Board of Directors Governance
- Strategic Risk
- Business Risk
- Risk Culture
- Risk Appetite Statement
- Risk Tolerance
- Key Risk Indicators
- IT Security Budget
- Audit & Compliance
Risk Management Committee
- Operational Risk
- Key Risk Indicators (KRIs) by Business Unit
- Key Performance Indicators (KPIs) by Business Unit
Information Security Management
- Program Plan
- Roles, Responsibilities & Structure
- Program Management Office & Security Portfolio Management
- Operations Handbook
Information Security Governance
- Security Enterprise Architecture
- Integrity & Change Control
- Security Configuration Management
Compliance & Audit
- FISMA
- NIST
- ISO 27001
- PCI-DSS
- HIPAA
- U.S. Federal Government Inspectors General
Policy and Process Design
- CISO-owned
- Relevant non-CISO-owned
Risk Management
- National Institute of Standards and Technology (NIST)
- NIST Cyber Security Framework (CSF)
- Enterprise Risk Management
- Enterprise Risk Register
- IT Programs Risk Register
- Performing Enterprise Risk Assessment
- Enterprise Risk Response
Security Engineering and Architecture
- Tools Effectiveness Assessment
- Software Supply Chain Risk Management
- Building Security In
- Engineering in Resilience
- CERT® Resilience Management Model (CERT-RMM)
- Agile Security Architecture
- Common Controls Selection
- Tool Selection & Implementation
Security Testing
- Third Party Application / Component Assessment
- Source & Provenance
- Sandbox Testing
- Procurement
- Open Source Software
- Strong Authentication
- Application Security Testing (static & dynamic)
- Testing to Security Functional Requirements
- Penetration Testing
- Continuous Monitoring of Vulnerabilities
Application Development
- Secure Coding Standards
- Secure Software/System Development Lifecycle Process
- Specifying Security Functional Requirements
- Security Functional Requirements Design Patterns
- Security Resources for Developers
- DevSecOps Pipeline & Process
Security Operations Center (SOC)
- Testing & Mapping Control Effectiveness
- SOC Design, Tool Selection & Review
- Incident Response (IR) Procedures
- Cyber Threat Intelligence Feeds
- Playbook Development
- Security Orchestration and Automation Response (SOAR)
- Threat Hunting
- MITRE ATT&CK™ Framework
- Attack Detections
- AI & Machine Learning Planning & Effectiveness
Identity, Credential and Access Management (ICAM)
- Identity Proofing
- Identity Management
- Device Identity Management
- Multifactor Authentication Authenticators
- Credential Issuance
- Public Key Infrastructure
- Federation
- Single Sign On (SSO) & Strong Authentication
- Access Lifecycle Management
- Federation of Authoritative Attributes
- Dynamic / Attribute Based Access Control (DAC/ABAC)
- User & Entity Behavior Analytics (UEBA)
Privacy
- Engineering Assessment (Privacy by Design)
- GDPR
- Program Management & Customer Care
- U.S. and State Laws
- International Conventions
- Downstream Disclosure Controls
Insider Threat Program
- Establishing an Insider Threat Program
- Operating an Insider Threat Program
Vendor Risk Management
- Privacy & Security
- Contractual Considerations
- Service Level Agreements
- Inspections
Security & Performance Reporting
- Security Operations
- Identity, Credential and Access Management
- Continuous Monitoring
- System Compliance
- Privacy
- Key Control Indicators (KCIs)
- Key Performance Indicators (KPIs)
- Service Level Agreements (SLAs) – Internal & External
- Key Risk Indicators (KRIs)
- Leadership Reporting & Dashboard
- Executive Dashboard & Reporting
Breach & Disaster Response, Contingency Planning
- Business Resilience & Impact Assessment
- Develop Breach & Disaster Response, Contingency Plans
- Develop Breach Response Communications Plan
- Periodic Plan Testing Exercises & Updates
Security Innovation
- Design Thinking
- Technology Research
- Tools Research
- Gap Analysis & Roadmap Definition
- Digital / Organizational Transformation
MITRE ATT&CK and ATT&CK are trademarks of The MITRE Corporation.
CERT® is a registered mark of Carnegie Mellon University.