Board of Directors Governance

  • Strategic Risk
  • Business Risk
  • Risk Culture
  • Risk Appetite Statement
  • Risk Tolerance
  • Key Risk Indicators
  • IT Security Budget
  • Audit & Compliance

Risk Management Committee

  • Operational Risk
  • Key Risk Indicators (KRIs) by Business Unit
  • Key Performance Indicators (KPIs) by Business Unit

Information Security Management

  • Program Plan
  • Roles, Responsibilities & Structure
  • Program Management Office & Security Portfolio Management
  • Operations Handbook

Information Security Governance

  • Security Enterprise Architecture
  • Integrity & Change Control
  • Security Configuration Management

Compliance & Audit

  • FISMA
  • NIST
  • ISO 27001
  • PCI-DSS
  • HIPAA
  • U.S. Federal Government Inspectors General

Policy and Process Design

  • CISO-owned
  • Relevant non-CISO-owned

Risk Management

  • National Institute of Standards and Technology (NIST)
  • NIST Cyber Security Framework (CSF)
  • Enterprise Risk Management
  • Enterprise Risk Register
  • IT Programs Risk Register
  • Performing Enterprise Risk Assessment
  • Enterprise Risk Response

Security Engineering and Architecture

  • Tools Effectiveness Assessment
  • Software Supply Chain Risk Management
  • Building Security In
  • Engineering in Resilience
  • CERT® Resilience Management Model (CERT-RMM)
  • Agile Security Architecture
  • Common Controls Selection
  • Tool Selection & Implementation

Security Testing

  • Third Party Application / Component Assessment
    • Source & Provenance
    • Sandbox Testing
    • Procurement
    • Open Source Software
    • Strong Authentication
  • Application Security Testing (static & dynamic)
  • Strong Authentication
  • Testing to Security Functional Requirements
  • Penetration Testing
  • Continuous Monitoring of Vulnerabilities

Application Development

  • Secure Coding Standards
  • Secure Software/System Development Lifecycle Process
  • Specifying Security Functional Requirements
  • Security Functional Requirements Design Patterns
  • Security Resources for Developers
  • DevSecOps Pipeline & Process

Security Operations Center (SOC)

  • Testing & Mapping Control Effectiveness
  • SOC Design, Tool Selection & Review
  • Incident Response (IR) Procedures
  • Cyber Threat Intelligence Feeds
  • Playbook Development
  • Security Orchestration, Automation and Response (SOAR)
  • Threat Hunting
  • MITRE ATT&CK™ Framework
  • Attack Detections
  • AI & Machine Learning Planning & Effectiveness

Identity, Credential and Access Management (ICAM)

  • Identity Proofing
  • Identity Management
  • Device Identity Management
  • Multifactor Authentication Authenticators
  • Credential Issuance
  • Public Key Infrastructure
  • Federation
  • Single Sign On (SSO) & Strong Authentication
  • Access Lifecycle Management
  • Federation of Authoritative Attributes
  • Dynamic / Attribute Based Access Control (DAC/ABAC)
  • User & Entity Behavior Analytics (UEBA)

Privacy

  • Engineering Assessment (Privacy by Design)
  • GDPR
  • Program Management & Customer Care
  • U.S. and State Laws
  • International Conventions
  • Downstream Disclosure Controls

Insider Threat Program

  • Establishing an Insider Threat Program
  • Operating an Insider Threat Program

Vendor Risk Management

  • Privacy & Security
  • Contractual Considerations
  • Service Level Agreements
  • Inspections

Security & Performance Reporting

  • Security Operations
  • Identity, Credential and Access Management
  • Continuous Monitoring
  • System Compliance
  • Privacy
  • Key Control Indicators (KCIs)
  • Key Performance Indicators (KPIs)
  • Service Level Agreements (SLAs) – Internal & External
  • Key Risk Indicators (KRIs)
  • Leadership Reporting & Dashboard
  • Executive Dashboard & Reporting

Breach & Disaster Response, Contingency Planning

  • Business Resilience & Impact Assessment
  • Develop Breach & Disaster Response, Contingency Plans
  • Develop Breach Response Communications Plan
  • Periodic Plan Testing Exercises & Updates

Security Innovation

  • Design Thinking
  • Technology Research
  • Tools Research
  • Gap Analysis & Roadmap Definition
  • Digital / Organizational Transformation

MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CERT® is a registered mark of Carnegie Mellon University.