|About | Courses | Seminars | Self-study tools | Related sites | Contact us|
- October 27 - October 31, 2014
(Chicago, IL) Apply Now >>>
Information Systems Vulnerability Management, Session 2S.T.R.E.A.M/Technology Lab Courses - The Federal Reserve Bank of Chicago
Type of Participant Targeted
The Information Systems Vulnerability Management course is a one-week course intended for examiners with IT examination responsibilities but who may not have had university training in information technology. At least one year of field examination experience is preferred.
This course provides participants with a technical grounding in networking concepts and technologies that are critical to IT operations in financial institutions, including TCP/IP networking protocols and common network infrastructures and configurations. The course examines key network perimeter security tools, including firewalls and intrusion detection systems.
After completing the course, the participant, at a minimum, will be able to
- Recognize where and how vulnerability management fits in with the bank's overall information security program and IT operations
- Identify the role a vulnerability management program has in safeguarding information and assets
- Assess the adequacy of a patch management, vulnerability scanning and assessment, and penetration testing tools and their limitations
- Evaluate the adequacy of an organization's testing program
- Recognize key elements of an incident response program
- Discuss key technology terms related to information systems vulnerability management
- Assess the key risks, controls and processes in a supervisory context, including regulatory compliance issues
- Identify what the financial institution must do to respond to new threats
Participants will learn the essential components of a sound vulnerability management program. The bank must position vulnerability management as an integral part of the enterprise-wide information security program, network engineering, and IT operations. Other key elements include asset inventory, risk assessment, monitoring for vulnerabilities, patch management, vulnerability testing, security intelligence, incident response, forensics, and the relationship of vulnerability management to regulatory compliance.
Examiners should be able to articulate the key elements associated with operating and managing a vulnerability management program. This starts with having an accurate inventory of all assets (servers and applications) that communicate over the network. Accuracy in this case means that consideration should be given to potential risks for each system (internal and external) and that all systems should be inventoried. It includes having an accurate risk assessment and relies on configuration management. Configuration management is critical as this requires operational discipline regardless of institution size. Finally, the financial institution must be able to articulate a risk-mitigation strategy; this should be reviewed to ensure that new applications and/or systems are treated from a holistic perspective, and that controls for all systems are re-evaluated for effectiveness periodically.
By module, the following learning objectives will be accomplished:
|General Information Security Concepts||
|SQL Injection--Case Study||
|Penetration Testing and Vulnerability Assessment (Case Study and Demonstration)||
Federal Reserve System and may also include instructors from an external agency.