Detailed Course Outline
Domain 01 - Governance
1. Define, Implement, Manage, and Maintain an Information Security Governance Program
- 1.1. Form of Business Organization
- 1.2. Industry
- 1.3. Organizational Maturity
2. Information Security Drivers
3. Establishing an information security management structure
- 3.1. Organizational Structure
- 3.2. Where does the CISO fit within the organizational structure?
- 3.3. The Executive CISO
- 3.4. Nonexecutive CISO
4. Laws/Regulations/Standards as drivers of Organizational Policy/ Standards/ Procedures
- 4.1. NIST Risk Management Guidance
- 4.2. NIST RMF
5. Managing an enterprise information security compliance program
- 5.1. Security Policy
- 5.1.1 Necessity of a Security Policy
- 5.1.2 Security Policy Challenges
- 5.2. Policy Content
- 5.2.1 Types of Policies
- 5.2.2 Policy Implementation
- 5.3. Reporting Structure
- 5.4. Standards and best practices
- 5.5. Leadership and Ethics
- 5.6. EC-Council Code of Ethics
6. Risk Management
- 6.1. The Essentials of Risk Management
7. Risk mitigation, risk treatment, and acceptable risk
- 7.1. Risk Treatment
- 7.2. Risk Treatment Options
- 7.2.1 Risk Modification or Mitigation
- 7.2.2 Risk Retention or Acceptance
- 7.2.3 Risk Avoidance or Elimination
- 7.2.4 Risk Sharing or Transfer
- 7.3. Risk Categories
8. Risk management frameworks
- 8.1. ISO 27005
- 8.2. Context Establishment
- 8.3. Risk Assessment
- 8.3.1 Risk Assessment: ISO 27005 Section 8
- 8.4. Risk Treatment
- 8.5. Risk Acceptance
- 8.6. Risk Feedback
- 8.7. Risk Monitoring and Review
- 8.8. Risk Communication and Consultation
9. NIST
- 9.1. NIST Risk Management and Assessment
- 9.2. NIST Risk Management Hierarchy
- 9.3. NIST Risk Assessment Process
10. Other Frameworks and Guidance (ISO 31000, TARA, OCTAVE, FAIR, COBIT, and ITIL)
- 10.1. ISO 31000
- 10.2. Threat Agent Risk Assessment (TARA)
- 10.3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro
- 10.4. Factor Analysis of Information Risk (FAIR)
- 10.5. COBIT Risk Management
- 10.6. ITIL Risk Management
11. Risk management plan implementation
- 11.1. Context Establishment
- 11.2. Risk assessments
- 11.2.1 Risk Identification
- 11.2.2 Risk Analysis
- 11.2.3 Risk Evaluation
- 11.3. Risk Treatment
- 11.3.1 Risk Modification
- 11.3.2 Risk Retention
- 11.3.3 Risk Avoidance
- 11.3.4 Risk Sharing
- 11.3.5 Residual Risk
- 11.4. Risk Acceptance
- 11.5. Risk Management Feedback Loops
- 11.5.1 Risk Communication and Consultation
- 11.5.2 Risk Monitoring and Review
12. Ongoing third-party risk management
- 12.1. Ongoing Risk Management
- 12.2. Disposition
- 12.2.1 Type of Sanitization
13. Risk management policies and processes
14. Conclusion
Domain 2 - Security Risk Management, Controls, & Audit Management
1. INFORMATION SECURITY CONTROLS
- 1.1. Identifying the Organization’s Information Security Needs
- 1.1.1. Identifying the Optimum Information Security Framework
- 1.1.2. Designing Security Controls
- 1.1.3. Control Lifecycle Management
- 1.1.4. Control Classification
- 1.1.5. Control Selection and Implementation
- 1.1.6. Control Catalog
- 1.1.7. Control Maturity
- 1.1.8. Monitoring Security Controls
- 1.1.9. Remediating Control Deficiencies
- 1.1.10. Maintaining Security Controls
- 1.1.11. Reporting Controls
- 1.1.12. Information Security Service Catalog
2. COMPLIANCE MANAGEMENT
- 2.1. Acts, Laws, and Statutes
- 2.2. Regulations
- 2.3. Standards
3. GUIDELINES, GOOD AND BEST PRACTICES
- 3.1. CIS
4. AUDIT MANAGEMENT
- 4.1. Audit Expectations and Outcomes
- 4.2. IS Audit Practices
5. SUMMARY
6. REFERENCES
Domain 03 - Security Program Management and Operations
1. PROGRAM MANAGEMENT
- 1.1. Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies
- 1.1.1. Security Program Charter
- 1.1.2. Security Program Objectives
- 1.1.3. Security Program Requirements Model
- 1.1.4. Security Program Stakeholders
- 1.1.5. Security Program Strategy Development
- 1.3. Defining and Developing, Managing and Monitoring the Information Security Program
- 1.3.1. Defining an Information Security Program Budget
- 1.3.2. Developing an Information Security Program Budget
- 1.3.3. Managing an Information Security Program Budget
- 1.3.4. Monitoring an Information Security Program Budget
- 1.4. Defining and Developing Information Security Program Staffing Requirements
- 1.5. Managing the People of a Security Program
- 1.5.1. Resolving Personnel and Teamwork Issues [2].
- 1.5.2. Managing Training and Certification of Security Team Members
- 1.5.3. Clearly Defined Career Path
- 1.5.4. Designing and Implementing a User Awareness Program
- 1.6. Managing the Architecture and Roadmap of the Security Program
- 1.6.1. Information Security Program Architecture
- 1.6.2. Information Security Program Roadmap
- 1.7. Program Management and Governance
- 1.7.1. Understanding Project Management Practices and Controls
- 1.7.2. Identifying and Managing Project Stakeholders
- 1.7.3. Measuring the Effectives of Projects
- 1.8. Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
- 1.9. Data Backup and Recovery
- 1.10. Backup Strategy
- 1.11. ISO BCM Standards
- 1.11.1. Business Continuity Management (BCM)
- 1.11.2. Disaster Recovery Planning (DRP)
- 1.12. Continuity of Security Operations
- 1.12.1. Integrating the Confidentiality, Integrity and Availability (CIA) Model
- 1.13. BCM Plan Testing
- 1.14. DRP Testing
- 1.15. Contingency Planning, Operations, and Testing Programs to Mitigate Risk and Meet Service Level Agreements (SLAs)
- 1.16. Computer Incident Response
- 1.16.1. Incident Response Tools
- 1.16.2. Incident Response Management
- 1.16.3. Incident Response Communications
- 1.16.4. Post-Incident Analysis
- 1.16.5. Testing Incident Response Procedures
- 1.17. Digital Forensics
- 1.17.1. Crisis Management
- 1.17.2. Digital Forensics Life Cycle
2. OPERATIONS MANAGEMENT
3. Summary
4. References
Domain 04 - Information Security Core Concepts
1. ACCESS CONTROL
- 1.1. Authentication, Authorization, and Auditing
- 1.2. Authentication
- 1.3. Authorization
- 1.4. Auditing
- 1.5. User Access Control Restrictions
- 1.6. User Access Behavior Management
- 1.7. Types of Access Control Models
- 1.8. Designing an Access Control Plan
- 1.9. Access Administration
2. PHYSICAL SECURITY
- 2.1. Designing, Implementing, and Managing Physical Security Program
- 2.1.1. Physical Risk Assessment
- 2.2. Physical Location Considerations
- 2.3. Obstacles and Prevention
- 2.4. Secure Facility Design
- 2.4.1. Security Operations Center
- 2.4.2. Sensitive Compartmented Information Facility
- 2.4.3. Digital Forensics Lab
- 2.4.4. Datacenter
- 2.5. Preparing for Physical Security Audits
3. NETWORK SECURITY
- 3.1. Network Security Assessments and Planning
- 3.2. Network Security Architecture Challenges
- 3.3. Network Security Design
- 3.4. Network Standards, Protocols, and Controls
- 3.4.1. Network Security Standards
- 3.4.2. Protocols
- 3.4.3. Network Security Controls
- 3.5. Wireless (Wi-Fi) Security
- 3.5.1. Wireless Risks
- 3.5.2. Wireless Controls
- 3.6. Voice over IP Security
4. ENDPOINT PROTECTION
- 4.1. Endpoint Threats
- 4.2. Endpoint Vulnerabilities
- 4.3. End User Security Awareness
- 4.4. Endpoint Device Hardening
- 4.5. Endpoint Device Logging
- 4.6. Mobile Device Security
- 4.6.1. Mobile Device Risks
- 4.6.2. Mobile Device Security Controls
- 4.7. 4.7 Internet of Things Security
- 4.7.1. Protecting IoT Devices
5. APPLICATION SECURITY
- 5.1. Secure SDLC Model
- 5.2. Separation of Development, Test, and Production Environments
- 5.3. Application Security Testing Approaches
- 5.4. DevSecOps
- 5.5. Waterfall Methodology and Security
- 5.6. Agile Methodology and Security
- 5.7. Other Application Development Approaches
- 5.8. Application Hardening
- 5.9. Application Security Technologies
- 5.10. Version Control and Patch Management
- 5.11. Database Security
- 5.12. Database Hardening
- 5.13. Secure Coding Practices
6. ENCRYPTION TECHNOLOGIES
- 6.1. Encryption and Decryption
- 6.2. Cryptosystems
- 6.2.1. Blockchain
- 6.2.2. Digital Signatures and Certificates
- 6.2.3. PKI
- 6.2.4. Key Management
- 6.3. Hashing
- 6.4. Encryption Algorithms
- 6.5. Encryption Strategy Development
- 6.5.1. Determining Critical Data Location and Type
- 6.5.2. Deciding What to Encrypt
- 6.5.3. Determining Encryption Requirements
- 6.5.4. Selecting, Integrating, and Managing Encryption Technologies
7. VIRTUALIZATION SECURITY
- 7.1. Virtualization Overview
- 7.2. Virtualization Risks
- 7.3. Virtualization Security Concerns
- 7.4. Virtualization Security Controls
- 7.5. Virtualization Security Reference Model
8. CLOUD COMPUTING SECURITY
- 8.1. Overview of Cloud Computing
- 8.2. Security and Resiliency Cloud Services
- 8.3. Cloud Security Concerns
- 8.4. Cloud Security Controls
- 8.5. Cloud Computing Protection Considerations
9. TRANSFORMATIVE TECHNOLOGIES
- 9.1. Artificial Intelligence
- 9.2. Augmented Reality
- 9.3. Autonomous SOC
- 9.4. Dynamic Deception
- 9.5. Software-Defined Cybersecurity
10. Summary
11. References
Domain 05 - Strategic Planning, Finance, Procurement and Vendor Management
1. STRATEGIC PLANNING
- 1.1. Understanding the Organization
- 1.1.1. Understanding the Business Structure
- 1.1.2. Determining and Aligning Business and Information Security Goals
- 1.1.3. Identifying Key Sponsors, Stakeholders, and Influencers
- 1.1.4. Understanding Organizational Financials
- 1.2. Creating an Information Security Strategic Plan
- 1.2.1. Strategic Planning Basics
- 1.2.2. Alignment to Organizational Strategy and Goals
- 1.2.3. Defining Tactical Short, Medium, and Long Term Information Security Goals
- 1.2.4. Information Security Strategy Communication
- 1.2.5. Creating a Culture of Security
2. Designing, Developing, and Maintaining an Enterprise Information Security Program
- 2.1. Ensuring a Sound Program Foundation
- 2.2. Architectural Views
- 2.3. Creating Measurements and Metrics
- 2.4. Balanced Scorecard
- 2.5. Continuous Monitoring and Reporting Outcomes
- 2.6. Continuous Improvement
- 2.7. Information Technology Infrastructure Library (ITIL) Continual Service Improvement (CSI)
3. Understanding the Enterprise Architecture (EA)
- 3.1. EA Types
- 3.1.1. The Zachman Framework
- 3.1.2. The Open Group Architecture Framework (TOGAF)
- 3.1.3. Sherwood Applied Business Security Architecture (SABSA)
- 3.1.4. Federal Enterprise Architecture Framework (FEAF)
4. FINANCE
- 4.1. Understanding Security Program Funding
- 4.2. Analyzing, Forecasting, and Developing a Security Budget
- 4.2.1. Resource Requirements
- 4.2.2. Define Financial Metrics
- 4.2.3. Technology Refresh
- 4.2.4. New Project Funding
- 4.2.5. Contingency Funding
- 4.3. Managing the information Security Budget
- 4.3.1. Obtain Financial Resources
- 4.3.2. Allocate Financial Resources
- 4.3.3. Monitor and Oversight of Information Security Budget
- 4.3.4. Report Metrics to Sponsors and Stakeholders
- 4.3.5. Balancing the Information Security Budget
5. PROCUREMENT
- 5.1. Procurement Program Terms and Concepts
- 5.1.1. Statement of Objectives (SOO)
- 5.1.2. Statement of Work (SOW)
- 5.1.3. Total Cost of Ownership (TCO)
- 5.1.4. Request for Information (RFI)
- 5.1.5. Request for Proposal (RFP)
- 5.1.6. Master Service Agreement (MSA)
- 5.1.7. Service Level Agreement (SLA)
- 5.1.8. Terms and Conditions (T&C)
- 5.2. Understanding the Organization’s Procurement Program
- 5.2.1. Internal Policies, Processes, and Requirements
- 5.2.2. External or Regulatory Requirements
- 5.2.3. Local Versus Global Requirements
- 5.3. Procurement Risk Management
- 5.3.1. Standard Contract Language
6. VENDOR MANAGEMENT
- 6.1. Understanding the Organization’s Acquisition Policies and Procedures
- 6.1.1. Procurement Life cycle
- 6.2. Applying Cost-Benefit Analysis (CBA) During the Procurement Process
- 6.3. Vendor Management Policies
- 6.4. Contract Administration Policies
- 6.4.1. Service and Contract Delivery Metrics
- 6.4.2. Contract Delivery Reporting
- 6.4.3. Change Requests
- 6.4.4. Contract Renewal
- 6.4.5. Contract Closure
- 6.5. Delivery Assurance
- 6.5.1. Validation of Meeting Contractual Requirements
- 6.5.2. Formal Delivery Audits
- 6.5.3. Periodic Random Delivery Audits
- 6.5.4. Third-Party Attestation Services (TPRM)
7. Summary
8. References