Certified Cyber Governance, Risk and Compliance GRC Professional

Cybersecurity has become a major priority for companies and organizations around the world. There are millions of cybersecurity positions open and unfilled, and a shortage of cyber security talent. Companies and organizations need cybersecurity professionals equipped with the knowledge, skills, and abilities to stay ahead of, and to cope with, evolving threats and vulnerabilities.

Cybersecurity risk management comprises the full range of activities undertaken to protect IT and data from unauthorized access and other cyber threats, to maintain awareness of cyber threats, to detect anomalies and incidents adversely affecting IT and data, and to mitigate the impact of, respond to, and recover from incidents. Effective risk management involves more than just protecting IT and data currently in place. It also requires planning so that maintenance, improvements, and modernization occur in a coordinated way and with appropriate regularity.

Objectives:

The CC(GRC)P program has been designed to provide with the knowledge and skills needed to understand and support firms and organizations in cyber risk and compliance management. The course provides with the skills needed to pass the Certified Cyber (Governance Risk and Compliance) Professional – CC(GRC)P exam.

Target Audience:

Managers and employees working at the strategic, tactical, and operational levels of information security, IT and risk management.
Information security manager, employees, auditors, and consultant.
Threat analysts.
Vulnerability assessment manager, employees, auditors, and consultants.
Risk and compliance manager, employees, auditors, and consultants.
IT manager, employees, auditors, and consultants.
Network, systems and security administrators.
Senior managers involved in risk and compliance management.
Data protection and privacy manager, employees, auditors and consultants.
IT, information security, risk and compliance management vendor, suppliers, and service providers.

Course Outline:

Part 1: Introduction

Demand for Cyber Risk / Information Security Professionals … and compensation.
Introduction to Cyber (Governance, Risk, Compliance).
From Cyberspace to Information Operations (IO) to Cyber Espionage.
Cyber risks today, and what is different for organizations and employees.

Part 2: Attacks and Modus Operandi

Who is the attacker?
Eleven types of internet security attacks.
Attacks on the critical infrastructure.
Attacks on the internet infrastructure.
Deliberate persistent attacks on specific resources.
Widespread automated attacks against internet sites.
Threats, harassment, and other criminal offences involving individual user accounts.
New types of attacks or new vulnerabilities.
Denial of Service (DoS) and Distributed Denial of Service (DDoS).
Forgery and misrepresentation.
Compromise of single desktop systems.
Copyright violations.

Modus Operandi

Step 1 – Collecting information about persons and systems

Reconnaissance: The research phase used to identify and select targets.
Looking for information about the systems.
Looking for information about the persons working in the target organization (or for the target organization).
Outsourcing and budget cuts can have hidden costs.
Who has signed a confidentiality agreement? A good list of prime targets for all adversaries.
Looking at our daily activities from the adversaries’ point of view.
More prime targets: Disgruntled employees, ideologists, employees having a lavish lifestyle, employees having “weaknesses”, lawyers having access to trade secrets and sensitive information.

Step 2 – Identifying possible targets and victims

Hardware attacks, software attacks.
Malicious hardware modifications: Acquiring hardware components with a backdoor, and how it affects all other information security policies.
Phishing, social phishing, spear phishing, watering hole attacks.
Which systems and which persons? The hit lists.

Step 3 – Evaluation, recruitment and testing

Exploiting more vulnerabilities in certain systems.
Deciding to work more with certain persons.
Blackmailing employees: The art and the science.
Testing the asset.
The problem with the sleeper agents.

Step 4 – Privilege escalation

Vertical privilege escalation, where adversaries grant themselves higher privileges.
Horizontal privilege escalation, where adversaries use the identity of other users with similar privileges.
Obtaining customer account details.
Internal information, social engineering.

Step 5 – Identification of important clients and stakeholders

Attackers have access to personal information. What is next?
Identifying important clients and stakeholders working in the public and the private sector.
Repeating the process – Steps 1 to 4.

Step 6 – Critical infrastructure

Creating backdoors.
Covering their tracks.
Ticking time bombs and backdoor triggers based on specific input data.
Selling information in the secondary markets (to other attackers, competitors, spies and the organized crime).

Part 3: Information Warfare, Cyber Espionage

Information Warfare

The famous paradoxical trinity of Clausewitz.
Cyberspace – a domain of war.
Jus ad bellum, just in bello, jus post bellum.
Article 2(4) and Article 51, United Nations (UN) Charter.
Interpretations of Article 2(4) and Article 51.
From the International Strategy for Cyberspace, to the G7 Finance Ministers and Central Bank Governors, to the Law of War Manual, Cyber Operations.
Information Operations (IO).
Information Operations and their supporting capabilities.
Defensive Information Operations.
Net-centric warfare.
Cyberspace and national security.
Hackers, Spies, or Hybrid Warfare?
The Gerasimov’s Doctrine- Case Studies.

Cyber Espionage

Espionage, Intelligence.
Political, Economic, Military Intelligence.
Competitive Intelligence vs. Economic or Industrial Espionage.
From UK, MI5.
From UK SIS, MI6.
From UK, Centre for the Protection of National Infrastructure (CPNI).
Counterintelligence (CI).
Cyber Espionage.
case studies.
Strategic counterintelligence.
The Ten Commandments of Counterintelligence (from James M. Olson that served in the Directorate of Operations of the CIA) that apply in Cybersecurity.
Gentlemen don’t read each other’s mail.

Part 4: Defense

Cyber Hygiene.
The U.S. National Institute of Standards and Technology Cybersecurity
Framework (NIST CSF).
The Functions:
internal stakeholders and executive and management teams.
The Framework Implementation Tiers (“Tiers”).
From Partial (Tier 1) to Adaptive (Tier 4).
The Framework Profile.
Coordination of Framework Implementation.
Establishing or Improving a Cybersecurity Program.
Methodology to Protect Privacy and Civil Liberties.
Governance of cybersecurity risk.
Awareness and training measures.
Penetration Testing.
Guidance from the Securities and Exchange Commission (SEC), Division of Corporation Finance, regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
The new international standards for cyber security after Regulation (EU) 2016/679 (General Data Protection Regulation).