter-duration programs. Call the vendor for more information regarding which of the following modules
have been selected for this particular training area.
Module 1-Introduction to the Seminar
Module 2-Information Systems Auditor's Role
Module 3-Getting Started
Module 4-Planning the IS Audit
Module 5-Overview of the ISA Function
Module 6-Overview of Computer Operations
Module 7-A Management Approach to Computer Fraud
Module 8-Introduction to General Controls
Module 9-Organization and Administration
Module 10-System Development Life Cycle
Module 11-Change Control and Management
Module 12-Case Study
Module 13-The Time Bomb
Module 14-Access Control
Module 15-Case Study
Module 16-Program Execution
Module 17-Continuity of Operations
Module 18-Outsourcing and Other Alternative Processing
Module 19-Cloak and Data
Module 20-Data Bases
Module 21-Minicomputer Systems-Audit and Control Considerations
Module 22-Microcomputers-Audit and Control Considerations
Module 23-Introduction to Application Control Reviews
Module 24-Input Control Objectives and Procedures
Module 25-Case Study-Input Controls
Module 26-Processing Control Objectives and Procedures
Module 27-Output Control Objectives and Procedures
Module 28-Case Study-Processing and Output Controls
Module 29-Generalized Audit Software and Other CAATs
Module 30-Summary
�COURSE TITLE: EDP Concepts For Business
COURSE LENGTH: SELF-PACED
VENDOR:
Ernst & Young
2000 National City Center
Cleveland, OH 44114
Morton T. Siegel: (800) 289-5745
EDP Concepts for Business is an interactive computer-based training (CBT) program. The student receives
information and is coached based upon the answers to teaching questions. This was designed to involve the
student, be flexible, and be responsive to the student's needs; this format focuses on the student. You need
only an IBM PC, XT, AT, or any IBM-compatible microcomputer with at least 192K memory. Call the
vendor for more information regarding which of the following modules have been selected for this particular
training area.
Module 1-Computers and Their Components
Module 2-Data and Data Processing
Module 3-Programs and Languages
Module 4-The System Development Life Cycle
Module 5-EDP Personnel
Module 6-Access Control and Security
COURSE TITLE: Computer Security Awareness
COURSE LENGTH: 1 HR
VENDOR:
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102-3838
(703) 902-5201
The purpose of this course is to provide participants with an awareness of computer security, to sensitize them
to the need for computer security policies and practices in the workplace, and to motivate each individual to
practice effective computer security techniques. The instructional content of the course is composed
of:requirements of computer-security-related laws and circulars; definitions and examples of basic computer
security terms; the increasing concern to protect computer assets; and basic computer practices, controls, and
countermeasures. NOTE:Contact the vendor for information concerning specialized agency training.
COURSE TITLE: Microcomputer Security
COURSE LENGTH: 2 HRS
VENDOR:
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102-3838
(703) 902-5201
The purpose of this microcomputer security course is to sensitize participants to the need for microcomputer
security and to provide each individual with some practical tools to protect their microcomputer assets,
especially the stored information. The course provides practical information on computer security that
microcomputer users can implement immediately. NOTE:Contact the vendor for information concerning
specialized agency training.
COURSE TITLE: Computer Security Awareness (CBT)
COURSE LENGTH: 5-8 HRS
VENDOR:
DPEC
1679 Old Henderson Road
Columbus, OH 43220-3644
(800) 223-3732
This is a Computer Based Training (CBT) course using the framework of administrative, physical and logical
security. Computer Security Awareness explains contingency planning and precautions against computer crime
from the viewpoint of mainframe computers and micros; a computer security checklist is included. This is
a modular course lasting 5 - 8 hours. The number of hours is based upon a student interacting with
approximately 60-120 screens per hour.
COURSE TITLE: Marketplace Implications of the Evolution of Evaluation Criteria
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy
(410) 859-0123
This seminar covers the current state of the Evolution of Trusted Computer Product Evaluation schemes, of
North America and Europe, the products which are evaluated and the conclusions which can be drawn. The
discussions will concentrate on the US Federal Criteria and the implications of the proposed Common Criteria,
for the marketplace in general, and for the integration of COTS products specifically. The briefing is designed
to be responsive to your needs, and time is reserved for in-depth discussions of issues which affect you most
critically.
COURSE TITLE: The Systems Integrator's Perspective on AIS Security Strategies
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
This course presents the application of system integration and composition concepts to the management and
acquisition of AIS, especially where sensitive data is concerned. A major portion of the seminar concentrates
on determining the security implications of alternative approaches and involvement of the appropriate players
during the acquisition process. Managers responsible for the acquisition of sensitive computing resources will
benefit from this seminar.
COURSE TITLE: Continuity of Operations/Disaster Recovery Planning: Part I
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
Ronald E. Freedman: (301) 588-0800
This course outlines the steps to be performed to determine backup/recovery requirements, and effectively plan
and develop a COOP/DRP for both applications and installations.
COURSE TITLE: Executive AIS Security Briefing
COURSE LENGTH: 1/2 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
Ronald E. Freedman: (301) 588-0800
This course provides a brief overview of Federal Computer Security requirements and objectives and explores
Senior Managements role in protecting assets.
COURSE TITLE: Keeping Out of Trouble with the Software Police
COURSE LENGTH: 1 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2356
Pam Bissett: (508) 879-7999
The common practice of copying and sharing is no longer being tolerated by software publishers. Organized
under the umbrellas of the Software Publishers Association (SPA), they are waging an all-out war against
abusers of copyright law. In this special, one-day session, you will learn how to keep your organization
"software legal." Without a lot of confusing "legalese," you will learn: what you need to know about
software license and copyright laws; the methods being used to enforce software licenses and to prosecute
copyright infringement; how to recognize potential violations in your organization; and step-by-step guidelines
for establishing and implementing a practical code of software ethics.
COURSE TITLE: LAN Security Overview
COURSE LENGTH: 16 HRS
VENDOR:
DATAPRO Educational Services
600 Delran Parkway
Delran, NJ 08076
(609) 764-0100
This course will provide the Systems Security analyst with a basic understanding of the security implications
of the Local Area Networks and familiarize the students with the functional considerations of LAN security
routines. The class format will provide a controlled forum for the analyst to discuss the various security
routines and procedures currently in use by the government, their establishment and design. there will also
be discussions on the various types of security measures integrate into the Network Operating Systems of
Novell, Banyan, SCO UNIX and Starian.
COURSE TITLE: PC-LAN and Data Security
COURSE LENGTH: 40 HRS
VENDOR:
DATAPRO Educational Services
600 Delran Parkway
Delran, NJ 08076
(609) 764-0100
This course is intended to give a perspective of the various types of security threats to the first and second level
managers of the Telecom and MIS departments. It has a broad scope, however, it provides a good foundation
for future courses to focus on individual issues and develop security plans.
COURSE TITLE: Advanced Technology Conference
COURSE LENGTH: 3 DAYS
VENDOR:
The Institute of
Internal Auditors
249 Maitland Avenue
Altamonte Springs, FL 32701
(407) 830-7600 ext. 1
The Institute of Internal Auditors' annual Advanced Technology Conference presents world-renowned
technology experts who will share the solutions, tools, and techniques needed to validate and enhance job
performance.
This interactive program addresses a variety of technology challenges that auditors face. Attendees are
provided the opportunity to stay on top of emerging trends as well as the knowledge to utilize the tools and
techniques available for auditing today's technology.
Security professionals will find the sessions informative from the standpoint of learning the business concerns,
risks, and related control techniques involved in current and emerging technology.
Participants have the opportunity to:
Discuss the newest advances in audit technology.
Hear the most informed and experienced speakers.
Understand cutting-edge emerging technologies.
The conference provides a forum in which to learn and exchange information on all aspects of audit, control,
and security technologies.
COURSE TITLE: Introduction to LAN Security
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
Protecting increasingly sensitive LANs is now the most critical security issue facing today's enterprise. In this
intensive, three-day seminar you will benefit from and experience-based, real-world approach to LAN
security. You will gain an understanding of basic LAN technology and security threats. You will learn the
specific components that ensure a solid LAN security program and how security should be designed into the
system. You will leave this high-impact session prepared to plan and implement effective and responsive LAN
COURSE TITLE: Detecting and Preventing Computer Fraud
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
As the gap between computer technology and computer security widens, IS and Internal Auditors are relied
upon more than ever to ensure the integrity and security of organizational data. In this high-impact seminar
you will focus on the risks and threats inherent in computer environments and the controls that are necessary
to assure management that exposures are held to acceptable levels. Through case studies and "real-life"
exercises, you will explore areas of computer fraud, risk management, and treats. You will leave this three-day seminar knowing the controls for preventing computer fraud and methods for detecting it, should it occur.
COURSE TITLE: Practical Aspects of Acquiring and Owning a Multilevel Secure Network
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the course: Give managers and Technical personnel the tools to make appropriate acquisition
and operating decisions regarding MLS Information Systems. Following custom modules:
Module A. The Technology with MLS added. Mandatory Access Control labels, Exploring operational
impacts of MLS: MAC vs DAC - vulnerabilities New audit considerations - impact of MLS and MAC on the
makeup and sensitivity of the Audit Trail data.
Module B. The Environment with MLS added. Impact of an MLS accreditation on configuration
management. Hardware, ancillary equipment, software, especially upgrading to new functionality.
Maintaining accreditation - documentation for the Life cycle A checklist of warning signs for the
Admin/Security staff Addressing security violations (vulnerabilities) in the MLS environment. How to use
the CERT to best advantage.
Module C. Acquisition of Trusted Systems. A seminar for local procurement initiators, managers, and
procurement technicians to review the appropriate usage of language in an RFP for Trusted Systems, or MLS
Network components. This seminar discusses specification language for the SOW, how to use CDRLs for
acquiring Assurance documentation, and pitfalls to avoid in preparation of the procurement plan.
COURSE TITLE: Practical Considerations for Acquiring and Implementing a MultiLevel Secure
Network
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the Course: Give managers and technical personnel the tools to select acquire and implement
cost effective security technologies in information systems.
Module A. Sorting out the technologies defined by NCSC
A discussion of the subtleties of the "Rainbow" books
Module B. Overview of the State-of-the-Art
A Look beyond the Hype at the marketplace of Trusted Systems
Module C. Acquisition of Trusted Systems: A seminar for local procurement initiators, managers,
and procurement technicians to review the appropriate usage of language in an RFP for Trusted
Systems, or MLS Network components.
COURSE TITLE: Practical Aspects of Planning to Acquire Multilevel Security in an Open Systems
Environment
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the Course: Give managers and technical executives the tools to plan and acquire cost effective
technologies for ensuring the enforcement of their security policies in information systems.Custom modules
include:
Module A. Organizational Responsibilities
DoD Security Policy Refresher. complying with DoD Inst 5200.28
Module B. Understanding which Technology is for which Problem
(Getting there -from here)
Module C. Acquisition of Trusted Systems
A seminar for local procurement initiators, managers, and procurement technicians to review the appropriate
usage of language in an RFP for Trusted Systems.
COURSE TITLE: Practical Considerations for Planning and Implementing Multilevel
Security in an Open Systems Environment
COURSE LENGTH: 16 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the Course: Give technical executives the tools to plan and select cost effective technologies and
to make cost-effective Operational decisions regarding the enforcement of their security policies in MLS
Information Systems. This course is a tailored set of modules customized from among:
Organizational Responsibilities [2 hrs]
Sorting out the technologies defined by NCSC [4 hrs]
Overview of the State-of-the-Art [2 hrs]
Understanding which Technology is for which Problem
(Getting there -from here) [3 hrs]
The Technology with MLS added [3 hrs]
The Environment with MLS added [2 hrs]
COURSE TITLE: Case Studies in Multilevel Secure Networking
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the course: Give on-site managers and Technical personnel tools based on specific local cases,
to make cost-effective Operational decisions regarding migration to MLS Information Systems. This briefing
will cover: The Customer Environment with MLS Added, Identifying your accreditor, Reviewing
requirements for Internal Review Audits, Coordinating with the CM/QA team on-site, Tracing the flow of
ADP Security Reporting Reviewing specific responsibilities and requirements for co-location of CRYPTO
or other NSA approved/controlled items, Exploring which state-of-the-art systems might meet specific local
requirements, while being within the range of our resources. Sampler of Evaluated Operating Systems,
Workstations, Networking Components and Specialty Components. Specific information about levels of
expertise required to implement a system on-site with them.
COURSE TITLE: Managing the Acquisition of MLS Resources
COURSE LENGTH: 4 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the course: Give on-site managers and Technical personnel tools to make cost-effective
procurement decisions regarding migration to MLS Information Systems. Specific topic discussed: Acquisition
of Trusted Systems: A seminar for local procurement initiators, managers, and procurement technicians to
review the appropriate usage of language in an RFP for Trusted Systems, or MLS Network components. This
seminar discusses specification language for the SOW, how to use CDRLs for acquiring Assurance
documentation, and pitfalls to avoid in preparation of the procurement plan. You will also receive a copy of
the NSA and NIST Acquisition guidance for trusted systems.
COURSE TITLE: Practical Aspects of Owning a Multilevel Secure Network
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the course: Give managers and Technical personnel the tools to make cost-effective Operational
decisions regarding MLS Information Systems. Course Curriculum consists of: The Technology with MLS
added The Information Systems equivalents to Markings, Caveats, handling instructions - Mandatory Access
Control labels Exploring operational impacts of MLS: MAC vs DAC- vulnerabilities New audit considerations
- impact of MLS and MAC on the makeup and sensitivity of the Audit Trail data. Tracking an atomic action
through several audit trails. Enhancing the security profile of an MLS system Impact of an MLS accreditation
on Configuration Management A checklist of warning signs for the Admin/Security staff Addressing security
violations How to use the CERT to best advantage Impact of having a CRYPTO in the closet. You will receive
checklists and suggestions for operating sensitive systems daily.
COURSE TITLE: Practical Considerations for Implementing a MultiLevel Secure Network
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy: (410) 859-0123
Objectives of the Course: Give managers and technical personnel the tools to select and use cost effective
security technologies in information systems. Specific topics: technologies defined by NCSC The TCSEC
"Orange Book", The TNI "Red Book": MIAD components, The TDI "Purple Book": TCB subsets, The CSSI
"Powder Blue Book": components which support the security policy in a more restrained fashion, The
ISSPSC: there's more in there than the EPL. The definitive catalog of NSA evaluated technology. A Look
beyond the Hype at the marketplace of Trusted Systems IBM's MVS/ESA RACF (B1), CA's B1 Security
Amdahl's Trusted MDF, Unisys OS-1100 (B1)Workstations CMWs Networks and components Xerox XEU,
LEAD, Motorola NES, Blacker A sampler of specialty components (subsystems) Making an informed decision
to use non-evaluated product and the cost of getting smart enough to be able to evaluate it yourself.
COURSE TITLE: Practical Considerations for Planning Multilevel Security in an Open Systems
Environment
COURSE LENGTH: 8 HRS
VENDOR:
Grumman Data Systems & Services
839 Elkridge Landing Rd. Suite 106
Linthicum, MD 21090
Bruce Levy (410) 859-0123
Objectives of the Course: Give managers and technical executives the tools to plan and select cost effective
technologies for planning the enforcement of their security policies in information systems. Specific topics:
Organizational Responsibilities DoD Security Policy Refresher, Complying with DoD Inst 5200.28,
Accreditation Requirements, What Certification means, How Evaluation helps, Documentation of your system
(network), Cost effective steps toward MLS, Avoiding common password headaches, Some Practical
approaches to all that Audit trail. You will get expert advice on what works and what your installation needs
to enter the distributed age of computing.
COURSE TITLE: Introduction to Computer Security for First-Level Supervisors
COURSE LENGTH: 8 HRS.
VENDOR:
MACRO International, Inc.
8850 Stanford Boulevard
Columbia, MD 21045
(410) 290-2800
This program is designed for first-level supervisors and emphasizes the role of the supervisor in implementing
and managing computer security programs. The course discusses approaches for instilling security awareness
in staff, training, security administration, and incident management and reporting. An overview of threats,
protection strategies, and implementation of policies and procedures is presented, emphasizing requirements
for different levels of system sensitivity.
COURSE TITLE: Introduction to Computer Security for Non-ADP Managers
COURSE LENGTH: 8 HRS.
VENDOR:
MACRO International, Inc.
8850 Stanford Boulevard
Columbia, MD 21045
(410) 290-2800
This program is designed to provide mid-level managers with an overview of computer security program
planning and management. Presentation will emphasize compliance with P.L. 100-235 and other laws and
requirements for classified and unclassified systems. Discussion will also emphasize the threat against
sensitive systems; capabilities of potential adversaries; asset value; sensitivity and definition of protection
levels appropriate to the threat; contingency planning; and management risk acceptance. The course will
also cover the development of security plans emphasizing human resource management practices, the
implementation of computer security programs within budget and staff constraints.
COURSE TITLE: Computer Security for Security & ADP Program Managers
COURSE LENGTH: 3 DAYS
VENDOR:
MACRO International, Inc.
8850 Stanford Boulevard
Columbia, MD 21045
(410) 290-2800
This course is designed for ADP program managers and computer security program managers. It
provides an overview of Public Law 100-235 and other laws and requirements for computer security.
Discussion will emphasize various types of threats against sensitive systems; capabilities of potential
adversaries; areas of vulnerability; and control techniques.
This course provides a comprehensive understanding of the full range of potential threat and the
effectiveness of alternative security controls against different threats. This course is oriented toward those
with prior programming and systems development experience.
COURSE TITLE: Information Security Principles and Practices
COURSE LENGTH: 4.5 DAYS
VENDOR:
George Mason University
Department of Information & Software Systems Engineering
School of Information Technology and Engineering
Fairfax, VA 22030-4444
Ravi Sandhu: (703) 993-1659
This course introduces fundamental issues and concepts of information security, emphasizing the Trusted
computer System Evaluation Criteria (TCSEC), which is the seminal publication providing authoritative
guidance concerning trust technology; and its eventual successor, the Federal Criteria for Information
Technology Security. Security policy, risk management, certification and accreditation are discussed in
their supporting roles. The threat of viruses and other rogue programs is discussed; a case study
reinforces the lessons learned. Practical advice for trusted system integration is provided.
COURSE TITLE: COMPUSEC
COURSE LENGTH: 2 DAYS
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
This class is an unclassified overview of COMPUSEC requirements, issues and related COMSEC and
TEMPEST information. Attendees should be able to intelligently address technical vulnerability issues in
their ADP systems.
Topics Covered
Laws and DoD Specifications, Trusted Computer Systems, Risk Management, Configuration
Management, Data Remnance, Software Disk Protection, Virus Protection, Network Overviews,
COMSEC Protection,
TEMPEST Protection, OPSEC Issues
Student Background: Intended for entry level security people.
COURSE TITLE: Basics of Computer Security
COURSE LENGTH: 2 DAYS
VENDOR:
Thomas R. Hardy & Associates, Inc.
P.O. Box 5631
Derwood, Maryland 20855
(301) 921-0595
This course is designed for end users and management personnel - it presents the elements necessary for
developing a secure computer system environment. The class addresses the needs of small and large
systems, and network configuration. Topics include: Planning and design; Threats and Vulnerabilities;
Countermeasures; Contingency planning and disaster recovery; Backup site planning; Responsibilities.
COURSE TITLE: Understanding Trusted Systems
COURSE LENGTH: 1 DAY
VENDOR:
Booz�Allen & Hamilton
8th Floor, Room 822
8283 Greensboro Drive
McLean, VA 22102-3838
Butch Chaboudy: (703) 902-5265
This course provides an understanding of the Trusted System Evaluation Criteria (Orange Book) and the
Trusted Network Criteria and Trusted Database Management interpretation. The student will gain a
working knowledge of the security fundamentals, the features of each class and the assurance required of
these features. Additionally, the student will be introduced to other appropriate rainbow series books.
COURSE TITLE: Implementing & Managing a Computer Security Program
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
(301) 588-5922
This course provides an overview of a computer security program, and describes the requirements and
rationale for each program element.
COURSE TITLE: Risk Assessment
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
(301) 588-5922
This course provides a global examination of computer security risk assessment and the techniques for
applying risk assessment.
COURSE TITLE: Disaster Recovery Planning: Strategies to Develop and Maintain Provable
Recovery Capability (W9912)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course teaches you how to develop, maintain, and test your disaster recovery plan. The objective is to
develop provable recovery capability, not paper documentation. The focus is on what the organization - I/S
and the business functions - must put in place now, keep current and test to the satisfaction of responsible
executives that the business can survive the loss of processing capability. The course discusses strategies that
are independent of any particular hardware or software implementation. This is a management course, not
a technical course.
COURSE TITLE: Data Center Recovery Planning (M2040)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course provides you with a basic understanding of the disaster recovery planning process within a data
center environment. The course focuses on the recovery of the data center and communications to and
from business units/departments. All phases of the recovery planning process, from disaster declaration
through relocation to a new facility, are discussed
COURSE TITLE: PC/LAN Recovery Planning (M2042)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course provides you with a basic understanding of the disaster recovery planning process
encompassing personal computers (PCs) and local area networks (LANs). The course focuses on the
recovery of stand-alone PCs, LANs (the file server environment), and LAN communications to and from
business units/departments. All phases of the recovery planning process, from disaster declaration through
relocation to a new facility, are discussed.
COURSE TITLE: Business Impact Analysis (M2044)
COURSE LENGTH: 2 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course teaches you how to perform a risk analysis to ascertain the impact that a disaster may have on
your business. You will also learn how to analyze your important business functions and the
consequences, if lost, to the organization. You will learn the time period after which this loss becomes
critical and the priorities that each important business function has within the overall recovery process.
You'll learn to use a process involving a thorough impact analysis focusing on all aspects of the business,
not just computerized processes. The course enables you to build an impact analysis and better understand
your overall business process.
COURSE TITLE: Business Resumption Planning (M2046)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course teaches you the many facets of preparing a Business Resumption Plan (BRP). To be able to
resume normal business operations within an organization after a serious outage, an effective recovery
plan must be in place. This course focuses on the business reasoning of such a plan and identifies some of
the obstacles that will have to be overcome. Having a Business Resumption Plan in place may prevent
unnecessary loss to your organization if a disaster affects your manual or automated business functions.
The course shows how to build an effective BRP for your organization. Full attention will be given to the
different aspects of the plan, auditors who must review the competency of an organization's recovery
plans.
COURSE TITLE: Network Recovery Planning (M2056)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course teaches you the fundamentals of handling adverse conditions on networks and recovering
functionality even after complete shutdown or network failure. Different data exchange protocols and their
benefits and vulnerabilities are presented along with the use of servers, routers, and gateways. Typical
local area networks (LANs) and wide area networks (WANs) that mix topologies are also examined.
Particular attention is given to preventing the network failure or shutdown, and to minimizing its effect.
COURSE TITLE: Data Security Planning: Strategies for Effective Information Security (W9898)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACH (800) 426-8322
This course teaches you how to plan and implement data security. It is based upon and uses examples
from successful programs. It takes an organizational view of information and presents many policies,
standards and guidelines of IBM and other organizations. The course discusses strategies that are
independent of any particular hardware or software implementation. This is a management course, not a
technical course. The course discusses programs and processes within the context of end-user computing
and shows how they can enhance protection.
COURSE TITLE: Protecting Your Networks from Hackers, Viruses, and Other Attacks
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
Hackers, phone phreaks, viruses, corporate spies, and disgruntled employees are all real threats to today's
organizations. In this three-day technical seminar you will examine the nature of these significant security
threats and vulnerabilities. You will learn practical, cost-effective security and audit techniques that will
dramatically improve your success in reducing risk while enabling you to go systematically monitor your
organization's security strengths and weakness. You will leave this high-tech session with sample
checklists, a set of valuable software tools, and "how-to" reference materials that will increase your
effectiveness and decrease of attacks on your network.
COURSE TITLE: How to Manage an Information Security Program A Guide for Newly Appointed
Managers
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This three-day session will be your guide to establishing and managing a workable information security
program. You will learn the components of a comprehensive plan, covering access control software
applications; telecom/network security measures; physical protection of the computer facility; and the legal
and regularity aspects of information security. You will learn how to protect your organization from
computer crime and viruses. You will explore disaster recovery and the key elements of an effective
business continuity program. You will leave this session with a blueprint for building an information
security program or for measuring an existing one.
COURSE TITLE: Audit and Security of Client/Server Architectures
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
As more critical applications continue to move onto networks, the open architecture concept, a lack of true
separation of duties, poor administration, and often unfamiliar network tools leave organizations open to
risk. In this timely seminar you will review the basics of client/server architectures, uncover the risks
within the technology, and identify cost-effective controls for plugging these loopholes. You will learn
how to spot poorly designed client/server applications and how to identify connection risks. You will
explore communications protocols, distributed databases, and the most commonly used network operation
systems, including NetWare, VINES, Unix, NT and OS/2. You will leave this in-depth seminar with a
checklist that you can use as a foundation for a customized workplan for your own client/server audits.
COURSE TITLE: A Fraud Update: Forensic and Investigative Auditing
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
As incidents of fraud continue rise, management now more than ever looks to Audit as its first line of
defense against this bottom-line busting crime. Using case studies and interactive exercises, this three-day
seminar will be your road map through the major fraud concerns facing organizations today. You will
cover investigative principles, forensic auditing, rules of evidence, and federal fraud statue and sentencing
guidelines. You will learn how to develop evidence to support fraud allegations and what the
responsibilities of the audit committee are when fraud is discovered. This high-impact session will provide
you with a solid understanding of contemporary fraud issues and Audit's role in protecting the organization
from this pervasive and complicated crime.
COURSE TITLE: Risk Management
COURSE LENGTH: 24 HRS
VENDOR:
Naval Computer and Telecommunications Station
ATTN Code N823
PO Box 357056
San Diego, CA 92135-7056
(619) 545-8628 - DSN 735-8628
This three-day course is a comprehensive study of Risk Management and is given in a workshop type
environment. This course will provide the attendee with a definition of what comprises Risk Management
and will explain the different components of Risk Management. Instruction will consist of discussion on
Risk Analysis, Contingency Planning, and Security Test and Evaluation (ST&E). Attendees will have a
thorough understanding of each of these Risk Management phases and how to prepare them. Course will
provide the attendee with actual hands-on exercises for each of these phases. Risk Analysis instruction will
include preparation of a Risk Analysis using the three different methods. Also the Risk Analysis portion
will include principles for performing a Risk Analysis on a Local Area Network (LAN). Strongly
recommend completion of the ADPSO Concepts course before taking this course. This course is
conducted at the NAVCOMTELSTA San Diego facility or at your command.
COURSE TITLE: Recent Developments in Information Security
COURSE LENGTH: 4.5 DAYS
VENDOR:
George Mason University
Department of Information & Software Systems Engineering
School of Information Technology and Engineering
Fairfax, VA 22030-4444
Ravi Sandhu: (703) 993-1659
This intensive course presents a comprehensive approach to recent developments in Information
Technology (IT) security. Technology and policy issues for secure operations employing both Computer
Security (COMPUSEC) and Communications Security (COMSEC) components of Information Security
(INFOSEC) are presented. Contemporary issues addressed include: encryption, key escrow, and key
management for authentication, integrity, and confidentiality; proposed standards such as Digital Signature
and Clipper; challenges in developing international criteria; database issues such as polyinstantiation,
inference, and aggregation; and access control beyond the TCSEC (Orange Book).
Discussions will include the use of empirical and theoretical computer and database system and network
design approachers. Broader issues will also be presented, such as integrating security with computer,
database, and network systems design and development requirements; and evaluating the degree of security
available for a given computer, database and/or network system. Extensive practical advice for trusted
system integration is provided.
COURSE TITLE: Secure Systems Design and Program Management
COURSE LENGTH: 2 DAYS
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
Participants learn technical rational and requirements that lead to formal management decision making
regarding security issues. Topics Covered: Org. Security, Systems Security Engineering Management,
Risk Management, Audit Controls, Contingency Planning, Risk Analysis, System Test and Evaluation,
System Design, Network Administration, UNIX, Apple System 7, Config. Management, Life Cycle
Management, Virus Protection, COMSEC, Control, TEMPEST Control and Vulnerability Assessments
COURSE TITLE: Writing Security Plans
COURSE LENGTH: 2 DAYS
VENDOR:
Booz�Allen & Hamilton
8th Floor, Room 822
8283 Greensboro Drive
McLean, VA 22102-3838
Butch Chaboudy: (703) 902-5265
This course is designed to provide the System Security Officer with the knowledge to develop an ADP
security plan that will meet the requirements to PL 100-235 and D/CID 1/16. Practical exercises are
provided allowing students to develop key sections of a security plan as part of a work group. Each
exercise is conducted following appropriate instruction in "how to" write the plan. Upon completion of the
course, the student will know what information is needed in the development of a security plan, what the
plan should include, where that information can be obtained and how to write policy statements and
security requirements.
COURSE TITLE: Managing Org-Wide Information Security Program
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This program examines key issues in building and maintaining a security program that serves more than
one division...a program that cuts across traditional boundaries and must deal with geographically and
organizationally distinct units. Practical, cost-effective ideas on how to structure a plan, tools for
evaluating risks and safeguards, and ways to encourage participation and commitment from all levels of the
organization. Legislative and regulatory pressures including but not limited to the Foreign Corrupt
Practices Act, copyright protection, and the Computer Security Act of 1987. Take-home materials include
articles, checklists, forms, and information sources. NOTE: Ask about available discount for government
hosted classes.
COURSE TITLE: Building Information Security Awareness
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This seminar shows how to "educate" managers, users, and DP personnel on the importance of protecting
information resources. Top managers need to know in macro, bottom-line terms. Data security
professionals need detailed technical training. Computer users, operators, and programmers must be
shown what they can do on a day-to-day operational basis. This program delivers practical ideas and
techniques on how to tailor a computer security training/orientation program to each of these diverse
groups. You will learn how to plan a program. You will be shown what types of information should be
gathered for presentation, how it should be logically organized for maximum impact, and which meeting
and presentation techniques are most effective. And finally, you will be given specific ideas on how to
measure the effectiveness of your security awareness program. As a "deliverable," you will develop an
individualized training plan to be used in your own environment. NOTE: Ask about available discount for
government hosted classes.
COURSE TITLE: Data Communications Security
COURSE LENGTH: 2.5 DAYS
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
(301) 588-5922
This course provides an overview of network processing technologies, security threats, safeguards, and
protection strategies. The data communications environments covered in this course include Local Area
Networks, Wide Area Networks, Distributed Data Processing, and remote mainframe access.
COURSE TITLE: Developing Computer Security Policies & Procedures
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This seminar is for DP managers, data security managers, and security officers responsible for developing
computer security policies and procedures and integrating them into a comprehensive data processing
security manual. You will learn how to determine what policies are needed, what areas a manual should
cover, and how to gather the necessary information. Two different approaches - step-by-step "cookbook"
procedures vs. more generalized policy statements. How to establish working liaisons with support staff in
other areas, what's needed to get your policies and manual reviewed and approved, and pitfalls that must
be avoided. Critique actual samples of procedures and policies currently in use. NOTE: Ask about
available discount for government hosted classes.
COURSE TITLE: LAN Security
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
Local area networks (LANs) are significantly impacting the way organizations do business. As more and
more critical work migrates from mainframes to LANs, the need for better controls becomes apparent.
Learn about the security and control issues involved with LANs; the types of critical and sensitive data
now residing on LANs; the impact of loss, change or disclosure; and realistic remedies for identified
vulnerabilities. How transition technologies, topologies, and architectures create complex security,
recovery, and integrity problems. Security features of popular LAN systems software and add-on
packages. The need for policies, procedures, and administrative controls. NOTE: Ask about available
discount for government hosted classes.
COURSE TITLE: Protecting Networks & Small Systems
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
Widespread use of microcomputers and telecommunications technology offers greater opportunities for
increasing white-collar productivity...and the risk that this technology will proliferate out of control. This
seminar provides a security and control perspective of the opportunities and pitfalls in this new
environment. It will be valuable for data processing management, communications management and
specialists, office automation management, EDP auditors, security officers, and users of small systems.
Participants are encouraged to bring a list of specific, relevant security problems currently being faced
within their own organizations. Selected "cases" will be analyzed and discussed. NOTE: Ask about
available discount for government hosted classes.
COURSE TITLE: Application Security Reviews
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
(301) 588-5922
This course examines the requirements and objectives of application security and describes the techniques
and tools for conducting application security reviews. The course includes the planning process, review of
the baseline security goals, sensitivity and criticality determination, data collection methods, and control
weaknesses and safeguards determination.
COURSE TITLE: Computer Security For Managers
COURSE LENGTH: 1 DAY
VENDOR:
USDA, Graduate School
600 Maryland Ave, SW
Washington, DC 20024
(202) 447-7124
This workshop will show you how to develop computer security awareness for end-users, and your role in
program management, planning, personnel security, contingency planning, and the systems development
life cycle. We will briefly review the Computer Security Act of 1987, and cover threats to, and
vulnerabilities of, computer systems and appropriate safeguards, and various approaches to risk
assessment. You will receive checklists and suggestions for becoming more aware of possible computer
security problems in your office, and you will be able to get advice on how to deal with concerns that are
specific to your agency or installation.
COURSE TITLE: Continuity of Operations/Disaster Rec. Planning: Part II Workshop
COURSE LENGTH: 3 DAYS
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
Ronald E. Freedman: (301) 588-0800
This course will be specifically tailored toward the individual course audiences' environment. To
accomplish this, research questionnaires must be completed by course participants prior to attending.
These questionnaires will provide the baseline hardware, software, physical, and operational environments
critical to the development of a discreet COOP/DRP.
COURSE TITLE: Physical Security for Data Processing
COURSE LENGTH: 2 DAYS
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
(301) 588-5922
This course provides essential training to personnel in the areas of physical and environmental security in
both large scale (mainframes) and small scale (PC) processing environments.
COURSE TITLE: Audit, Control, and Security of LAN and Mainframe Connectivity
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
In this fast-paced, three seminar you will focus on the control, security, and management aspects that
should be included in any LAN evaluation. After a general overview of a LAN environment, you will
review the Open Systems and OSI "standardized" models of any computing/communication system and
develop a layered audit/analysis work plan based on the models. With this work plan as a guide, you will
investigate: LAN topologies; protocols; LAN interconnections to wide area networks (WANs); client-server and peer-to-peer LAN architectures; LAB Network Operating Systems; connecting LANs to
mainframes; and many more related topics. Keeping jargon and technology in its proper perspective,
emphasis will be placed on those aspects of LAN operation with the greatest audit and security concerns.
A basic understanding of the fundamentals of microcomputers and PC-based applications such as
spreadsheets and database management is strongly recommended.
COURSE TITLE: Computer Viruses
COURSE LENGTH: 3 HRS
VENDOR:
USDA Graduate School
600 Maryland Ave., S.W.
Washington, D.C. 20024
(202) 447-7124
This briefing is designed to provide you with a basic understanding of the nature of computer viruses and
suggested methods and procedures for identifying and dealing with them. The material will focus
primarily on the microcomputer based environment but network and mini-computer virus issues will be
discussed as well.
COURSE TITLE: Computer Security
COURSE LENGTH: 5 DAY
VENDOR:
GSA Training Center
P.O. Box 15608
Arlington, VA 22215-0608
Joan Bender: (703) 603-3213
Participants learn about federal computer security regulations and guidelines and their implementation in
government agencies. Topics include: a threat overview, national computer security policies, an overview
of the National Institute of Standards and Technology and the National Computer Security Center, physical
security considerations, microcomputer security considerations, introduction to risk assessment, qualitative
risk assessment, quantitative risk assessment, other risk assessment methodologies, contingency planning,
design reviews and system tests, and security certification and accreditation.
COURSE TITLE: Information Security and Policy
COURSE LENGTH: 1 SEMESTER
VENDOR:
George Washington University/GSAS
2000 G Street, NW
Washington, DC 20077-2685
(202) 994-7061
Computer fraud and effective countermeasures for computer system security. The social and legal
environment of information systems, including data privacy and ethics in database management.
Information access policy, data security, contracts. Antitrust and other business implications of policies,
transborder data flow, technology transfer, electronic funds transfer systems, criminal justice information
systems, cross-cultural differences, computer infringement of copyright, and protection or property rights
in software. Prerequisite: AdSc 202 and 203.
COURSE TITLE: Planning an EDP Disaster Recovery Program
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This seminar examines the critical components of the disaster recovery planning process in detail and offers
a practical framework for implementing a disaster recovery program. A "big think" approach is required,
because recovery planning is tedious, time-consuming, and requires management commitment plus cooperation
from all levels of user personnel. Less than 20% of the top 1,000 U.S. firms have workable EDP disaster
recovery plans that have been successfully tested. Indeed, many organizations today have no formal plans at
all. Some have tried to formulate a plan but failed because they underestimated the scope and complexity of
the task. Although a 3-day seminar cannot provide all the details necessary for a comprehensive program, this
seminar will give you a firm grounding in the knowledge and skills needed for a successful disaster recovery
planning effort. NOTE: Ask about available discount for government hosted classes.
COURSE TITLE: Security in Software Applications
COURSE LENGTH: 3 HRS
VENDOR:
USDA Graduate School
600 Maryland Ave., S.W.
Washington, D.C. 20024
(202) 447-7124
This briefing is designed to provide participants with a basic understanding of features and techniques for
incorporating computer security into the design and development of software applications. The material
covered explores a variety of computer security design and programming techniques to enable programmers
and system designers to build security into their applications.
COURSE TITLE: Introduction to Secure Systems
COURSE LENGTH: 2 DAYS
VENDOR:
Booz�Allen & Hamilton
8th Floor, Room 822
8283 Greensboro Drive
McLean, VA 22102-3838
Butch Chaboudy: (703) 902-5265
This class provides the student with an understanding of the basic principles to follow in the development and
operation of secure systems--that is, systems that we can trust to protect sensitive or classified information.
This course provides the fundamentals of determining security requirements for trusted systems, determination
of mode of operation, calculation of the level of trusted needed for a system, and an understanding of the
collective impact of security features on a system.
COURSE TITLE: UPS: Design, Selection and Specification
COURSE LENGTH: 2 DAY
VENDOR:
University of Wisconsin, Milwaukee
929 North 6th Street
Milwaukee, WI 53203
(800) 222-3623
Program objectives of this institute will have been accomplished if, upon completion, the attendee can answer
satisfactorily the following questions: Where is UPS needed? When is UPS needed? Should the system be
redundant? How should components be chosen? How is a system designed? What level of protection is
appropriate? What are the system maintenance requirements? What grounding and noise problems need
consideration? How can satisfactory performance be achieved while satisfying the NEC? NOTE:Previous
attendees will find that material has been added to the program since they last attended.
COURSE TITLE: Computer Security In Application Software
COURSE LENGTH: 2 DAY
VENDOR:
Booz-Allen & Hamilton Inc.
8283 Greensboro Drive
McLean, VA 22102-3838
(703) 902-5201
This course presents a logical sequence of overall computer security activities during the application
development life cycle. The course will assist application developers, sponsors, and owners in identifying
security activities that should be considered for applications, whether they are being developed, significantly
enhanced, or routinely debugged. This course is primarily intended for application software managers and
support personnel. NOTE:Contact the vendor for information concerning specialized agency training.
COURSE TITLE: Computer Security
COURSE LENGTH: 1 SEM
VENDOR:
Montgomery College
51 Mannakee Street
Rockville, MD 20850
(301) 279-5185
This course surveys major topics in assessment and development of security procedures for a variety of
computer system. Emphasis is on analysis of security needs, risk assessment and practical measures for
security management. topics include LAN security, protection for personal computers, physical security,
hardware and software protection and products, virus countermeasures and the human aspects of computer
security.
COURSE TITLE: Micro Security for Information Systems Security Analysts
COURSE LENGTH: 32 HRS
VENDOR:
DATAPRO Educational Services
600 Delran Parkway
Delran, NJ 08076
(609) 764-0100
Security Analysts and functional Security coordinators will develop basic microcomputer security skills and
understand the integral role they play in successful protection of system-wide data. Participants will learn
various methods for proper disk handling and secure storage, determine proper data backup techniques and
learn techniques for controlling access to data hardware and software. They will learn how to evaluate the
present contingency plan and develop a risk analysis formula and also will develop a project plan for
contingency implementations of hardware and software.
COURSE TITLE: Network Auditing (M2034)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the fundamentals of performing a security audit on a computer network. The course
will begin with a review of positive and negative aspects of today's most commonly used networks. The
security facts and assumptions of each network topology are explored in lecture and classroom exercises. This
examination of networks includes all elements of network security (the node, the media, and the control unit).
Different data exchange protocols and their benefits and vulnerabilities are examined along with the use of
servers, routers, and gateways. Typical local area networks (LANs) and wide area networks (WANs) that
mix several topologies are also examined for their vulnerabilities.
COURSE TITLE: PC/LAN Auditing (M2028)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to review the security controls in a PC/LAN environment. You will explore the
hardware and software components that impact the protection of the PC/LAN environment. You will learn
the types of information needed to assess the strength of implemented controls as well as how to perform the
collection of this information. Examples are presented that allow you to gain experience in interpreting
security related data.
COURSE TITLE: Auditing the Data Center (M2020)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to develop a data center audit for environmental, operational, and procedural
issues and how to prepare for such an audit. You will learn how to locate potential problems within your data
center that could result in significant losses. This course focuses not only on the technological issues but on
the business issues as well. You will learn how to report the findings to management with words that will get
their attention. The classroom exercises will illustrate 200+ questions that can be utilized within the audit
process and that will help you in preparing a data center checklist specifically for your environment.
COURSE TITLE: Introduction to EDP Auditing (M2022)
COURSE LENGTH: 3 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the fundamentals of auditing electronic data processing (EDP) information systems.
Reviewing the integrity and security of the business information processed by computers and their applications
requires specialized skills. This course provides the initial education for those skills by presenting an audit
approach to computerized information systems. You will learn about some of the tools and techniques
necessary to audit a computerized environment. The focus is on the computing center, distributed processing,
application development, operating systems, and the applications themselves. Classroom exercises will show
you how to identify the important elements of these systems and how to write effective audit reports.
COURSE TITLE: PC Security (M2004)
COURSE LENGTH: 1 day
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the fundamentals involved in providing effective and comprehensive protection of
personal computers and the information they contain. You will learn how to examine the various components
of PCs and to identify problems that can impact the protection of the PC assets. Typical threats to and
concerns about the data residing on PCs will be discussed. Guidance on countermeasures for implementing
effective controls will also be given.
COURSE TITLE: LAN Security (M2006)
COURSE LENGTH: 1.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the basics of how and where to implement effective controls in a local area network
(LAN). Security pitfalls existing in both the hardware and software components that make up a LAN will be
identified. The significant challenges presented by the fast growth of LANs in the workplace will be met head
on with guidelines for reducing security exposures. Although this course does not address the specific
implementations of any single network operating system (LAN Network Manager, NetWare, Banyan, etc.),
the topics discussed apply to any and all of these.
COURSE TITLE: Business Fraud (M2008)
COURSE LENGTH: 2 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you about some of the most common frauds and criminal activities that your organization
could fall prey to. You will learn how to recognize and detect them before your business is exploited. You
will learn which tools to use to review your organization for on-going fraudulent activities and what to do when
they are detected. Crimes against business, such as industrial espionage, telemarketing crimes, computer
crimes, and employee crimes, are a part of U.S. business today. This course will help you to understand their
symptoms, their effects, and the methods to reduce their impact. Classroom exercises illustrate ways to detect
some of them and to avoid becoming their next victim.
COURSE TITLE: Computer Fraud (M2010)
COURSE LENGTH: 2.5 Days
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches how to detect and prevent the use of the computer for fraudulent activities. The ease of
use that computers have provided to business has created an ease of use for the perpetrator of computer fraud.
You will learn how to recognize the signs of unauthorized computer activity. You will be taught the basic
ways that your organization can fall prey to these activities and the ways to prevent or minimize the threat.
The crimes discussed will range from actual programming issues to manipulation of computer for fraudulent
goals.
COURSE TITLE: Audit and Control of Electronic Data Interchange
COURSE LENGTH: 2.5 DAYS
VENDOR:
The Institute of
Internal Auditors
249 Maitland Avenue
Altamonte Springs, FL 32701
(407) 830-7600 ext. 1
This seminar explains clearly the risks and exposures that can result from opening the organization's computer
platform to additional users - both internal and external to the organization. This course covers the basics of
Electronic Data Interchange (EDI) and stresses internal controls that should be implemented to protect the
organization's assets.
Attendees will learn:
EDI concepts and terminology.
The benefits and risks of EDI.
Internal control requirements for internal and external users.
The basics of telecommunications and third party value-added networks.
Participants will perform a self-assessment of their organization's internal controls regarding EDI and will
develop an audit program throughout the course. An appendix will include a risk, control, and audit step
matrix, a generic audit program, current readings, and a glossary.
COURSE TITLE: Audit and Control of End-user Computing (EUC)
COURSE LENGTH: 2.5 DAYS
VENDOR:
The Institute of
Internal Auditors
249 Maitland Avenue
Altamonte Springs, FL 32701
(407) 830-7600 ext. 1
Audit and Control of End-user Computing focuses on the auditor's role in reviewing controls surrounding end-user developed applications. Attendees learn:
EUC concepts and terminology.
The benefits, risks, and exposures of EUC applications.
EUC controls.
How organizations should administer EUC applications.
What to include in the organization's EUC policy.
During this hands-on seminar, participants will use an IBM/Novell local area network (LAN) for class
exercises. LANSchool is used by the instructor for display of the class discussion material. Other packages
demonstrated or used include Lotus 123, Lotus FreeLance, Clear Software's ALLClear (flowcharting
package), Audit Command Language's ACL for networks, Software Publishers Association's SPAudit, and
WordPerfect.
Participants are provided the SAC Toolkit End-user Audit Program, Module 7 of the SAC report End-user
and Departmental Computing, sample EUC policies and responsibilities, a glossary of terms, and a sample
EUC survey document.
COURSE TITLE: Auditing Information Systems
COURSE LENGTH: 4.5 DAYS
VENDOR:
The Institute of
Internal Auditors
249 Maitland Avenue
Altamonte Springs, FL 32701
(407) 830-7600 ext. 1
This course explains the functions and controls required to safeguard assets in a computer processing
environment. It focuses on the auditor's role in reviewing systems management and those general or
environmental controls that affect applications operating within a given organization or network.
Key topics include:
The challenging issues and functions of information system units.
Internal audit's role in information system reviews.
Management information systems (MIS) standards.
Understanding data security and program change management.
Exploring system development life cycle concepts.
Understanding data bases, data processing standards, and processing support.
Disaster-recovery planning procedures.
Operating systems, distributed systems, and end-user computing.
Understanding network security and administration.
Sample audit programs, a glossary, and a bibliography of course-related reading materials provide an excellent
starting point for attendees preparing to audit information systems.
COURSE TITLE: Integrated Auditing: The Basics
COURSE LENGTH: 4.5 DAYS
VENDOR:
The Institute of
Internal Auditors
249 Maitland Avenue
Altamonte Springs, FL 32701
(407) 830-7600 ext. 1
This seminar offers the know-how to perform applications reviews in the computerized arena. The course
teaches basic EDP auditing skills and knowledge, and defines the "integrated auditor". The seminar includes
a comprehensive case study of a total audit. Participants are provided a sample audit program, a glossary of
terms, sample computer policies, and a sample user security manual.
Attendees learn:
The basics of computer controls, both within and around applications.
An approach to audit planning including
- risk analysis.
- identifying risks and exposures.
- development of test objectives.
- evaluation of results of auditing.
- reporting to management.
Minimal computer programming standards.
Tools and techniques needed to perform a review of modern automated applications, including
stand-alone applications and fully integrated mainframe applications.
Integrated Auditing: The Basics is tailored to auditors just entering the EDP audit arena, including auditors
in departments moving toward integration and financial/operational auditors performing functional audits
involving automated applications.
COURSE TITLE: Computer Security for Security and MIS Professionals
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
The very technologies that have streamlined today's organizations have created vast opportunities for computer
crime and misuse. With PCs on virtually every desktop and networks to link one workstation to another,
computer-savvy criminals and disgruntled employees have more ingenious ways to gain access to critical data
and confidential information. This plan-English seminar is an eye-opener that will be your road map through
a maze of high-tech, high risk exposures. You will discover how to plug the security loopholes in computer
systems, networks, E-mail, voice-mail, and fax transmissions that leave your organization vulnerable to attack.
The seminar covers: strategies for establishing polices and procedures that will keep costly abuse to a
minimum; employee security awareness techniques; sensitive legal issues surrounding employee privacy rights
and software copyright infringement; and more. You will leave this seminar with valuable guidelines and real-world models for preventing, detecting, and responding to criminal attacks, virus infections, and accidental
errors in your own organization.
COURSE TITLE: Intro. to Auditing Micros and LANs: Controlling End-User Computing
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
LANs and microcomputers have placed the tools for processing and storing data directly on the decks of end
users. In this three-day seminar you will learn the fundamentals of microcomputer and LAN technology, and
how to classify the risks microcomputer and end-user computing have introduced into the organization. You
will examine the control techniques currently available to address these risks and how to conduct an audit using
a detailed audit program you can bring back for use in your own organization.
COURSE TITLE: Basic Security For PC Users
COURSE LENGTH: 8 HRS
VENDOR:
Naval Computer and Telecommunications Station
ATTN Code N823
PO Box 357056
San Diego, CA 92135-7056
(619) 545-8628 - DSN 735-8628
This one-day course provides the attendees with a basic understanding of the AIS Security Program
fundamentals. This course satisfies the awareness training requirements prescribed in the Public Law 100-235
which mandates that all users of computers must have awareness training. Course training focuses on ways
to eliminate or control potential problems in a microcomputer and Local Area Network (LAN) environment.
This course discusses the DON policy and Minimum Program Requirements that must be met to comply with
policy mandates. The attendees will be given techniques to enhance their awareness of vulnerabilities in a
microcomputer and LAN operating environment and the appropriate protective measures available to reduce
operating risks. This course is conducted at the NAVCOMTELSTA San Diego facility or at your command.
COURSE TITLE: INFOSEC
COURSE LENGTH:
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
This course presents a comprehensive overview of information security (INFOSEC) focusing on network ADP
security and other technical issues seldom covered in general introductory level courses. DoD requirements
for government (NSA-NCCS, Air Force, MC, Navy, Joint Staff) and defense industry (DIS) are discussed.
Related OPSEC issues are presented.
Attendees should leave this course with a full understanding of the technically based INFOSEC security issues.
COURSE TITLE: Security Technology in the Real World
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
SEMINAR OUTLINE
A. THE NEW SECURITY IMPERATIVE :* Why technology security is on everyone's mind * Our
growing dependence on computers and communications * The range of threats: Some "horror stories"-Internal: - Error and omissions - Disgruntled employees - Natural disasters External: - Hackers - Competitors
- Viruses and Worms.
B. COMPUTER SECURITY RESEARCH:* Hot Topics: computer science point of view -Cryptography -
Identification - Distributed Database Security * Hot topics: business point of view - Security awareness in
industry - Level of security planning - Future plans protection.
C. WORKSHOP - IDENTIFYING KEY ISSUES FOR SEMINAR PARTICIPATION: *Introduction *
Worktime * Presentations.
D. GROUP DEBRIEFING ON WORKSHOP PROBLEMS OF IMPORTANCE
E. A METHODOLOGY FOR STRATEGIC RISK MANAGEMENT - ORGANIZATION MODELLING
* Functional model * Situation assessment * Situation simulation * Strategic systems planning and integration
* Data classification Exercise: Data classification questionnaire * Implementation of Data classification -
Mainframe - Unix environment.
F. UNIX SYSTEM SECURITY CONSIDERATIONS * Unix history with respect to security * Access
protection - owner, group, public - files and directories - listing file access (1s-1) - changing file access
(chmod) * Common Unix security problems - Password cracking - Getting root access - Superuser abuse -
Spoofing - Intelligent terminal problems * Unix network problems - Anonymous ftp - Competitors - Remote
logins - Worm programs.
G. WORKSHOP - SECURING FILES IN UNIX:* Background * Command writing exercise.
H. PHYSICAL SECURITY: * Access control * Fire protection * Flood/water damage * Theft protection
* Off site backup.
I. INSURANCE ASPECTS OF TECHNOLOGY: * Loss of assets * Loss of data * Loss of confidentiality
* Valuable papers * Business interruption * Software escrow.
J. LOGICAL ACCESS SECURITY :* Defining user IDs * Privilege fields * ID registration.
K. LEGAL ASPECTS OF T SECURITY: * What makes a "computer crime"? * Criminal Codes -
Unauthorized use of computer - Mischief against data * Civil remedies * Copyright infringement * Theft *
Fraud * Trade secrecy provisions * Working with law enforcement personnel.
L. WORKSHOP: DEALING WITH A VIRUS THREAT:* Problem description * Worktime * Presentation
of solutions.
M. COMMUNICATIONS SECURITY: * Wiretapping, low and high tech * Local area networks * Cellular
telephones * Fax modems * Voice mail systems.
N. RCMP EDP SECURITY: Bulletin #33 (reproduced with permission).
O. CONTINGENCY PLANNING :* Focus on corporate business issues * Proactive aspects * Reactive
aspects * Risk management issues * Key issues.
P. FOCUS ON ISSUES RAISED BY PARTICIPANTS: * Defining the problem * Seeking a solution - at
what cost?
Q. CREATING A SECURITY PLAN FOR YOUR ORGANIZATION:* Elements of a good security plan
* Who should do it * How to implement it * The need for regular review and testing.
R. CONTROLS IN A MICROCOMPUTER ENVIRONMENT: * Introduction * The acquisition process
* Installation and maintenance * Inventory control * Troubleshooting * Application development * Training
* Documentation * File back-up and data security
* Computer Viruses * Hardware Security * Input/Output and Processing Controls
* Application Dependency Model.
S. FUTURE TRENDS IN COMPUTER SECURITY
T. CONCLUDING REMARKS
�COURSE TITLE: Using Investigative Software to Detect Fraud
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This seminar is designed to teach the concepts of investigative software and provide participants with the skills
required to design, develop and install investigative software routines upon completion of the course material.
Each participant will receive a compendium of suggested investigative software routines for specific industries
and applications.
COURSE TITLE: Auditing System Development: New Techniques for New Technologies
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This seminar focuses on the effect new technologies have on the audit approach and explores methods to ensure
that the audit requirement is met without slowing the project or becoming a drain on project resources. Special
emphasis is placed on early identification of control requirements and the rapid reporting techniques that are
required in today's dynamic system development environment.
COURSE TITLE: Auditing EDI Applications
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This seminar will provide you with an understanding of EDI and provide you with the skills and techniques
required to audit in this complex environment. Each participant will receive suggested audit programs and
checklists, to assist in performing application audits in and EDI environment.
COURSE TITLE: The Integrated Audit Workshop
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This workshop is designed for auditors who will be using the integrated audit approach. It explains both
manual and computerized controls and provides a complete audit approach for auditing modern applications.
At the end of the workshop, participants will be able to identify and evaluate the controls in a computerized
application through the use of control matrices. This workshop can be modified for in-house presentation to
the entire audit department.
COURSE TITLE: Audit Software for the 21st Century
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
In the past audit software has been the domain of the I.S. auditor. Recent technology breakthroughs now
provide each internal and external auditor with software capability that is easy to use and increases audit
coverage. In preparing for the 21st century all audit departments require strategies to automate audits,
perform silent and remote audits and improve audit productivity. This seminar explores existing technologies
and provides participants with the knowledge to acquire, create and implement the software tools that will
form the basis of the audit philosophy of the 21st century.
The open system concept has traditionally created a software dilemma for auditors in that computer assisted
audit techniques had to be rewritten for each mainframe and minicomputer. Now PC based products enable
auditors to circumvent this situation to create software once for multiple platform execution. This capability
not only provides significant economies of scale by reducing software development costs, but it also enables
greater consistency in audit software tests while maximizing auditor productivity. The availability of pc
compatible tape drives and high capacity hard disks provide large file processing capability so that mainframe
applications can now be readily audited using the PC.
In addition to learning new techniques, participants will be provided with a free authorized demonstration copy
of ACL, the industry standard PC product for audit software. Participants will then be able to reinforce what
they learned in the seminar with examples they can code and test when they return to the office so that they
can demonstrate the 21st century audit concept to their management.
COURSE TITLE: Information Systems Audit Workshop
COURSE LENGTH: 4 DAYS
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This 4 day workshop is designed for auditors who will be conducting audits in a computerized environment.
It assumes no prior knowledge of EDP audit concepts or procedures and provides participants with a sound
understanding of the audit risks relating to information systems. Once the groundwork is laid, participants will
learn the controls required in computerized applications and a step by step approach to effectively evaluate
the EDP control structures. As their understanding increases, participants progress to more complicated IS
audit topics including local area networks, data security, telecommunications networks and operating systems.
Participants will receive the skills, audit programs and checklists required for them to perform information
systems audits on their return to the office.
COURSE TITLE: Auditing Client/Server Technology
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
Client/Server technology is rapidly becoming the preferred processing methodology for both large and small
organizations. Larger organizations are looking to client/server technology to replace traditional large scale
mainframes. Management is looking to client/server technology to provide productivity improvement,
empower employees and to provide better service levels at a reduced cost. As with any new technology,
the shift to a client/server environment poses many risks to the business and the business control structure.
This seminar will provide participants with a sound knowledge of client/server technology and the control
mechanisms required to ensure a safe and secure processing environment.
COURSE TITLE: Control and Security of LANS
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
As local area networks (LAN's) permeate the organization, security and control issues are often ignored. This
seminar takes a hard look at the audit concerns of LAN's and how to install effective controls in this dynamic
computer environment. Participants will learn what can go wrong in the LAN environment and what
preventive and detective controls are available to mitigate control weaknesses within the LAN or from external
connections. LAN Management and the role of the LAN officer is discussed in detail. Special emphasis is
placed on management of the hardware and connectivity along with the selection of software. These key items
often limit the overall usefulness of the LAN and inhibit the achievement of connectivity and productivity
objectives. Each participant will receive detailed audit programs, common control weaknesses and sample
recommendations. These are the key tools they need to conduct LAN audits.
COURSE TITLE: Auditing Datacomm Networks
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
Wide area networks are the lifeblood of corporate information processing and connectivity, yet many
organizations have yet to do a complete audit of network operations and management. This seminar provides
the IS auditor with a structured audit approach directed to identifying critical control weaknesses in the
network, the carriers, the media and network management. Proven solutions to common control weaknesses
will be provided to each participant. Focus in this seminar is on a complete audit approach for data and voice
communications from a security and cost perspective. Network management tools and problem resolution
techniques are the cornerstone of network operations. Special emphasis is placed on using NETVIEW, a
popular network management tool to identify network problems. Participants in this session will receive
detailed audit programs and checklists which will provide a strong starting point for their first Network Audit.
COURSE TITLE: Computer Security & Contingency Planning
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
Security Administration is now a reality in many organizations. Other companies that do not currently have
a security administration function are considering, or are in the process of creating the security function. This
seminar is designed to remove the mystery surrounding data security, and to provide participants with a proven
approach to securing their computer systems. At the end of the session, participants will understand security
administration and the critical items that must be included to enable the function to perform effectively. They
will be able to classify data by criticality and confidentiality. They will have an understanding of logical access
security, disaster contingency planning, and how to develop and implement security procedures in their
organization.
COURSE TITLE: Auditing Advanced Information Technology
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
When Canaudit set out to rewrite the popular ADVANCED EDP AUDITING seminar, the objective was to
make it the most comprehensive Information Systems audit course currently available in the public
marketplace. Only a completely new seminar, AUDITING ADVANCED INFORMATION TECHNOLOGY,
could incorporate all of the enhancements. AUDITING ADVANCED INFORMATION TECHNOLOGY
provides the Information Systems Auditor with the skills required to perform audits of Operating Systems,
Local Area Networks, Wide Area Networks, Access Security and DB2. In addition to generic audit programs,
participants will receive detailed product specific checklists for MVS, Tandem VAX, AS/400 and Novell.
These checklists will enable the IS auditor to conduct audits of those critical components of information
technology necessary to ensure their organization's information processing is secure, controlled and effective.
Emphasis is placed on improving the quality of management techniques and controls to enable organizations
to operate effectively in today's complex information technology environment.
COURSE TITLE: EDP Auditing: The First Step
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This seminar provides financial auditors or new information systems auditors with the skills required to audit
complex automated applications. Detailed coverage of computerized controls is provided to ensure participants
understand the key controls and how to audit them. They will also learn how to audit the data center, data
security, systems under development and how to design audit software tests. In addition, we have included
a special section on EDI which explains the concepts, the economics and key controls available to ensure
electronic transactions are processed accurately and efficiently. A special section on Auditing Trading Partner
Agreements is devoted to minimizing the negative impact of EDI and protecting your organization. Each
participant will receive detailed checklists and comprehensive audit programs so they can perform Information
Systems audits. The audit experiences related by the instructors provides valuable insight on how to locate,
identify and rectify control weaknesses in a computerized environment.
COURSE TITLE: Control and Security of Local Area Networks
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
As local area networks (LAN's) permeate the organization, security and control issues are often ignored. This
seminar takes a hard look at the audit concerns of LAN's and how to install effective controls in this dynamic
computer environment. Participants will learn what can go wrong in the LAN environment and what
preventive and detective controls are available to mitigate control weaknesses within the LAN or from external
connections.
LAN Management and the role of the LAN officer is discussed in detail. Special emphasis is placed on
management of the hardware and connectivity along with the selection of software. These key items often
limit the overall usefulness of the LAN and inhibit the achievement of connectivity and productivity objectives.
Each participant will receive detailed audit programs and checklists, common control weaknesses and sample
recommendations. These are the key tools they need to conduct LAN audits. A special module has been
created that provides a specific control approach for the Novell Netware and another module for Unix.
COURSE TITLE: Computer Security for Managers Seminar
COURSE LENGTH: 1 Day
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This session will introduce computer security concepts and management activities and policies for a successful
security program. Individuals will learn the life-cycle approach for protecting systems and how to create
effective policy. Other topics include threat and risk analysis, developing and implementing incident handling
procedures, legal issues, and how to establish and maintain cost effective programs.
COURSE TITLE: Becoming An Effective Data Security Officer
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
As a Data Security Officer, you may be responsible for creating a data security program or
administering and improving one already in place. To a great extent, you will be defining your
own role as you proceed. But where do you begin? What skills do you need to do the job?
Where do you get the information to enhance your own skills? Who are the "key players" within
your organization, and how do you get them committed to making security happen? What are the
advantages of the job? The disadvantages? How have others succeeded, and what pitfalls should
you avoid? This practical 3-day program will deliver the know-how to help you become a more
effective, proficient, and successful Data Security Officer. NOTE: Ask about available discount
for government hosted classes.
COURSE TITLE: Auditing Fraud: Prevent, Detect, & Control
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
Internal auditors are relied upon more and more to recognize the characteristics of potentially
fraudulent activities, and to be knowledgeable about where fraud is most likely to occur in the
organization. This intensive seminar examines where and why all types of fraud occur, including
white collar crime, computer fraud, insider fraud, and external fraud. In this session you will
learn to recognize red flag areas of fraud and strategies for reducing it. This seminar is your short
cut to learning how to incorporate prevention, detection, and prosecution of fraud into your annual
audit plans.
COURSE TITLE: INFOSEC Foundations Seminar
COURSE LENGTH: 2 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This foundations seminar focuses on system security fundamentals. Individual sessions review
TCSEC requirements, the NCSC's evaluation process, RAMP, environment guidelines, policy
fundamentals, assurance, trusted application development concerns, and secure system integration
issues. Other sessions describe efforts to develop international standards for trust, introduce the
products on the Evaluated Products List, highlight the concept of risk management, overview
database and network security concerns, and discuss the perils and pitfalls of secure system
integration.
COURSE TITLE: On-Line, Dist Comm Sys:Control, Audit & Security
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
In this seminar you will learn the basic concepts of computer communications systems and a
simple audit/analysis technique which can help you expose risks with very little in-depth
knowledge of the technology. Through examination of the major functions and audit/security
concerns in each layer of the ISO "Reference Model," you will learn the components of a more
in-depth communications audit and the design and evaluation criteria of internal security controls.
The sample work plans you receive, and the guidelines, audit tools, and techniques you learn will
be immediately useful in auditing any communications system.
COURSE TITLE: Advanced Data Comm Networks: Security/Auditability
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This seminar builds on the tools and techniques learned in On-Line and Distributed
Communications Systems: Control, Audit, and Security, providing a comprehensive study of the
data network portions of a computer communications system-OSI layers 1-4. You will explore,
in-depth, the audit and security concerns in each layer, and examine the design and evaluation
criteria of internal security controls. At the end of this intensive session, you will understand how
protocols, public and private communication systems, and local area networks function. You will
know how to perform a data communications audit. Participants should first attend "On-Line and
Distributed Communications Systems." Participants are invited to bring network maps, protocol
lists, and data traffic load statistics from their own installation.
COURSE TITLE: The Data Center: Auditing For Profit
COURSE LENGTH: 2 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
The audit programs provided in this course are specifically designed to enable the participants to
conduct the data center audit with little or no need for additional support. Throughout this session
emphasis is placed on ensuring that appropriate preventive controls are in place to prevent
unscheduled interruption of processing or inappropriate data access. Disaster contingency planning
is discussed in depth, with each participant receiving a copy of our general disaster recovery
program. Canaudit has also added a module on out-sourcing which provides auditors with a good
understanding of the concepts and the related risks. As with all Canaudit courses, this seminar
makes extensive use of examples and classroom discussion to supplement the lecture.
COURSE TITLE: EDI: New Frontiers For Auditors
COURSE LENGTH: 1 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
Electronic Data Interchange is emerging as a major component of many financial, retail and
manufacturing applications. Several major companies have made a public commitment to full EDI
implementation in the near future. this technology presents the auditor with many new control
and security issues in auditing EDI applications. The elimination of physical transactions and
paper audit trails will force each financial auditor to perform functions formerly done by the EDP
Auditor. This session is designed specifically for those auditors who require a comprehensive
audit approach. Modules presented in this seminar include an overview of EDI technology and
standards, critical functions of EDI, the controls available in the X12 standard and how to
implement them. Each participant will receive a comprehensive audit program as part of the
seminar handout.
COURSE TITLE: LAN Tuning and Performance for Audit and Security Personnel
COURSE LENGTH: 2 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This comprehensive, two-day seminar attacks LAN vulnerabilities head-on and provides you with
the know-how to analyze LAN activity to determine if sensitive network traffics is secured and
if the network is performing at an effective service level. Working with diagnostic tools for both
Ethernet and token-ring networks, you will learn how to read and manage network traffic. You
will discover how to use 100 dynamic network tests to verify that your LANs are meeting your
organization's objectives ins secured manner. This session will provide immediately useable
network monitoring techniques that are applicable for any diagnostic or network management tool
you are currently running. You will leave this high-payback session with the know-how to spot
network problems before they become end-user problems. Attendees should have some familiarity
with LANS.
COURSE TITLE: Audit and Security of Relational Databases and Applications
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framinghan, MA 01701-2357
Pam Bissett: (508) 879-7999
Relational technology has become the industry standard. Today an organization may run several
database systems. Auditors may need to know the specifics of three different relational databases.
This three-day course was designed so you could come to one place and learn what you will
examine and compare the features, audit and security strengths, and accounting log capabilities
of 14 leading relational database systems: DB2, Oracle, Paradox, Sybase, SQL Server, Informix,
Interbase, dBase, Rdb, NetWare, SQL, IDMS, Foxbase, and AS/400. You will learn the new
risks of relational technology, and the associated controls built into each of these specific systems.
In addition, you'll review third-party security software products. You will leave this power-packed session with useable programs for audition your systems environment, and the design,
development, and operation of a typical application within each specific environment.
COURSE TITLE: CS 229 - Computer Security Systems I
COURSE LENGTH:
VENDOR:
The George Washington University
Department of Electrical Engineering & Computer Science
Professor Lance Hoffman
Washington, DC 20052
(202) 994-4955
Techniques for security in computer systems. Authentication, logging, authorization, encryption.
Effects of operating systems and machine architecture, countermeasures, risk-analysis systems.
Companion course to EE 250. Prerequisite: CSci 144 (Concepts of Programming Languages) or
equivalent.
COURSE TITLE: CS 329 - Computer Security Systems II
COURSE LENGTH:
VENDOR:
The George Washington University
Department of Electrical Engineering & Computer Science
Washington, DC 20052
Professor Lance Hoffman: (202) 994-4955
Advanced topics in information systems security. Intrusion detection in expert systems related to
computer security. Viruses. Efficacy of anti-viral techniques under various architectures.
Advanced risk analysis methodologies, the developing standard computer security methodology,
and its relationship to other computer security models such as those of Bell and LaPadula, Biba,
and Clark and Wilson. Issues in computer network security. Advanced protection methods
against statistical inference. Prerequisite: CS 229 or permission of instructor.
COURSE TITLE: EE 250 - Telecommunications Security Systems
COURSE LENGTH:
VENDOR:
The George Washington University
Department of Electrical Engineering & Computer Science
Washington, DC 20052
Professor Lance Hoffman: (202) 994-4955
Cryptography. Speech and data scrambling. Nonlinear transformations. Block and stream
ciphers. DES algorithm and public key cryptography. Key management, digital signatures, and
authentication. Data communication security protocols. Secure voice communications. The
CLIPPER initiative and escrowed-key schemes. Companion course to CS 229. Prerequisite EE
204 (Stochastic signals and noise) or equivalent.
COURSE TITLE: AIS Security Strategies
COURSE LENGTH: 8 DAYS
VENDOR:
Information Resources Management College
National Defense University
Ft. Lesley J. McNair
Washington, DC 20319-6000
(202) 287-9321
This course is designed to provide the knowledge necessary for designers, developers reviewers
and approvers of new and updated Automated Information Systems to make sound decisions about
the security aspects of the system. In particular, the primary audience is managers who are
responsible for system design and specification, program management, oversight, certification
and/or accreditation of Automated Information Systems. The secondary audience for the course
includes staff from other disciplines, including technical staff personnel working in such areas as
system security, contracting, inspections or auditing, as well as members of the functional
community. The course does lean towards Department of Defense (DoD)-level guidance for
security in the data processing environment, but the concepts presented are also applicable to non-DoD systems, and to DoD embedded and C3I systems, as well.
Security professionals have emphatically asserted that security issues must be considered from the
very beginning of the planning of the system, in order to avoid significant problems in terms of
cost, schedule, and operational capability that occur when the need for security is not recognized
until late in the system development process. Therefore, the emphasis in this course is on the
early stages of system specification and acquisition, especially Functional Requirements
Definition, Security Requirements Definition, Concepts Development, and System Design. The
principal notion conveyed is the importance of performing these and all other steps throughout the
development and acquisition process in such a manner as to facilitate the eventual accreditation
of the system. Although the course is not oriented towards a security manager having operational
responsibilities (e.g., the Information System Security Officer for a local area network or for a
data processing installation), nevertheless many of the concepts taught are also applicable in an
operational environment.
COURSE TITLE: The CMW: Administrator Tutorial
COURSE LENGTH:
VENDOR:
Trusted Systems Training, Inc.
1107 South Orchard Street
Urbana, IL 61801-4851
Steve Sutton: (217) 344-0996
The course addresses the security administration of Compartmented Mode Workstations based on
the SecureWare technology, including SecureWare's CMW+, Hewlett-Packard's BLS, and
Digital's MLS+. It teaches the management of all new security features, like Protected
Subsystems, user accounts, security auditing, secure import/export, the CMW "Encodings file,"
and trusted (MaxSix) networking. The course book and accompanying textbook include written
and on-line, self-paced exercises that form the basis for classroom learning.
COURSE TITLE: Computer Viruses, Trojan Horses, and Logic Bombs
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This seminar examines the insidious threats to computer systems posed by malicious
programming, including viruses, Trojan horses, worms, logic bombs, and trap doors. We will
examine the broad spectrum of harmful code, the people who create it, how viruses get into
systems, demonstrations of illicit programs, and countermeasures. The impact of malignant
programming extends well beyond any immediate file damage. Hidden losses, such as
reconstruction of programs and data, and exhaustive detective work may be necessary. What
types of people would infect our systems....are they employees, competitors, outsiders? We will
review the latest legal cases relating to viruses and logic bombs, Examples of anti-virus software
- what these "digital pharmaceuticals" can and cannot do. Realistic approaches for controlling the
problem, and solutions which have worked. Note: Attendees are encouraged to provide examples,
from their own experience, of destructive programming threats and effective technical and
administrative countermeasures they have used. NOTE: Ask about available discount for
government hosted classes.
COURSE TITLE: Microcomputer Security
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This participative program examines the security issues around microcomputer use, with emphasis
on identifying issues and developing plausible solutions for your real-world environment. The
development of PC security issues and what the future holds. Security weaknesses of
microcomputers and where PC security differs from mainframe security. Physical protection for
the machines and associated media, plus data access control and virus prevention, with
demonstrations of related products. Contingency planning for personal computers. Policies and
procedures for controlling the spread and use of PCs. Software piracy and how to prevent it in
the workplace. The value of a comprehensive and continually updated security awareness program
in achieving your PC security objectives. Designed for DP and information center managers,
security officers, and EDP auditors. NOTE: Ask about available discount for government hosted
classes.
COURSE TITLE: Computer Security For Security Officers
COURSE LENGTH: 2 DAY
VENDOR:
USDA, Graduate School
600 Maryland Ave, SW
Washington, DC 20024
(202) 447-7124
This workshop will show you how to improve the computer security program in your agency.
Through lectures, discussion, case studies and checklists you will be able to determine the strength
of your current security program, and to pinpoint potential problem areas that need attention. You
also will learn about your responsibilities with your agency management in terms of policy
development and contingency planning.
COURSE TITLE: CS 230 - Information Policy
COURSE LENGTH:
VENDOR:
The George Washington University
Department of Electrical Engineering & Computer Science
Washington, DC 20052
Professor Lance Hoffman: (202) 994-4955
Issues related to computers and privacy, equity, freedom of speech, search and seizure, access to
personal and governmental information, professional responsibilities, ethics, criminality, and law
enforcement. This course examines these policy issues using the current literature and written,
electronic, and videotape proceedings of recent major conferences and government hearings.
Prerequisite CS 131 (Programming of Data Structures) or equivalent.
COURSE TITLE: Security and Control in Automated Systems-Audit IS
COURSE LENGTH: 3 DAYS
VENDOR:
USDA Graduate School
600 Maryland Ave., S.W.
Washington, D.C. 20024
(202) 382-8620
Internal auditors have a major role in reviewing the security and controls in sensitive automated
systems. This course provides practical guidelines ant techniques for auditing and evaluating the
adequacy of security and internal controls in sensitive automated systems. Major problem areas
are discussed and examples illustrating the results of inadequate security and controls are
presented. In addition, the responsibilities of management, internal audit, and data processing
personnel are discussed. This course also provides the attendee with a comprehensive
methodology for conducting security and internal control audits of sensitive data processing
systems. Using a case study approach, the course illustrates how to identify and quantify the
vulnerabilities of automated systems to fraud, disclosure, delay and other threats. The internal
control techniques which can be applied to address these vulnerabilities are discussed, as well as
the requirements of OMB circulars A-127 and A-130.
COURSE TITLE: Fundamentals of Computer Security for Federal Information Systems
COURSE LENGTH: 5 DAY
VENDOR:
USDA Graduate School
600 Maryland Ave., S.W.
Washington, D.C. 20024
(202) 447-7124
This five-day course provides those responsible for computer security with an overview of security
issues specifically related t the federal government. Designed to introduce and cover the
fundamentals areas of concern facing computer security officers, from mainframe to PC's. The
objectives are covered by lecture, group discussion, slide and video presentations. The instructor
will provide extensive insights into computer security based on operational experiences. In
addition, hands-on risk analysis exercises will be performed. The student will be provided with
extensive materials, including demonstration diskettes and public domain anti-virus software.
COURSE TITLE: Computer Security Seminar
COURSE LENGTH: 3 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This computer security seminar focuses on the hardware and software mechanism which can be
used to implement specific TCSEC security functionality. Computer security concepts,
requirements, and implementation examples are presented for policy enforcing mechanisms,
accountability mechanisms, and underlying architectures supporting the reference monitor concept.
Issues on integrity, covert channels and trusted applications are also discussed. In-class exercises
and practical examples reinforce the important concepts presented in the lecture materials. The
seminar concludes with discussions of several evaluated products.
COURSE TITLE: Network Security Seminar
COURSE LENGTH: 3 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
In this seminar you will learn how to integrate and implement secure networks. You will be
introduced to network security concepts, fundamentals, network threats, and the Trusted Network
Interpretation [TNI] of the TCSEC. Security properties required of a trusted network, secrecy,
integrity and availability are described per the OSI security services model. Interconnection of
separately accredited AIS systems is discussed focusing on possible cascading problems. The
group project has students design a hypothetical network security architecture, identify the
necessary evaluation class(es), analyze the network data flows, and specify the assurance
requirements. The seminar concludes with an overview of secure networking products and efforts.
COURSE TITLE: Database Security Seminar
COURSE LENGTH: 3 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This seminar addresses how to use multilevel databases management systems effectively and as
an integrated part of a system solution. The seminar introduces database security issues and
problems and familiarizes participants with the NCSC's Trusted Database Management System
Interpretation [TDI] of the TCSEC. Several approaches to building multilevel database systems
are presented: integrity lock, kernelized, layered, partitioned and distributed. Topics include;
database design considerations view versus relation discretionary controls, mandatory controls,
inference, and aggregation. Class exercises and practical examples are used to reinforce concepts.
COURSE TITLE: Comprehensive INFOSEC Seminar
COURSE LENGTH: 5 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This seminar provides an intensive presentation of INFOSEC topics by combining ARCA's
INFOSEC Foundations, Computer, Network, and Database Security seminars. Critical INFOSEC
topics from these public seminars are presented in detail and other topics are summarized in a
single week. This seminar provides an excellent start-up for an engineering organization starting
an MLS or security program or expanding its security staff.
COURSE TITLE: Communication Security Principles & Practices
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This workshop is for data processing managers, security officers, and auditors who have little or
no knowledge in the communications area. Because communications systems are so complex and
vulnerable, the data processing operation is a substantial risk. You will learn about the basic
concepts and the terminology needed to communicate effectively with technicians. The emphasis,
however , is on vulnerabilities and the practical security safeguards you can implement. Because
the largest communications risk faced by most organizations is unauthorized access to their
computers, considerable emphasis will be placed on how mainframe access control mechanisms
interface with other communication security techniques. In particular, you will learn to address
the three major risks - loss of network service, unauthorized access to your network and data
center resources, and surveillance of your network traffic. "Special Note" You are encouraged to
prepare, in advance of the Workshop, a description of specific communications security problems
being faced within your own organization. Cases will be discussed as time permits and as issues
arise during the Workshop. NOTE: Ask about available discount for government hosted classes.
COURSE TITLE: Managing Computer Security-Mergs, Acq, and Divestitures
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
Mergers, acquisitions, and divestitures are common in today's corporate environment.
Unfortunately, while these situations can create serious information protection problems, security
is usually considered only after the financial, legal, and structural issues have been settled. This
seminar for security officers, DP managers, and auditors examines what to do before, during and
after a major organizational change to ensure the adequate controls are in place. Computer
security problems in merger/acquisition/divestiture situations, and what we can do about them.
How major internal reorganizations, functional, consolidation, and plant closings affect security.
These days many large corporations are "outsourcing" - getting out of the DP business by
contracting all DP operations to an outside vendor. When this occurs, how do we ensure that the
vendor properly protects our sensitive data and applications? What conditions increase an
organization's vulnerability? Risk-reducing countermeasures. NOTE: Ask about available
discount for government hosted classes.
COURSE TITLE: Computer Security And Privacy
COURSE LENGTH:
VENDOR:
Johns Hopkins University
9601 Medical Center Drive
Rockville, MD 10850
(301) 294-7070
This course surveys the broad fields of computer security and privacy, concentrating on the nature
of the computer security problem by examining threats to systems, types of computer systems, and
areas of system security and protection. Policy considerations related to the technical nature of the
problem as manifested in government regulations and commercial practices are examined. The
course develops the student's ability to assess system security weakness and formulate technical
recommendations in the areas of hardware. Additional topics include access control
(hardware/software), communications and network security, and the proper use of system software
(op. system and utilities). The course addresses the social and legal problems of individual privacy
in a data processing environment, as well as the computer "crime" potential of such systems.
Several data encryption algorithms are examined. A student project or programming assignment
may be required.
COURSE TITLE: Auditing the Data Center for Controls, Efficiency, and Cost-Effectiveness
COURSE LENGTH: 2 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
As an auditor in today's business environment, you must be familiar with the information
processing function. In this seminar you will learn the components of a data center and the
controls necessary to ensure accurate and reliable processing. The course covers data center
operations, administration, scheduling, physical and data security, program change control,
incident reporting, disaster recovery, and more. The seminar focus is on mainframe data centers,
but includes security and audit responsibilities for mini and microcomputer environments as well.
Participants should have attended IS Auditing and Controls or Auditing Automated Business
Applications.
COURSE TITLE: Data Security Planning
COURSE LENGTH: 3 DAY
VENDOR:
IBM Management Institute
19th Floor
Chicago, IL 60611
(312) 245-3791
This course incorporates the latest thinking on data security planning and discusses practical
methods used by leading companies. It presents the policies and guidelines of IBM and other
organizations to help resolve the issues facing you and your organization. This course should be
attended by staff or line management responsible for implementing or enhancing the data security
program. It is also intended for data security administrators, auditors and others with a specific
interest in data security. This is a management course, not a technical course. It is appropriate
for organizations with large or small DP installations.
COURSE TITLE: Computer Viruses: Detect, Prevent, Cure Infections
COURSE LENGTH: 2 DAY
VENDOR:
CENTER for Adv. Professional Develop.
1820 E. Garry St.
Santa Ana, CA 92705
(714) 261-0240
Most of those who work with computers are aware of the existence of something called "computer
virus," and the fact that it may be a danger to their computers or data. But it is hard to get good
answers to the questions of what, exactly, a virus is, how great a danger it represents, and how
to defend against any damage it might cause. Covering technical details where necessary, but
always in non-technical language, this course will tell you what viri are, how they attack, how you
can defend against them, and what the existence of viri mean to you and your use of computers.
The course will give you a complete overview of all known ways that viri have "reproduced," and
the various types of damage they have done. New viri are constantly being written so the course
is constantly being updated, and research into ways that viri could attack, but haven't yet, will be
reported.
COURSE TITLE: Disaster Recovery Planning
COURSE LENGTH: 3 DAY
VENDOR:
IBM Management Institute
19th Floor
Chicago, IL 60611
(312) 245-3791
The real objective is to develop and maintain recovery capability - not just for DP but - for the
applications critical to the conduct of business. It is easier and cheaper to do this right. This
course is designed for those who wish to understand the issues, the alternatives, those who have
to put a recovery capability into place. Teams from both the DP and user communities are
encouraged to attend together. This is a management course, not a technical course and the
strategies discussed are independent of any particular hardware of software.
COURSE TITLE: Auditing the Systems Development Process
COURSE LENGTH: 3 DAY
VENDOR:
USDA Graduate School
600 Maryland Ave., S.W.
Washington, D.C. 20024
(202) 382-8620
Developing automated information and control systems is a critical, complex and costly
undertaking for any organization. It is also an effort that is fraught with problems if not managed
properly. This course will provide auditors in both the public and private sectors with an
understanding of the systems development life cycle; a knowledge of problems that can and have
been encountered in developing systems and the causes of such problems; and a methodology for
auditing the systems development process and providing management with focused
recommendations to prevent systems development efforts from failing. NOTE: This course is
designed for all auditors who are, or will be, involved in audits of systems prior to installation into
production. At least three years of auditing experience is required.
COURSE TITLE: Trusted Integration/System Certification
COURSE LENGTH: 2 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This case-study workshop will introduce issues related to the procurement, development,
certification and accreditation of a secure system solution for multilevel and multi-compartment
information management. The individual will learn how to formulate and specify security
requirements through a system security policy and security concept of operations. Participants
learn how to develop a system security architecture and decompose it into cost-effective designs
using trusted products as components. Seminar topics include integrating engineering plans,
system and security requirements, system and security designs, system and security
implementations, gathering assurance evidence and certification and accreditation.
COURSE TITLE: Risk Assessment Techniques For Auditors
COURSE LENGTH: 2 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
In this seminar you will learn how to design or select and implement a system for preparing your
annual audit plan. You will learn ways to define an audit universe and auditable units. The risk
concepts and methods you will learn will reduce your subjectivity and improve your efficiency and
effectiveness in determining which audits to do when. The program examines techniques used by
audit organizations today and compares strengths and weaknesses of the various methods. You
will learn risk assessment, priority setting and decision making skills that will enable you to
develop effective annual audit plans based upon risk.
COURSE TITLE: Operating System Security Concepts
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
An introduction to operating system concepts and terminology in computer security mechanisms.
These concepts include operating system services, structures and processes; design principles;
architectures; hardware security mechanisms; file systems; domain mechanisms; memory
mapping; and device drivers. Specific threats, vulnerabilities and derived countermeasures to
operating system security are emphasized. Specific case studies, e.g., MS/DOS, OS/2,
MULTICS, UNIX, VAX/VMS, SCOMP and a variety of distributed operating systems.
Problems and group exercises reinforce class presentations. Prerequisites: Bachelor's degree in
Computer Science/Electrical Engineering/Mathematics or equivalent experience. Experience
developing software employing operating systems capabilities is desirable. NOTE: This course
is technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: Trusted Systems Criteria and Concepts
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study which examines the principles and technology underlying the DoD Trusted Computer
System Evaluation Criteria (TCSEC), and the related topics of trusted system evaluations and
accreditation. Specific topics include basic principles of trusted systems, mandatory and
discretionary access control (MAC & DAC), user accountability, security architectures, formal
security models, TCSEC interpretations and other assurance techniques. Students examine how
to build secure applications for a trusted system without invalidating the system's evaluation.
Students reinforce class presentations by using the Xenix 2 software package in laboratory
exercises. Prerequisites: Familiarity with operating systems and a Bachelor's degree in Computer
Science/Electrical Engineering/Mathematics or equivalent experience. NOTE: This course is
technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: Theoretical Foundation/Trust of Information Systems
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study of fundamental concepts of models in computer security. Develops techniques necessary
to identify and describe problems in computer security using mathematical and logical concepts.
Addresses the development of a formal model for computer security, demonstrates that the model
is consistent with its axioms and that the model is used in designing secure systems. Instruction
covers classic Bell La Padula (BLP) model, as well as access control, information flow,
non-interference, concurrence, network security and take-grant models. Surveys newer models:
database, integrity and event-based. Prerequisites: CP-510 and a Bachelor's degree in Computer
Science/Electrical Engineering/Mathematics of equivalent experience. Familiarity with
mathematical logic is desirable. NOTE: This course is technical in nature. Call the vendor
regarding a clearance.
COURSE TITLE: Architecture for Secure Systems
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study of the basic architectural features to support secure computer systems. Using
requirements of trusted computer systems evaluation criteria, the student will study design and
implementation of various protection systems by addressing required protection and domain
separation mechanisms. Prerequisites: CP-510 and a firm understanding of the Bell La Padula
Model. A Bachelor's degree in Computer Science/Electrical Engineering/Mathematics or
equivalent experience. Experience in developing software using operating systems capabilities is
desirable. NOTE: This course is technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: Network Security Architecture
COURSE LENGTH: 2 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study covering networking and protocol concepts important for building secure systems in a
variety of areas including: (1) network security concepts related to different types of computer
networks (2) layered protocol-security in general and the OSI Reference Model in particular (3)
the Government Open Systems Interconnection Profile (GOSIP), including a description of the
security options supported (4) OSI Security Architecture, describing the OSI security services,
mechanisms and management (5) network security design factors for confidentiality, integrity and
assured service. Prerequisites: Bachelor's degree in Computer Science/Electrical
Engineering/Mathematics or equivalent experience. Familiarity with data communications and
computer security concepts/terminology is desirable.----CP-533 and 535 are specifically structured
to present a complete component of network information during a five-day week; we highly
recommend students take both courses. NOTE: This is technical in nature. Call the vendor
regarding a clearance.
COURSE TITLE: Advanced Network Security Architecture
COURSE LENGTH: 3 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study covering advanced secure network and protocol concepts important for building secure
systems in a variety of areas including: (1) the OSI Security Architecture (2) detailed protocol
descriptions (i.e., IEEE 802 Standards; data link protocols, X.25 and related standards;
Transmission Control Protocol/Internet Protocol (TCP/IP); Security Protocol 4 (SP4)/Security
Protocol 3 (SP3); File Transfer, Access and Management (FTAM) Protocol; and Key
Management Protocol (KMP)) (3) Secure network performance analysis using probability theory,
queuing theory and simulation (4) Integrated Services Digital Network (ISDN) and its relationship
to computer security and the OSI Reference Model (5) security services provided by protocols
such as confidentiality, integrity and assured service (6) specific network applications including
SDNS, BLACKER, CANEWARE, IBM's SNA, Novell's NetWare, Defense Data Network
(DDN), FTS 2000 and Electronic Data Interchange (EDI). Prerequisites: CP-533 and a
Bachelor's degree in Computer Science/Electrical Engineering/Mathematics or equivalent
experience.---CP-533 and 535 are specifically structured to present a complete component of
network information during a five-day week; we highly recommend students take both courses.
NOTE: This course is technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: Model Interpretations
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study covering the interpretation and subsequent application of the rules of formal security
policy models. Student will compare (map) these rules to a system's software to ensure that the
system's performance accurately complies with the formal models. Comparison will require
application of these rules to lower specification levels of both operating systems and hardware
architectures. Course will also cover state-of-the-art applications of formal models. Prerequisites:
CP-510, 520 and 530. Bachelor's degree in Computer Science/Electrical
Engineering/Mathematics or equivalent experience. Experience with mathematical logic is
desirable. NOTE: This course is technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: Introduction to Software Verification
COURSE LENGTH: 15 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study covering the state-of-the-art in verification techniques and practice using two, endorsed
NCSN verification tools. Techniques include a comparison between code and design verification.
Student will read, write and execute basic specifications and understand first-order logic and
verification systems. Student will develop and prove properties of formal specifications.
Prerequisites: MP470 or working knowledge in predicate calculus and first-order logic, CP-510
and a Bachelor's degree in Computer Science/Electrical Engineering/Mathematics or equivalent
experience. NOTE: This course is technical in nature. Call the vendor regarding a clearance.
COURSE TITLE: INFOSEC Evaluations Using Formal Methods
COURSE LENGTH: 5 DAY
VENDOR:
National Security Agency
Airport Square
Baltimore
(301) 859-6417
A study covering the verification paradigm in detail; derivation of the security policy and its
corresponding formal model; formulation of a Formal Top Level Specification (FTLS) and
Descriptive Top Level Specification (DTLS); and mapping of the FTLS to implementation. Each
of the parts of the paradigm will be investigated in terms of content and sufficiency to meet the
design specification and verification requirements for the information security system being
developed. Examples will cover how verification can be used with cryptographic Communications
Security (COMSEC) products. Prerequisites: CP-510 and a Bachelor's degree in Computer
Science/Electrical Engineering/Mathematics of equivalent experience. Knowledge of
mathematical logic is desirable. NOTE: This course is technical in nature. Call the vendor
regarding a clearance.
COURSE TITLE: COMSEC
COURSE LENGTH: 1 Day
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
Participants are provided an in-depth technical presentation of both design requirements and
theoretical issues.
Topics Covered
Security Overview, RED/BLACK Concepts, Encryption, CCEP and Military Devices
Facility Design, SCIF Issues, System/Network Design, Hardware Box Level Design, TSRD,
Security Fault Analysis, TEMPEST Countermeasures
Student Background: BSEE or equivalent design experience. Not intended for non-technical end
users.
Sponsor Required - Classified: (SECRET) - Coursebook: (UNCLASSIFIED)
**Note: There is also a confidential version of this course.
COURSE TITLE: Network Security
COURSE LENGTH: 1 Day
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
Participants learn the "how to" of integrating network security into their overall ADP security
program. This course is intended to provide formal training for computer security engineers.
Topics Covered
UNIX/Apple/Novel Security Models, Software/Hardware Protection, Hackers and Crackers,
Network Cracking, Gateway protection, Proactive Security, Examples
Student Background: BSCS or equivalent background, Network management experience
COURSE TITLE: GBA 578: Security and Privacy of Information Systems
COURSE LENGTH: 1 QUARTER
VENDOR:
California State Polytechnic, Univ, Pomona
College of Business Administration
Computer Information Systems Department
3801 West Temple Avenue
Pomona, CA 91768-4083
Dan Manson: (909) 869-3244
The purpose of the course is to introduce students to security and privacy issues
at two levels. The textbook provides a view of information protection issues from
a management viewpoint. The audit project will give students an opportunity to
translate information protection requirements from management theory to a practical level by
reviewing access controls in an actual computer system. Concepts of information security and
privacy. Understanding information protection, physical and logical security of information
systems. Prerequisite: CIS 433, GBA 577 or permission of instructor.
COURSE TITLE: CIS 433, EDP Auditing
COURSE LENGTH: 1 QUARTER
VENDOR:
California State Polytechnic Univ, Pomona
College of Business Administration
Computer Information Systems Department
3801 West Temple Avenue
Pomona, CA 91758-4083
Dan Manson: (909) 869-3244
Auditing in a computer information systems environment involves evidence that originates or is
maintained in a computer system. The course provides students with an understanding of the role
of the EDP Audit function, the purpose of controls in a computer environment, and skills required
to perform EDP Audits. Fundamentals of EDP auditing. Understanding EDP controls, types of
EDP audits, risk assessment and concepts, and techniques used in EDP audits. Prerequisite: ACC
419 or CIS 406 or permission of instructor.
COURSE TITLE: GBA 560 Legal Environment of Information Systems
COURSE LENGTH: 1 QUARTER
VENDOR:
California State Polytechnic Univ, Pomona
College of Business Administration
Computer Information Systems Department
3801 West Temple Avenue
Pomona, CA 91768-4083
Frederick Gallegos: (909) 869-3814
This course is intended to provide the student with a fundamental working knowledge of a number
of legal areas of the data processing industry. The course will stress the area of contract contents
and interpretation, tort liability including negligence and misrepresentation in the computer
industry and intellectual property rights analysis, including a survey of the areas of copyright,
patent and trade secrets and trademark law.
It is hoped that the student would obtain a fundamental knowledge of the legal concepts involved
such that as problems arise, the student will be able to recognize, in a working environment. that
legal issues must be addressed.
COURSE TITLE: GBA 577: Advanced EDP Auditing
COURSE LENGTH: 1 QUARTER
VENDOR:
California State Polytechnic Univ, Pomona
College of Business Administration
Computer Information Systems Department
3801 West Temple Avenue
Pomona, CA 91768-4083
Dan Manson: (909) 869-3244
Auditing in a computer information systems environment involves evidence that originates or is
maintained in a computer system. The course provides students with an understanding of the role
of the EDP Audit function, the purpose of controls in a computer environment, and skills required
to perform EDP Audits. Advanced concepts in EDP Auditing. Understanding EDP controls,
types of EDP audits, risk assessment and concepts, and techniques used in EDP audits.
Prerequisite: CIS 433 or permission of instructor.
COURSE TITLE: Computer Security for the End-User
COURSE LENGTH: 1 DAY
VENDOR:
COMSIS
8737 Colesville Road, Suite 1100
Silver Spring, MD 20910
Ronald E. Freedman: (301) 588-0800
This course provides training to end-users who operate sensitive and mission-critical systems
and/or rely upon automated information systems to perform their work.
COURSE TITLE: Information Systems Security (CSI 214)
COURSE LENGTH: 1 SEMESTER
VENDOR:
Anne Arundel Community College
Engineering and Computer Technology
Careers 219
101 College Parkway
Arnold, MD 21012-1895
Gail Reese: (410) 541-2758
Introduction to the protection of information and equipment in computer systems and associated
communications networks. Topics include all aspects of systems protection including physical
security, hardware, software and communications security. Includes a discussion and
demonstration of issues related to recognizing and handling viruses. Addresses technical, legal
and ethical issues associated with this important topic. NOTE: Three semester hours. prerequisite:
CSI 113 or permission of department head.
COURSE TITLE: TEMPEST Program Management and Systems Engineering
COURSE LENGTH: 2 DAYS
VENDOR:
Security Engineering Services, Inc.
5005 Bayside Road
Chesapeake Beach, MD 20732
Bruce Gabrielson: (301) 855-4565
This course provides students with a technical background of what TEMPEST is and how it is
applied to insure secure information is protected at the system/user level. In addition, the course
provides managers with the requisite background to successfully manage a commercial or military
TEMPEST program.
Introduction and History, Theory Overview
Program Management: Military and Commercial, ETPP, SSEM Aspects
Requirements: DID's
Relationship to COMSEC and EMC
Introduction to RED/BLACK Systems: Network Overview, Cabling, Fiber Optics
Facility Design: Shielding, Power Systems, Isolation Transformers, Portable Enclosures
TEMPEST Vulnerability Assessments
Overview of Network Testing, Test Labs, and Zones
Emerging Issues
Student Background: Experienced Security Officers, TEMPEST Engineers or Managers
Sponsor Required - Classified: (SECRET) - Coursebook: FOUO
COURSE TITLE: CSMN 655 - Information Risk Assessment and Security Management
COURSE LENGTH: 1 Sem.
VENDOR:
University of Maryland, University College
Graduate School of Management & Technology
University Boulevard at Adelphi Road
College Park, MD 20742-1614
Associate Professor P.F.G. Keller: (301) 985-7989
This course provides an in-depth study of the physical, logical, and personnel vulnerabilities of
information and telecommunications systems operations. It examines the historical, philosophical
and emerging trends in risk assessment methodology and the parallel contributions to security and
the control of information environments. This course fosters a deeper understanding of the
elements of management through an analysis of industry and government information resource
recovery procedures and develops insights into problems associated with regulation of computer
and information resources.
COURSE TITLE: Computer Crime & Industrial Espionage
COURSE LENGTH: 1 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
By the year 2000, projections suggest that an amazing 2.5 billion people will have access to
computer systems. Clearly, our old concepts of doing business are changing! The opportunity
for misuse of computers increases each day. This seminar is designed to help data processing
managers, plant and DP security personnel, and auditors understand the unique nature of computer
crime and the vulnerability of their critical and sensitive information to misuse. We will examine
the current state of computer crime and explore specific methods used for illicit information
gathering. Unauthorized attempts to access corporate data are no longer likely to be teenage
hackers playing games. Industrial espionage has become a significant threat as many major
corporations adopt the philosophy that it's more important to know what the competition is doing
than what the customer wants. You will learn where confidential corporate information is leaking
and what can be done to reduce the threat. You will hear about a number of actual incidents of
computer-aided crime and the specific steps you can take to prevent similar abuses from occurring
in your organization. NOTE: Ask about available discount for government hosted classes.
COURSE TITLE: A Practical Approach to Certifying a System
COURSE LENGTH: 2 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This course shows you how to go about certifying the security of a system, whether IBM, DEC,
another vendor, or a combination of equipment and software on a network. The approach used
in the class will provide you with flexible techniques to conduct risk assessments, to obtain
consensus on the standard (whether or not a formal standard exists), to develop a framework for
certification, and to identify and evaluate the controls on the system against this framework. The
result is a documented summary of the risks and controls, organized in a way that permits easy
follow-up and modification if needed. These techniques can be applied to any organizational
culture. NOTE: Ask about available discount for government hosted classes.
COURSE TITLE: The Security-Audit Alliance
COURSE LENGTH: 3 DAY
VENDOR:
Computer Security Institute
600 Harrison Street
San Francisco CA 94107
(415) 905-2626
This one day session is intended for both auditors and security controls. It will provide both
groups of professionals with specific ideas to improve their effectiveness and productivity by
working together in non-traditional ways. NOTE: Ask about available discount for government
hosted classes.
COURSE TITLE: Operational Network Security Seminar
COURSE LENGTH: 2 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
This seminar will teach the individual how to assess the level of operational network security
required in different networking environments and how to implement security measures in these
environments. Participants will gain a knowledge of basic operational network security principles,
and an understanding of current threats to network security. This session will enable the individual
to understand the differences in operational environments and to gain knowledge of network
security architectures and their effectiveness in achieving security. The individual will gain an
understanding of gateway-level solutions, including firewalls, and secure routers and a familiarity
with network security tools including intrusion detection systems.
COURSE TITLE: Computer Viruses Seminar
COURSE LENGTH: 1 Day
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
The Computer Viruses Seminar will teach individuals how to detect viruses on PC and Macintosh
platforms, how to determine what a virus is programmed to do and how to respond efficiently to
a virus infection in stand-alone systems and local area networks. The curriculum covers what a
virus is and how virus code differs from other types of malicious code, typical virus structures and
modes, virus replication, activation and survival mechanisms. You will learn the symptoms and
effects of virus infections and the basic mechanisms of virus detection and eradication software.
Also covered are the advantages and limitations of major virus detection and eradication software.
COURSE TITLE: Business Impact Analysis
COURSE LENGTH: 2 DAYS
VENDOR:
Disaster Recovery Institute
1810 Craig Road, Suite 213
St. Louis, MO 63146-4761
Bill Langendoerfer: (314) 434-2272
This course is designed for contingency planners who will be involved in organizing, managing,
and conducting a Business Impact Analysis (BIA). It is appropriate for all levels of contingency
planning experience.
Topics to be addressed include discussions of an organization's contingency program and planning
methodology. Participants are introduced to the business impact analysis and the importance of
this element in the Functional Requirements Phase of corporate contingency planning. Attendees
will address how to plan and successfully conduct a business impact analysis project. Class
participation and team utilization of ideas will be emphasized.
Upon completion of the course, students will be able to understand the need and commitment
required to conduct a BIA; plan the BIA project to determine the scope, resources, and time
requirements; conduct the data gathering; analyze the data to reach conclusions; document the
findings to achieve results; and obtain acceptance of the findings and approval to go to the next
step.
COURSE TITLE: Communications Technologies
COURSE LENGTH: 2.5 DAYS
VENDOR:
Disaster Recovery Institute
1810 Craig Road, Suite 213
St. Louis, MO 63146-4761
Bill Langendoerfer: (314) 434-2272
This course is the second of four courses intended for novices in the area of disaster recovery
planning. It is designed for disaster recovery planners who are unfamiliar with communications
technologies as well as prospective contingency planners, data communications managers, and
others who will be involved in the development or management of the contingency plan and the
recovery of communications networks.
Participants will be introduced to network components, network loading analysis, voice network
analysis, and other significant aspects of network recovery planning. Attendees will also learn
to identify and evaluate alternative configurations and techniques. Class participation and team
utilization of concepts will be emphasized.
Upon completion of the course, students will be able to understand the concepts of electronic
communications, identify the components in a data communications network, identify and examine
alternative configurations and techniques for the backup and recovery of networks, and begin
emergency planning and control of communications recovery teams.
COURSE TITLE: Managing and Developing a Disaster Recovery Plan
COURSE LENGTH: 2.5 DAYS
VENDOR:
Disaster Recovery Institute
1810 Craig Road, Suite 213
St. Louis, MO 63146-4761
Bill Langendoerfer: (314) 434-2272
This course is designed for those who have limited experience in the area of disaster recovery
planning. It was developed for prospective contingency planners, operations managers, data
communications managers, disaster planning and recovery team members, and others who will
be involved in the development or management of the contingency planning and recovery
functions.
The course will prepare participants for managing the planning project, developing the actual plan,
and preparing the plan's documentation. Students will review verbal and written communications
techniques, the basics of disaster recovery plan design using project teams, the selection of
alternative procedures, and basic documentation standards. Class participation and team utilization
of concepts will be emphasized.
Upon completion of the course, participants will be able to apply improved project and time
management skills for managing the planning project, use improved verbal and written
communications skills and techniques to communicate with organization management and disaster
recovery teams, develop the basic design of the disaster recovery plan, produce standardized
documentation of the plan, and use improved management report presentation techniques and skills
to assist in gaining plan approval.
COURSE TITLE: Implementing and Testing the Disaster Recovery Plan
COURSE LENGTH: 2.5 DAYS
VENDOR:
Disaster Recovery Institute
1810 Craig Road, Suite 213
St. Louis, MO 63146-4761
Bill Langendoerfer: (314) 434-2272
This course is designed for those who have limited experience in the area of disaster recovery
planning. It was developed for prospective contingency planners, operations managers, data
communications managers, disaster planning and recovery team members, and others who will
be involved in the development or management of the contingency planning and recovery
functions.
The course will prepare participants to develop the detailed procedures within the disaster recovery
plan and be prepared to teach those procedures when training other disaster recovery teams. Other
topics to be explored include the development of a testing and assessment program, as well as
periodic maintenance of the plan. Class participation and team utilization of concepts will be
emphasized.
As part of this course, participants will learn to develop and conduct specialized training courses
for those participating in the design and implementation of the plan; implement the plan by
developing detailed recovery procedures; develop a disaster recovery plan testing program that
incorporates various scenarios, periodic use of recovery teams, and documentation of the test
results; and apply methods and procedures for reviewing the recovery plan controls, maintaining
the plan, and evaluating its effectiveness.
COURSE TITLE: The CMW: Application Programming
COURSE LENGTH:
VENDOR:
Trusted Systems Training, Inc.
1107 South Orchard Street
Urbana, IL 61801-4851
Steve Sutton: (217) 344-0996
The course addresses programmers who create or port trusted applications for Compartmented
Mode Workstations based on the SecureWare technology, including SecureWare's CMW+,
Hewlett-Packard's BLS, and Digital's MLS+. It teaches the secure use of all new security
features, like Protected Subsystems, sensitivity and information labels, and trusted (MaxSix)
networking. The course book and accompanying textbook include many programming examples
and written exercises that form the basis for classroom learning.
COURSE TITLE: PC SECURITY
COURSE LENGTH: 1 DAY
VENDOR:
Booz�Allen & Hamilton
8th Floor, Room 822
8283 Greensboro Drive
McLean, VA 22102-3838
Butch Chaboudy: (703) 902-5265
This course provides a basic understanding of Information Security as it applies to Personal
Computers and PC networks. The student will learn the key elements of information security and
gain an understanding of concepts such as risk management, trusted products and certification and
accreditation as it applies to the PC environment. User responsibilities are stressed and user
actions that lead to security problems are discussed. Additionally, the student will gain an
understanding of the security attributes of basic network topologies and be able to apply user
action to protect their system as part of a network or when operating in a stand-alone
configuration.
COURSE TITLE: LAN Security
COURSE LENGTH: 16 HRS
VENDOR:
DATAPRO Educational Services
600 Delran Parkway
Delran, NJ 08076
(609) 764-0100
This course will provide the student with a comprehensive view of the issues involving the security
of the Local Area Networks. It will also provide a basic knowledge of the management of ARLs.
user rights, and login-password routines of Novell, Starian and Banyan. The instructor and
students will discuss the various policy issues and the tactics required to involve management on
the security LAN installations, and selling security to the end-users.
COURSE TITLE: The CMW: User Tutorial
COURSE LENGTH:
VENDOR:
Trusted Systems Training, Inc.
1107 South Orchard Street
Urbana, IL 61801-4851
Steve Sutton: (217) 344-0996
The course addresses the day-to-day users of Compartmented Mode Workstations based on the
SecureWare technology, including SecureWare's CMW+, Hewlett-Packard's BLS, and Digital's
MLS+. It teaches the principles and use of all new security features, like the Trusted Path,
authorizations, access control lists, and sensitivity and information labels. students learn all they
need to know to securely use these systems. The course book and accompanying textbook include
written and on-line, self-paced exercises that form the basis for classroom learning. This course
also serves as the basis for more advanced CMW courses.
� PRODUCT SPECIFIC COURSES
RACF
COURSE TITLE: SE02: RACF for Security Officers
COURSE LENGTH: 1 DAY
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Security Officers the ability to monitor and control access to data
and resources for projects on an MVS system using RACF. Specifically they will learn to list and
describe the options available under RACF, use RACF to authorize the use of resources and
control access to data, and to monitor compliance with security procedures.
Specific topics include an overview of RACF, how it provides security, Dod requirements, setting
RACF options including tape protection, reporting activity, protecting system resources, programs
and datasets, RACF and TSO, monitoring security using AUDITOR, and RACF recovery.
COURSE TITLE: SE01: RACF for Project Managers
COURSE LENGTH: 2 DAYS
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Project Managers the ability to manage and control authorization
to access and modify data and userid resources for projects under their jurisdiction. Specifically
they will learn to manage and control access to project related data, list and describe the userid
controls available under RACF.
Specific topics include an overview of RACF, global access checking, discretionary and
mandatory access controls, discussions of what makes a system secure and DoD requirements,
using RACF commands, RACF groups, resource profiles and permits, and the control of userids.
COURSE TITLE: Auditing RACF
COURSE LENGTH: 2 DAY
VENDOR:
RSH Consulting, Inc.
29 Caroline Park
Newton, MA 02168
Bob Hansel: (617) 969-9050
This course is designed to give auditors and security administrators who are new to RACF a
foundation and framework for reviewing controls. It provides an introduction to RACF and
presents a structured program for conducting a RACF audit in an MVS environment. The course
begins by providing basic information on the function, features, options, and components of
RACF. Users, groups, and resources will be described, and their relationships will be defined.
The logic RACF uses to determine whether access administrative authorities will also be
discussed. Lastly, audit tools, techniques, and strategies will be described. Sample RACF reports
will be used to examine RACF controls and identify vulnerabilities. The course provides a
comprehensive set of tools and techniques required for conducting an effective audit.
COURSE TITLE: Effective RACF Administration (H3927)
COURSE LENGTH: 4.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This lab course teaches you how to RACF effectively to implement resource access control for
MVS and VM systems. Course emphasis is on preparing you to be an effective security
administrator when you return to your job. Through a combination of lecture and hands-on lab
exercises you will gain experience and confidence in using RACF. Classroom lecture topics are
reinforced with hands-on lab exercises where you will use RACF commands and panels to define
users, set-up a group structure, protect resources, and produce audit reports.
*RACF is a trademark of the IBM Corporation
COURSE TITLE: RACF Installation (H3837)
COURSE LENGTH: 1.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to install and support RACF in MVS and VM environments.
*RACF is a trademark of the IBM Corporation
COURSE TITLE: RACF: Proper Implementation and Security
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This course introduces you to the facilities of RACF that have an impact upon audit and control
objectives. It provides a complete overview of all important functions and terminology associated
with RACF. You will learn to identify how RACF functions within your MVS installation and
how to audit its use and administration. The course covers the Data Security Monitor and other
Auditability enhancements in versions 1.7 and 1.8. You will also learn the internal security
features of RACF and how you can conduct tests to insure that control and audit mechanisms are
implemented properly. The seminar outline is subject to change based on enhancements and
changes to the RACF product. Participants should have attended OS/MVS Operating:Security and
Audit. NOTE: A 2-DAY WORKSHOP IS ALSO AVAILABLE.
COURSE TITLE: How to Get the Most Out of RACF
COURSE LENGTH: 5 DAYS
VENDOR:
the Henderson Group
6101 Wynnwood Road
Bethesda, MD 20816
(301) 228-7187
This course provides data security officers, auditors, and RACF administrators with a
comprehensive foundation in RACF, how it works, and how to use it, including the new features
of RACF 1.9.2. (RACF is IBM's strategic security software for mainframe computers.) Students
learn: all the operands of all the commands; how to use each resource class; a strategy for rapid,
effective, roll-out of RACF protection; and a non-technical understanding of RACF internals,
architecture, and philosophy. This course covers how to use RACF with: CICS, VM, DB2, IMS,
SMS, and other software such as job schedulers. Students receive a 350-page workbook/reference
manual as part of the course. Handouts include exercises and diagrams showing the relation
between RACF and other system software.
COURSE TITLE: Practical Approach to Auditing RACF
COURSE LENGTH: 2 DAYS
VENDOR:
the Henderson Group
6101 Wynnwood Road
Bethesda, MD 20816
(301) 228-7187
You cannot have effective security in an MVS installation without security software such as
RACF, ACF2, or TopSecret. This course provides EDP auditors and security administrators with
a basic understanding of what RACF is and how it works, and then shows you how to audit or
review it. Attendees develop their own RACF audit or security review program as a class
exercise. The course workbook provides forms for data collection and analysis, as well as a
checklist of items to consider incorporating into the plan. Handouts include exercises and
diagrams showing the relation between RACF and other system software. This course addresses
all the features of RACF 1.9 and 1.9.2. Attendees learn: how RACF works in non-technical
terms; how to evaluate RACF protection; how to evaluate delegation of authority and the RACF
group structure; what data to gather, how to gather it, and how to analyze it to audit RACF
efficiently.
DB2
COURSE TITLE: Practical Approach to Auditing DB2 Security
COURSE LENGTH: 2 DAYS
VENDOR:
the Henderson Group
6101 Wynnwood Road
Bethesda, MD 20816
(301) 228-7187
DB2 (IBM's strategic database management software for mainframe computers) has its own
approach to security. This approach is very different from that found with ACF2, RACF, or
TopSecret. An effective security program will provide for integration of DB2 security and
administration with the rest of the security program on a mainframe. DB2's security approach
is different because it has its own mechanisms for identifying users and for determining what each
user is permitted to do. In this seminar you will learn how these mechanisms work, and to
identify how they are implemented in a given installation. This seminar provides auditors and
security administrators with a basic introduction to DB2 concepts and SQL (Structured Query
Language). You will have the opportunity to develop your own DB2 audit or security review
program as a class exercise. Attendees receive a 100-page reference manual and a variety of
handouts including exercises and diagrams showing the relation between DB2 and other software
in the computer. You will learn: how to investigate and evaluate DB2 security; how DB2 security
relates to security software such as ACF2, RACF, or TopSecret; use of DB2 tools such as
referential integrity for data integrity and data quality; what data to gather, how to gather it, and
how to analyze it to evaluate DB2 security efficiently; and DB2 security and control considerations
for designing and application or for conducting an application controls review. (An application
controls review provides for review of an application system, either after or during its
development, to identify ways to improve controls over data integrity and reliability.)
COURSE TITLE: Auditing DB2
COURSE LENGTH: 2 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
IBM's DB2 language is now an accepted standard. As a result, auditors are currently faced with
yet another area where they must perform a highly technical audit. This seminar provides the
auditor with a detailed understanding of DB2, the audit issues and concerns, as well as useful audit
programs which address DB2, security and the interfaces with IMS and CICS. This intensive
session prepares the auditor for their first DB2 audit. Special emphasis is placed on the controls
inherent in DB2 and how to use them.
COURSE TITLE: Audit & Security of DB2
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
In this course you will learn how IBM's newest relational data base operates and how it affects
the integrity, security, and control of application systems. You will first gain a thorough
understanding of the specific ways in which DB2 exposes your organization to threats such as data
security, integrity, reliability, backup and recovery. You will then learn specific audit controls
to employ to reduce those risks. You will leave the seminar knowing all the control points and
retrieval utilities that are available within DB2. More importantly, you will take back to the job
a tested audit approach to use in your DB2 environment. NOTE: A 2-DAY WORKSHOP IS
ALSO AVAILABLE.
�VTAM
COURSE TITLE: What Data Security Officers & Auditors Need to Know and Do About
VTAM Security
COURSE LENGTH: 1 DAY
VENDOR:
the Henderson Group
6101 Wynnwood Road
Bethesda, MD 20816
(301) 228-7187
This course provides you with an understanding of VTAM (IBM's Virtual Telecommunications
Access Method) and how it works, along with a description of the critical control points in a
network definition. Since VTAM both determines and controls the paths into your system, you
need to understand VTAM security to provide comprehensive computer security. This course will
show you how, even if you have no experience with telecommunications. The workbook provides
forms for data collection and analysis, as well as a reference of VTAM terms and concepts.
Handouts include exercises and diagrams showing the relations of VTAM components to each
other, and to other system software.
�MVS
COURSE TITLE: OS/MVS and SMF: Security and Audit Facilities
COURSE LENGTH: 4 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This intensive four-day seminar focuses on the facilities available within MVS for solving audit
and security programs. You will learn how MVS works, how you can use MVS utilities as an
audit tool, and the essentials of TSO/ISPF. You will cover, in detail, the operation of SMF, the
MVS audit trail. You will learn potential audit exposures within the SMF installation, and the
various audit trail records that can be extracted from SMF and then analyzed. You will leave this
session with and understanding of MVS and the MVS utilities, and with the know-how to use
SMF as an audit tool. NOTE: Participants should have attended IS Audit and Control and have
IS audit experience.
COURSE TITLE: MVS/ESA as a Server, Peer and Open System Audit, Control, and
Security
COURSE LENGTH: 2 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
In this high-octane session, you will explore the new features available in the MVS/ESA operating
system that counteract its weakness as an open system. You will examine the open system-based
networks that provide users a more direct window into the data processing of the enterprise, and
address the resulting control and security issues. The MVS operating system as an open system
is a reality and its role as a peer will continue to expand as hardware platforms that run MVS
become powerful , two-day session to discover the client/server systems and facilities that allow
MVS/ESA to be a server of servers and to learn what you need to know to audit and secure it.
COURSE TITLE: SECO2-M: MVS Security for Security Officers
COURSE LENGTH: 1 DAY
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Security Officers the ability to monitor and control access to an
MVS system. Students will learn to write appropriate security procedures for an MVS system with
ACF2, implement ACF2 security rules, and to monitor compliance with security procedures.
Specific topics include discussion of security policies, directives and procedures, an overview of
ACF2 features and capabilities, ACF2 database resource access rules and how to maintain/modify
them, ACF2 commands for userid record maintenance, TSO records and defaults, batch
processing options and rules, reporting of violations and testing.
COURSE TITLE: SECO1-M: MVS Security for Project Managers
COURSE LENGTH: 2 DAYS
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give MVS project managers an understanding of how to monitor and
control access to data within the scope of their authority.
Specific topics include: an overview of ACF2 features and capabilities, description of ACF2
databases, the rules which allow specific access to MVS datasets and how to write those rules,
ACF2 commands, the use of NEXTKEY, testing procedures and the maintenance of basic userid
characteristics. The project manager will be introduced to the use of ACF2 to enforce security on
an MVS system.
COURSE TITLE: Auditing MVS in a CA-ACF2 Environment (M2030)
COURSE LENGTH: 1.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the necessity for and the implementation of effective controls in the MVS
operating system within a CA-ACF2 environment. You will learn how to apply the controls
provided within a CA-ACF2 system to the problems discussed in MVS Security (Course Code
M2002) and MVS Auditing (Course Code M2024). You will also learn how to use CA-ACF2
security and audit tools to better understand the protection of your system.
COURSE TITLE: Auditing MVS in a CA-TOP SECRET Environment (M2032)
COURSE LENGTH: 1.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the necessity for and the implementation of effective controls in the MVS
operating system within a CA-TOP SECRET environment. You will learn how to apply the
controls provided within a CA-TOP SECRET system to the problems discussed in MVS Security
(Course Code M2002) and MVS Auditing (Course Code M2024). You will also learn how to use
CA-TOP SECRET security and audit tools to better understand the protection of your system.
Hands-on labs will utilize CA-TOP SECRET tools to ascertain the current security status of an
MVS system.
*CA-TOP SECRET is a trademark of Computers Associates, Inc.
COURSE TITLE: MVS Auditing (M2024)
COURSE LENGTH: 3.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to review the security controls in an MVS environment. You will
explore the security sensitive areas of the MVS environment. You will learn the types of
information needed to assess the strength of implemented controls as well as how to perform the
collection of this information. Hands-on MVS system auditing will be conducted so that attendees
may gain experience in performing audit procedures and in interpreting security related data. This
course focuses on MVS systems in general and is not related to specific security package
implementations.
�COURSE TITLE: Auditing MVS in a RACF Environment (M2026)
COURSE LENGTH: 1.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the necessity for the implementation of effective controls in the MVS
operating system with a RACF environment. You will learn how to apply the controls provided
within a RACF system to problems discussed in MVS Security (Course Code M2002) and MVS
Auditing (Course Code M2024). You will also learn how to use RACF security and audit tools
to better understand the protection of your system. Hands-on labs will utilize RACF tools to
ascertain the current security status of an MVS system.
*RACF is a trademark of the IBM Corporation
COURSE TITLE: MVS/ESA -RACF Security Topics (H3918)
COURSE LENGTH: 2.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the new security facilities that are available, beginning with MVS/SP
3.1.3 and RACF 1.9. You will learn which of your installation's security needs may be satisfied
by using the new security facilities. You will learn to select, plan for, and implement the new
security features. Subjects include controlling job unit, SYSOUT, NJE, commands and consoles,
using security labels, restructuring the RACF data base, and developing an implementation plan.
*MVS/ESA and RACF are trademarks of the IBM Corporation
COURSE TITLE: MVS Security (M2002)
COURSE LENGTH: 3.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza - 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you the necessity for and the implementation of effective controls in the MVS
operating system. You will learn the MVS security-sensitive areas and the associated system and
business impact of exposures in these areas. You will learn the proper use and implementation
of controls to reduce security risks. Through hands-on use of the MVS system functions, you will
gain valuable experience in maintaining effective and consistent system security. Although this
course does not address the implementation of any specific security program (RACF , CA-TOP
SECRET , etc.) the topics discussed will apply to MVS environments in general.
*CA-TOP SECRET is a trademark of Computers Associates, Inc.
COURSE TITLE: Practical Approach to Auditing MVS Security
COURSE LENGTH: 1 DAY
VENDOR:
the Henderson Group
6101 Wynnwood Road
Bethesda, MD 20816
(301) 228-7187
MVS security (the security provided by IBM's Multiple Virtual System operating system) provides
the basis for all other security on MVS mainframes, including VTAM, DB2, CICS, RACF,
ACF2, and TopSecret. This means that understanding the material in this course will be critical
to your providing effective security in your installation. The course provides auditors, security
administrators, and anyone interested in managing MVS security effectively with an understanding
of hardware and software controls used by MVS to provide the foundation for computer security.
The workbook provides forms and checklists for data collection and analysis, and is also a useful
reference to MVS controls.
�UNIX
COURSE TITLE: Audit and Security of Unix-Based Operating Systems
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This three-day seminar identifies the weaknesses of Unix-based operating systems and shows you
how to detect and prevent unauthorized access to such systems. You will examine Unix loopholes
and discover successful techniques for plugging them. Along with Unix System V, you will
explore the security features and vulnerabilities of such Unix-based operating systems as SUN
O/S, AIX. HP-UX, ULTRIX, SCO-UNIX, and BERKELEY Unix. You will leave this session
with the know-how to set up, manage, and maintain an enforceable Unix security policy, and with
a tried-and-true audit approach for securing Unix-based operating systems.
COURSE TITLE: Unix Workshop
COURSE LENGTH: 2 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
In this interactive workshop you will apply security and control concepts to a Unix Lan case study.
You will reinforce what you learned in the Audit and Security of Unix-Based Operating Systems
seminar as you proceed through a comprehensive Unix system audit and application access review.
In addition, you will learn how to read and write shell scripts to expedite the review process and
to read and write shell scripts to expedite the review process and to enhance system security
monitoring. NOTE: Participants in this workshop have attended Audit and Security of Unix-Based Operating Systems or have equivalent on-the-job experience.
COURSE TITLE: SECO3-U: Unix Security
COURSE LENGTH: 2 DAYS
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Security Officers the ability to control and monitor the security
of a Unix system. Specifically they will learn to use Unix security related commands to establish
access control and monitor security related activities.
Specific topics include discussion of security concepts and management (i.e. security for users,
programmers and super-user administrators), security auditing, network security, control of
groups, users and their passwords, the management of password expirations, restricted
environments, adding and deleting users and file systems, data integrity, viruses and compromises,
hints and common mistakes.
COURSE TITLE: UNIX/AIX Security (M2012)
COURSE LENGTH: 3 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to use the fundamental and essential security controls within the
UNIX or AIX operating system. You will discover the tools available with the environment to
identify security vulnerabilities. The discussion will detail the necessary precautions to take
through initial system setup and ongoing administration. The focus will be on reducing the
inherent exposures in UNIX, without removing the benefits of an open environment. Hands-on
experience in identifying and closing exposures will guide you in safeguarding your own systems
from loss and damage.
*UNIX is a trademark of UNIX Systems Laboratories
COURSE TITLE: UNIX Systems Security
COURSE LENGTH: 3 DAY
VENDOR:
Trainix
1686 Bismark Drive
Deltona, FL 32723
(800) 538-9271
This course discusses UNIX security and how system managers and administrators can implement
security measures on UNIX. The focus of the course is on the inherent security vulnerabilities
commonly found on UNIX systems and how to correct them. Examples are presented which
illustrate how to insure a high level of security confidence against unauthorized users from
accessing the system. The common methods used to penetrate UNIX systems, gain unauthorized
root access permission, become another user, plant trojan horses or spoofs, and other ways of
circumventing the normal system protection are disclosed. Each attendee will receive detailed
audit checklists and a diskette containing UNIX shell and C programs which will assist in
performing security auditing and risk analysis. Prerequisites: UX001-Fundamentals of UNIX and
UX006-UNIX System Administration. A knowledge of Shell and C programming is helpful.
COURSE TITLE: UNIX Security For Users
COURSE LENGTH: 1 DAY
VENDOR:
Trainix
1686 Bismark Drive
Deltona, FL 32723
(800) 538-9271
This seminar is designed to make all users aware of the UNIX security vulnerabilities and show
them how to prevent an unauthorized user from compromising their login account or data. The
security features which are provided as part of the operating system are first discussed. Then,
some of the ways in which unauthorized people may use to gain access to a UNIX system or
another users files and directories are discussed. Next, the ways of preventing unauthorized
access are described in detail, along with exact descriptions of each UNIX command and the way
it is used. Each attendee will be provided with a self-assessment checklist and sample programs
which will allow them to perform a personal audit on their account. The seminar concludes with
a discussion of the actions a user should take if they suspect compromise of their login and/or
files.
COURSE TITLE: Auditing UNIX
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This seminar will walk you through the UNIX operating system, describe the functions and
control features and provide a step by step audit approach complete with detailed audit programs
and checklists. This seminar focuses on the two main versions of UNIX, System V and the
Berkeley Software Distribution (BSD). The course material includes the control features of both
systems and provides control guidelines for each. At the end of the seminar the participants will
be ready for their first UNIX audit. Limited after class telephone support is available to assist
participants when they do the audit. In addition, Canaudit staff are available to perform on site
audit assistance at reasonable rates. Participants should attend the EDP Audit Workshop of
Information Systems Workshop prior to attending this seminar.
COURSE TITLE: UNIX Security
COURSE LENGTH: 4 DAYS
VENDOR:
George Mason University
Department of Information & Software Systems Engineering
School of Information Technology and Engineering
Fairfax, VA 22030-4444
Ravi Sandhu: (703) 993-1659
UNIX is intended to be an easy-to-use system with great flexibility-this makes protection of UNIX
systems difficult. The tutorial is focused on UNIX in general, rather than any particular vendor's
implementation, with many vendor-specific items provided throughout. Included are tips and
techniques drawn from the instructor's years of experience as a UNIX system administrator,
incident investigator, security researcher, professor and consultant. Both BSD and System V
versions of UNIX are covered in the material.
This course will start with the very basics about UNIX security, including some common threats,
what to monitor in the file system, standard but little-known tools and resources, how to secure
NFS/NIS, and how to deal with denial-of-service attacks. More advanced topics include policy
formation, firewalls, Kerberos, X Window system security, some legal implications, and how to
write your own setuid/setgid programs. The course provides tutorials in UNIX tools for the
system administrator. these include using the Korn shell (ksh), the Awk scripting language, the
sed stream editor, and the Perl programming language. Modern security tools like COPS and
Tripwire, are discussed as well as customizing local monitoring tools.
COURSE TITLE: UNIX Security Seminar
COURSE LENGTH: 2 DAYS
VENDOR:
ARCA
Commerce Center
10320 Little Patuxent Parkway
Suite 1005
Columbia, MD 21044
(410) 715-0500
In this seminar participants will learn how to identify security weaknesses in UNIX systems and
how to implement measures to increase security. This session details the basic principles of UNIX
security, including basic concepts, available security features and how capabilities vary in UNIX
systems. Current threats and vulnerabilities are covered as well as what makes some UNIX
applications more secure than others and what increases applications security. Individuals will also
learn how to detect and respond to UNIX security incidents by participating in a security incident
simulation.
�NOVELL
COURSE TITLE: Audit and Security of Novell
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
NetWare V.4's decentralized database, NetWare Directory Services (NDS), globally controls all
users , servers, and resources. Because NDS establishes security privileges across all servers and
provides a centralized login point to the network, building and implementing it to reflect your
organizational structure is critical. In this three-day crash course you will learn how to implement
V.4 so that access can be assigned based on functional positions. You will identify which controls
are critical to provide effective data and access integrity, and learn new approaches for monitoring
the network. You will examine the audit trail system that allows you to review network activity.
At the end of this session you will have built the framework for a controlled enterprise network/
To get the most out of this course, participants should have a good understanding of personal
computing, and DOS operating system, commands, and batch language. Participants should first
attend Audit and Security of Micros and LANS; Controlling End-User Computing and/or
Introduction to LAN Security.
COURSE TITLE: Novell NetWare Security (M2000)
COURSE LENGTH: 3.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to plan for and maintain effective protection with a NetWare LAN
operating system. You will learn the essentials of implementing basic security controls. In
addition, you will learn the requirements for ensuring an adequate level of access restrictions
within the environment. Discover the security pitfalls and often overlooked issues within a
NetWare environment. These sometimes complex issues are taken to their simplest level and
developed into a comprehensive understanding of the technical security requirements. Hands-on
labs and classroom exercises illustrate the proper techniques to isolate security controls and to
improve the overall security within the NetWare environment. While learning how to use system
utilities, like SYSCON, you will explore the ways in which you can uncover security
vulnerabilities within your LAN.
*Netware and Novell are trademarks of Novell, Inc.
COURSE TITLE: Guide To Auditing Novell Networks V.3
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
Local area networks, and Novell in particular, offer enormous productivity gains to organizations.
Unfortunately, along with the benefits, come unique and complex security and control risks. If
you are a computer auditor who now must audit networks, this course is for you. In this session
you will gain a thorough understanding of basic networking concepts. You will learn the
exposures and control concepts within Novell NetWare, the associated environmental control
concerns, and the organizational and procedural issues which affect the integrity of networked
LANs. The course will detail the specific access control facilities critical to the LAN
implementation and administration. You will come away from this course with a framework for
determining the auditability of a Novell LAN implementation, and with a foundation for building
a LAN audit work program. Participants should have a good understanding of personal
computing, the DOS operating system and DOS commands, and the DOS batch language.
COURSE TITLE: Hands-On-Lans: Auditing Novell Networks Workshop
COURSE LENGTH:
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This hands-on workshop provides participants with a detailed understanding of the Novell
operating system, the security features and how to audit them. The Canaudit audit approach,
complete with audit programs and comprehensive checklists, will provide participants with a
sound starting point for conducting their first audit. The hands-on exercises provide the practice
which auditors require to understand the necessary audit procedures and techniques.
Canaudit also provides a Novell LAN (release 3.11), consisting of five micro computers for use
in this class at no additional cost. The instructor will bring the LAN to your site and set it up
prior to the course. Alternately, the instructor is also prepared to use the client's LAN if it is
more appropriate to do so.
For client's with Blind View, the instructor is prepared to demonstrate how to audit a Novell LAN
using this product and how to use Blind View reports to reduce the total time required to perform
the audit.
�TANDEM
COURSE TITLE: Audit and Security of Tandem Systems
COURSE LENGTH: 2 DAYS
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This two day seminar will enable participants to perform a complex review of security features
provided by the Tandem operating system and Safeguard security product. The instructor explains
normal control weaknesses and potential security loopholes in depth. commands and utilities used
to probe the system and detect control weaknesses are explained. A program for reviewing system
security is also provided. We recommend that auditors attend the Information Systems Workshop
or EDP Audit Workshop seminars, or their equivalents, prior to attending this session.
�DECNET
COURSE TITLE: Auditing Decnet
COURSE LENGTH: 2 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
Many Canaudit clients use the DEC VAX as an integral part of extensive network applications.
It is essential that these applications be secure and that communications be safe and confidential.
this seminar is specifically designed for Canaudit clients using DECnet, the primary
communications architecture for Digital networks. Complete coverage of all aspects of DECnet
security including network implementations, Network Control Program and network access
control methodologies is included in this concentrated seminar. All participants will learn the
critical control features of DECnet and how to evaluate the control structure. In addition they will
receive complete audit programs and utilities to automate much of the audit. NOTE:AUDITING
VAX:A COMPREHENSIVE APPROACH is the prerequisite for this course.
�VAX
COURSE TITLE: Auditing VAX: A Comprehensive Approach
COURSE LENGTH: 3 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
This session is the most comprehensive VAX Audit course currently available. It is intended for
auditors who will be auditing the VAX operating system and its components. The seminar
provides participants with an understanding of the hardware, software and security requirements
as well as depth, along with detailed descriptions of utilities and System Generation controls.
Because of the popularity of this topic, we recommend early registration. NOTE:We recommend
that participants attend the AUDITING ADVANCED INFORMATION TECHNOLOGY or EDP
AUDIT WORKSHOP seminars or their equivalents prior to attending this course.
COURSE TITLE: Introduction to DEC's VAX/VMS Operating System
COURSE LENGTH: 2 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This course provides a thorough introduction to VAX/VMS from the perspective of audit and
security personnel who need access to the systems-dependent facilities of VAX/VMS. Through
case examples you will see demonstrated the major features of VAX/VMS, including DCL,
utilities, and analysis of the system. This session is guaranteed to give you a basic knowledge of
the VMS operating system and a comfort level in moving around it. The facilities, tools and
techniques taught during these two days will dramatically increase your understanding of and
productivity in the VMS environment. NOTE: ADVANCED COURSE AS A FOLLOW-ON
ALSO AVAILABLE.
COURSE TITLE: Advanced Audit, Control, and Security/ DEC's VAX/VMS
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This advanced seminar builds on the concepts and facilities presented in "Introduction to DEC's
VAX/VMS Operating System" and focuses on the critical points to consider when auditing
VAX/VMS systems and applications. You will come away with a detailed understanding of the
VAX/VMS architecture, DCL commands, Digital's Network Architecture (DNA), and VAX
built-in and optional security features. Emphasis will be placed on important areas for audit
concentration within VMS such as systems generation, systems dump analyzer, VMS protection
and privilege levels, systems and user logs, and DECnet and LAN interfaces. Those attending
should have experience in the VAX/VMS environment, or should have attended "Introduction to
DEC's VAX/VMS Operating System."
�AS/400
COURSE TITLE: AS/400 Recovery and Availability Management (S6051)
COURSE LENGTH: 2 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This classroom course explains how to plan for, implement, and manage the back-up and recovery
functions of the AS/400 system. In this course, the student also learns how to perform tasks like
implementing recovery functions and practice these skill sin hands-on labs.
*AS/400 is a trademark of the IBM Corporation
COURSE TITLE: AS/400 Security Concepts and Implementations (S6050)
COURSE LENGTH: 2 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This classroom course explains how to plan for, implement, and manage the security and back-up
and recover functions of the AS/400 system. This course also provides and introduction to
problem determination and PTF application. You will learn how to perform tasks like creating
security profiles and user environments, in addition to implementing recover functions. These
skills are practiced in hands-on labs.
*AS/400 is a trademark of the IBM Corporation
COURSE TITLE: Audit, Control, and Security Of AS/400
COURSE LENGTH: 4 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
In this seminar you will learn about the architecture, security and integrity of AS/400, and about
the system's unique object-oriented design and integrated data base management system (DBMS).
You will examine the impact of on-line systems on the control objectives within an EDP
environment in general, and the security-related concerns and control objectives specific to
AS/400. You will leave the seminar with a methodology and techniques for testing and reviewing
AS/400.
COURSE TITLE: Auditing AS/400: A Step By Step Approach
COURSE LENGTH: 2 DAY
VENDOR:
Canaudit Inc.
P.O. Box 4150
Simi Valley, CA 93093
(805) 583-3723
IBM's AS/400 computer series is rapidly becoming the work horse of the mini and midi computer
world. With a broad industry base, this multi functional machine serves as a primary business
platform, as a front end processor or as a process controller. This intensive seminar concentrates
on the control and security concerns relating to the AS/400. The participants will learn how to
automate the audit using ROBOT, utilities and AS/400 tools. Key control points are identified to
enable auditors to focus their efforts to ensure a complete audit while reducing the audit duration.
Actual case studies are used throughout the seminar to provide real life examples to reinforce the
audit programs and techniques.
�CA-ACF2
COURSE TITLE: Converting CA-ACF2 to RACF (H3891)
COURSE LENGTH: 2 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to effectively plan and perform a CA-ACF2 to RACF conversion
for an MVS system. The course material is divided into three major topics: project management
issues, converting the CA-ACF2 database to FACF, and interfacing other products to RACF. The
discussion on database conversion includes how to us a conversion tool, with examples and sample
output from a commonly-used migration aid.
*CA-ACF2 is a trademark of Computer Associates, Inc.
*RACF is a trademark of the IBM Corporation
COURSE TITLE: CA-ACF2: Proper Implementation and Security
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This intensive seminar has been updated to cover the newest features in Release 5.2, including the
new GROUP feature and major changes to the CA-ACF2/CICS interface. In this in-depth session
you will master the terms and concepts you need to know in order to understand how CA-ACF2
protects files and other resources in your MVS environment. You will discover all of the
important testing tools available in this security package, and how to use them effectively. In
addition, you will learn how to anticipate the deficiencies most commonly found in CA-ACF2
implementation and administration. You will leave this intensive session with tips for
demonstrating risks and for selling common-sense recommendations that have proven track records
for working. The course materials you receive will include an in-depth audit program and
valuable sample reports. NOTE: A CONTINUING 2-DAY WORKSHOP IS AVAILABLE.
�CA-TOP SECRET
COURSE TITLE: Converting from CA-TOP SECRET to RACF (H3890)
COURSE LENGTH: 2 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course teaches you how to effectively plan and perform a CA-TOP SECRET to RACF
conversion for an MVS system. The course material is divided into three major topics: project
management issues, converting the CA-TOP SECRET database to RACF, and interfacing other
products to RACF. The discussion on database conversion includes how to use a conversion tool,
with examples and sample output from a commonly-used IBM migration aid.
*CA-TOP SECRET is a trademark of Computers Associates, Inc.
*RACF is a trademark of the IBM Corporation
COURSE TITLE: CA-TOP Secret: Proper Implementation and Security
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
In this seminar you will learn the functions and components of TOP SECRET and the auditor tools
within TOP SECRET to monitor the effective installation and on-going functions of the security
system. You will learn all the important features of TOP SECRET and their relationship to the
MVS operating system. The workshop covers the audit trails produced by the system and
describes how these reports can be used as an effective detective control for monitoring both
authorized and unauthorized access to system resources. Participants should first attend OS/MVS
Operating System:Security and Audit. NOTE: A 2-DAY WORKSHOP IS ALSO AVAILABLE.
�SNA
COURSE TITLE: Security & Auditing of SNA Networks/ACF/VTAM & NCP
COURSE LENGTH: 3 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This comprehensive seminar presents the concepts, terminology, components, functions, access
points, and use of SNA (System Network Architecture) networks. It provides the technical
information necessary to ensure that appropriate controls are implemented and are being used.
With the information you gain from this seminar you can enhance the integrity, control, and
reliability of data transfers within SNA environments and to/from SNA networks. You will learn
standard techniques and optional enhancements for implementing and maintaining proven audit
and control procedures for SNA systems. The seminar covers IBM's environments. Practical
audit and control issues to be addressed include; present and new communications controllers,
protocol emulators, Netview and Netview/PC, front end hardware and software, terminal systems,
and SNA network management programs. NOTE: A 2-DAY WORKSHOP IS ALSO
AVAILABLE.
�CICS/ESA
COURSE TITLE: Implementing Security for CICS Using RACF (H4001)
COURSE LENGTH: 3 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This lab course teaches you how to implement security in CICS/ESA V3 and CICS/MVS V2
using RACF as the external security manager. In the classroom you will learn both the CICS
and RACF definitions necessary to establish your security environment. You will learn how to
define CICS terminal users to RACF, control access to transactions, CICS resources, SPI
commands, and installation-defined resources. This course covers security in both single-region
and multi-region CICS systems (MRO and ISC). You will perform hands-on lab exercises that
let you apply your new skills to actually set-up these definitions in both CICS and RACF. Also,
we will discuss the security interface between CICS, RACF, and DB2. Additionally, we will
discuss the RACF and CICS definitions necessary for secure access to CICS/ESA from other
platforms via APPC.
*CICS, CICS/ESA, RACF, CICS/MVS are trademarks of the IBM Corporation
COURSE TITLE: Audit, Control and Security of CICS/ESA
COURSE LENGTH: 5 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
Telecommunications technology has created a whole new set of concerns regarding the control and
auditability of on-line systems. This seminar will show you how to identify the available control
and security features within CICS. You will learn how to audit CICS systems to insure those
control measures are functioning properly. Participants should first attend "OS/MVS Operating
System: Security and Audit." NOTE: A 2-DAY WORKSHOP IS ALSO AVAILABLE.
�COURSE TITLE: MVS/ESA Disaster Recovery (J3716)
COURSE LENGTH: 2.5 DAYS
VENDOR:
Skill Dynamics - An IBM Company
One IBM Plaza, 19th Floor
Chicago, IL 60611
(800) IBM-TEACh (800) 426-8322
This course enables you to confront the issues of contingency planning and disaster recovery as
they affect your MVS/ESA system. You will explore technical and procedural issues that cover
a range of topics, including backup and recovery options, problem management within a disaster
recovery environment, and automating backup and recovery procedures. Recommendations are
provided for selecting critical applications and data for backup. By studying examples, you'll gain
insight into techniques you can use to backup, recover, and synchronize system and application
elements, including:
�Catalogs
�System libraries and data sets
�System parameters (e.g., PARMLIB, JES2, VTAMLIST, etc.)
�Job streams and procedures
�IOCP/MVSCP
�DFHSM control data
�Applications and application data
COURSE TITLE: Audit/Security Concepts-MVS/XA & MVS/ESA
COURSE LENGTH: 5 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
While attending this program you will develop your technical understanding of the MVS/XA and
MVS/ESA operating system and gain the skills you need to successfully review any MVS
installation. This session presents a foolproof methodology for conducting a successful MVS
operating system review. You will apply this methodology for reviewing an installation and
develop the steps for a complete audit program. NOTE: Participants should have attended
OS/MVS Operating System: Security and Audit Facilities or have technical experience in the
MVS environment, including familiarity with TSO or the use of IBM utilities.
COURSE TITLE: Enterprise Systems Analysis for MVS/ESA & MVS/XA
COURSE LENGTH: 4 DAY
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701
Pam Bissett: (508) 879-7999
This seminar address the external and internal workings of the MVS/XA and MVS/ESA operating
systems, focusing on security and control aspects. This seminar will answer questions and fill in
those technical areas you need to understand in order to perform more effective and detailed MVS
reviews. NOTE: Participants should have attended "Audit and Security Concepts for the MVS
Operating System" and completed one or more MVS reviews. Participants are requested to bring
to the session technical data or code extracted from their own MVS installation.
�MAXSIX
COURSE TITLE: MaxSix Trusted Networking
COURSE LENGTH: 1 Day
VENDOR:
Trusted Systems Training, Inc.
1107 South Orchard Street
Urbana, IL 61801-4851
Steve Sutton: (217) 344-0996
The course addresses network security administrators and programmers for Compartmented Mode
Workstations based on the SecureWare technology, including SecureWare's CMW+, Hewlett-Packard's BLS, and Digital's MLS+. It teaches the secure use of all new networking security
features, like setting up and installing the network security databases, and attribute mapping.
(These topics are presented as a part of TST's other courses, but are also offered as this 1-day
seminar.)
�SAFEware
COURSE TITLE: SAFE = Security Awareness from Education
COURSE LENGTH:
VENDOR:
SAFEware
2953 Timber Wood Way
Herndon, VA 22071
Kyle Myers: (703) 758-8777
SAFE is not a course, it is an ongoing program. All presentations are animated, full color PC-based graphic shows or may be viewed in the VHS video format. [SAFE (in Q3 or 1993 will add
full interactivity, hypertext and hotwords.] After being viewed just once, users immediately
implement many of the points made because 1) they are common sense and users only need to see
them once, 2) they are so easy to implement and 3) the user understands "what's in it for me" to
become involved.
All of the presentation can be viewed with or without user intervention, constantly viewed in
cafeterias and lobbies where the specific policies and practices of your organization may be
presented in detail. These presentations are selected from the Windows launcher or the DOS
menu.
SAFE is a comprehensive, coordinated PC-based security education and awareness program for
commercial and federal users of PCthrough mainframe computers. SAFE recruits users to be
involved in security--all of the time, educates users about common sense security issues, and
reminds users to be security conscious on a daily basis.
�BANYAN VINES
COURSE TITLE: Audit and Security of Banyan VINES
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This seminar will provide you with a practical guide to auditing the VINES operating system and
the applications running under it. You will learn the technical fundamentals of VINES as well
as exposures and control concepts specific to VINES and to networking. You will learn
recommended procedures for protecting the integrity of LANs and VINES specifically. You will
cover the access control facilities critical to implementing and administering VINES networks, and
witness a demonstration of a VINES server and workstation. You will return to your office with
guidelines for ensuring that systems running under the VINES operating environment are
auditable, and with a checklist you can use to conduct an audit or security review of your VINES.
COURSE TITLE: Security for Banyan VINES LANs
COURSE LENGTH: 1 DAY
VENDOR:
RSH Consulting, Inc.
29 Caroline Park
Newton, MA 02168
Bob Hansel: (617) 969-9050
This workshop provides basic information about the security features and capabilities of a Banyan
VINES 5.x local area network. We will begin with an introduction to the VINES Network
Operating System and its component services, such as Server Service, File Services, and VINES
Security Service. We will also discuss the directory service StreetTalk and its role in security.
Thereafter, user identification and authentication controls including Group and User Login
parameters. Next, we will address resource access control, focusing on Access Rights Lists and
console security. We follow this with a discussion on controls over WAN network links. Finally,
we will address security administration and monitoring. this workshop will conclude with a
discussion of tools and techniques for reviewing security in a VINES network.
VM
COURSE TITLE: SECO2-V: VM Security for Project Managers
COURSE LENGTH: 2 DAYS
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Project Managers the ability to manage and control access to data
and userid resources on a VM system. Specifically they will learn to write appropriate security
procedures for a VM system with ACF2 and VMSECURE, implement ACF2 security rules, and
monitor compliance with security procedures.
Specific topics include discussion of the VM system structure, an overview of ACF2 features and
capabilities, ACF2 databases, logon-id and minidisk access rules, ACF2 and VM SECURE
commands and subcommands, VM user directory attributes, planning, writing, compiling,
changing and testing ACF2 rules and testing procedures.
COURSE TITLE: SECO3-V: VM Security for Security Officers
COURSE LENGTH: 1 DAY
VENDOR:
Grumman Data Systems
2411 Dulles Corner Park, Suite 500
Herndon, VA 22071
Bruce Levy: (703) 713-4121
Objectives of the Course: Give Security Officers the ability to control and monitor the security
of a VM system. Specifically they will learn to write appropriate security procedures for a VM
system using ACF2, use ACF2 commands to establish security rules, establish and change system-wide ACF2 characteristics, and monitor compliance with security procedures.
Specific topics include discussion of security policies, directives and procedures, how they are
created and implemented, the characteristics of VM and how DASD is used in a VM system,
ACF2 databases logon-id, dataset access rules, resource access rules, ACF2 commands and
reports, setting system-wide ACF2 specifications, VM records and defaults, and testing
procedures.
PBX
COURSE TITLE: A Three Day Emergency Session on PBX Fraud
COURSE LENGTH: 2 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
In this two-day, crash briefing you will learn how to protect your organization against high-priced,
high-tech PBX fraud. You will explore the world of phone hackers and discover how fraud and
theft of services begins. You will look at the economic impact on and legal liability of your
organization if it is "hit," and the responsibilities of your local/long distance carriers and federal
law enforcement agencies. You will address the hardware and programming issues that must be
taken into account to ensure that your network, PBX, voice mail, and automated attendant and
adjunct processors are protected. You will leave this eye-opening session armed and ready to fight
back when phone phreaks try to invade your PBX. NOTE: This course assumes that participants
will have basic knowledge of phone systems and the telecommunications environment.�IBM
COURSE TITLE: IBM LAN Server: Audit and Security
COURSE LENGTH: 3 DAYS
VENDOR:
MIS Training Institute
498 Concord Street
Framingham, MA 01701-2357
Pam Bissett: (508) 879-7999
This intensive, three-day seminar will provide you with a technical understanding of IBM and
LAN Server and a practical guide to auditing it. You will discover the audit and control
mechanisms built into LAN server. You will uncover LAN Server's inherent exposures and learn
techniques that will provide a reliable, secure network environment for your organization. Topics
covered include: the specific access control facilities that should be a part of your day-to-day
security measures; how to provide network, server, and user security; how to enable specific
auditing features; how to generate audit reports; and how to work around LAN Server's
shortcomings. You will leave this session with an audit and security features in your own
organization. NOTE: Seminar participants should have a working knowledge of DOS or OS/2
operating environments and understand PC architecture.
It is our intention to update this document as the need arises and we welcome any comments
and corrections that will yield a better product. Please contact Kathie Everhart (301) 975-3868.