DXC Security Training

About DXC Security Training

DXC Technology’s Security Training (via Saltbush Training) is an accredited Registered Training Organisation, RTO number 40822.

We can conduct training needs analysis and specifically design or tailor a training course for your business. We offer in-house, off-site and on-line training delivery options.

DXC can offer training in a range of courses including:

• Inforsec Registered Assessors Program (IRAP)

• ISM Fundamentals

• Cyber Security Incident Management

• Vulnerability Testing

• Web Application Secure Coding

• Security Awareness.

For more information, visit DXC Security Training website at dxc.technology/au/security/training.

About DXC Security

In Australia and New Zealand, the constant evolution of cyber security threats and the shortage of cyber security skills have made it increasingly challenging for organisations to secure their businesses. DXC Technology has worked closely with its clients to protect their businesses by developing strategies, processes and solutions. We are one of the few companies in the world that can provide end-to-end security solutions, from expert advisory services to fully managed security operations.

At DXC, we believe the value of cybersecurity is in its enablement. To help our clients operate securely in today’s environment, we offer expertise and services through our Government-certified Security Operations Centres (SOCs). Our global network of SOCs is staffed by an international team who efficiently deliver integrated, 24x7x365 security services.

For more information, visit the DXC Security website at dxc.technology/au/security.


Table of contents

• About DXC Security Training

• About DXC Technology

• Inforsec Registered Assessors Program (IRAP)

• ISM Fundamentals

• Cyber Security Incident Management

• Vulnerability Testing

• Web Application Secure Coding

• e-Learning Security Awareness Courses


About DXC Technology

DXC.technology is the world’s leading independent, end-to-end IT services company, helping clients harness the power of innovation to thrive on change. Created by the merger of CSC and the Enterprise Services business of Hewlett Packard Enterprise, DXC.technology serves nearly 6,000 private and public-sector clients across 70 countries.

The company’s technology independence, global talent and extensive partner network combine to deliver powerful next-generation IT services and solutions. DXC.technology is recognized among the best corporate citizens globally.


For more information, visit DXC.technology’s website at dxc.technology/au.

INFORSEC Registered Assessors Program (IRAP)

IRAP is a program of activities sponsored by the Australian Signals Directorate (ASD) culminating in the endorsement and registration of individuals as competent to assess information security systems in accordance with Australian Government information security standards and policy documents.

IRAP provides the framework to endorse individuals from the private and public sectors to provide cyber security assessment services to Australian governments. Endorsed IRAP Assessors can provide an independent assessment of ICT security, suggest mitigations and highlight residual risks. IRAP Assessors may provide assessment up to the TOP SECRET level.

Candidates qualifying as IRAP registered assessors are endorsed to carry out the following types of assessment work:

• Gateway certifications

• Cloud services

• Network/system assessments

• Gatekeeper assessments

• FedLink audits, and

• FedLink connection assessments


To be eligible for IRAP Assessor training and examinations you must provide:

• An up-to-date CV indicating the dates for each engagement or project

• A minimum of a Baseline security clearance (Australian citizenship required) – see the Australian Government Security Vetting Agency for further details

• Two certifications – one from Category A and one from Category B

Category A / Category B certifications:

• CISM

• CISSP

• GSLC

• CISA

• CRISC

• CSNA

• ISO 27001 Lead Auditor

• PCI QSA


INFORSEC Registered Assessors Program Mandatory Annual Training (IRAP MAT)

IRAP registered assessors undertake Mandatory Annual Training. This is done through a maintenance program that provides assurance that assessors have satisfactorily completed any mandatory training maintenance requirements throughout the 12 months of their registration and are up to date with ISM/policy changes. The performance of work within the scope of the Program carried out by assessors will also be subject to review at the time of re-registration.

Saltbush Training has been providing training to IRAP assessors since the program’s inception in 1997. Saltbush currently offers an online version of the IRAP refresher. This course is only available to current IRAP assessors after the Information Security Manual (ISM) is released annually.


For more information, please contact us at [email protected]


ISM Fundamentals Course

This two-day seminar will give you an understanding of the security requirements stipulated by the Australian Signals Directorate (ASD) while introducing you to the Information Security Manual (ISM) and how it should best be used within your organisation.

Course outline

From Incident Response Plans to ICT Security Standards, the Saltbush ISM Fundamentals course is your go-to for getting up to speed on the standard for all government ICT systems.

Topics covered include:

• Security Governance. Includes management structures, forums and frameworks

• Security Policy. The over-arching policy, its purpose and basic content

• Security Risk Management. The difference between strategic and operational risk and the purpose of the Security Risk Management Plan in the secure management of systems

• Incident Response Plan. This baseline document allows System Managers to tap into and leverage the organisation’s systematic approach to responding to incidents

• System Security Plans. The SSP defines the way administrative and technical controls are to be employed

• Standard Operating Procedures. The SOP is a detailed work instruction – a ‘how to do it’ document. We’ll look at who needs them and for what tasks

• Accreditation and Certification. We’ll look at what this is and who is responsible for it

• Change Management. The role of security in any change to an ICT system is explored

• Security Awareness Training. A key tool that ensures the success of any security strategy

• ICT Security Standards. We’ll touch on ASD’s requirements for gateways, hardware selection, software security, access control, network security, cryptography and data transfer.


Who should attend

• IT Security Advisers, Security Executives, System Managers, Security Administrators

• All of your team members who need to become more security aware.

Your presenter

Your presenter is a highly skilled security specialist enabling you to make your ICT Security problems a thing of the past. Your presenter will be selected from our pool of Certificate IV qualified trainers, all of whom have considerable hands-on security experience to support the training they deliver.

For more information, please contact us at [email protected]


Cyber Security Incident Management Course

This one-day course will help you to safeguard your business against the worst ICT Security problems. It will ensure that your Computer Incident Response Team has the skills to handle a cyber-security incident.

Course outline

This course will highlight how to detect an incident, the process for declaring and responding to a security incident and will help attendees workshop their own response procedure.

Topics covered include:

• What constitutes an information security Incident

• Distinguishing the different incident classes and discussing strategies to deal with them

• How to harness the human-based detection systems within your organisation

• What technologies are available to detect security incidents and how to best deploy them in your network

• How to develop response plans to cater for the various incident types

• Tips on how to preserve forensic evidence and when and who to call for help

• Understanding options for involving external actors including the AFP.

Who should attend

• IT Security Advisers and Managers who need to establish an Incident Response Plan for their organisations and understand how this will impact their compliance programs

• Security Executives, System Managers, Security Administrators or in fact anyone who needs to appreciate the complexities of detecting and responding to security incidents.

Your presenter

Your presenter is a highly skilled security specialist enabling you to make your ICT Security problems a thing of the past. Your presenter will be selected from our pool of Certificate IV qualified trainers, all of whom have considerable hands-on security experience to support the training they deliver.

For more information, please contact us at [email protected]

Vulnerability Testing Course

The Vulnerability Testing course provides real, hands-on skills in assessing vulnerabilities in applications. Using the industry standard Open Web Application Security Project (OWASP) testing methodology, you will learn valuable and practical techniques to test for weaknesses in applications.

Course outline

The Vulnerability Testing Course will teach participants to test for web application vulnerabilities within various environments, including those of the Australian Government. Testing will involve practical exercises where participants will search for, discover, verify and exploit web application vulnerabilities in a hands-on laboratory environment.

Topics covered include:

• Understanding the OWASP v4 Testing Guide. This will cover the methodology for assessing vulnerabilities and all vulnerability types as categorised by OWASP v4, including: Information Gathering; Configuration Management; Identity Management; Authentication; Authorisation; Session Management; Input Validation; Error Handling; Weak Cryptography; Business Logic; Client-side

• Focused, hands-on vulnerability exploitation exercises using multiple tools

• Techniques to mitigate discovered vulnerabilities

• Reporting vulnerabilities

• Measuring vulnerability severity.


Who should attend

• Designers of Internet applications and those responsible for deployment of web-based applications

• Developers responsible for the production of code

• Security Practitioners such as IT Security Advisers

• Security Managers and Officers, System Administrators and IT Operations Managers

Your presenter

Your presenter is a highly skilled security specialist enabling you to make your ICT Security problems a thing of the past. Your presenter will be selected from our pool of Certificate IV qualified trainers, all of whom have considerable hands-on security experience to support the training they deliver.

Pre-requisites

This is not a class for non-technical students. Participants require some basic knowledge of high-level programming languages like PHP and Java. They will require significant knowledge of HTML, HTTP and JavaScript. They will also be required to be familiar with Linux operating systems.

For more information, please contact us at [email protected]


Web Application Secure Coding Course

The Web Application Secure Coding course covers the most prevalent and dangerous security defects in today’s applications, supplying hands-on and actionable guidelines to remediate these common defects.

Course outline

From common vulnerabilities and their potential consequences to how to avoid these vulnerabilities, this course is a hands-on exercise in secure coding. With practical exercises to exploit or hack common vulnerabilities, students will obtain valuable experience as both an attacker and defender of web applications.

Topics covered include:

• Injection flaws, such as SQL, Operating System and LDAP injection

• Broken Authentication and Session Management

• Cross-Site Scripting

• Insecure Direct Object References

• Security Misconfiguration

• Sensitive Data Exposure

• Missing Function Access Control

• Cross-Site Request Forgery

• Using Components with Known Vulnerabilities

• Unvalidated Redirects and Forwards

• An overview of the OWASP Testing Guide v3.0 methodology

• An overview of the OWASP Developer Guide 2013 methodology

• Hands-on vulnerability exploitation (hacking) exercises using the OWASP WebGoat tool

• Hands-on vulnerability patching exercises using the OWASP WebGoat tool and others.

Who should attend

• Designers of Internet systems and those responsible for deployment of Internet connected infrastructure

• Developers responsible for the production of code

• IT security practitioners and reviewers responsible for assessing the security of deployed systems

• Fraud and security investigations staff seeking an understanding of common attack vectors.

Your presenter

Your presenter is a highly skilled security specialist enabling you to make your ICT Security problems a thing of the past. Your presenter will be selected from our pool of Certificate IV qualified trainers, all of whom have considerable hands-on security experience to support the training they deliver.


Pre-requisites

Each participant must have their own Windows laptop with at least 4GB of RAM.


E-learning Security Awareness Course

In order to effectively secure your assets and information, your staff must be aware of, comprehend and, most importantly, follow the IT Policies, Plans and Procedures that you have so thoughtfully created.

Education is the key. Informing your employees how to be cyber security aware is essential. eLearning is one of the most efficient ways to improve the IT culture within your organisation. eLearning can be tailored to your needs to bring an effective security mindset into your company. Whether you are a large or small enterprise, we can assist you to implement the most constructive security awareness course for your business.

Our eLearning content includes a suite of training modules produced by cyber security experts with a breadth of knowledge constantly updated by their current involvement ‘at the coalface’ of cyber technology. Our training helps you to:

• Adopt a security attitude that starts at home and carries through to the workplace

• Foster a security awareness program that will start a culture change

• Reduce the organisation’s exposure to information risks and security threats through improved employee training, awareness and reduced click-through rates

• Improve executive awareness of threats and increase support for threat remediation activities

• Provide metrics and up-to-date material that is relevant to staff.

All our courses are WCAG compliant and can be delivered as a SCORM compliant zip file, with flexible delivery options of hosting on our Learning Management System or on yours. We make our courses interactive, relevant to those attending and engaging. If you require follow-up, course success can be managed through our continuous improvement tracking.

Who should attend

• All of your team members who need to become more security aware.

Your presenter

Your presenter is a highly skilled security specialist enabling you to make your ICT Security problems a thing of the past. Your presenter will be selected from our pool of Certificate IV qualified trainers, all of whom have considerable hands-on security experience to support the training they deliver.

For more information, please contact us at [email protected]


www.dxc.technology

About DXC Technology

DXC Technology (DXC: NYSE) is the world’s leading independent, end-to-end IT services company, serving nearly 6,000 private and public-sector clients from a diverse array of industries across 70 countries. The company’s technology independence, global talent and extensive partner network deliver transformative digital offerings and solutions that help clients harness the power of innovation to thrive on change. DXC Technology is recognized among the best corporate citizens globally. For more information, visit www.dxc.technology.

© 2018 DXC Technology Company. All rights reserved. MD_8761a-19. August 2018