Module 0: Introduction

Keynote Session by CIS Controls Leadership.

Module 1 - Setting Up Your Program

  • Fundamentals
    • Roles and responsibilities (M4)
      • General - Definitions and Org structure
      • Security R&R (M9-SecOps)
      • The CISO as a senior leader
    • Identifying your crown jewels – Data Classification (M7)
    • Risks as the base (M2)
      • General
      • CISO as a Risk Advisor
  • Follow the path - CISO milestones
    • Your first 10 weeks as CISO – explore the existing
      • CISO duties
      • Project management (M5)
      • WWTB (Win with the basics, e.g. CIS Top 20)
    • Security – Current and Future State
      • Developing the culture - Security is everyone’s responsibility
      • Vision Statement (M4)
      • Current State Gap Analysis
    • Identifying your Security budget (M3)
    • Understand your regulatory environment (M11)
      • Definitions
      • Knowing Your regulatory compliance and obligations
      • Compliance process
  • Maintain and Develop
    • Security as a Start Up (M10)
    • Industry Partnerships
    • Board Communications

Module 2 - Security Risk Management

  • Risk Management Strategy
    • Develop comprehensive strategy to manage risk
    • Strategy and Framework
    • Develop Policy, Standards, and Procedures
    • Establishing Controls and Sub Controls
    • Developing Custom Controls
    • Monitoring and updating of the Controls
    • Develop a standard exception process
  • Risk Governance
    • Metrics and Reporting
    • Governance committees
    • Risk register
    • Risk benchmark
  • Risk Assessment
    • Risk Treatment
    • Develop governing program documents (standards & procedures)
    • Vulnerability Assessment
  • Security Awareness Program
    • Empowering All Roles w/ Knowledge
    • Security Awareness Training
    • Developing a new Program
    • Understanding your Organisation
    • Surveying your Landscape
    • Stakeholder Groups / Role Mapping
    • Vendors & Contractors with badge and network access
    • Role Based Training
    • All Employees training
  • Third Party Risk Management Program
    • Supply Chain or Procurement
    • Contract reviews
    • Security assessments
  • DR and BCP
    • The DR Process
    • NIST 800-34 Contingency Planning Guide
  • Integration with Enterprise Risk Management
  • Physical Security
    • Personnel Security
    • Facility Security
  • Cyber Insurance

Module 3 - Financial Issues in Managing a Security Program

  • Justifying your Budget
    • Formulating Your Budget
    • Information Security as a Business Enabler
  • The Financial Impacts of GRC Requirements
    • Why GRC Matters
    • Costs associated with “Governance” and “Risk” functions
    • Financial Considerations of Compliance
    • Internal/External Audits & Gap Assessments
    • Industry Compliance & Certifications
    • Cyber Liability Insurance
  • Cybersecurity Tools & Testing
  • Personnel Cost
  • Outsourcing vs Insourcing Decision Factors
  • RFP, Vendor Analysis & Procurement
    • Why RFP?
    • The RFP Process
  • Balancing Capex & Opex
    • Definitions
    • Balancing Capex & Opex Objectives
    • Security Budgets – Over- or under-spending

Module 4 - Security Leadership

  • Mission
    • Learning the business
    • Risk appetite
    • Aligning Information Security Risk Management to the Appetite of the Organization
  • Change Enabler/Agent
    • Cyber as a mission enabler
    • Mindset of Corporate Leadership
    • Using Strengths of Culture for Security
    • Cyber security and the role of diversity
  • Holistic Collaboration
    • Developing organization-wide “Cyber Safety” awareness campaign
    • Conduct stakeholder analysis and survey
    • Enlisting Cyber Champions organization wide
    • Embed Cyber into everyone’s roles
    • Holistic Tools Approach
  • Managing Up & Down
    • Understanding the politics
  • Effective Communications
    • The art of storytelling
    • Summarizing data (e.g. not using heatmaps)
    • Win/Win Communication
    • ROI
    • Public speaking & influential/presentation skills
  • CISO Reporting
  • Mentoring and Team Development
  • Constant Negotiations
    • Tactics
    • Stakeholders
  • Cyber Wellness for a modern CISO
    • The modern cyber leader’s life
    • Common stressors for CISOs
    • Managing Expectations
  • Cyber Activities for an Organisation
    • Team Building (Engagement of whole organization)
    • All Employee Events
    • Cybersecurity Month events
    • Continuing events, training, and awareness activities all year long (not once a year)
  • Managing External Stakeholders Relationships
    • External stakeholders engagement
    • Customer assurance (e.g. financial svcs)

Module 5 - Integrating Security Into Project Management Lifecycle

  • Rationale and Background
    • Meeting of the Minds
    • Security Team as Advisors
    • Develop checklists
    • Types of checklists
  • Understanding the Project Management Lifecycle
    • Phases of Project Management
    • Project Management Methodologies – Waterfall, Kanban, Scrum & XP
  • Portfolio Management
    • A CISO Perspective
    • Facilitate knowledge sharing across teams
    • Effective decision-making
  • Application Development
    • Application types
    • In-house development
    • Commercial
    • Open-source
    • Programming languages
    • Development tools
    • Application security checklist
  • DevSecOps
    • Secure by design
    • Cultural challenges in organizations
    • Cultural shift
    • DevOps security checklist
    • Kubernetes checklist
  • Cloud Environment
    • Cloud roles & responsibilities
    • Overview of PaaS, IaaS, SaaS
    • Shared Responsibilities Model
    • Cloud Computing Reference Architecture
    • CSPM Capabilities
    • Cloud Security Models
    • Cloud Security consolidation project
    • Cloud Security Best Practices
    • Industry use cases for cloud security
    • AWS, Azure and SaaS checklists
  • On-Premise Data Center
    • New Systems Checklist
  • Change Management
    • Types of changes
    • Change Management Process – Overview
    • Approval/Acceptance Process
    • Basic Evaluation Criteria
    • Objectives of Business Impact Analysis: Purpose & Deliverables

Module 6 - Incident Response Lifecycle

  • Introduction, Definitions and Overview
  • Phases of Incident Response
    • Incident Management Process
    • OODA Loop – Incident Response
  • Incident Response Plan, Governance, & Risk Management
    • Staffing models, team structure
    • Blue Team vs Red Team vs Purple Team
    • Building an IR team
    • Security Operations Center
    • SOC Member Roles
    • IR plan components, RACI model
    • Tabletop
    • Golden Hour
    • Best Practices – IR
    • Incident Response Checklist
    • Vendor and Incident Management
    • 3rd party IR services
  • Communications
    • Creating a Communication Plan
    • Internal Comms
    • External Comms (partners & customers)
    • After an Incident
  • Legal Implications
    • Legal Considerations
    • Solving the Puzzle
    • Representative Standards
  • Regulatory Implications
    • Unified Compliance Framework
    • GDPR, HIPAA, GLBA, FISMA, PCI-DSS, NYDFS, NERC-CIP, ISO/IEC 27001, NIS Directive 2018: UK, CCPA
  • Tools and Technologies (detection, prevention, response, recovery, reporting)
    • Defense in Depth
    • Anti-Malware System
    • Anti-Phishing System
    • Network Behavior Monitoring System
    • Code Review System
    • Configuration Review System
    • Identity and Access Management
    • GRC Solution
    • Firewall Solution
    • IDS/IPS Solutions
    • SIEM Solution
    • Threat Intelligence System
    • Vulnerability Scanners
    • Data Leakage Prevention (DLP) System
    • Forensic Tools
    • Digital Forensics and Incident Management
    • Organizing Forensic Capability
    • Digital Forensics & IR Considerations
  • Threats and Cyber Attacks
    • Threat Intelligence
    • Threat Diagnostics & Threat Feeds
    • Standardizing Threat Information
    • Standards for Threat Information Sharing
    • Intro to Vendor Threat Intelligence
  • Contingency Planning and Incident Management
    • Contingency Plans
    • Cost Impacts & Disruption Timelines
    • Contingency Planning – Recovery Sites

Module 7 - Protecting Your Crown Jewels

  • What is a Crown Jewel
    • Types of Crown Jewels
  • How to Identify Crown Jewels
  • How to Protect Crown Jewels
    • Network Controls
    • Endpoint Protection
    • Access Control
    • Third Party Assurance
    • Data Loss Prevention
    • Threat and Vulnerability Management
    • Business Continuity and Disaster Recovery
    • Data Retention
    • Backup and Recovery
    • Incident Management

Module 8 - Identity and Access Management

  • Fundamentals of IAM
    • Why IAM
    • Subject, Object, access and access controls
    • IAM Policy
    • IAM lifecycle
    • Physical and logical access
    • Difference between Identification, Authentication and Authorization
    • Multi-factor Authentication
    • IAM Security Principals
    • Zero Trust
    • Access control Models – RBAC, MAC, Attribute-based access, Discretionary, Rule-based
  • High-level Building Blocks
    • IAM Service Components
    • Directory Services
    • Web SSO
    • Federated SSO
    • Identity Governance and Administration
    • Lifecycle Management
    • Governance
    • UEBA with IAM
    • Behaviour Analytics
  • Compliance
    • IAM – Regulatory and Compliance
  • IAM Controls
    • User Accounts and Password Security
    • Separation of Duties (SODs)
    • Recertification
    • Logging and monitoring
    • IAM Token
    • IAM Controls – CIS Standards
    • Digital IoT Devices
    • Human Access Control
    • Assigning and Provisioning control
    • Revocation control
    • Access Control Lists (ACL)
  • How to get IAM right
    • Do’s and Don’ts of IAM
  • Threat to Access Controls
  • Privileged ID Controls
    • Privileged Access Management (PAM)
    • PAM – Best Practices
  • Leading IAM Tools

Module 9 - Security Operations

  • Endpoint Security Controls
    • Defence-in-Depth – Endpoints
    • Detective Controls
      • Antivirus
      • Endpoint Logs
      • Endpoint Detection and Response
      • Sandboxing
    • Preventive Controls
    • Response Controls
  • Network Security Controls
    • Defence-in-Depth – Networks
    • Detective Controls
        • Intrusion Detection/Prevention System
      • User Behavior Analysis
      • Network Access Control
      • Distributed Denial of Service
    • Preventive Controls
      • Tools – Firewalls
      • Tools – DDoS Protection
      • Tools – Web Security Filtering
      • Tools – Cloud Access Security Broker
      • Tools – Email Security
        • Tools – Trust Zones
      • Tools – Remote Access
  • Application Security Controls
    • Defence-in-Depth – Applications
    • Detective Controls
    • Preventive Controls
    • Responsive controls
  • Configuration Management
    • Configuration Baselines and Standards
    • On-Premise
    • Cloud Management Responsibility Matrix
    • Leverage Cloud Native Tools – IaaS
    • Leverage Third-Party Monitoring Tools
    • Vulnerability Management
    • Inventory Management
    • Vulnerability Detection
    • Vulnerability Triage
    • Vulnerability Remediation
    • Exception Management
  • Operations Management
    • Metrics
    • Documentation
    • Administration
      • Integrations
      • Console Management
        • Console Overload
        • Cost Savings and Budget Implications
        • Integration and Automation Benefits
        • Operational Overhead
        • Logging Support
        • Training Costs
      • Feedback Loops

Module 10 - Business Transformation and Enablement

  • Cloud Transformation
    • Security Implications
    • Cloud-Specific Security Controls
    • Cloud-Access Security Brokers
    • Zero-Trust Architecture
    • Secure Access Service Edge (SASE)
  • Big Data, AI & Analytics
    • Big Data & AI: The relationship
    • Present Landscape of Big Data & AI
    • Future Landscape
  • Supply Chain Transformation
    • How supply-chain capabilities and technologies have evolved
    • Effective digital transformation of a supply chain
    • Supply chain security challenges
  • DevSecOps
    • DevSecOps Mantra
    • DevSecOps vs traditional software development
    • Achieving true security/development integration
    • DevSecOps Testing & Tools
    • DevSecOps Adoption
    • Soft Power
  • Product Security
    • Secure Design & Development (Waterfall, Agile, Hybrid)
    • Secure Operations
      • Operations Aspects of DevOps
    • Practical Threat Modeling
      • STRIDE & Associated Derivations
        • Process for Attack Simulation and Threat Analysis (PASTA)
      • Common Vulnerability Scoring System (CVSS)
  • Mergers & Acquisitions
    • Pre-Merger
    • Post-Merger

Module 11 - Legal Issues in Managing a Security Program

  • Cybersecurity Legal Regimes: Multiple, Overlapping, Conflicting Laws
    • What Law Governs Your Security Program?
    • Data Protection Regimes
    • Reasonable Safeguards
    • Why Privacy in a Security Program?
    • Common Types of Protected Information
    • Biometrics
  • Key Governance Policies: Legally Binding Duty of Care for Adequate or Reasonable
    • Duty of Care in Cybersecurity: Unsettled
    • What is reasonable and customary?
    • 16 CFR 314.3 (Federal Trade Commission (FTC))
    • Standards for safeguarding consumer information
    • Industry Guidelines – FTC
  • Dealing with Third Parties: Contractual Obligations and Supply Chain Cybersecurity Legal Issues
    • Security requirements: reflected in contracts?
    • NDAs, MSAs, SOWs
    • Vendor/Contract Management
  • Liability for Directors and Officers: Obligation to Satisfy Oversight of Cybersecurity
  • Data Breach Investigations: Issues of the Fourth Amendment and of Privilege
    • The Basics: The role of counsel during an incident
    • Is your organization appropriately leveraging legal counsel during an incident?
    • Security Incidents and Evidence
    • Search and Seizure Issues
    • Data Breach Notification and Security Incident Notification
  • Regulatory and Compliance Reporting
    • Internal and External Audits
    • What is a HIPAA Business Associate?
    • Contractual obligations
    • Regulatory obligations
  • Information Sharing: Cooperation with Law Enforcement and Sharing Cyber Threat Indicators
    • How CISOs can best work with the FBI (Q&A)
    • Information Sharing & Analysis Centers (ISACs)
    • Resources: Info-sharing groups
    • CERTs and CSIRCs
  • Active Defense: Hacking Back, Cyber Privateers, and the Legal Implications of Innovations in Cybersecurity
    • Principles for responding to an attacker
    • Cybersecurity Information Sharing Act of 2015
    • Data Awaiting Exfiltration
    • Increasing the Cost?
  • Privacy
    • Why privacy and security? Why not ignore privacy?
    • International Agreements on Privacy
    • Biometrics
    • Common Provisions of Privacy Laws
    • Cybersecurity Information Sharing Act of 2015