Certified Information Security Systems Officer - C)ISSP/C)ISSO Course Outline

(5 Days)

Overview

The CISSO addresses the broad range of industry best practices, knowledge and skills expected of a security manager/officer. The candidate will learn in-depth theory pertaining to the practical implementation of core security concepts, practices, monitoring and compliance in the full panorama of IS management. Through the use of a risk-based approach, the CISSO is able to implement and maintain cost-effective security controls that are closely aligned with both business and industry standards.

Whether you’re responsible for the management of a Cyber Security team, a Security Officer, an IT auditor or a Business Analyst, the C)ISSO certification course is an ideal way to increase your knowledge, expertise and skill.

Mile2’s vendor-neutral Certified Information Systems Security Officer certification training was a direct initiative of the DND – Department of National Defence of Canada in cooperation with the DOD – Department of Defense of the United States, defined in the dual initiative titled CANUS CDISM MOU – ID#: 1974100118, found at: http://www.state.gov/documents/organization/111449.pdf. The CANUS CDISM MOU states the following:

  1. The CDRSN National Information System Security Officer (ISSO) is the focal point for all security issues pertaining to this network.
  2. The Director Information Management Security (DIMSECUR) is the DND authority for security assessment of the CDRSN, including the approval of Interim Authority to Process (IAP) and Authority to Communicate.

With these initiatives in mind, Mile2 created the Certified ISSO.

Prerequisites

1 year of experience in at least 2 modules, or

1 year in IS Management

At Course Completion

Upon completion, Certified Information Systems Security Officer students will not only be able to establish industry acceptable Cyber Security & IS management standards with current best practices but also be prepared to competently take the CISSO exam.

The CISSO certification has been validated against the NSA CNSSI-4012, National Information Assurance Training Standard for Senior System Managers, as well as NSTISSI-4011, National Training Standard for Information Systems Security (INFOSEC).

Course Outline

Module 1 – Risk Management

What Is the Value of an Asset?

What Is a Threat Source/Agent?

What Is a Threat?

What Is a Vulnerability?

Examples of Some Vulnerabilities that Are Not Always Obvious

What Is a Control?

What Is Likelihood?

What Is Impact?

Control Effectiveness

Risk Management

Purpose of Risk Management

Risk Assessment

Why Is Risk Assessment Difficult?

Types of Risk Assessment

Different Approaches to Analysis

Quantitative Analysis

ALE Values Uses

Qualitative Analysis – Likelihood

Qualitative Analysis – Impact

Qualitative Analysis – Risk Level

Qualitative Analysis Steps

Management’s Response to Identified Risks

Comparing Cost and Benefit

Cost of a Countermeasure

Module 2 – Security Management

Enterprise Security Program

Building A Foundation

Planning Horizon Components

Enterprise Security – The Business Requirements

Enterprise Security Program Components

Control Types

“Soft” Controls

Technical or Logical Controls

Physical Controls

Security Roadmap

Senior Management’s Role in Security

Negligence and Liability

Security Roles and Responsibilities

Security Program Components

Security and the Human Factors

Employee Management

Human Resources Issues

Importance to Security?

Recruitment Issues

Termination of Employment

Informing Employees About Security

Enforcement

Security Enforcement Issues

Module 3 – Authentication

Agenda

Access Control Methodology

Access Control Administration

Accountability and Access Control

Trusted Path

Who Are You?

Authentication Mechanisms

Strong Authentication

Authorization

Access Criteria

Fraud Controls

Access Control Mechanisms

Agenda

Biometrics Technology

Biometrics Enrollment Process

Downfalls to Biometric Use

Biometrics Error Types

Biometrics Diagram

Biometric System Types

Agenda

Passwords and PINs

Password “Shoulds”

Password Attacks

Countermeasures for Password Cracking

Cognitive Passwords

One-Time Password Authentication

Agenda

Synchronous Token

Asynchronous Token Device

Cryptographic Keys

Passphrase Authentication

Memory Cards

Smart Card

Agenda

Single Sign-on Technology

Different Technologies

Scripts as a Single Sign-on Technology

Directory Services as a Single Sign-on Technology

Thin Clients

Kerberos as a Single Sign-on Technology

Tickets

Kerberos Components Working Together

Major Components of Kerberos

Kerberos Authentication Steps

Why Go Through All of this Trouble?

Issues Pertaining to Kerberos

SESAME as a Single Sign-on Technology

Federated Authentication

Agenda

IDS

Network IDS Sensors

Types of IDSs

Behavior-Based IDS

IDS Response Mechanisms

IDS Issues

Trapping an Intruder

Module 4 – Access Control

Role of Access Control

Definitions

More Definitions

Layers of Access Control

Layers of Access Controls

Access Control Mechanism Examples

Access Control Characteristics

Preventive Control Types

Control Combinations

Administrative Controls

Controlling Access

Other Ways of Controlling Access

Technical Access Controls

Physical Access Controls

Accountability

Information Classification

Information Classification Criteria

Declassifying Information

Types of Classification Levels

Models for Access

Discretionary Access Control Model

Enforcing a DAC Policy

Mandatory Access Control Model

MAC Enforcement Mechanism – Labels

Where Are They Used?

Role-Based Access Control (RBAC)

Acquiring Rights and Permissions

Rule-Based Access Control

Access Control Matrix

Access Control Administration

Access Control Methods

Remote Centralized Administration

RADIUS Characteristics

RADIUS

TACACS+ Characteristics

Diameter Characteristics

Decentralized Access Control Administration

Module 5 – Security Models and Evaluation Criteria

System Protection – Trusted Computing Base

System Protection – Reference Monitor

Security Kernel Requirements

Security Modes of Operation

System Protection – Levels of Trust

System Protection – Process Isolation

System Protection – Layering

System Protection – Application Program Interface

System Protection – Protection Rings

What Does It Mean to Be in a Specific Ring?

Security Models

State Machine

Information Flow

Bell-LaPadula

Rules of Bell-LaPadula

Biba

Clark-Wilson Model

Non-interference Model

Brewer and Nash – Chinese Wall

Take-Grant Model

Trusted Computer System Evaluation Criteria (TCSEC)

TCSEC Rating Breakdown

Evaluation Criteria – ITSEC

ITSEC Ratings

ITSEC – Good and Bad

Common Criteria

Common Criteria Components

First Set of Requirements

Second Set of Requirements

Package Ratings

Common Criteria Outline

Certification vs. Accreditation

Module 6 – Operations Security

Operations Issues

Role of Operations

Administrator Access

Computer Operations – Systems Administrators

Security Administrator

Operational Assurance

Audit and Compliance

Some Threats to Computer Operations

Specific Operations Tasks

Product Implementation Concerns

Logs and Monitoring

Records Management

Change Control

Resource Protection

Contingency Planning

System Controls

Trusted Recovery

Fault-Tolerance Mechanisms

Duplexing, Mirroring, Check Pointing

Redundant Array of Independent Disks (RAID)

Fault Tolerance

Redundancy Mechanism

Backups

Backup Types

Remote Access

Facsimile Security

Email Security

Before Carrying Out Vulnerability Testing

Vulnerability Assessments

Methodology

Penetration Testing

Penetration Testing