
“Security auditors should update risk-driven methodologies” urges SANS Institute expert

by Brian Sims

The SANS London Spring 2016 event is set to welcome a growing community of security auditors looking to refresh their skills on the recently updated AUD507: Auditing and Monitoring Networks, Perimeters and Systems training course, one of eight security training tracks the organisation is running in London during February and March.

According to course author and industry expert David Hoelzer: “One of the key struggles that IT auditors face today is assisting senior management to understand the relationship between technical controls and risks to the business that these affect. This training track is organised specifically to provide a risk-driven methodology for tackling the enormous task of designing an enterprise security validation program.”

Hoelzer, a SANS Fellow instructor and author of more than 20 sections of SANS coursework, is an expert in a variety of information security fields, and was recently called upon to serve as an expert witness for the Federal Trade Commission around groundbreaking GLBA Privacy Rule litigation.

Across a 25-year career, Hoelzer has also authored (or contributed to) more than 15 peer-reviewed books, publications and journal articles on a wide range of security topics, including extensive work on audit.

Specification or selection of controls

“In today’s information security world, most enterprises are either already moving towards, or seriously considering moving towards compliance with any number of a variety of security standards that represent Best Practice,” continued Hoelzer.

“One of the key topics covered in this material is an effective, risk-based method for the specification or selection of controls. This skill set allows security professionals to analyse an existing set of controls, a business process, an audit exception or a security incident and identify any missing or ineffective controls. More importantly, perhaps, learners will be able to easily identify what corrective actions can eliminate the problem in the future.”

As a SANS instructor, Hoelzer has trained many security professionals over the years, including Fortune 500 security engineers and managers. He stated: “Auditors, administrators and security managers alike will walk away with a ‘To Do’ list far longer than the one with which they arrive. The overriding aim is to align security operations and auditing with business operations in a way that delivers the biggest return on investment for the host business.”

SANS London Spring 2016 runs from 29 February-5 March. All classes are being run within the Grand Connaught Rooms in the heart of London’s West End.

SANS London 2016: the courses

Many courses at SANS London Spring 2016 boast an associated GIAC examination. SANS is also offering an ‘On Demand’ version of courses at a discounted rate to assist with exam preparation.

The full list of courses includes:

*SEC560: Network Penetration Testing and Ethical Hacking (Erik Van Buggenhout)

*SEC401: Security Essentials ‘Bootcamp-Style’ (Dr Eric Cole)

*SEC504: Hacker Tools, Techniques, Exploits and Incident Handling

*SEC542: Web App Penetration Testing and Ethical Hacking (Pieter Danhieux)

*SEC760: Advanced Exploit Development for Penetration Testers (Jake Williams)

*FOR508: Advanced Digital Forensics and Incident Response (Jess Garcia)

*FOR526: Memory Forensics In-Depth (Alissa Torres)

*AUD507: Auditing and Monitoring Networks, Perimeters and Systems (David Hoelzer)

The event also offers evening socialising and networking opportunities involving SANS instructors and fellow industry peers. Further detail is available at: https://www.SANS.org/event/london-in-the-spring-2016/

About The SANS Institute

The SANS Institute was established back in 1989 as a co-operative research and education organisation. SANS is “the most trusted and, by far, the largest” provider of cyber security training and certification to professionals and commercial institutions worldwide.

Renowned SANS instructors teach over 50 different courses at more than 200 live cyber security training events, as well as online.

An affiliate of The SANS Institute, GIAC validates employee qualifications via 27 hands-on, technical certifications in information security. For its part, The SANS Technology Institute (a regionally-accredited independent subsidiary) offers Master’s degrees in cyber security.

Further information on The SANS Institute and its work designed to help the entire information security community is available at: www.SANS.org
