Certified Chief Information Security Officer Certification Course Outline
Domain 1: Governance and Risk Management
Module 1: Define, Implement, Manage, and Maintain an Information Security Governance Program
- Form of Business Organisation
- Industry
- Organisational Maturity
Module 2: Information Security Drivers
Module 3: Establishing an Information Security Management Structure
- Organisational Structure
- Where does the CISO fit within the Organisational Structure
- The Executive CISO
- Nonexecutive CISO
Module 4: Laws/Regulations/Standards as Drivers of Organisational Policy/Standards/Procedures
Module 5: Managing an Enterprise Information Security Compliance Program
- Security Policy
- Necessity of a Security Policy
- Security Policy Challenges
- Policy Content
- Types of Policies
- Policy Implementation
- Reporting Structure
- Standards and Best Practices
- Leadership and Ethics
- EC-Council Code of Ethics
Module 6: Introduction to Risk Management
Domain 2: Information Security Controls, Compliance, and Audit Management
Module 7: Information Security Controls
- Identifying the Organisation’s Information Security Needs
- Identifying the Optimum Information Security Framework
- Designing Security Controls
- Control Lifecycle Management
- Control Classification
- Control Selection and Implementation
- Control Catalogue
- Control Maturity
- Monitoring Security Controls
- Remediating Control Deficiencies
- Maintaining Security Controls
- Reporting Controls
- Information Security Service Catalogue
Module 8: Compliance Management
- Acts, Laws, and Statutes
- FISMA
- Regulations
- GDPR
- Standards
- ASD—Information Security Manual
- Basel III
- FFIEC
- ISO 27000 Family of Standards
- NERC-CIP
- PCI DSS
- NIST Special Publications
- Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
Module 9: Guidelines, Good and Best Practices
Module 10: Audit Management
- Audit Expectations and Outcomes
- IS Audit Practices
- ISO/IEC Audit Guidance
- Internal versus External Audits
- Partnering with the Audit Organisation
- Audit Process
- General Audit Standards
- Compliance-Based Audits
- Risk-Based Audits
- Managing and Protecting Audit Documentation
- Performing an Audit
- Evaluating Audit Results and Report
- Remediating Audit Findings
- Leverage GRC Software to Support Audits
Domain 3: Security Program Management & Operations
Module 11: Program Management
- Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies
- Security Program Charter
- Security Program Objectives
- Security Program Requirements
- Security Program Stakeholders
- Security Program Strategy Development
- Executing an Information Security Program
- Defining and Developing, Managing and Monitoring the Information Security Program
- Defining an Information Security Program Budget
- Developing an Information Security Program Budget
- Managing an Information Security Program Budget
- Monitoring an Information Security Program Budget
- Defining and Developing Information Security Program Staffing Requirements
- Managing the People of a Security Program
- Resolving Personnel and Teamwork Issues
- Managing Training and Certification of Security Team Members
- Clearly Defined Career Path
- Designing and Implementing a User Awareness Program
- Managing the Architecture and Roadmap of the Security Program
- Information Security Program Architecture
- Information Security Program Roadmap
- Program Management and Governance
- Understanding Project Management Practices
- Identifying and Managing Project Stakeholders
- Measuring the Effectiveness of Projects
- Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
- Data Backup and Recovery
- Backup Strategy
- ISO BCM Standards
- Business Continuity Management (BCM)
- Disaster Recovery Planning (DRP)
- Continuity of Security Operations
- Integrating the Confidentiality, Integrity and Availability (CIA) Model
- BCM Plan Testing
- DRP Testing
- Contingency Planning, Operations, and Testing Programs to Mitigate Risk and Meet Service Level Agreements (SLAs)
- Computer Incident Response
- Incident Response Tools
- Incident Response Management
- Incident Response Communications
- Post-Incident Analysis
- Testing Incident Response Procedures
- Digital Forensics
- Crisis Management
- Digital Forensics Life Cycle
Module 12: Operations Management
- Establishing and Operating a Security Operations (SecOps) Capability
- Security Monitoring and Security Information and Event Management (SIEM)
- Event Management
- Incident Response Model
- Developing Specific Incident Response Scenarios
- Threat Management
- Threat Intelligence
- Information Sharing and Analysis Centres (ISAC)
- Vulnerability Management
- Vulnerability Assessments
- Vulnerability Management in Practice
- Penetration Testing
- Security Testing Teams
- Remediation
- Threat Hunting
Module 13: Summary
Domain 4: Information Security Core Competencies
Module 14: Access Control
- Authentication, Authorisation, and Auditing
- Authentication
- Authorisation
- Auditing
- User Access Control Restrictions
- User Access Behaviour Management
- Types of Access Control Models
- Designing an Access Control Plan
- Access Administration
Module 15: Physical Security
- Designing, Implementing, and Managing Physical Security Program
- Physical Location Considerations
- Obstacles and Prevention
- Secure Facility Design
- Security Operations Centre
- Sensitive Compartmented Information Facility
- Digital Forensics Lab
- Datacentre
- Preparing for Physical Security Audits
Module 16: Network Security
- Network Security Assessments and Planning
- Network Security Architecture Challenges
- Network Security Design
- Network Standards, Protocols, and Controls
- Network Security Standards
- Protocols
- Network Security Controls
- Wireless (Wi-Fi) Security
- Wireless Risks
- Wireless Controls
- Voice over IP Security
Module 18: Endpoint Protection
- Endpoint Threats
- Endpoint Vulnerabilities
- End User Security Awareness
- Endpoint Device Hardening
- Endpoint Device Logging
- Mobile Device Security
- Mobile Device Risks
- Mobile Device Security Controls
- Internet of Things (IoT) Security
Module 19: Application Security
- Secure SDLC Model
- Separation of Development, Test, and Production Environments
- Application Security Testing Approaches
- DevSecOps
- Waterfall Methodology and Security
- Agile Methodology and Security
- Other Application Development Approaches
- Application Hardening
- Application Security Technologies
- Version Control and Patch Management
- Database Security
- Database Hardening
- Secure Coding Practices
Module 20: Encryption Technologies
- Encryption and Decryption
- Cryptosystems
- Blockchain
- Digital Signatures and Certificates
- PKI
- Key Management
- Hashing
- Encryption Algorithms
- Encryption Strategy Development
- Determining Critical Data Location and Type
- Deciding What to Encrypt
- Determining Encryption Requirements
- Selecting, Integrating, and Managing Encryption Technologies
Module 21: Virtualisation Security
- Virtualisation Overview
- Virtualisation Risks
- Virtualisation Security Concerns
- Virtualisation Security Controls
- Virtualisation Security Reference Model
Module 22: Cloud Computing Security
- Overview of Cloud Computing
- Security and Resiliency Cloud Services
- Cloud Security Concerns
- Cloud Security Controls
- Cloud Computing Protection Considerations
Module 23: Transformative Technologies
- Artificial Intelligence
- Augmented Reality
- Autonomous SOC
- Dynamic Deception
- Software-Defined Cybersecurity
Domain 5: Strategic Planning, Finance, Procurement and Vendor Management
Module 24: Strategic Planning
- Understanding the Organisation
- Understanding the Business Structure
- Determining and Aligning Business and Information Security Goals
- Identifying Key Sponsors, Stakeholders, and Influencers
- Understanding Organisational Financials
- Creating an Information Security Strategic Plan
- Strategic Planning Basics
- Alignment to Organisational Strategy and Goals
- Defining Tactical Short, Medium, and Long-Term Information Security Goals
- Information Security Strategy Communication
- Creating a Culture of Security
Module 25: Designing, Developing, and Maintaining an Enterprise Information Security Program
- Ensuring a Sound Program Foundation
- Architectural Views
- Creating Measurements and Metrics
- Balanced Scorecard
- Continuous Monitoring and Reporting Outcomes
- Continuous Improvement
- Information Technology Infrastructure Library (ITIL) Continual Service Improvement (CSI)
Module 26: Understanding the Enterprise Architecture (EA)
- EA Types
- The Zachman Framework
- The Open Group Architecture Framework (TOGAF)
- Sherwood Applied Business Security Architecture (SABSA)
- Federal Enterprise Architecture Framework (FEAF)
Module 27: Finance
- Understanding Security Program Funding
- Analysing, Forecasting, and Developing a Security Budget
- Resource Requirements
- Define Financial Metrics
- Technology Refresh
- New Project Funding
- Contingency Funding
- Managing the Information Security Budget
- Obtain Financial Resources
- Allocate Financial Resources
- Monitor and Oversight of Information Security Budget
- Report Metrics to Sponsors and Stakeholders
- Balancing the Information Security Budget
Module 28: Procurement
- Procurement Program Terms and Concepts
- Statement of Objectives (SOO)
- Statement of Work (SOW)
- Total Cost of Ownership (TCO)
- Request for Information (RFI)
- Request for Proposal (RFP)
- Master Service Agreement (MSA)
- Service Level Agreement (SLA)
- Terms and Conditions (T&C)
- Understanding the Organisation’s Procurement Program
- Internal Policies, Processes, and Requirements
- External or Regulatory Requirements
- Local Versus Global Requirements
- Procurement Risk Management
- Standard Contract Language
Module 29: Vendor Management
- Understanding the Organisation’s Acquisition Policies and Procedures
- Applying Cost-Benefit Analysis (CBA) During the Procurement Process
- Vendor Management Policies
- Contract Administration Policies
- Service and Contract Delivery Metrics
- Contract Delivery Reporting
- Change Requests
- Contract Renewal
- Contract Closure
- Delivery Assurance
- Validation of Meeting Contractual Requirements
- Formal Delivery Audits
- Periodic Random Delivery Audits
- Third-Party Attestation Services (TPRM)