Course Syllabus

Module 1- Setting Up Your Program

Fundamentals
- Roles and responsibilities (M4)
  - General- Definitions and Org structure
  - Security R&R (M9-SecOps)
  - The CISO as a senior leader
- Identifying your crown jewels – Data Classification (M7)
- Risks as the base (M2)
  - General
  - CISO as a Risk Advisor
Follow the path- CISO milestones
- Your first 10 weeks as CISO – explore the existing
  - CISO duties
  - Project management (M5)
  - WWTB (Win with the basics. e.g. CIS Top 20)
- Security – Current and Future State
  - Developing the culture- Security is everyone’s responsibility
  - Vision Statement (M4)
  - Current State Gap Analysis
- Identifying your Security budget (M3)
- Understand your regulatory environment (M11)
  - Definitions
  - Knowing Your regulatory compliance and obligations
  - Compliance process
Maintain and Develop
- Security as a Start Up (M10)
- Industry Partnerships
- Board Communications

Module 2 - Security Risk Management

Risk Management Strategy
- Develop comprehensive strategy to manage risk
- Strategy and Framework
- Develop Policy, Standards, and Procedures
- Establishing Controls and Sub Controls
- Developing Custom Controls
- Monitoring and updating of the Controls
- Develop a standard exception process
Risk Governance
- Metrics and Reporting
- Governance committees
- Risk register
- Risk benchmark
Risk Assessment
- Risk Treatment
- Develop governing program documents (standards & procedures)
- Vulnerability Assessment
Security Awareness Program
- Empowering All Roles w/ Knowledge
- Security Awareness Training
- Developing a new Program
- Understanding your Organisation
- Surveying your Landscape
- Stakeholder Groups/ Role Mapping
- Vendors & Contractors with badge and network access
- Role Based Training
- All Employees training
Third Party Risk Management Program
- Supply Chain or Procurement
- Contract reviews
- Security assessments
DR and BCP
- The DR Process
- NIST 800-34 Contingency Planning Gide
Integration with Enterprise Risk Management
Physical Security
- Personnel Security
- Facility Security
Cyber Insurance

Module 3 - Financial Issues in Managing a Security Program

Justifying your Budget
- Formulating Your Budget
- Information Security as a Business Enabler
The Financial Impacts of GRC Requirements
- Why GRC Matters
- Costs associated with “Governance” and “Risk” functions
- Financial Considerations of Compliance
- Internal/External Audits & Gap Assessments
- Industry Compliance & Certifications
- Cyber Liability Insurance
Cybersecurity Tools & Testing
Personnel Cost
Outsourcing vs Insourcing Decision Factors
RFP, Vendor Analysis & Procurement
- Why RFP?
- The RFP Process
Balancing Capex & Opex
- Definitions
- Balancing Capex & Opex Objectives
- Security Budgets – Over- or under-spending

Module 4 - Security Leadership

Mission
- Learning the business
- Risk appetite
- Aligning Information Security Risk Management to the Appetite of the Organization
Change Enabler/Agent
- Cyber as a mission enabler
- Mindset of Corporate Leadership
- Using Strengths of Culture for Security
- Cyber security and the role of diversity
Holistic Collaboration
- Developing organization-wide “Cyber Safety” awareness campaign
- Conduct stakeholder analysis and survey
- Enlisting Cyber Champions organization wide
- Embed Cyber into everyone’s roles
- Holistic Tools Approach
Managing Up & Down
- Understanding the politics
Effective Communications
- The art of storytelling
- Summarizing data (e.g. not using heatmaps)
- Win/Win Communication
- ROI
- Public speaking & influential/presentation skills
CISO Reporting
Mentoring and Team Development
Constant Negotiations
- Tactics
- Stakeholders
Cyber Wellness for a modern CISO
- The modern cyber leaders life
- Common stressors for CISO
- Managing Expectations
Cyber Activities for an Organisation
- Team Building (Engagement of whole organization)
- All Employee Events
- Cybersecurity Month events
- Continuing events, training, and awareness activities all year long (not once a year)
Managing External Stakeholders Relationships
- External stakeholders engagement
- Customer assurance (e.g. financial svcs)

Module 5 - Integrating Security Into Project Management Lifecycle

Rationale and Background
- Meeting of the Minds
- Security Team as Advisors
- Develop checklists
- Types of checklists
Understanding the Project Management Lifecycle
- Phases of Project Management
- Project Management Methodologies – Waterfall, Kanban, Scrum & XP
Portfolio Management
- A CISO Perspective
- Facilitate knowledge sharing across teams
- Effective decision-making
Application Development
- Application types
- In-house development
- Commercial
- Open-source
- Programming languages
- Development tools
- Application security checklist
DevSecOps
- Secure by design
- Cultural challenges in organizations
- Cultural shift
- DevOps security checklist
- Kubernetes checklist
Cloud Environment
- Cloud roles & responsibilities
- Overview of PaaS, IaaS, SaaS
- Shared Responsibilities Model
- Cloud Computing Reference Architecture
- CSPM Capabilities
- Cloud Security Models
- Cloud Security consolidation project
- Cloud Security Best Practices
- Industry use cases for cloud security
- AWS, Azure and SaaS checklists
On-Premise Data Center
- New Systems Checklist
Change Management
- Types of changes
- Change Management Process – Overview
- Approval/Acceptance Process
- Basic Evaluation Criteria
- Objectives of Business Impact Analysis: Purpose & Deliverables

Module 6- Incident Response LifeCycle

Introduction, Definitions and Overview
Phases of Incident Response
- Incident Management Process
- OODA Loop – Incident Response
Incident Response Plan, Governance, & Risk Management
- Staffing models, team structure
- Blue Team vs Red Team vs Purple Team
- Building an IR team
- Security Operations Center
- SOC Member Roles
- IR plan components, RACI model
- Tabletop
- Golden Hour
- Best Practices – IR
- Incident Response Checklist
- Vendor and Incident Management
- 3rd party IR services
Communications
- Creating a Communication Plan
- Internal Comms
- External Comms (partners & customers)
- After an Incident
Legal Implications
- Legal Considerations
- Solving the Puzzle
- Representative Standards
Regulatory Implications
- Unified Compliance Framework
- GDPR, HIPAA, GLBA, FISMA, PCI-DSS, NYDFS, NERC-CIP, ISO/IEC 27001, NIS Directive 2018: UK, CCPA
Tools and Technologies ((detection, prevention, response, recovery, reporting))
- Defense in Depth
- Anti-Malware System
- Anti-Phishing System
- Network Behavior Monitoring System
- Code Review System
- Configuration Review System
- Identity and Access Management
- GRC Solution
- Firewall Solution
- IDS/IPS Solutions
- SIEM Solution
- Threat Intelligence System
- Vulnerability Scanners
- Data Leakage Prevention (DLP) System
- Forensic Tools
- Digital Forensics and Incident Management
- Organizing Forensic Capability
- Digital Forensics & IR Considerations
Threats and Cyber Attacks
- Threat Intelligence
- Threat Diagnostics & Threat Feeds
- Standardizing Threat Information
- Standards for Threat Information Sharing
- Intro to Vendor Threat Intelligence
Contingency Planning and Incident Management
- Contingency Plans
- Cost Impacts & Disruption Timelines
- Contingency Planning – Recovery Sites

Module 7- Protecting your Crown Jewels

What is a Crown Jewel
- Types of Crown Jewels
How to Identify Crown Jewels
How to Protect Crown Jewels
- Network Controls
- Endpoint Protection
- Access Control
- Third Party Assurance
- Data Loss Prevention
- Threat and Vulnerability Management
- Business Continuity and Disaster Recovery
- Data Retention
- Backup and Recovery
- Incident Management

Module 8 - Identity and Access Management

Fundamentals of IAM
- Why IAM
- Subject, Object, access and access controls
- IAM Policy
- IAM lifecycle
- Physical and logical access
- Difference between Identification, Authentication and Authorization
- Multi-factor Authentication
- IAM Security Principals
- Zero Trust
- Access control Models – RBAC, MAC , Attribute based access, Discretionary, Rule based
High-level Building Blocks
- IAM Service Components
- Directory Services
- Web SSO
- Federated SSO
- Identity Governance and Administration
- Lifecycle Management
- Governance
- UEBA with IAM
- Behaviour Analytics
Compliance
- IAM – Regulatory and Compliance
IAM Controls
- User Accounts and Password Security
- Separation of Duties (SODs)
- Recertification
- Logging and monitoring
- IAM Token
- IAM Controls – CIS Standards
- Digital IoT Devices
- Human Access Control
- Assigning and Provisioning control
- Revocation control
- Access Control Lists (ACL)
How to get IAM right
- Do’s and Don’ts of IAM
Threat to Access Controls
Privileged ID Controls
- Privileged Access Management (PAM)
- PAM – Best Practices
Leading IAM Tools

Module 9 - Security Operations

Endpoint Security Controls
- Defence-in-Depth – Endpoints
- Detective Controls
  - Antivirus
  - Endpoint Logs
  - Endpoint Detection and Response
  - Sandboxing
- Preventive Controls
- Response Controls
Network Security Controls
- Defence-in-Depth – Networks
- Detective Controls
  - Intrusion Detection/ Prevention System
  - User Behavior Analysis
  - Network Access Control
  - Distributed Denial of Service
- Preventive Controls
  - Tools – Firewalls
  - Tools – DDoS Protection
  - Tools – Web Security Filtering
  - Tools – Cloud Access Security Broker
  - Tools – Email Security
  - Tools: Trust Zones
  - Tools – Remote Access
Application Security Controls
- Defence-in-Depth – Applications
- Detective Controls
- Preventive Controls
- Responsive controls
Configuration Management
- Configuration Baselines and Standards
- On-Premise
- Cloud Management Responsibility Matrix
- Leverage Cloud Native Tools – IaaS
- Leverage Third-Party Monitoring Tools
- Vulnerability Management
- Inventory Management
- Vulnerability Detection
- Vulnerability Triage
- Vulnerability Remediation
- Exception Management
Operations Management
- Metrics
- Documentation
- Administration
  - Integrations
  - Console Management
    - Console Overload
    - Cost Savings and Budget Implications
    - Integration and Automation Benefits
    - Operational Overhead
    - Logging Support
    - Training Costs
  - Feedback Loops

Module 10 - Business Transformation and Enablement

Cloud Transformation
- Security Implications
- Cloud-Specific Security Controls
- Cloud-Access Security Brokers
- Zero-Trust Architecture
- Secure Access Service Edge (SASE)

Big Data, AI & Analytics
- Big Data & AI: The relationship
- Present Landscape of Big Data & AI
- Future Landscape

Supply Chain Transformation
- How supply-chain capabilities and technologies have evolved
- Effective digital transformation of a supply chain
- Supply chain security challenges
DevSecOps
- DevSecOps Mantra
- DevSecOps vs traditional software development
- Achieving true security/development integration
- DevSecOps Testing & Tools
- DevSecOps Adoption
- Soft Power
Product Security
- Secure Design & Development (Waterfall, Agile, Hybrid)
- Secure Operations
  - Operations Aspects of DevOps
- Practical Threat Modeling
  - STRIDE & Associated Derivations
  - Process for Attack Simulation and Threat Anlaysis (PASTA)
  - Common Vulnerability Scoring System (CVSS)
Mergers & Acquisitions
- Pre-Merger
- Post-Merger

Module 11 -Legal Issues in Managing a Security Program

Cybersecurity Legal Regimes: Multiple, Overlapping, Conflicting Laws
- What Law Governs Your Security Program?
- Data Protection Regimes
- Reasonable Safeguards
- Why Privacy in a Security Program?
- Common Types of Protected Information
- Biometrics

Key Governance Policies: Legally Binding Duty of Care for Adequate or Reasonable
- Duty of Care in Cybersecurity : Unsettled
- What is reasonable and customary?
- 16 CFR 314.3 (Federal Trade Commission (FTC))
- Standards for safeguarding consumer information
- Industry Guidelines – FTC

Dealing with Third Parties: Contractual Obligations and Supply Chain Cybersecurity Legal Issues
- Security requirements: reflected in contracts?
- NDAs, MSAs, SOWs
- Vendor/Contract Management
Liability for Directors and Officers: Obligation to Satisfy Oversight of Cybersecurity
Data Breach Investigations: Issues of the Fourth Amendment and of Privilege
- The Basics: The role of counsel during an incident
- Is your organization appropriately leveraging legal counsel during an incident?
- Security Incidents and Evidence
- Search and Seizure Issues
- Data Breach Notification and Security Incident Notification

Regulatory and Compliance Reporting
- Internal and External Audits
- What is a HIPAA Business Associate?
- Contractual obligations
- Regulatory obligations

Information Sharing: Cooperation with Law Enforcement and Sharing Cyber Threat Indicators
- How CISOs can best work with the FBI (Q&A)
- Information Sharing & Analysis Centers (ISACs)
- Resources: Info-sharing groups
- CERTs and CSIRCs

Active Defense: Hacking Back, Cyber Privateers, and the Legal Implications of Innovations in Cybersecurity
- Principles for responding to an attacker
- Cybersecurity Information Sharing Act of 2015
- Data Awaiting Exfiltration
- Increasing the Cost?

Privacy
- Why privacy and security? Why not ignore privacy?
- International Agreements on Privacy
- Biometrics
- Common Provisions of Privacy LawsCybersecurity Information Sharing Act of 2015

Course Syllabus - Focused on educating security leaders to be prepared for the most critical role in Cyber.

The course includes the following eleven modules. Each module is prepared by a group of CISOs and Security Leaders from all over the world.

Module 1- Setting Up Your Program

Module 2 - Security Risk Management

Module 3 - Financial Issues in Managing a Security Program

Module 4 - Security Leadership

Module 5 - Integrating Security Into Project Management Lifecycle

Module 6- Incident Response LifeCycle

Module 7- Protecting your Crown Jewels

Module 8 - Identity and Access Management

Module 9 - Security Operations

Module 10 - Business Transformation and Enablement

Module 11 -Legal Issues in Managing a Security Program