About | Courses | Joint Programs | Related sites | Contact us |
Course Dates
- October 23 - October 27, 2017
(Chicago, IL) Apply Now >>>
Information Security Vulnerability Management, Session 2S.T.R.E.A.M/Technology Lab Courses - The Federal Reserve Bank of Chicago
Type of Participant Targeted
The Information Security Vulnerability Management course is a one-week course intended for examiners with IT examination responsibilities but who may not have had university training in information technology. At least one year of field examination experience is preferred.
Prerequisites
None.
Course Overview
This course focuses on the operational aspects of information security vulnerability management. Topics include network and system monitoring, risk assessment and mitigation, patch management, and incident response. Hands-on exercises with penetration testing, vulnerability scanning, and patch management tools reinforce the necessity for bank IT managers to have an accurate asset inventory and risk assessment.
Course Objectives
After completing the course, the participant, at a minimum, will be able to
- Recognize where and how vulnerability management fits in with the bank's overall information security program and IT operations
- Identify the role a vulnerability management program has in safeguarding information and assets
- Assess the adequacy of a patch management, vulnerability scanning and assessment, and penetration testing tools and their limitations
- Evaluate the adequacy of an organization's testing program
- Recognize key elements of an incident response program
- Discuss key technology terms related to information security vulnerability management
- Assess the key risks, controls and processes in a supervisory context, including regulatory compliance issues
- Identify what the financial institution must do to respond to new threats
Post-Course Intervention
Participants will learn the essential components of a sound vulnerability management program. The bank must position vulnerability management as an integral part of the enterprise-wide information security program, network engineering, and IT operations. Other key elements include asset inventory, risk assessment, monitoring for vulnerabilities, patch management, vulnerability testing, security intelligence, incident response, forensics, and the relationship of vulnerability management to regulatory compliance.
Learning Objectives
Examiners should be able to articulate the key elements associated with operating and managing a vulnerability management program. This starts with having an accurate inventory of all assets (servers and applications) that communicate over the network. Accuracy in this case means that consideration should be given to potential risks for each system (internal and external) and that all systems should be inventoried. It includes having an accurate risk assessment and relies on configuration management. Configuration management is critical as this requires operational discipline regardless of institution size. Finally, the financial institution must be able to articulate a risk-mitigation strategy; this should be reviewed to ensure that new applications and/or systems are treated from a holistic perspective, and that controls for all systems are re-evaluated for effectiveness periodically.
By module, the following learning objectives will be accomplished:
Module | Learning Objectives |
---|---|
General Information Security Concepts |
|
Database Vulnerabilities |
|
Risk Mitigation |
|
Patch Management |
|
Penetration Testing and Vulnerability Assessment (Case Study and Lab) |
|
Incident Response |
|
Instructors
This course is developed and supported by a group of instructors with extensive examination experience and expertise in banking technologies. Instructors come from across the Federal Reserve System as well as other regulatory agencies and industry.