Vinsys' official EC-Council course addresses the critical areas for developing and maintaining successful information security programs. In addition to focusing on technical knowledge, it also covers applying information security management principles from an executive management point of view.
The ANSI-accredited training expands on 5 CCISO domains while combining audit management, governance, IS controls, human capital management, strategic program development, and the financial expertise for leading highly successful IS programs.
Moreover, the NICE-framework-mapped accreditation course brings together all the components required for C-Level positions and bridges the gap between the executive management knowledge needed by CISOs and the technical know-how of aspiring CISOs.
The CCISO training also prepares you for the EC-Council 712-50 exam, necessary for securing the Certified Chief Information Security Officer (CCISO) credential.
Governance, Risk & Compliance
Defining, implementing, managing, and maintaining an information security governance program comprising leadership, organizational structures, and processes.
Aligning information security governance framework with organizational goals/governance (leadership style, philosophy, values, standards, and policies).
Establishing an information security management structure.
A framework for InfoSec governance monitoring (including cost/benefit analyses of controls and ROI).
Understanding the standards, procedures, directives, policies, regulations, and legal issues affecting the information security program.
The enterprise information security compliance program.
Creating a risk management program policy and charter.
A risk assessment methodology/framework.
Creating and managing a risk register.
Creating a risk assessment schedule and checklists.
Risk reporting metrics and processes.
Analyzing and understanding common external laws, regulations, or standards.
Learning the best practices applicable to organizations and organizational ethics.
Familiarizing with international security and risk standards like ISO 27000 and 31000 series.
Implementing/Managing information security strategies, plans, policies, and procedures for reducing regulatory risks.
Understanding the importance of regulatory information security organizations, appropriate industry groups, and stakeholders.
Information security changes, trends, and best practices.
Understanding/Managing enterprise compliance program controls, information security compliance process/procedures, compliance auditing, and certification programs.
The information security compliance process and procedures.
Compiling, analyzing, and reporting compliance programs.
Understanding the compliance auditing and certification programs.
Following organizational ethics.
Information Security Controls & Audit Management
Identifying organizational operational-processes/objectives.
Designing information systems controls in alignment with operational needs/goals.
Conducting testing before implementation for ensuring effectiveness.
Identifying/Selecting the resources required to implement and maintain information systems controls (human capital, information, infrastructure, architecture, platforms, operating systems, networks, databases, or applications).
Designing and implementing information systems controls for mitigating risks.
Monitoring/Documenting the information systems control performance in meeting organizational objectives by identifying/measuring metrics and key performance indicators.
Designing/Conducting the testing of information security controls for ensuring effectiveness, discovering deficiencies, and ensuring alignment with the organizational risk management program.
Designing and implementing processes for appropriately remediating deficiencies.
Evaluating problem management practices to ensure errors are recorded, analyzed, and resolved promptly.
Assessing/Implementing tools and techniques for automating information systems control processes.
Measuring/Managing/Reporting on security control implementation and effectiveness.
Understanding the IT audit process.
Familiarizing with IT audit standards.
Applying information systems audit principles, skills or techniques for reviewing and testing information systems technology and applications to design/implement thorough risk-based IT audit strategies.
Executing the audit process per established standards.
Interpreting results against defined criteria for ensuring the information systems are protected, controlled, and effective in supporting organizational objectives.
Evaluating audit results, weighing conclusions' relevancy, accuracy, and perspective against the accumulated evidence.
Assessing the exposures resulting from ineffective or missing control practices and formulating a practical cost-effective plan for improving those areas.
Developing an IT audit documentation process and sharing reports with stakeholders as the basis for decision-making.
Ensuring the necessary changes based on the audit findings are effectively implemented on time.
Security Program Management & Operations
Developing a clear project scope statement for each information systems project in alignment with organizational objectives.
Defining activities needed for successfully executing the information systems program, estimating activity duration, and developing a scheduling/staffing plan.
Developing, managing, and monitoring the information systems program budget.
Estimating and controlling individual project costs.
Identifying, negotiating, acquiring, and managing the resources for successfully designing/implementing the information systems program (people, infrastructure, and architecture).
Acquiring, developing, and managing the information security project team.
Assigning clearly defined job functions to InfoSec personnel.
Providing continuous training for effective performance and accountability.
Directing information security personnel.
Establishing communications and team activities between the information systems team and other security-related personnel (technical support, incident management, security engineering).
Resolving personnel/teamwork issues within time, cost, and quality constraints.
Identifying, negotiating, and managing vendor agreements and community.
Participating with vendors/stakeholders for reviewing/assessing recommended solutions and identifying incompatibilities, challenges or issues.
Evaluating the project management practices/controls to determine whether business requirements are achieved cost-effectively while managing organizational risks.
Developing a plan to continuously measure the effectiveness of the information systems projects for optimal system performance.
Identifying stakeholders, managing stakeholders’ expectations, and communicating effectively for reporting progress/performance.
Ensuring the necessary changes/improvements to information systems processes are implemented as required.
Information Security Core Competencies
Identifying the criteria for mandatory/discretionary access control.
Understanding different factors helpful in implementing access controls.
Designing an access control plan.
Implementing and managing an access control plan in alignment with fundamental principles governing the access control systems.
Identifying multiple access control systems such as ID cards and biometrics.
Understanding the importance of warning banners for implementing access rules.
Developing procedures to ensure system users are aware of IA responsibilities before granting access to information systems.
Understanding various social engineering concepts and their roles in insider attacks.
Developing best practices for countering social engineering attacks.
Designing a response plan for identity theft incidents.
Identifying and designing a plan for overcoming phishing attacks.
Identifying standards, procedures, directives, policies, regulations, and laws for physical security.
Determining the value of physical assets and the impact if unavailable.
Designing/Implementing/Managing a comprehensive, coordinated, and holistic physical security plan.
Ensuring overall organizational security, covering an audit schedule and performance metrics.
Developing/Implementing/Monitoring business continuity, contingency, and disaster recovery plans in case of disruptive events.
Ensuring plans' alignment with organizational goals/objectives.
Directing contingency planning, operations, and programs for managing risks.
Designing documentation processes as part of the continuity of operations program.
Designing/Executing a testing and updating plan for the continuity of operations program.
Understanding the importance of integrating IA requirements into the Continuity of Operations Plan (COOP).
Understanding and managing network and cloud security.
Identifying the appropriate intrusion detection/prevention systems for organizational information security.
Designing/Developing a program for monitoring firewalls and identifying firewall configuration issues.
Understanding perimeter defense systems like grid sensors and access control lists on routers, firewalls, and other network devices.
Identifying the basic network architecture, models, protocols, and components such as routers/hubs that play a role in network security.
Understanding network segmentation.
Managing DMZs, VPN, and telecommunication technologies such as PBX/VoIP.
Identifying network vulnerabilities.
Exploring network security controls like using SSL/TLS for transmission security.
Supporting, monitoring, testing, and troubleshooting issues with hardware/software.
Managing accounts, network rights, and access to systems/equipment.
Identifying vulnerabilities/attacks associated with wireless networks.
Managing different wireless network security tools.
Assessing the threat of viruses, Trojans, and other malware to organizational security.
Identifying sources/mediums of malware infection.
Deploying and managing anti-virus systems.
Developing processes to counter virus, Trojan, and other malware threats.
Training security and non-security teams on secure development processes.
Developing/Maintaining software assurance programs in alignment with secure coding principles and phases of the System Development Life Cycle (SDLC).
Understanding system-engineering practices.
Configuring/Running tools that help in developing secure programs.
Understanding software vulnerability analysis techniques.
Learning static code, dynamic code, and software composition analysis.
Installing/Operating IT systems in a test configuration that does not alter program code or compromise security safeguards.
Identifying web application vulnerabilities/attacks and security tools for countering these attacks.
Identifying various OS vulnerabilities/attacks.
Developing a plan for hardening operating systems.
Understanding system logs, the patch management process, and configuration management for information system security.
Understanding encryption/decryption, digital certificates, and public key infrastructure (PKI).
The key differences between cryptography and steganography.
Identifying the components of a cryptosystem.
Developing a plan for information security encryption techniques.
Designing, developing, and implementing a penetration testing program based on penetration testing methodology for ensuring organizational security.
Identifying the vulnerabilities associated with information systems and legal issues involved in penetration testing.
Developing pre/post testing procedures.
Developing a plan for pen test reporting and implementation of technical vulnerability corrections.
Developing vulnerability management systems.
Creating and managing a threat management program.
Including threat intelligence, third-party threats, and security bulletins regarding hardware/software, particularly open-source software.
Developing a plan to identify a potential security violation, and taking appropriate action for reporting the incident.
Complying with system termination procedures and incident reporting requirements related to potential security incidents or actual breaches.
Assessing potential security violations for determining if the network security policies have been breached.
Assessing the impact and preserving evidence.
Diagnosing/Resolving IA problems in response to reported incidents.
Designing incident response procedures (testing, tabletop exercises, and playbooks).
Developing guidelines for determining whether a security incident is indicative of any legal violation that requires special action.
Identifying the volatile/persistent system information.
Setting up and managing forensic labs and programs.
Understanding digital media devices, e-discovery principles/practices, and file systems.
Developing and managing an organizational digital forensic program.
Establishing, developing, and managing forensic investigation teams.
Designing investigation processes (evidence collection, imaging, data acquisition, and analysis).
Identifying best practices for acquiring, storing, and processing digital evidence.
Configuring and utilizing forensic investigation tools.
Designing anti-forensic techniques.
Strategic Planning, Finance, Procurement & Third-party Management
Designing/Developing/Maintaining the enterprise information security architecture (EISA) by aligning business processes, IT software/hardware, local/wide area networks, people, operations, and projects with the organizational security strategy.
Performing external/internal analysis of the organization (analysis of customers, competitors, markets and industry environment, risk management, organizational capabilities, performance measurement) and utilizing it for aligning information security programs with organizational objectives.
Identifying and consulting with key stakeholders to ensure the correct understanding of organizational objectives.
Defining a forward-looking, visionary, and innovative strategic plan for the role of the information security program with clear objectives/targets supporting the organization's operational needs.
Defining key performance indicators and measuring their effectiveness continuously.
Assessing and adjusting security resources to ensure they support organizational strategic objectives.
Monitoring/Updating activities for accountability and progress.
Analyzing, forecasting, and developing the operational budget of the security department.
Acquiring/Managing the necessary resources for implementing and managing the information security plan.
Allocating financial resources to projects, processes, and units within the information security program.
Monitoring/Overseeing the cost management of information security projects and return on investment (ROI) of essential IT infrastructure and security purchases, and ensuring alignment with the strategic plan.
Identifying and reporting financial metrics to stakeholders.
Balancing the IT security investment portfolio based on EISA considerations and enterprise security priorities.
Understanding the acquisition life cycle.
Determining the importance of procurement by performing Business Impact Analysis.
Identifying procurement strategies.
Understanding the value of cost-benefit analysis during procurement of an information system.
The basic procurement concepts like Statement of Objectives (SOO), Statement of Work (SOW), and Total Cost of Ownership (TCO).
Collaborating with stakeholders (internal clients, lawyers, IT security, privacy professionals, security engineers, suppliers, and others) to procure IT security products and services.
Including risk-based security requirements in acquisition plans, cost estimates, statements of work, contracts or evaluation factors for service level agreements and other procurement documents.
Designing the vendor selection process and management policy.
Developing contract administration policies directing the evaluation or acceptance of delivered IT security products and services under a contract.
Developing standards for measuring and reporting key objectives in procurements aligned with IT security policies/procedures.
Understanding the IA security requirements to be included in work statements and other appropriate procurement documents.
Designing the third-party selection process.
The third-party management policy, metrics, and processes.
Designing and managing the third-party assessment process, including ongoing compliance management.
Developing standards for measuring and reporting critical objectives in procurements aligned with IT security policies and procedures.
Adding risk-based security requirements to acquisition plans, cost estimates, statements of work, contracts, and evaluation factors for service level agreements and other relevant procurement documents.
Understanding the security/privacy/compliance requirements to be included in Statements of Work (SOW), Master Service Agreements (MSA), and other appropriate procurement documents.
What's the Credibility of EC-Council?
EC-Council, or the International Council of E-Commerce Consultants, is a premier member-based organization that certifies individuals in multiple e-businesses and information security skills.
Who Designed & Developed the Certified Chief Information Security Officer Program?
A core group of high-level information security executives and sitting CISOs called "The CCISO Advisory Board."
What's Included in the CCISO Body of Knowledge?
The five CCISO InfoSec management domains outlined above, covered in depth.
Why Zero-in on the Certified CISO (CCISO) Accreditation?
The coveted program is created by well-acknowledged CISOs from the private and public sectors carrying a wide range of expertise and knowledge. It explores the subject from the executive management perspective and pays sufficient attention to business acumen and strategic/financial management.
Altogether, the certification proves immensely beneficial for successful transitions to the highest ranks of InfoSec management.
Is CCISO Similar to CISSP (Certified Information Systems Security Professional)?
Contrary to popular perception, it is not. Instead, CCISO is the path anyone interested in an executive career in InfoSec may take after completing CISSP.
It should also be noted that CISSP assigns more weight to Governance, IS Management Controls & Auditing Management, and Information Security Core Competencies, with less coverage of Strategic Planning, Finance, Procurement & Third-Party Management.
Is it Binding to Attend the EC-Council Authorized Course Before CCISO Exam?
It is not mandatory; however, in that case you will have to present evidence and verifiers validating 5 years of experience in each of the five CCISO domains.
What If I Complete the CCISO Training & Fail to Substantiate the Required Experience?
The EC-Council CCISO examination voucher will not be issued.
How Can I Apply for the CCISO Exam?
By filling out the CCISO Exam Eligibility Application and emailing it to cciso@eccouncil.org.
Is Certified Chief Information Security Officer (CCISO) Credential Renewable?
Yes. The CCISO credential is valid for 3 years and can be renewed for another 3 years by updating your EC-Council Continuing Education (ECE) credit account in the EC-Council Aspen portal and submitting proof of the earned credits.
Why Prefer Vinsys for CCISO Training?
Besides being a globally respected individual and corporate IT training provider, Vinsys is also recognized as a top EC-Council Accredited Training Partner (ATP). Its comprehensive offerings, accredited instructors, customizable skilling programs, and round-the-clock learner support ensure a thorough upskilling experience, a must for capitalizing on valuable InfoSec opportunities.