Certified Chief Information Security Officer (CCISO)

 

Course Overview

The CCISO Certification is an industry-leading, security certification program that recognizes the real-world experience necessary to succeed at the highest executive levels of information security. Bringing together all the components required for a C-Level position, the CCISO program combines audit management, governance, IS controls, human capital management, strategic program development, and the financial expertise vital to leading a highly successful information security program. The job of the CISO is far too important to be learned by trial and error. Executive-level management skills are not areas that should be learned on the job.

The material in the CCISO Program assumes a high-level understanding of technical topics and doesn’t spend much time on strictly technical information, but rather on the application of technical knowledge to an information security executive’s day-to-day work. The CCISO aims to bridge the gap between the executive management knowledge that CISOs need and the technical knowledge that many sitting and aspiring CISOs have. This can be a crucial gap as a practitioner endeavors to move from mid-management to upper, executive management roles. Much of this is traditionally learned as on the job training, but the CCISO Training Program can be the key to a successful transition to the highest ranks of information security management.

Who should attend

This course is designed for the aspiring or sitting upper-level manager striving to advance his or her career by learning to apply their existing deep technical knowledge to business problems.

Outline: Certified Chief Information Security Officer (CCISO)

Domain 01 - Governance


1. Define, Implement, Manage, and Maintain an Information Security Governance Program

  • 1.1. Form of Business Organization
  • 1.2. Industry
  • 1.3. Organizational Maturity

2. Information Security Drivers

3. Establishing an information security management structure

  • 3.1. Organizational Structure
  • 3.2. Where does the CISO fit within the organizational structure?
  • 3.3. The Executive CISO
  • 3.4. Nonexecutive CISO

4. Laws/Regulations/Standards as drivers of Organizational Policy/ Standards/ Procedures

  • 4.1. NIST Risk Management Guidance
  • 4.2. NIST RMF

5. Managing an enterprise information security compliance program

  • 5.1. Security Policy
  • 5.1.1 Necessity of a Security Policy
  • 5.1.2 Security Policy Challenges
  • 5.2. Policy Content
  • 5.2.1 Types of Policies
  • 5.2.2 Policy Implementation
  • 5.3. Reporting Structure
  • 5.4. Standards and best practices
  • 5.5. Leadership and Ethics
  • 5.6. EC-Council Code of Ethics

6. Risk Management

  • 6.1. The Essentials of Risk Management

7. Risk mitigation, risk treatment, and acceptable risk

  • 7.1. Risk Treatment
  • 7.2. Risk Treatment Options
  • 7.2.1 Risk Modification or Mitigation
  • 7.2.2 Risk Retention or Acceptance
  • 7.2.3 Risk Avoidance or Elimination
  • 7.2.4 Risk Sharing or Transfer
  • 7.3. Risk Categories

8. Risk management frameworks

  • 8.1. ISO 27005
  • 8.2. Context Establishment
  • 8.3. Risk Assessment
  • 8.3.1 Risk Assessment: ISO 27005 Section 8
  • 8.4. Risk Treatment
  • 8.5. Risk Acceptance
  • 8.6. Risk Feedback
  • 8.7. Risk Monitoring and Review
  • 8.8. Risk Communication and Consultation

9. NIST

  • 9.1. NIST Risk Management and Assessment
  • 9.2. NIST Risk Management Hierarchy
  • 9.3. NIST Risk Assessment Process

10. Other Frameworks and Guidance (ISO 31000, TARA, OCTAVE, FAIR, COBIT, and ITIL)

  • 10.1. ISO 31000
  • 10.2. Threat Agent Risk Assessment (TARA)
  • 10.3. Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) Allegro
  • 10.4. Factor Analysis of Information Risk (FAIR)
  • 10.5. COBIT Risk Management
  • 10.6. ITIL Risk Management

11. Risk management plan implementation

  • 11.1. Context Establishment
  • 11.2. Risk assessments
  • 11.2.1 Risk Identification
  • 11.2.2 Risk Analysis
  • 11.2.3 Risk Evaluation
  • 11.3. Risk Treatment
  • 11.3.1 Risk Modification
  • 11.3.2 Risk Retention
  • 11.3.3 Risk Avoidance
  • 11.3.4 Risk Sharing
  • 11.3.5 Residual Risk
  • 11.4. Risk Acceptance
  • 11.5. Risk Management Feedback Loops
  • 11.5.1 Risk Communication and Consultation
  • 11.5.2 Risk Monitoring and Review

12. Ongoing third-party risk management

  • 12.1. Ongoing Risk Management
  • 12.2. Disposition
  • 12.2.1 Type of Sanitization

13. Risk management policies and processes

14. Conclusion

Domain 2 - Security Risk Management, Controls, & Audit Management

1. INFORMATION SECURITY CONTROLS

  • 1.1. Identifying the Organization’s Information Security Needs
  • 1.1.1. Identifying the Optimum Information Security Framework
  • 1.1.2. Designing Security Controls
  • 1.1.3. Control Lifecycle Management
  • 1.1.4. Control Classification
  • 1.1.5. Control Selection and Implementation
  • 1.1.6. Control Catalog
  • 1.1.7. Control Maturity
  • 1.1.8. Monitoring Security Controls
  • 1.1.9. Remediating Control Deficiencies
  • 1.1.10. Maintaining Security Controls
  • 1.1.11. Reporting Controls
  • 1.1.12. Information Security Service Catalog

2. COMPLIANCE MANAGEMENT

  • 2.1. Acts, Laws, and Statutes
  • 2.2. Regulations
  • 2.3. Standards

3. GUIDELINES, GOOD AND BEST PRACTICES

  • 3.1. CIS

4. AUDIT MANAGEMENT

  • 4.1. Audit Expectations and Outcomes
  • 4.2. IS Audit Practices

5. SUMMARY

6. REFERENCES

Domain 03 - Security Program Management and Operations

1. PROGRAM MANAGEMENT

  • 1.1. Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies
  • 1.1.1. Security Program Charter
  • 1.1.2. Security Program Objectives
  • 1.1.3. Security Program Requirements Model
  • 1.1.4. Security Program Stakeholders
  • 1.1.5. Security Program Strategy Development
  • 1.3. Defining and Developing, Managing and Monitoring the Information Security Program
  • 1.3.1. Defining an Information Security Program Budget
  • 1.3.2. Developing an Information Security Program Budget
  • 1.3.3. Managing an Information Security Program Budget
  • 1.3.4. Monitoring an Information Security Program Budget
  • 1.4. Defining and Developing Information Security Program Staffing Requirements
  • 1.5. Managing the People of a Security Program
  • 1.5.1. Resolving Personnel and Teamwork Issues [2].
  • 1.5.2. Managing Training and Certification of Security Team Members
  • 1.5.3. Clearly Defined Career Path
  • 1.5.4. Designing and Implementing a User Awareness Program
  • 1.6. Managing the Architecture and Roadmap of the Security Program
  • 1.6.1. Information Security Program Architecture
  • 1.6.2. Information Security Program Roadmap
  • 1.7. Program Management and Governance
  • 1.7.1. Understanding Project Management Practices and Controls
  • 1.7.2. Identifying and Managing Project Stakeholders
  • 1.7.3. Measuring the Effectives of Projects
  • 1.8. Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
  • 1.9. Data Backup and Recovery
  • 1.10. Backup Strategy
  • 1.11. ISO BCM Standards
  • 1.11.1. Business Continuity Management (BCM)
  • 1.11.2. Disaster Recovery Planning (DRP)
  • 1.12. Continuity of Security Operations
  • 1.12.1. Integrating the Confidentiality, Integrity and Availability (CIA) Model
  • 1.13. BCM Plan Testing
  • 1.14. DRP Testing
  • 1.15. Contingency Planning, Operations, and Testing Programs to Mitigate Risk and Meet Service Level Agreements (SLAs)
  • 1.16. Computer Incident Response
  • 1.16.1. Incident Response Tools
  • 1.16.2. Incident Response Management
  • 1.16.3. Incident Response Communications
  • 1.16.4. Post-Incident Analysis
  • 1.16.5. Testing Incident Response Procedures
  • 1.17. Digital Forensics
  • 1.17.1. Crisis Management
  • 1.17.2. Digital Forensics Life Cycle

2. OPERATIONS MANAGEMENT

3. Summary

4. References

Domain 04 - Information Security Core Concepts

1. ACCESS CONTROL

  • 1.1. Authentication, Authorization, and Auditing
  • 1.2. Authentication
  • 1.3. Authorization
  • 1.4. Auditing
  • 1.5. User Access Control Restrictions
  • 1.6. User Access Behavior Management
  • 1.7. Types of Access Control Models
  • 1.8. Designing an Access Control Plan
  • 1.9. Access Administration

2. PHYSICAL SECURITY

  • 2.1. Designing, Implementing, and Managing Physical Security Program
  • 2.1.1. Physical Risk Assessment
  • 2.2. Physical Location Considerations
  • 2.3. Obstacles and Prevention
  • 2.4. Secure Facility Design
  • 2.4.1. Security Operations Center
  • 2.4.2. Sensitive Compartmented Information Facility
  • 2.4.3. Digital Forensics Lab
  • 2.4.4. Datacenter
  • 2.5. Preparing for Physical Security Audits

3. NETWORK SECURITY

  • 3.1. Network Security Assessments and Planning
  • 3.2. Network Security Architecture Challenges
  • 3.3. Network Security Design
  • 3.4. Network Standards, Protocols, and Controls
  • 3.4.1. Network Security Standards
  • 3.4.2. Protocols
  • 3.4.3. Network Security Controls
  • 3.5. Wireless (Wi-Fi) Security
  • 3.5.1. Wireless Risks
  • 3.5.2. Wireless Controls
  • 3.6. Voice over IP Security

4. ENDPOINT PROTECTION

  • 4.1. Endpoint Threats
  • 4.2. Endpoint Vulnerabilities
  • 4.3. End User Security Awareness
  • 4.4. Endpoint Device Hardening
  • 4.5. Endpoint Device Logging
  • 4.6. Mobile Device Security
  • 4.6.1. Mobile Device Risks
  • 4.6.2. Mobile Device Security Controls
  • 4.7. 4.7 Internet of Things Security
  • 4.7.1. Protecting IoT Devices

5. APPLICATION SECURITY

  • 5.1. Secure SDLC Model
  • 5.2. Separation of Development, Test, and Production Environments
  • 5.3. Application Security Testing Approaches
  • 5.4. DevSecOps
  • 5.5. Waterfall Methodology and Security
  • 5.6. Agile Methodology and Security
  • 5.7. Other Application Development Approaches
  • 5.8. Application Hardening
  • 5.9. Application Security Technologies
  • 5.10. Version Control and Patch Management
  • 5.11. Database Security
  • 5.12. Database Hardening
  • 5.13. Secure Coding Practices

6. ENCRYPTION TECHNOLOGIES

  • 6.1. Encryption and Decryption
  • 6.2. Cryptosystems
  • 6.2.1. Blockchain
  • 6.2.2. Digital Signatures and Certificates
  • 6.2.3. PKI
  • 6.2.4. Key Management
  • 6.3. Hashing
  • 6.4. Encryption Algorithms
  • 6.5. Encryption Strategy Development
  • 6.5.1. Determining Critical Data Location and Type
  • 6.5.2. Deciding What to Encrypt
  • 6.5.3. Determining Encryption Requirements
  • 6.5.4. Selecting, Integrating, and Managing Encryption Technologies

7. VIRTUALIZATION SECURITY

  • 7.1. Virtualization Overview
  • 7.2. Virtualization Risks
  • 7.3. Virtualization Security Concerns
  • 7.4. Virtualization Security Controls
  • 7.5. Virtualization Security Reference Model

8. CLOUD COMPUTING SECURITY

  • 8.1. Overview of Cloud Computing
  • 8.2. Security and Resiliency Cloud Services
  • 8.3. Cloud Security Concerns
  • 8.4. Cloud Security Controls
  • 8.5. Cloud Computing Protection Considerations

9. TRANSFORMATIVE TECHNOLOGIES

  • 9.1. Artificial Intelligence
  • 9.2. Augmented Reality
  • 9.3. Autonomous SOC
  • 9.4. Dynamic Deception
  • 9.5. Software-Defined Cybersecurity

10. Summary

11. References

Domain 05 - Strategic Planning, Finance, Procurement and Vendor Management

1. STRATEGIC PLANNING

  • 1.1. Understanding the Organization
  • 1.1.1. Understanding the Business Structure
  • 1.1.2. Determining and Aligning Business and Information Security Goals
  • 1.1.3. Identifying Key Sponsors, Stakeholders, and Influencers
  • 1.1.4. Understanding Organizational Financials
  • 1.2. Creating an Information Security Strategic Plan
  • 1.2.1. Strategic Planning Basics
  • 1.2.2. Alignment to Organizational Strategy and Goals
  • 1.2.3. Defining Tactical Short, Medium, and Long Term Information Security Goals
  • 1.2.4. Information Security Strategy Communication
  • 1.2.5. Creating a Culture of Security

2. Designing, Developing, and Maintaining an Enterprise Information Security Program

  • 2.1. Ensuring a Sound Program Foundation
  • 2.2. Architectural Views
  • 2.3. Creating Measurements and Metrics
  • 2.4. Balanced Scorecard
  • 2.5. Continuous Monitoring and Reporting Outcomes
  • 2.6. Continuous Improvement
  • 2.7. Information Technology Infrastructure Library (ITIL) Continual Service Improvement (CSI)

3. Understanding the Enterprise Architecture (EA)

  • 3.1. EA Types
  • 3.1.1. The Zachman Framework
  • 3.1.2. The Open Group Architecture Framework (TOGAF)
  • 3.1.3. Sherwood Applied Business Security Architecture (SABSA)
  • 3.1.4. Federal Enterprise Architecture Framework (FEAF)

4. FINANCE

  • 4.1. Understanding Security Program Funding
  • 4.2. Analyzing, Forecasting, and Developing a Security Budget
  • 4.2.1. Resource Requirements
  • 4.2.2. Define Financial Metrics
  • 4.2.3. Technology Refresh
  • 4.2.4. New Project Funding
  • 4.2.5. Contingency Funding
  • 4.3. Managing the information Security Budget
  • 4.3.1. Obtain Financial Resources
  • 4.3.2. Allocate Financial Resources
  • 4.3.3. Monitor and Oversight of Information Security Budget
  • 4.3.4. Report Metrics to Sponsors and Stakeholders
  • 4.3.5. Balancing the Information Security Budget

5. PROCUREMENT

  • 5.1. Procurement Program Terms and Concepts
  • 5.1.1. Statement of Objectives (SOO)
  • 5.1.2. Statement of Work (SOW)
  • 5.1.3. Total Cost of Ownership (TCO)
  • 5.1.4. Request for Information (RFI)
  • 5.1.5. Request for Proposal (RFP)
  • 5.1.6. Master Service Agreement (MSA)
  • 5.1.7. Service Level Agreement (SLA)
  • 5.1.8. Terms and Conditions (T&C)
  • 5.2. Understanding the Organization’s Procurement Program
  • 5.2.1. Internal Policies, Processes, and Requirements
  • 5.2.2. External or Regulatory Requirements
  • 5.2.3. Local Versus Global Requirements
  • 5.3. Procurement Risk Management
  • 5.3.1. Standard Contract Language

6. VENDOR MANAGEMENT

  • 6.1. Understanding the Organization’s Acquisition Policies and Procedures
  • 6.1.1. Procurement Life cycle
  • 6.2. Applying Cost-Benefit Analysis (CBA) During the Procurement Process
  • 6.3. Vendor Management Policies
  • 6.4. Contract Administration Policies
  • 6.4.1. Service and Contract Delivery Metrics
  • 6.4.2. Contract Delivery Reporting
  • 6.4.3. Change Requests
  • 6.4.4. Contract Renewal
  • 6.4.5. Contract Closure
  • 6.5. Delivery Assurance
  • 6.5.1. Validation of Meeting Contractual Requirements
  • 6.5.2. Formal Delivery Audits
  • 6.5.3. Periodic Random Delivery Audits
  • 6.5.4. Third-Party Attestation Services (TPRM)

7. Summary

8. References

Prices & Delivery methods

Online Training

Duration
5 days

Price
  • US $ 2,799
Enroll now
Request a date
Classroom Training

Duration
5 days

Price
  • United States: US $ 2,799
Enroll now
Request a date

Click on town name or "Online Training" to book Schedule

This is an Instructor-Led Classroom course
Instructor-led Online Training:   This is an Instructor-Led Online (ILO) course. These sessions are conducted via WebEx in a VoIP environment and require an Internet Connection and headset with microphone connected to your computer or laptop. If you have any questions about our online courses, feel free to contact us via phone or Email anytime.
This is a FLEX course, which is delivered simultaneously in two modalities. Choose to attend the Instructor-Led Online (ILO) virtual session or Instructor-Led Classroom (ILT) session.
*   This class is delivered by a vendor or third party partner.

United States

 Online Training 09:00 Eastern Daylight Time (EDT) * Enroll
Online Training 09:00 Eastern Standard Time (EST) * Enroll