Cyber Security Training University

Learning Objectives

• Introduction to the Federal Information Security Management Act (FISMA) and the Risk Management Framework (RMF).
• Understanding of the Risk Management Framework for the Authorization Process.
• Understanding of the FISMA and NIST processes for authorizing Federal IT systems.
• Explaining key roles and responsibilities and statutory and regulatory requirements as detailed in federal regulations.
• Application of concepts and principles into real world activities and situations.

Course Schedule

• Certified Authorization Professional Overview and Test-Taking Tips
• Domain 1 – Risk management framework for DOD IT Authorization process.
• Domain 2 – Categorization of information systems and understanding FISMA and NIST processes for authorizing Federal IT systems
• Domain 3 – Selection of security controls
• Domain 4 – Security control implementation
• Domain 5 – Security control assessment
• Domain 6 – Information system authorization
• Domain 7 – Monitoring of security controls
• Review questions and exam simulation

Implementation program for Information Security Management System (ISO 27001)

ISMS implementation course is designed to help and provide individuals with the skills needed in helping an organization manage their Information Security Management System (ISMS) based on ISO/IEC 27001:2013. This course is designed to be completed within 5 days. This short term program involves the ISO requirement and specification overview within the first 2 days, in the succeeding period, individuals are made to go through live cases from different industries. This serves as a means of testing and reviewing their capabilities and skills learned through the course.

• Fundamental principles of Information Security (IS)
• Preparation project plan for the implementation of an ISMS
• Defining the scope of an ISMS
• Development of Information Security policies
• Selection of the approach and methodology for risk assessment
• Risk management: identification, analysis, and treatment of risk
• Drafting the SOA
• Implementation of a document management framework
• Design of controls and procedures
• Implementation of controls
• Development of a training & awareness program and communicating about the information security.
• Incident management (based on guidance from ISO 27035)
• Operations management of an ISMS
• Controlling and Monitoring the ISMS
• Development of metrics and performance indicators
• ISO 27001 Internal Audit
• Management review of an ISMS
• Implementation of a continual improvement program
• Preparing for an audit for ISO 27001 certification

• Introduction and PCI Data Security Standard Overview
• PCI DSS Resources
• PCI DSS Applicability Information
• Relationship between PCI DSS and PA-DSS
• Applicability of PCI DSS to PA-DSS Applications
• Applicability of PCI DSS to Payment Application Vendors
• Scope of PCI DSS Requirements
• Network Segmentation
• Wireless
• Use of Third-Party Service Providers / Outsourcing
• Best Practices for Implementing PCI DSS into Business-as-Usual Processes
• For Assessors: Sampling of Business Facilities/System Components
• Compensating Controls
• Instructions and Content for Report on Compliance
• PCI DSS Assessment Process
• PCI DSS Versions

• Introduction to FedRAMP
• FedRAMP security assessment framework
• FedRAMP overview
• Applicable laws and regulations
• Applicable standards and guidance
• FedRAMP overview
• Authorities
• Purpose
• Governance and stakeholders
• Office of management and budget
• FedRAMP joint authorization board
• National institute of standard and technology
• Department of homeland security
• FedRAMP program management office
• Federal agencies
• Federal chief information officers council
• Third-party assessment organizations
• Cloud service providers
• FedRAMP requirements
• Two authorization paths
• Joint authorization board P-ATO
• FedRAMP agency ATO
• Contractual language
• Using a CSP not listed in the secure repository
• FedRAMP security assessment framework
• Document
• Categorize the information system
• Select security controls
• Implement security controls
• Assess
• Use of a third-party assessment organization
• Use of a non-accredited independent assessor
• Complete the security assessment plan
• Use test case procedures
• Perform security testing
• Authorize
• Analysis of risks
• Plan of action and milestones
• Submission of a security package for authorization
• Authorization letter
• Leveraging FedRAMP security packages
• Revoking an authorization
• Monitor
• Operational visibility
• Change control
• Incident response
• Third party assessment organizations
• Requirements for accreditation
• Becoming an accredited 3PAO
• Appendix A: FedRAMP acronyms
• Appendix B: Summary of FedRAMP stakeholders