Torque IT – The Technology Skills Factory Courses Offered (ISC)2

Course Overview

In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish holistic security programs that assure the protection of an organisation's information assets.

(ISC)2 is an international non-profit membership association leading in educating and certifying cyber, information, software, and infrastructure security professionals throughout their careers. Headquartered in the United States and with offices in London, Hong Kong, and an authorized China agency in Beijing, (ISC)2 is recognized for the acclaimed Certified Information Systems Security Professional (CISSP®) certification, along with a portfolio of credentials and world-class education programs in the form of vendor-neutral education products and career services.

(ISC)2 members represent an elite, global network of dedicated cybersecurity professionals – preeminent experts in their field – who have committed themselves to the highest ethical standards and best practices. All members are certified professionals who have passed (ISC)2 examinations attesting to skill and knowledge in their field. Through their (ISC)2 certification, they have demonstrated superior competency and devoted themselves to making the cyber world a safer place for all. With more than 120,000 certified members in more than 160 countries, the (ISC)2 community plays a vital role not only in the organizations they serve but in society. Without them, our critical infrastructures would go unprotected and we wouldn’t be as safe. As organizations are increasingly recognizing information security as imperative, (ISC)2 members are in greater demand than ever before.

Torque IT has embarked on a new and exciting growth phase that will further cement our organization's position as the leading Training, Enablement and Certification solutions provider in our market. As part of this strategy, Torque IT has achieved the status of Official Training Provider for (ISC)².

CY-CISSP

Certified Information Systems Security Professional

Summary

  • Duration: 5 Days
  • Level: Advanced
  • Technology: (ISC)2
  • Delivery Method: Instructor-led (Classroom)
  • Training Credits: N/A
  • Audience: Security Professionals

Introduction

In an increasingly complex cyber world, there is a growing need for information security leaders who possess the breadth and depth of expertise necessary to establish holistic security programs that assure the protection of organisations' information assets. CISSP is the most globally recognised certification in the information security market. Required by the world’s most security-conscious organisations, CISSP is the industry-leading credential that assures you have the deep technical and managerial knowledge and experience to effectively design, engineer, and manage the overall security posture of an organisation. The vendor-neutral CISSP certification is the ideal credential for those with proven deep technical and managerial competence, skills, experience, and credibility to design, engineer, implement, and manage their overall information security program to protect organisations from increasingly sophisticated attacks.

Backed by (ISC)², the globally recognised, non-profit organisation dedicated to advancing the information security field, the CISSP was the first credential in the field of information security to meet the stringent requirements of ISO/IEC Standard 17024. Not only is the CISSP an objective measure of excellence, but also a globally recognised standard of achievement.

Target Audience

This training course is intended for professionals who have at least 5 years of recent full-time professional work experience in 2 or more of the 8 domains of the CISSP CBK and are pursuing CISSP training and certification to acquire the credibility and mobility to advance within their current information security careers. The training course is ideal for those working in positions such as, but not limited to:

  • Security Consultant
  • Security Manager
  • IT Director/Manager
  • Security Auditor
  • Security Architect
  • Security Analyst
  • Security Systems Engineer
  • Chief Information Security Officer
  • Director of Security
  • Network Architect

Prerequisites

The knowledge and skills that a learner must have before attending this course are as follows:

  • A firm understanding and good knowledge base of Information Security Principles, Concepts and Best Practices.
  • While there are no formal prerequisites to attend the course, there are prerequisites to be met before a delegate can attempt the CISSP exam. **See below under Associated Certifications and Exams for more details.

Course Objectives

On completion of this program, the participants will be able to:

  • Understand and apply the concepts of risk assessment, risk analysis, data classification, and security awareness, and implement risk management and the principles used to support it (risk avoidance, risk acceptance, risk mitigation, risk transference).
  • Apply a comprehensive and rigorous method for describing a current and/or future structure and behaviour for an organization’s security processes, information security systems, personnel, and organizational sub-units so that these practices and processes align with the organization’s core goals and strategic direction and address the frameworks and policies, concepts, principles, structures, and standards used to establish criteria for the protection of information assets, as well as to assess the effectiveness of that protection and establish the foundation of a comprehensive and proactive security program to ensure the protection of an organization’s information assets.
  • Apply a comprehensive and rigorous method for describing a current and/or future structure and behaviour for an organization’s security processes, information security systems, personnel, and organizational sub-units so that these practices and processes align with the organization’s core goals and strategic direction and examine the principles, means, and methods of applying mathematical algorithms and data transformations to information to ensure its integrity, confidentiality, and authenticity.
  • Understand the structures, transmission methods, transport formats, and security measures used to provide confidentiality, integrity, and availability for transmissions over private and public communications networks and media and identify risks that can be quantitatively and qualitatively measured to support the building of business cases to drive proactive security in the enterprise.
  • Offer greater visibility into determining who or what may have altered data or system information, potentially affecting the integrity of those assets, and match an entity, such as a person or a computer system, with the actions that entity takes against valuable assets, allowing organizations to have a better understanding of the state of their security posture.
  • Plan for technology development, including risk, and evaluate the system design against mission requirements, and identify where competitive prototyping and other evaluation techniques fit in the process.
  • Protect and control information processing assets in centralized and distributed environments and execute the daily tasks required to keep security services operating reliably and efficiently.
  • Understand the Software Development Life Cycle (SDLC) and how to apply security to it, and identify which security control(s) are appropriate for the development environment, and assess the effectiveness of software security.

Course Content

Domain 1 – Security and Risk Management

  • Understand and apply concepts of confidentiality, integrity and availability
  • Apply security governance principles through:
    – Alignment of security function to strategy, goals, mission, and objectives (e.g., business case, budget and resources)
    – Organizational processes (e.g., acquisitions, divestitures, governance committees)
    – Security roles and responsibilities
    – Control frameworks
    – Due care
    – Due diligence
  • Compliance
    – Legislative and regulatory compliance
    – Privacy requirements compliance
  • Understand legal and regulatory issues that pertain to information security in a global context
    – Computer crimes
    – Licensing and intellectual property (e.g., copyright, trademark, digital-rights management)
    – Import/export controls
    – Trans-border data flow
    – Privacy
    – Data breaches
  • Understand professional ethics
  • Develop and implement documented security policy, standards, procedures, and guidelines
  • Understand business continuity requirements
  • Contribute to personnel security policies
  • Understand and apply risk management concepts
  • Understand and apply threat modelling
  • Integrate security risk considerations into acquisition strategy and practice
  • Establish and manage information security education, training, and awareness

Domain 2 – Asset Security

  • Classify information and supporting assets (e.g., sensitivity, criticality)
  • Determine and maintain ownership (e.g., data owners, system owners, business/mission owners)
  • Protect privacy
  • Ensure appropriate retention (e.g., media, hardware, personnel)
  • Determine data security controls (e.g., data at rest, data in transit)
  • Establish handling requirements (markings, labels, storage, destruction of sensitive information)

Domain 3 – Security Engineering

  • Implement and manage engineering processes using secure design principles
  • Understand the fundamental concepts of security models (e.g., Confidentiality, Integrity, and Multi-level Models)
  • Select controls and countermeasures based upon systems security evaluation models
  • Understand security capabilities of information systems (e.g., memory protection, virtualization, trusted platform module, interfaces, fault tolerance)
  • Assess and mitigate the vulnerabilities of security architectures, designs, and solution elements
  • Assess and mitigate vulnerabilities in web-based systems (e.g., XML, OWASP)
  • Assess and mitigate vulnerabilities in mobile systems
  • Assess and mitigate vulnerabilities in embedded devices and cyber-physical systems (e.g., network-enabled devices, Internet of Things (IoT))
  • Apply cryptography
  • Apply secure principles to site and facility design
  • Design and implement physical security

Domain 4 – Communications and Network Security

  • Apply secure design principles to network architecture (e.g., IP & non-IP protocols, segmentation)
  • Secure network components
  • Design and establish secure communication channels
  • Prevent or mitigate network attacks

Domain 5 – Identity and Access Management

  • Control physical and logical access to assets
  • Manage identification and authentication of people and devices
  • Integrate identity as a service (e.g., cloud identity)
  • Integrate third-party identity services (e.g., on-premise)
  • Implement and manage authorization mechanisms
  • Prevent or mitigate access control attacks
  • Manage the identity and access provisioning lifecycle (e.g., provisioning, review)

Domain 6 – Security Assessment and Testing

  • Design and validate assessment and test strategies
  • Conduct security control testing
  • Collect security process data (e.g., management and operational controls)
  • Analyze and report test outputs (e.g., automated, manual)
  • Conduct or facilitate internal and third party audits

Domain 7 – Security Operations

  • Understand and support investigations
  • Understand requirements for investigation types
  • Conduct logging and monitoring activities
  • Secure the provisioning of resources
  • Understand and apply foundational security operations concepts
  • Employ resource protection techniques
  • Conduct incident management
  • Operate and maintain preventative measures
  • Implement and support patch and vulnerability management
  • Participate in and understand change management processes (e.g., versioning, baselining, security impact analysis)
  • Implement recovery strategies
  • Implement disaster recovery processes
  • Test disaster recovery plans
  • Participate in business continuity planning and exercises
  • Implement and manage physical security
  • Participate in addressing personnel safety concerns (e.g., duress, travel, monitoring)

Domain 8 – Software Development Security

  • Understand and apply security in the software development lifecycle
  • Enforce security controls in development environments
  • Assess the effectiveness of software security
  • Assess security impact of acquired software

Associated Certifications & Exam

The CISSP draws from a comprehensive, up-to-date, global common body of knowledge that ensures security leaders have a deep knowledge and understanding of new threats, technologies, regulations, standards, and practices. The CISSP exam tests one’s competence in the 8 domains of the CISSP CBK, which cover:

  • Security and Risk Management
  • Asset Security
  • Security Engineering
  • Communications and Network Security
  • Identity and Access Management
  • Security Assessment and Testing
  • Security Operations
  • Software Development Security

**Candidates must have a minimum of 5 years of cumulative paid full-time work experience in 2 or more of the 8 domains of the CISSP. Earning a 4-year college degree or regional equivalent or an additional credential from the (ISC)² approved list will waive 1 year of the required experience. Only a 1-year experience exemption is granted for education.**

CISSP Exam Information:

  • Length of exam: 6 hours
  • Number of questions: 250
  • Question format: Multiple choice and advanced innovative questions
  • Passing grade: 700 out of 1000 points
  • Exam availability: English, French, German, Brazilian Portuguese, Spanish, Japanese, Simplified Chinese, Korean, Visually impaired
  • Testing center: Pearson VUE Testing Center