Security Assessment & Authorization (SA&A) Certification Program

Purpose of Course:

The main purpose of this course is to bring a consistent understanding of the SA&A Process across all federal departments and agencies, provincial and city governments, employees and contractors, and major corporations doing business with government organizations.

Why this Course?

Employees and contractors at all levels of government and in all departments and agencies are using processes, procedures, and templates that are as different as every individual. There is an urgent need out there for this course. It’s a mess out there.

This course hopes to eliminate the confusion and bring a common understanding of the SA&A process across the IT and Cyber Security landscape.

Content of Course:

This is a 3 day course.

Day 1 covers the 15 subject areas listed below in a presentation format with questions and answers. Days 2 and 3 are used to perform a Security Assessment and Authorization (SA&A) of a typical system. Participants of the 3 day course will receive a Certificate of Completion, signifying that they are qualified to perform an SA&A of a system, service, or program.

This certificate course is essential for anyone who is required to perform an SA&A of a system, service, or program, or who just wants to understand the following subject areas:

1. What is SA&A?

2. IT Security Strategies for addressing your systems, services, or programs

3. Roles and Responsibilities of stakeholders in the SA&A Process – according to GC standards, directives, and guidelines

4. What is ISSIP (ITSG-33 – Information System Security Implementation Process)?

5. Zoning 101

6. Statement of Sensitivity (SoS)

7. Threat & Risk Assessment (TRA) Process from Harmonized TRA Methodology – includes a practical step-by-step approach to completing a TRA

8. Business Continuity and Disaster Recovery Plans (BCP/DRP)

9. Criticality of systems, services, or programs

10. Classification of Data

11. Physical Security considerations

12. Encryption Standards

13. ITSG-33 – what you need to know

14. Security Control Profiles & Security Requirements Traceability Matrix (SRTM) – pitfalls to avoid

15. Privacy and a high level look at how to conduct a Privacy Impact Assessment

Who is this course for?

Senior Management and Executives should attend the 1 day presentation.

This will give a detailed understanding of the 15 items listed above. It will give them the tools that they need to make informed decisions that are guaranteed to reduce the cost, resourcing, and schedule of projects.

Projects today are spending a great deal of money and resources on IT Security because those in charge don’t understand what is needed.

Don’t make their mistake.

The 1 day course is essential for anyone that is involved in the decision-making process for projects in any type of industry. Our way of life and how we do business has changed dramatically with the advent of the Internet, email, and the threats associated with that. Senior management cannot ignore IT and Cyber Security challenges in their systems, services, and programs. The SA&A component of IT Security is essential for any project, system, service, or program that involves Information Technology.

This course is essential for Government Employees, particularly those in IT Security positions, project managers, project leads, and those wishing to understand the latest IT and Cyber Security processes and IT Security standards, directives, guidelines, and regulation.

This group should attend the full 3 day course.

Day 1 is the presentation material. Days 2 and 3 are for completion of the SA&A templates.

Attendees will learn how to perform SA&A for existing or proposed systems, services, or programs. I’ll show you how to assess proposed systems, services or programs. I’ll show you the difference between an assessment and an audit.

Looking for more training options? Get in touch to discuss custom training sessions tailored to the needs of you and your team.