Certified Chief Information Security Officer (CCISO) Training Course

Domain 1 Governance and Risk Management

1. Define, Implement, Manage, and Maintain an Information Security Governance Programme

• 1.1. Form of Business Organisation
• 1.2. Industry
• 1.3. Organizational Maturity

2. Information Security Drivers

3. Establishing an information security management structure

• 3.1. Organizational Structure
• 3.2. Where does the CISO fit within the organizational structure
• 3.3. The Executive CISO
• 3.4. Nonexecutive CISO

4. Laws/Regulations/Standards as drivers of Organizational Policy/Standards/Procedures

5. Managing an enterprise information security compliance programme

• 5.1. Security Policy
• 5.1.1. Necessity of a Security Policy
• 5.1.2. Security Policy Challenges
• 5.2. Policy Content
• 5.2.1. Types of Policies
• 5.2.2. Policy Implementation
• 5.3. Reporting Structure
• 5.4. Standards and best practices
• 5.5. Leadership and Ethics
• 5.6. EC-Council Code of Ethics

6. Introduction to Risk Management

• 3.1. Organizational Structure
• 3.2. Where does the CISO fit within the organizational structure
• 3.3. The Executive CISO
• 3.4. Nonexecutive CISO

Domain 2 Information Security Controls, Compliance, and Audit Management

1. Information Security Controls

• 1.1. Identifying the Organisation’s Information Security Needs
• 1.1.1. Identifying the Optimum Information Security Framework
• 1.1.2. Designing Security Controls
• 1.1.3. Control Lifecycle Management
• 1.1.4. Control Classification
• 1.1.5. Control Selection and Implementation
• 1.1.6. Control Catalogue
• 1.1.7. Control Maturity
• 1.1.8. Monitoring Security Controls
• 1.1.9. Remediating Control Deficiencies
• 1.1.10. Maintaining Security Controls
• 1.1.11. Reporting Controls
• 1.1.12. Information Security Service Catalogue

2. Compliance Management

• 2.1. Acts, Laws, and Statutes
• 2.1.1. FISMA
• 2.2. Regulations
• 2.2.1. GDPR
• 2.3. Standards
• 2.3.1. ASD—Information Security Manual
• 2.3.2. Basel III
• 2.3.3. FFIEC
• 2.3.4. ISO 00 Family of Standards
• 2.3.5. NERC-CIP
• 2.3.6. PCI DSS
• 2.3.7. NIST Special Publications
• 2.3.8. Statement on Standards for Attestation Engagements No. 16 (SSAE 16)

3. Guidelines, Good and Best Practices

• 3.1. CIS
• 3.1.1. OWASP

4. Audit Management

• 4.1. Audit Expectations and Outcomes
• 4.2. IS Audit Practices
• 4.2.1. ISO/IEC Audit Guidance
• 4.2.2. Internal versus External Audits
• 4.2.3. Partnering with the Audit Organisation
• 4.2.4. Audit Process
• 4.2.5. General Audit Standards
• 4.2.6. Compliance-Based Audits
• 4.2.7. Risk-Based Audits
• 4.2.8. Managing and Protecting Audit Documentation
• 4.2.9. Performing an Audit
• 4.2.10. Evaluating Audit Results and Report
• 4.2.11. Remediating Audit Findings
• 4.2.12. Leverage GRC Software to Support Audits

5. Summary

Domain 3 Security Programme Management & Operations

1. Programme Management

• 1.1. Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies
• 1.1.1. Security Programme Charter
• 1.1.2. Security Programme Objectives
• 1.1.3. Security Programme Requirements
• 1.1.4. Security Programme Stakeholders
• 1.1.5. Security Programme Strategy Development
• 1.2. Executing an Information Security Programme
• 1.3. Defining and Developing, Managing and Monitoring the Information Security Programme
• 1.3.1. Defining an Information Security Programme Budget
• 1.3.2. Developing an Information Security Programme Budget
• 1.3.3. Managing an Information Security Programme Budget
• 1.3.4. Monitoring an Information Security Programme Budget
• 1.4. Defining and Developing Information Security Programme Staffing Requirements
• 1.5. Managing the People of a Security Programme
• 1.5.1. Resolving Personnel and Teamwork Issues
• 1.5.2. Managing Training and Certification of Security Team Members
• 1.5.3. Clearly Defined Career Path
• 1.5.4. Designing and Implementing a User Awareness Programme
• 1.6. Managing the Architecture and Roadmap of the Security Programme
• 1.6.1. Information Security Programme Architecture
• 1.6.2. Information Security Programme Roadmap
• 1.7. Programme Management and Governance
• 1.7.1. Understanding Project Management Practices
• 1.7.2. Identifying and Managing Project Stakeholders
• 1.7.3. Measuring the Effectives of Projects
• 1.8. Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
• 1.9. Data Backup and Recovery
• 1.10. Backup Strategy
• 1.11. ISO BCM Standards
• 1.11.1. Business Continuity Management (BCM)
• 1.11.2. Disaster Recovery Planning (DRP)
• 1.12. Continuity of Security Operations
• 1.12.1. Integrating the Confidentiality, Integrity and Availability (CIA) Model
• 1.13. BCM Plan Testing
• 1.14. DRP Testing
• 1.15. Contingency Planning, Operations, and Testing Programmes to Mitigate Risk and Meet Service Level Agreements (SLAs)
• 1.16. Computer Incident Response
• 1.16.1. Incident Response Tools
• 1.16.2. Incident Response Management
• 1.16.3. Incident Response Communications
• 1.16.4. Post-Incident Analysis
• 1.16.5. Testing Incident Response Procedures
• 1.17. Digital Forensics
• 1.17.1. Crisis Management
• 1.17.2. Digital Forensics Life Cycle

2. Operations Management

• 2.1. Establishing and Operating a Security Operations (SecOps) Capability
• 2.2. Security Monitoring and Security Information and Event Management (SIEM)
• 2.3. Event Management
• 2.4. Incident Response Model
• 2.4.1. Developing Specific Incident Response Scenarios
• 2.5. Threat Management
• 2.6. Threat Intelligence
• 2.6.1. Information Sharing and Analysis Centres (ISAC)
• 2.7. Vulnerability Management
• 2.7.1. Vulnerability Assessments
• 2.7.2. Vulnerability Management in Practice
• 2.7.3. Penetration Testing
• 2.7.4. Security Testing Teams
• 2.7.5. Remediation
• 2.8. Threat Hunting

3. Summary

Domain 4 Information Security Core Competencies

1. Access Control

• 1.1. Authentication, Authorisation, and Auditing
• 1.2. Authentication
• 1.3. Authorisation
• 1.4. Auditing
• 1.5. User Access Control Restrictions
• 1.6. User Access Behaviour Management
• 1.7. Types of Access Control Models
• 1.8. Designing an Access Control Plan
• 1.9. Access Administration

2. Physical Security

• 2.1. Designing, Implementing, and Managing Physical Security Programme
• 2.1.1. Physical Risk Assessment
• 2.2. Physical Location Considerations
• 2.3. Obstacles and Prevention
• 2.4. Secure Facility Design
• 2.4.1. Security Operations Centre
• 2.4.2. Sensitive Compartmented Information Facility
• 2.4.3. Digital Forensics Lab
• 2.4.4. Datacentre
• 2.5. Preparing for Physical Security Audits

3. Network Security

• 3.1. Network Security Assessments and Planning
• 3.2. Network Security Architecture Challenges
• 3.3. Network Security Design
• 3.4. Network Standards, Protocols, and Controls
• 3.4.1. Network Security Standards
• 3.4.2. Protocols

4. Certified Chief

• 4.1.1. Network Security Controls
• 4.2. Wireless (Wi-Fi) Security
• 4.2.1. Wireless Risks
• 4.2.2. Wireless Controls
• 4.3. Voice over IP Security

5. Endpoint Protection

• 5.1. Endpoint Threats
• 5.2. Endpoint Vulnerabilities
• 5.3. End User Security Awareness
• 5.4. Endpoint Device Hardening
• 5.5. Endpoint Device Logging
• 5.6. Mobile Device Security
• 5.6.1. Mobile Device Risks
• 5.6.2. Mobile Device Security Controls
• 5.7. Internet of Things Security (IoT)
• 5.7.1. Protecting IoT Devices

6. Application Security

• 6.1. Secure SDLC Model
• 6.2. Separation of Development, Test, and Production Environments
• 6.3. Application Security Testing Approaches
• 6.4. DevSecOps
• 6.5. Waterfall Methodology and Security
• 6.6. Agile Methodology and Security
• 6.7. Other Application Development Approaches
• 6.8. Application Hardening
• 6.9. Application Security Technologies
• 6.10. Version Control and Patch Management
• 6.11. Database Security
• 6.12. Database Hardening
• 6.13. Secure Coding Practices

7. Encryption Technologies

• 7.1. Encryption and Decryption
• 7.2. Cryptosystems
• 7.2.1. Blockchain
• 7.2.2. Digital Signatures and Certificates
• 7.2.3. PKI
• 7.2.4. Key Management
• 7.3. Hashing
• 7.4. Encryption Algorithms
• 7.5. Encryption Strategy Development
• 7.5.1. Determining Critical Data Location and Type
• 7.5.2. Deciding What to Encrypt
• 7.5.3. Determining Encryption Requirements
• 7.5.4. Selecting, Integrating, and Managing Encryption Technologies

8. Virtualisation Security

• 8.1. Virtualisation Overview
• 8.2. Virtualisation Risks
• 8.3. Virtualisation Security Concerns
• 8.4. Virtualisation Security Controls
• 8.5. Virtualisation Security Reference Model

9. Cloud Computing Security

• 9.1. Overview of Cloud Computing
• 9.2. Security and Resiliency Cloud Services
• 9.3. Cloud Security Concerns
• 9.4. Cloud Security Controls
• 9.5. Cloud Computing Protection Considerations

10. Transformative Technologies

• 10.1. Artificial Intelligence
• 10.2. Augmented Reality
• 10.3. Autonomous SOC
• 10.4. Dynamic Deception
• 10.5. Software-Defined Cybersecurity

11. Summary

Domain 5 Strategic Planning, Finance, Procurement, and Vendor Management

1. Strategic Planning

• 1.1. Understanding the Organisation
• 1.1.1. Understanding the Business Structure
• 1.1.2. Determining and Aligning Business and Information Security Goals
• 1.1.3. Identifying Key Sponsors, Stakeholders, and Influencers
• 1.1.4. Understanding Organisational Financials
• 1.2. Creating an Information Security Strategic Plan
• 1.2.1. Strategic Planning Basics
• 1.2.2. Alignment to Organisational Strategy and Goals
• 1.2.3. Defining Tactical Short, Medium, and Long-Term Information Security Goals
• 1.2.4. Information Security Strategy Communication
• 1.2.5. Creating a Culture of Security

2. Designing, Developing, and Maintaining an Enterprise Information Security Programme

• 2.1. Ensuring a Sound Programme Foundation
• 2.2. Architectural Views
• 2.3. Creating Measurements and Metrics
• 2.4. Balanced Scorecard
• 2.5. Continuous Monitoring and Reporting Outcomes
• 2.6. Continuous Improvement
• 2.7. Information Technology Infrastructure Library (ITIL) Continual Service Improvement (CSI)

3. Understanding the Enterprise Architecture (EA)

• 3.1. EA Types
• 3.1.1. The Zachman Framework
• 3.1.2. The Open Group Architecture Framework (TOGAF)
• 3.1.3. Sherwood Applied Business Security Architecture (SABSA)
• 3.1.4. Federal Enterprise Architecture Framework (FEAF)

4. Finance

• 4.1. Understanding Security Programme Funding
• 4.2. Analysing, Forecasting, and Developing a Security Budget
• 4.2.1. Resource Requirements
• 4.2.2. Define Financial Metrics
• 4.2.3. Technology Refresh
• 4.2.4. New Project Funding
• 4.2.5. Contingency Funding
• 4.3. Managing the information Security Budget
• 4.3.1. Obtain Financial Resources
• 4.3.2. Allocate Financial Resources
• 4.3.3. Monitor and Oversight of Information Security Budget
• 4.3.4. Report Metrics to Sponsors and Stakeholders
• 4.3.5. Balancing the Information Security Budget

5. Procurement

• 5.1. Procurement Programme Terms and Concepts
• 5.1.1. Statement of Objectives (SOO)
• 5.1.2. Statement of Work (SOW)
• 5.1.3. Total Cost of Ownership (TCO)
• 5.1.4. Request for Information (RFI)
• 5.1.5. Request for Proposal (RFP)
• 5.1.6. Master Service Agreement (MSA)
• 5.1.7. Service Level Agreement (SLA)
• 5.1.8. Terms and Conditions (T&C)
• 5.2. Understanding the Organisation’s Procurement Programme
• 5.2.1. Internal Policies, Processes, and Requirements
• 5.2.2. External or Regulatory Requirements
• 5.2.3. Local Versus Global Requirements
• 5.3. Procurement Risk Management
• 5.3.1. Standard Contract Language

6. Vendor Management

• 6.1. Understanding the Organisation’s Acquisition Policies and Procedures
• 6.1.1. Procurement Life cycle
• 6.2. Applying Cost-Benefit Analysis (CBA) During the Procurement Process5
• 6.3. Vendor Management Policies
• 6.4. Contract Administration Policies
• 6.4.1. Service and Contract Delivery Metrics
• 6.4.2. Contract Delivery Reporting
• 6.4.3. Change Requests
• 6.4.4. Contract Renewal
• 6.4.5. Contract Closure
• 6.5. Delivery Assurance
• 6.5.1. Validation of Meeting Contractual Requirements
• 6.5.2. Formal Delivery Audits
• 6.5.3. Periodic Random Delivery Audits
• 6.5.4. Third-Party Attestation Services (TPRM)

7. Summary