Chief Information Security Officer

Governance 

• Understand procedures, standards, directives, policies, regulations, and legal issues affecting the CISO information security program.  

• Learn, implement, manage and maintain a CISO chief information security officer training program that includes leadership, organizational structures, and processes. 

• Align information security governance framework with organizational goals and governance.  

• Establish information security management structure and chief information security officer roles and responsibilities. 

• Establish a framework for information security governance monitoring (considering cost/benefits analyses of controls and ROI). 

• Understand the enterprise information security compliance program. 

Risk Management 

• Develop a risk management program policy and charter 

• Develop risk reporting metrics and processes  

• Create a risk assessment methodology and framework 

• Develop and manage risk register 

• Create risk assessment schedule and checklists 

Information Security Management Controls 

• Identify the organization’s objective and operational process. 

• Design automated information systems control processes by assessing and implementing tools and techniques. Measure, manage, and report on security control implementation and effectiveness.  

• Create information systems control in alignment with the operational needs and goals and conduct testing prior to implementation to ensure effectiveness 

• Design and implement information systems controls to mitigate risk. Monitor and document the information systems control performance in meeting organizational objectives by identifying and measuring metrics and key performance indicators 

• Design and conduct testing of information security controls to ensure effectiveness, discover deficiencies, and ensure alignment with the organization’s risk management program Design and implement processes to appropriately remediate deficiencies and evaluate problem management practices to ensure that errors are recorded, analyzed, and resolved in a timely manner 

• Identify and select the resources required to effectively implement and maintain information systems controls. Such resources can include human capital, information, infrastructure, and architecture  

Compliance  

• Learn the information security compliance process  

• Compile, analyze, and report compliance programs 

• Learn about international security and risk standards such as ISO 27000 and 31000 series. 

• Understand the compliance auditing and cortication programs  

• Examine and comprehend common external laws, regulations, industry standards, best practices, and ethical guidelines that apply to the organization. 

• Learn implementing information security strategies, plans, policies, and procedures to reduce regulatory risk and how to manage them. 

• Understand the importance of regulatory information security organizations and appropriate industry groups and stakeholders 

• Understand information security changes, trends, and best practices 

• Understand and manage enterprise compliance program controls, information security compliance process and procedures, compliance auditing, and certification programs 

• Learn and follow organizational ethics 

Audit Management 

• Understand and develop an IT audit documentation process, prepare and share reports with relevant stakeholders as the basis for decision making  

• Learn the IT audit process and IT audit standards 

• Apply information systems audit principles, skills and techniques in reviewing and testing information systems technology and applications to design and implement a thorough risk-based IT audit strategy. 

• Implement the audit process following established standards, analyzing results based on defined criteria to ensure information systems are secure, well-controlled, and effectively support the organization’s goals. 

• Assess the exposures resulting from ineffective or missing control practices and formulate a practical and cost-effective plan to improve those areas 

• Assess audit results, weighing the relevancy, accuracy, and perspective of conclusions against the gathered audit evidence 

Security Program Management 

• Define clear roles for chief information security officer role and provide ongoing training to enhance performance and accountability.  

• For each information systems project develop a clear project scope statement in alignment with organizational objectives 

• Build, lead, and oversee an information security project team.  

• Define activities needed to successfully execute the information systems program, estimate activity duration, and develop a schedule and staffing plan 

• Develop, manage and monitor the information systems program budget, estimate and control costs of individual projects 

• Identify, negotiate, acquire and oversees the resources needed for successful design and implementation of the information systems program, for example people, infrastructure, and architecture 

• Supervise chief information security officer roles and responsibilities, facilitate communication, and coordinate activities between the information systems team and other security-related professionals. 

Security Program Operations 

• Learn to recognize key stakeholders, manage their expectations, and maintain clear communication to report progress and performance.  

• Resolve personnel and teamwork issues within time, cost, and quality constraints 

• Identify, negotiate and manage vendor agreement and community 

• Implement necessary updates and enhancements to information system processes as needed. 

• Participate with vendors and stakeholders to review/assess recommended solutions; identify incompatibilities, challenges, or issues with proposed solutions 

• Evaluate the project management practices and controls to determine whether business requirements are achieved in a cost-effective manner while managing risks to the organization and develop a plan to continuously measure the effectiveness of the chief info security officer systems projects to ensure optimal system performance 

Access Control 

• Learn and implement procedures to ensure system users are aware of their responsibilities before granting access to the information systems  

• Identify the criteria for mandatory and discretionary access control, understand the difference 

• Learn about the factors that help in implementation of access controls and design an access control plan 

• Implement and manage an access control plan in alignment with the basic principles that govern the access control systems such as need-to-know 

• Identify different access control systems such as ID cards and biometrics 

• Understand the importance of warning banners for implementing access rules 

  Social Engineering, Phishing Attacks, Identity Theft 

• Larn about various social engineering concepts and their role in insider attacks and develop best practices to counter social engineering attacks 

• Identify and design a plan to overcome phishing attacks 

• Design and develop a response plan to identity theft incidences 

Physical Security 

• Identify standards, procedures, directives, policies, regulations, and laws for physical security   

• Design, implement and oversees a comprehensive, coordinated, and holistic physical security plan to ensure overall organizational security including a scheduled audit and performance metrics 

• Determine the value of physical assets and the impact of its unavailability 

Disaster Recovery and Business Continuity Planning 

• Learn the importance of integration of IA requirements into the Continuity of Operations Plan (COOP).  

• Develop, implement, and monitor business continuity, business recovery, contingency planning, and disaster recovery plans in case of disruptive events and ensure alignment with organizational goals and objectives 

• Direct contingency planning, operations, and programs to manage risk 

• Develop a documentation process as part of the continuity of operations program 

• Design and execute a testing and updating plan for the continuity of operations program 

Firewall, IDS/IPS and Network Defense Systems 

• Identify network vulnerabilities and explore network security controls such as use of SSL and TLS for transmission security  

• Recognize and manage network cloud security 

• Identify the appropriate intrusion detection and prevention systems for organizational information security 

• Learn to manage accounts, network rights, and access to systems and equipment  

• Design and develop a program to monitor firewalls and identify firewall configuration issues 

• Learn perimeter defense systems such as grid sensors and access control lists on routers, firewalls, and other network devices 

• Identify the basic network architecture, models, protocols and components such as routers and hubs that play a role in network security 

• Understand the concept of network segmentation 

• Manage DMZS, VPN and telecommunication technologies such as PBX and VoIP 

• Support, monitor, test, and troubleshoot issues with hardware and software 

Wireless Security 

• Identify vulnerability and attacks associated with wireless networks and manage different wireless network security tools

Virus, Trojans and Malware, and other Malicious Code Threats 

• Assess the threat of virus, Trojan and malware to organizational security and identify sources and mediums of malware infection 

• Deploy and manage anti-virus systems 

• Develop process to counter virus, Trojan, and malware threats including training both security teams and non-security teams on secure development processes 

Secure Coding Best Practices and Securing Web Applications 

• Recognize web application vulnerabilities and attacks and web application security tools to counter attacks  

• Develop and maintain software assurance programs in alignment with the secure coding principles and each phase of System Development Life Cycle (SDLC) 

• Learn about various system-engineering practices 

• Configure and run tools that help in developing secure programs 

• Understand software vulnerability analysis techniques including static code, dynamic code, and software composition analysis. 

• Install and operate the IT systems in a test configuration manner that does not alter the program code or compromise security safeguards 

OS Hardening 

• Identify various OS vulnerabilities and attacks and develop a plan for hardening OS systems  

• Learn system logs, patch management process and configuration management for information system security 

Encryption Technologies 

• Understand the concept of encryption and decryption, digital certificates, public key infrastructure and the key differences between cryptography and steganography 

• Create a plan for information security encryption techniques  

• Identify the different components of a cryptosystem 

Vulnerability Assessment and Penetration Testing 

• Design, develop and manage a penetration testing program based on penetration testing methodology to ensure organizational security 

• Identify different vulnerabilities associated with information systems and legal issues involved in penetration testing 

• Develop pre and post testing procedures 

• Create a plan for pen test reporting and implementation of technical vulnerability corrections  

• Develop vulnerability management systems 

Threat Management 

• Develop and manage a threat management program including threat intelligence, third party threats, and security bulletins regarding hardware and software, particularly open-source software 

Incident Response and Computer Forensics 

• Create a plan to identify a potential security violation and take appropriate action to report the incident 

• Establish guidelines to assess whether a security incident constitutes a legal violation requiring specialized legal action  

• Design investigation processes such as evidence collection, imaging, data acquisition, and analysis 

• Understand the best practices to acquire, store and process digital evidence 

• Learn, configure and use various forensic investigation tools 

• Design anti-forensic techniques  

• Comply with system termination procedures and incident reporting requirements related to potential security incidents or actual breaches 

• Assess potential security violations to determine if the network security policies have been breached, assess the impact, and preserve evidence 

• Diagnose and resolve IA problems in response to reported incidents 

• Design incident response procedures including testing, tabletop exercises, and playbooks 

• Set up and manage forensic labs and programs 

• Gain expertise in digital media devices, e-discovery methodologies, and various file systems. 

• Develop and manage an organizational digital forensic program 

• Establish, develop and manage forensic investigation teams 

• Identify both volatile and persistent system data and oversee the setup of forensic programs. 

Application Security 

• Secure SDLC Model 

• Separation of Development, Test, and Production Environments 

• Application Security Testing Approaches 

• DevSecOps 

• Waterfall Methodology and Security 

• Agile Methodology and Security 

• Other Application Development Approaches 

• Database Security 

• Database Hardening  

• Secure Coding Practices  

• Application Hardening 

• Application Security Technologies 

• Version Control and Patch Management  

Virtualization Security 

• Virtualization Overview 

• Virtualization Risks 

• Virtualization Security Concerns 

• Virtualization Security Controls 

• Virtualization Security Reference Model 

Cloud Computing Security 

• Security and Resiliency Cloud Services  

• Overview of Cloud Computing  

• Cloud Security Concerns 

• Cloud Security Controls 

• Cloud Computing Protection Considerations 

Transformative Technologies 

• Artificial Intelligence  

• Software-Defined Cybersecurity  

• Augmented Reality 

• Autonomous SOC 

• Dynamic Deception 

Strategic Planning 

• Create, implement, and sustain an Enterprise Information Security Architecture (EISA) by integrating business processes, IT infrastructure, networks, personnel, operations, and projects with the organization’s overall security strategy  

• Identify and consult with key stakeholders to ensure understanding of organization’s objectives  

• Define a forward-looking, visionary and innovative strategic plan for the role of the information security program with clear goals, objectives and targets that support the operational needs of the organization 

• Understand and define key performance indicators and measure effectiveness on continuous basis 

• Assess and adjust security resources to ensure they support the organization’s strategic objectives 

• Conduct external analysis of the organization, including customer trends, competitors, market conditions, and industry landscape, alongside internal evaluations such as risk management, organizational capabilities, and performance metrics, to align the information security program with business objectives. 

• Monitor and streamline activities to ensure accountability and progress 

Finance 

• Establish contract administration policies to guide the assessment and approval of IT security products and services delivered under a contract, as well as the security evaluation of IT and software being procured  

• Analyze, forecast and develop the operational budget of the security department 

• Acquire and manage the necessary resources for implementation and management of information security plan 

• Allocate financial resources to projects, processes and units within information security program 

• Monitor and manage cost management of information security projects, return on investment (ROI) of key purchases related to IT infrastructure and security and ensure alignment with the strategic plan 

• Identify and report financial metrics to stakeholders 

• Balance the IT security investment portfolio based on EISA considerations and enterprise security priorities 

• Understand the acquisition life cycle and determine the importance of procurement by performing Business Impact Analysis 

• Recognize different procurement strategies and understand the importance of cost benefit analysis during procurement of an information system 

• Understand the basic procurement concepts such as Statement of Objectives (SOO), Statement of Work (SOW), and Total Cost of Ownership (TCO) 

• Collaborate with various stakeholders (which may include internal client, lawyers, IT security professionals, privacy professionals, security engineers, suppliers, and others) on the procurement of IT security products and services 

• Learn the IA security requirements to be included in statements of work and other appropriate procurement documents 

• Learn and include risk-based security requirements in acquisition plans, cost estimates, statements of work, contracts, and evaluation factors for award, service level agreements, and other pertinent procurement documents 

• Design vendor selection process and management policy 

• Create metrics and reporting standards to track and communicate key procurement objectives in alignment with IT security policies and procedures. 

Third Party Management 

• Develop third party selection process 

• Design third party management policy, metrics, and processes 

• Design and oversee the third-party assessment process including ongoing compliance management 

• Learn the security, privacy, and compliance requirements to be included in Statements of Work (SOW), Master Service Agreements (MSA), and other procurement documents  

• Develop measures and reporting standards to measure and report on key objectives in procurements aligned with IT security policies and procedures 

• Include risk-based security requirements in acquisition plans, cost estimates, statements of work, contracts, and evaluation factors for award, service level agreements, and other pertinent procurement documents