Course Syllabus - Focused on CIS Critical Controls Framework

The course includes the following eleven modules. All twenty CIS critical controls and the sub-controls under them have been mapped to these modules.

Module 0: Introduction

Keynote Session by CIS Controls Leadership.

Module 1 - Setting Up Your Program

  • Fundamentals
    • Roles and responsibilities (M4)
      • General - Definitions and Org structure
      • Security R&R (M9-SecOps)
      • Key security roles
    • Identifying your crown jewels – Data Classification (M7)
      • CC#1 Inventory and Control of Hardware Assets
      • CC#2 Inventory and Control of Software Assets
    • Risks as the base (M2)
      • General
      • CISO as a Risk Advisor
      • Base for your Security work plan, budget, etc.
      • Setting up CRMC including members from Business, Legal, IT, Audit and Finance
  • Follow the path - CISO milestones
    • Your first 10 weeks as CISO – explore the existing
      • CISO duties
      • Project management (M5)
      • WWTB (Win with the basics, e.g. CIS Top 20)
    • Security – Current and Future State
      • Developing the culture - Security is everyone’s responsibility
      • Vision (M4) [In S6 – Developing the Culture]
      • Assessment of current states based on core dimensions/gap analysis
      • Team analysis – Current and Future State
    • Finance and budget (M3)
      • Identify your budget
    • Understand your regulatory environment (M11)
      • Definitions
      • Review of existing policies, standards and procedures
      • Explore compliance, laws and regulations
  • Maintain and Develop
    • Security as a Start Up (M10)
    • Industry Partnerships
    • Board Communications

Module 2 - Security Risk Management

  • Risk Management Strategy
    • Develop comprehensive strategy to manage risk
    • Strategy and Framework
    • Develop Policy, Standards, and Procedures
    • Establishing Controls and Sub Controls
    • Developing Custom Controls
    • Monitoring and updating of the Controls
    • Develop a standard exception process
    • Implement risk strategy
  • Risk Governance
    • Metrics and Reporting
    • Governance committees
    • Risk register
    • Risk benchmark
  • Risk Assessment
    • Develop governing program documents (standards & procedures)
    • Vulnerability Assessment
    • Operating systems (OS)
    • Application security testing
    • Dynamic Application Security Testing (Grey/Black box testing)
    • Static Application Security Testing (Source code review / White-box security testing)
    • Network security testing
    • External network security testing
    • Internal network security testing
    • CC#3 Continuous Vulnerability Management
    • Red/Blue and Purple Team Exercises
    • CC#20 Penetration Tests and Red Team Exercises
  • Security Awareness Program
    • All IT & Security Staff
    • All Employees
    • Vendors & Contractors with badge and network access
    • Specialized Role Based
    • CC#17 Implement a Security Awareness and Training Program
  • Third Party Risk Management Program
    • Supply Chain or Procurement
    • Contract reviews
    • Security assessments
    • Residual risk acceptance
  • DR and BCP
    • Develop governing program documents (standards and procedures)
    • Identify essential mission and business functions
    • Define recovery objectives and restoration priorities
    • Test and approve
    • Backups
    • CC#10 Data Recovery Capabilities
  • Integration with Enterprise Risk Management
    • ERM positioned as value-adding
    • Holistic strategic risk management
  • Physical Security
    • Personnel Security
    • Facility Security
  • Cyber Insurance
    • Cyber Insurance

Module 3 - Financial Issues in Managing a Security Program

  • Justifying your Budget
    • Are you a cost center or are you strategic
    • What investments were made already
    • How your security program can help the company
    • Sell the sizzle, not the steak
    • Top (probably 3-5) most critical areas
      • GRC
        • Risk prioritization
        • Internal & External Audits
        • Gap Assessments
        • Benchmarking Exercises
        • Industry Compliance and Certifications
        • Cyber Insurance
      • Sec Ops, VA/PT
      • Tools (SIEM, PAM, EDR, DLP, MDM, etc.)
      • Services (IAM, SOC, CSIRT, Threat Intelligence, third party cyber risk management, Red Teams, etc.)
      • People
        • Headcount
        • Training & Awareness
  • RFP, Vendor Analysis and Procurement (Negotiations)
    • Why RFP (Request for Proposals)
    • Vendor Analysis
    • The Procurement Process
  • Balancing Capex vs Opex & Budget Process
    • Capital Expenditure
    • Operational Expenditure
    • Balancing Capex vs Opex
    • Overspending or Underspending?

Module 4 - Security Leadership

  • Mission
    • Learning the business
    • Risk appetite
    • Aligning Information Security Risk Management to the Appetite of the Organization
  • Change Enabler/Agent
    • Cyber as a mission enabler
    • Mindset of Corporate Leadership
    • Using Strengths of Culture for Security
    • Diversity in Cyber Workforce & Leadership
  • Holistic Collaboration
    • Developing organization-wide “Cyber Safety” awareness campaign
    • Conduct stakeholder analysis and survey
    • Enlisting Cyber Champions organization wide
    • Embed Cyber into everyone’s roles
    • Holistic Tools Approach
  • Managing 360 Degrees
    • Speaking the language of stakeholders & customers
    • Managing expectations
  • Effective Communications
    • The art of storytelling
    • Summarizing data (e.g. not using heatmaps)
    • Cyber as a value added
    • Win/Win Communication
    • ROI
    • Public speaking & influential/presentation skills
  • CISO Reporting
    • Reports to show leadership and management (e.g. CIS Top 20)
    • Reports from own team/stakeholders
    • “Why am I sharing this info?” (being cognizant of audience)
  • Mentoring and Team Development
    • Formal/Informal Mentoring (internal & external)
    • Cross training & succession planning
    • Hiring & Resourcing
  • Constant Negotiations
    • IT
    • Senior Leadership
    • Business Units
    • Vendors
  • Cyber Wellness & Burnout
    • Holistic CISO Wellness
    • Managing stress & Burnout
    • Managing incidents “well”
    • Managing Expectations
  • Activities
    • Team Building (Engagement of whole organization)
    • All Employee Events
    • Cybersecurity Month events
    • Continuing events, training, and awareness activities all year long (not once a year)
    • Participate in various corporate meetings, events, and activities and present Cyber Safety campaign
    • Make Cyber fun
  • External Stakeholders and Relationships with Them
    • Industry engagement
    • Customer assurance (e.g. financial svcs)
      • Customer types
      • Customers within the organization

Module 5 - Integrating Security Into Project Management Lifecycle

  • Project Management
    • Understanding the project lifecycle
    • Portfolio Management
    • Change Management
  • Application Security
    • Application Development
    • DevSecOps
    • On-Premise Data Center
    • Cloud Environment

Module 6 - Incident Response Lifecycle

  • Introduction, Definitions and Overview
  • Phases of Incident Response
    • Preparation
    • Detection and Analysis
    • Containment
    • Eradication
    • Recovery
    • Post-incident Activity
    • Team Structures
    • Incident Response Models
    • OODA Loop – Incident Response
  • Incident Response Plan, Governance, & Risk Management
    • IR plan components, RACI model
    • Tabletop
    • Blue Team vs Red Team vs Purple Team
    • Policies and Standards
    • 3rd party IR services
    • Vendor/Partner/Contract Management
    • Incident Response Best Practices
    • Golden Hour
    • Incident Response Checklist
  • Communications
    • Internal Comms
    • External Comms (partners & customers)
    • PR (general public)
  • Legal Implications
    • Internal Legal vs External Legal Counsel
    • Law Enforcement – when to engage, who should engage LE, cyber attribution
  • Regulatory Implications
    • Reporting requirements
    • State, National, International Regulations
    • PCI, GDPR, HIPAA, CJIS
  • Tools and Technologies (detection, prevention, response, recovery, reporting)
    • Network Security
    • Endpoint Security
    • Email/Messaging Security
    • Cloud Security
    • Physical Security
    • Active Defense (i.e. Threat Hunting, Deception)
  • Threats and Cyber Attacks
    • Threat Intelligence
  • Contingency Planning and Incident Management
    • Contingency Plans
    • Contingency Planning – Recovery Sites

Module 7 - Protecting Your Crown Jewels

  • What is a Crown Jewel
    • Types of Crown Jewels
  • How to Identify Crown Jewels
    • Applying the CIA triad, business impact assessment (BIA)
    • Data Classification
    • Applying appropriate Risk Assessment treatment to protect your Crown Jewels
    • Threat Modelling
  • How to Protect Crown Jewels
    • Data Encryption
    • Data Tokenization
    • Types of Encryption
  • Application and Network Controls
    • Multi-factor Authentication
    • Role-based Access
    • Rule of Least Privilege
    • Access Review and Monitoring
  • Data Loss Prevention
    • DLP Across Multiple Channels
  • Data Retention
    • Mandatory Retention
    • Voluntary
  • Contractual Agreements
    • Confidentiality and Security Agreements
    • Business Associate Agreements
  • How to Respond and Recover
    • Respond
    • Recover
  • Backup and Recovery
    • Types of Backups
    • Testing of Backups
    • Periodic Testing
    • Part of DR testing annually at minimum
  • Periodic technical testing and review
    • Network Pen Testing and Vulnerability Scanning
    • Web Application Testing
    • Code Scanning (DAST/SAST)
  • Overall Logging and Monitoring
    • SIEM
    • SOAR
    • SOC/MDR

Module 8 - Identity and Access Management

  • Fundamentals of IAM
    • Why IAM
    • Subject, Object, access and access controls
    • IAM Policy
    • IAM lifecycle
    • Physical and logical access
    • Difference between Identification, Authentication and Authorization
    • Multi-factor Authentication
    • Need to Know
    • Least Privilege
    • Zero Trust Architecture
    • Access control Models – RBAC, MAC, Attribute-based access, Discretionary, Rule-based
    • IAM controls by design
  • High-level Building Blocks
    • Corporate Directory
      • LDAP or Active Directory
    • Web SSO
      • Internal Application
      • Web Access Management
    • Federated SSO
      • External Applications
      • Cloud Applications
      • Standard based
    • Automated provisioning
      • Directory or HRMS driven
      • Request and approval workflow
      • Provision to on-prem and SaaS apps
    • Identity Governance
      • Segregation of Duty
      • Attestation / Access certification
      • Audit and Analytics
  • Compliance
    • SOX, GLBA, HIPAA, GDPR, NIST
  • IAM Controls
    • Password – Length, failed login count / passphrase / cognitive password / OTP
    • SODs
    • Recertification
    • Logging and monitoring
    • Token
    • CC#14 Controlled Access Based on the Need to Know
    • CC#15 Wireless Access and Control
    • Digital IoT Devices Access Control
    • Human Access Control
    • CC#16 Account Monitoring and Control
    • Assigning and Provisioning control
    • Revocation control
    • ACL (Access Control Lists)
  • How to get IAM right
    • Automation
    • Security
    • Governance
    • Compliance
  • Threat to Access Controls
    • DoS/DDoS, Backdoor Attacks, Spoofing, MITM, Social Engineering, Brute force attack
  • Privileged ID Controls
    • CC#4 – Controlled Use of Administrative Privileges
    • EPV, Break Glass process, Session Management, etc.
  • Leading IAM Tools
  • IAM Administration

Module 9 - Security Operations

  • Endpoint Security Controls
    • Detective Controls
      • Tools – Sandboxing
      • Tools – Endpoint Detection and Response
    • Preventive Controls
      • Tools – Application Whitelisting
      • Tools – PFW
      • Tools – HIPS
      • Tools – Anti-virus
    • Response Controls
      • Tools – Anti-virus
  • Network Security Controls
    • Detective Controls
      • Tools – Network Intrusion Detection
      • Tools – User Behavioral Analysis
      • Tools – Network Access Control
    • Preventive Controls
      • Trust Zones – Internet Facing
      • Trust Zones – Internal Facing
      • Tools – Firewalls
      • Tools – DDoS Protection
      • Tools – Web Security Filtering
      • Tools – Cloud Access Security Broker
      • Tools – Remote Access
      • Tools – Email Security
    • Response Controls
      • Tools – Network Access Control
      • Tools – DDoS
  • Application Security Controls
    • Detective Controls
      • WAF
      • RASP
      • Logging & monitoring
      • Anti-malware protection
      • File integrity
      • API gateways
    • Preventive Controls
      • Threat modeling
      • WAF/ perimeter security
      • Source Code Review
      • DAST/IAST
      • Logging & monitoring
      • Security architecture and secure coding
      • IDAM
      • Secure DevOps
      • Encryption and data masking
      • Secrets management
      • Code obfuscation
      • Change management
    • Responsive controls
      • WAF Analysis
      • Application log analysis
      • Threat detection tools
  • Configuration Management
    • Tools – Cloud Access Security Broker
    • Tools – Network Configuration Monitoring
    • Tools – Endpoint Configuration Monitoring
    • Tools – Vulnerability Management
    • Tools – Mobile Device Management
    • Exception Management
      • Approval Process
      • Time Based
      • Risk Register
  • Operations Management
    • Metrics
    • Documentation
      • Runbooks
      • Standard Operating Procedures
    • Administration
      • Integrations
      • Console Management
        • Console Overload
        • Cost Savings and Budget Implications
        • Integration and Automation Benefits
        • Operational Overhead
        • Logging Support
        • Resource and Cost Implications
        • Training Costs
      • Feedback Loops

Module 10 - Business Transformation and Enablement

  • Mergers & Acquisition
    • Pre-Merger
    • Post-Merger
  • Product Security
    • Introduction
    • Dev
    • Ops
    • DevOps
    • Practical Threat Modeling
  • Strategic Changes
    • Introduction
    • Create Business Value
    • Manage Risk – market, financial, legal, operational
    • Reduce Costs
    • Present New Opportunities
    • Create New Realities
  • ICS and IoTs
    • This is not something I know much about.
    • Dealing with unmanaged (or unmanageable) devices
    • Gateway/CPE
  • Blockchain
    • Introduction
    • Business and Governance
    • Process
    • Technology
  • Digital Transformation
    • Introduction
    • Cloud Transformations
    • Network Re-architecture
    • Infrastructure Transformation
    • Big Data, AI, Analytics
    • Smart Manufacturing
    • Supply Chain
    • Responsibility Realignment
    • DevSecOps
  • Security Leadership
    • Introduction
    • Vision & POV
    • Business Acumen
    • Soft Power

Module 11 - Legal Issues in Managing a Security Program
