712-50 Exam Information and Guideline
EC-Council Certified CISO (CCISO)
Below are complete topics detail with latest syllabus and course outline, that will help you good knowledge about exam objectives and topics that you have to prepare. These contents are covered in questions and answers pool of exam.
Exam Name EC-Council Certified Chief Information Security Officer (CCISO)
Exam Code 712-50
Duration 150 mins
Number of Questions 150
Passing Score 72%
Governance and Risk Management
1. Define, Implement, Manage, and Maintain an Information Security Governance Program
- Form of Business Organization
- Industry
- Organizational Maturity
2. Information Security Drivers
3. Establishing an information security management structure
- Organizational Structure
- Where does the CISO fit within the organizational structure
- The Executive CISO
- Nonexecutive CISO
4. Laws/Regulations/Standards as drivers of Organizational Policy/Standards/Procedures
5. Managing an enterprise information security compliance program
- Security Policy
Necessity of a Security Policy
Security Policy Challenges
- Policy Content
Types of Policies
Policy Implementation
- Reporting Structure
- Standards and best practices
- Leadership and Ethics
- EC-Council Code of Ethics
6. Introduction to Risk Management
- Organizational Structure
- Where does the CISO fit within the organizational structure
- The Executive CISO
- Nonexecutive CISO
Information Security Controls, Compliance, and Audit Management
1. Information Security Controls
- Identifying the Organizations Information Security Needs
Identifying the Optimum Information Security Framework
Designing Security Controls
Control Lifecycle Management
Control Classification
Control Selection and Implementation
Control Catalog
Control Maturity
Monitoring Security Controls
Remediating Control Deficiencies
Maintaining Security Controls
Reporting Controls
Information Security Service Catalog
2. Compliance Management
- Acts, Laws, and Statutes
FISMA
- Regulations
GDPR
- Standards
ASD - Information Security Manual
Basel III
FFIEC
ISO 00 Family of Standards
NERC-CIP
PCI DSS
NIST Special Publications
Statement on Standards for Attestation Engagements No. 16 (SSAE 16)
3. Guidelines, Good and Best Practices
- CIS
OWASP
4. Audit Management
- Audit Expectations and Outcomes
- IS Audit Practices
ISO/IEC Audit Guidance
Internal versus External Audits
Partnering with the Audit Organization
Audit Process
General Audit Standards
Compliance-Based Audits
Risk-Based Audits
Managing and Protecting Audit Documentation
Performing an Audit
Evaluating Audit Results and Report
Remediating Audit Findings
Leverage GRC Software to Support Audits
5. Summary
Security Program Management & Operations
1. Program Management
- Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies
Security Program Charter
Security Program Objectives
Security Program Requirements
Security Program Stakeholders
Security Program Strategy Development
- Executing an Information Security Program
- Defining and Developing, Managing and Monitoring the Information Security Program
Defining an Information Security Program Budget
Developing an Information Security Program Budget
Managing an Information Security Program Budget
Monitoring an Information Security Program Budget
- Defining and Developing Information Security Program Staffing Requirements
- Managing the People of a Security Program
Resolving Personnel and Teamwork Issues
Managing Training and Certification of Security Team Members
Clearly Defined Career Pat
Designing and Implementing a User Awareness Program
- Managing the Architecture and Roadmap of the Security Program
Information Security Program Architecture
Information Security Program Roadmap
- Program Management and Governance
Understanding Project Management Practices
Identifying and Managing Project Stakeholders
Measuring the Effectives of Projects
- Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)
- Data Backup and Recovery
- Backup Strategy
- ISO BCM Standards
Business Continuity Management (BCM)
Disaster Recovery Planning (DRP)
- Continuity of Security Operations
Integrating the Confidentiality, Integrity and Availability (CIA) Model
- BCM Plan Testing
- DRP Testing
- Computer Incident Response
Incident Response Tools
Incident Response ManagementIncident Response Communications
Post-Incident Analysis
Testing Incident Response Procedures
- Digital Forensics
Crisis Management
Digital Forensics Life Cycle
2. Operations Management
- Establishing and Operating a Security Operations (SecOps) Capability
- Security Monitoring and Security Information and Event Management (SIEM)
- Event Management
- Incident Response Model
Developing Specific Incident Response Scenarios
- Threat Management
- Threat Intelligence
Information Sharing and Analysis Centers (ISAC)
- Vulnerability ManagementThreat Hunting
Vulnerability Assessments
Vulnerability Management in Practice
Penetration Testing
Security Testing Teams
Remediation
3. Summary
Information Security Core Competencies
1. Access Control
- Authentication, Authorization, and Auditing
- Authentication
- Authorization
- Auditing
- User Access Control Restrictions
- User Access Behavior Management
- Types of Access Control Models
- Designing an Access Control Plan
- Access Administration
2. Physical Security
- Designing, Implementing, and Managing Physical Security Program
Physical Risk Assessment
- Physical Location Considerations
- Obstacles and Prevention
- Secure Facility Design
Security Operations Center
Sensitive Compartmented Information Facility
Digital Forensics Lab
Datacenter
- Preparing for Physical Security Audits
3. Network Security
- Network Security Assessments and Planning
- Network Security Architecture Challenges
- Network Security Design
- Network Standards, Protocols, and Controls
Network Security Standards
Protocols
4. Certified Chief
- Network Security Controls
- Wireless (Wi-Fi) Security
Wireless Risks
Wireless Controls
- Voice over IP Security
5. Endpoint Protection
- Endpoint Threats
- Endpoint Vulnerabilities
- End User Security Awareness
- Endpoint Device Hardening
- Endpoint Device Logging
- Mobile Device Security
Mobile Device Risks
Mobile Device Security Controls
- Internet of Things Security (IoT)
Internet of Things Security (IoT)
6. Application Security
- Secure SDLC Model
- Separation of Development, Test, and Production Environments
- Application Security Testing Approaches
- DevSecOps
- Waterfall Methodology and Security
- Agile Methodology and Security
- Other Application Development Approaches
- Application Hardening
- Application Security Technologies
- Version Control and Patch Management
- Database Security
- Database Hardening
- Secure Coding Practices
7. Encryption Technologies
- Encryption and Decryption
- Cryptosystems
Blockchain
Digital Signatures and Certificates
PKI
Key Management
- Hashing
- Encryption Algorithms
- Encryption Strategy Development
Determining Critical Data Location and Type
Deciding What to Encrypt
Determining Encryption Requirements
Selecting, Integrating, and Managing Encryption Technologies
8. Virtualization Security
- Virtualization Overview
- Virtualization Risks
- Virtualization Security Concerns
- Virtualization Security Controls
- Virtualization Security Reference Model
9. Cloud Computing Security
- Overview of Cloud Computing
- Security and Resiliency Cloud Services
- Cloud Security Concerns
- Cloud Security Controls
- Cloud Computing Protection Considerations
10. Transformative Technologies
- Artificial Intelligence
- Augmented Reality
- Autonomous SOC
- Dynamic Deception
- Software-Defined Cybersecurity
11. Summary
Strategic Planning, Finance, Procurement, and Vendor Management
1. Strategic Planning
- Understanding the Organization
Understanding the Business Structure
Determining and Aligning Business and Information Security Goals
Identifying Key Sponsors, Stakeholders, and Influencers
Understanding Organizational Financials
- Creating an Information Security Strategic Plan
Strategic Planning Basics
Alignment to Organizational Strategy and Goals
Defining Tactical Short, Medium, and Long-Term Information Security Goals
Information Security Strategy Communication
Creating a Culture of Security
2. Designing, Developing, and Maintaining an Enterprise Information Security Program
- Ensuring a Sound Program Foundation
- Architectural Views
- Creating Measurements and Metrics
- Balanced Scorecard
- Continuous Monitoring and Reporting Outcomes
- Continuous Improvement
- Information Technology Infrastructure Library (ITIL) Continual Service Improvement (
CSI)
3. Understanding the Enterprise Architecture (EA)
- EA Types
The Zachman Framework
The Open Group Architecture Framework (TOGAF)
Sherwood Applied Business Security Architecture (SABSA)
Federal Enterprise Architecture Framework (FEAF)
4. Finance
- Understanding Security Program Funding
- Analyzing, Forecasting, and Developing a Security Budget
Resource Requirements
Define Financial Metrics
Technology Refresh
New Project Funding
Contingency Funding
- Managing the information Security Budget
Obtain Financial Resources
Allocate Financial Resources
Monitor and Oversight of Information Security Budget
Report Metrics to Sponsors and Stakeholders
Balancing the Information Security Budget
5. Procurement
- Procurement Program Terms and Concepts
Statement of Objectives (SOO)
Statement of Work (SOW)
Total Cost of Ownership (TCO)
Request for Information (RFI)
Request for Proposal (RFP)
Master Service Agreement (MSA)
Service Level Agreement (SLA)
Terms and Conditions (T&C)
- Understanding the Organizations Procurement Program
Internal Policies, Processes, and Requirements
External or Regulatory Requirements
Local Versus Global Requirements
- Procurement Risk Management
Standard Contract Language
6. Vendor Management
- Understanding the Organizations Acquisition Policies and Procedures
Procurement Life cycle
- Applying Cost-Benefit Analysis (CBA) During the Procurement Process5
- Vendor Management Policies
- Contract Administration Policies
Service and Contract Delivery Metrics
Contract Delivery Reporting
Change Requests
Contract Renewal
Contract Closure
- Delivery Assurance
Validation of Meeting Contractual Requirements
Formal Delivery Audits
Periodic Random Delivery Audits
Third-Party Attestation Services (TPRM)