Prerequisites:

Individuals should have already taken the NIST Cybersecurity Framework (NCSF) Foundation Training course or have significant experience with the NIST Cybersecurity Framework.

Target Audience:

Course Objectives:

Course Outline:

MODULE 1: COURSE INTRODUCTION

• Provides the student with information relative to the course and the conduct of the course in the classroom, virtual classroom, and course materials.

MODULE 2: RISK MANAGEMENT IN THE NIST CSF AND NIST RMF

• Risk Management in the NIST Cybersecurity Framework
• Analyzing the NIST Risk Management Framework
  • Introduction and History
  • Purpose and Use Cases
  • Six Steps
    • 1. Categorize System
    • 2. Select Controls
    • 3. Implement Controls
    • 4. Assess Controls
    • 5. Authorize System
    • 6. Monitor Controls
• Integrating the Frameworks

MODULE 3: REAL WORLD ATTACKS

• Major Cybersecurity Attacks and Breaches
• Cyber Kill Chain
• Mitre ATT&CK Matrix

MODULE 4: THE COMPONENTS OF THE NIST CYBERSECURITY FRAMEWORK

• Tiers and Tier selection
• Current and Target Profiles and the Framework Core
• Deep dive in Informative References
  • Center for Internet Security 20 Critical Security Controls
  • ISO 27001:2013 Information Security Management System (ISMS)
  • ISO 27002:2013 Code of Practice
• Supply Chain Risk Management in the Enterprise

MODULE 5: DEFENSE IN-DEPTH AND THE NIST CYBERSECURITY FRAMEWORK

• Informative References, Subcategories, and Defense in Depth
• Aligning vendor Controls with Subcategories
• Security Operations Center (SOC) activities and Security Information and Event Management solutions in relation to the Framework

MODULE 6: ASSESSING CYBERSECURITY IN THE SUBCATEGORIES

• Creating an Assessment Plan
• Assigning Roles and Responsibilities
• Tiers, Threats, Risks, Likelihoods, and Impact

MODULE 7: CREATING A WRITTEN INFORMATION SECURITY PROGRAM

• The Intersection of Business and Technical Controls
• What is a Written Information Security Program (WISP)?
• Creating a WISP Template
• Aligning Current Profile with a WISP

MODULE 8: A PRACTITIONER’S DEEP DIVE INTO CREATING OR IMPROVING A CYBERSECURITY PROGRAM

• Step 1: Prioritize and Scope
  • Identifying organizational priorities
  • Aiding and influencing strategic cybersecurity implementation decisions
  • Determining scope of the implementation
  • Planning for internal adaptation based on business line/process need
  • Understanding risk tolerance
• Step 2: Orient
  • Identifying systems and applications which support organizational priorities
  • Working with compliance to determine regulatory and other obligations
  • Planning for risk responsibility
• Step 3: Create a Current Profile
  • Assessing – self vs. 3rd party
  • How to measure real world in relation to the Framework
    • Qualitative and quantitative metrics
    • Analysis of the Current State in a sample assessment
    • Implementation Tiers in practice
  • Current Profile and Implementation Tiers
• Step 4: Conduct a Risk Assessment
  • Risk assessment options (3rd party vs internal)
  • Organizational vs. system-level risk assessment
  • Risk assessment and external stakeholders
• Step 5: Create a Target Profile
  • Target Profile and Steps 1-4
  • Determining desired outcomes with Tiers
  • External stakeholder considerations
  • Adding Target Profiles outside the Subcategories
• Step 6: Determine, Analyze, and Prioritize Gaps
  • Defining and determining Gaps
  • Gap analysis and required resources
  • Organizational factors in creating a prioritized action plan
• Step 7: Implement Action Plan
  • Implementation team design from Executives to Technical Practitioners
  • Assigning tasks when priorities conflict
  • Considering compliance and privacy obligations
  • Taking action
  • Reporting and reviewing

MODULE 9: CONTINUOUS CYBERSECURITY IMPROVEMENT

• Creating a continuous improvement plan
• Implementing ongoing assessments