712-50 Exam Format | 712-50 Course Contents | 712-50 Course Outline | 712-50 Exam Syllabus | 712-50 Exam Objectives

Exam Name EC-Council Certified Chief Information Security Officer (CCISO)

Exam Code 712-50

Duration 150 mins

Number of Questions 150

Passing Score 72%



Governance and Risk Management

1. Define, Implement, Manage, and Maintain an Information Security Governance Program

- Form of Business Organization

- Industry

- Organizational Maturity



2. Information Security Drivers



3. Establishing an information security management structure

- Organizational Structure

- Where does the CISO fit within the organizational structure

- The Executive CISO

- Nonexecutive CISO



4. Laws/Regulations/Standards as drivers of Organizational Policy/Standards/Procedures



5. Managing an enterprise information security compliance program

- Security Policy



Necessity of a Security Policy

Security Policy Challenges

- Policy Content



Types of Policies

Policy Implementation

- Reporting Structure

- Standards and best practices

- Leadership and Ethics

- EC-Council Code of Ethics



6. Introduction to Risk Management

- Organizational Structure

- Where does the CISO fit within the organizational structure

- The Executive CISO

- Nonexecutive CISO



Information Security Controls, Compliance, and Audit Management

1. Information Security Controls

- Identifying the Organizations Information Security Needs



Identifying the Optimum Information Security Framework

Designing Security Controls

Control Lifecycle Management

Control Classification

Control Selection and Implementation

Control Catalog

Control Maturity

Monitoring Security Controls

Remediating Control Deficiencies

Maintaining Security Controls

Reporting Controls

Information Security Service Catalog

2. Compliance Management

- Acts, Laws, and Statutes



FISMA

- Regulations



GDPR

- Standards



ASD - Information Security Manual

Basel III

FFIEC

ISO 00 Family of Standards

NERC-CIP

PCI DSS

NIST Special Publications

Statement on Standards for Attestation Engagements No. 16 (SSAE 16)

3. Guidelines, Good and Best Practices

- CIS



OWASP

4. Audit Management

- Audit Expectations and Outcomes

- IS Audit Practices



ISO/IEC Audit Guidance

Internal versus External Audits

Partnering with the Audit Organization

Audit Process

General Audit Standards

Compliance-Based Audits

Risk-Based Audits

Managing and Protecting Audit Documentation

Performing an Audit

Evaluating Audit Results and Report

Remediating Audit Findings

Leverage GRC Software to Support Audits

5. Summary



Security Program Management & Operations

1. Program Management

- Defining a Security Charter, Objectives, Requirements, Stakeholders, and Strategies



Security Program Charter

Security Program Objectives

Security Program Requirements

Security Program Stakeholders

Security Program Strategy Development

- Executing an Information Security Program

- Defining and Developing, Managing and Monitoring the Information Security Program



Defining an Information Security Program Budget

Developing an Information Security Program Budget

Managing an Information Security Program Budget

Monitoring an Information Security Program Budget

- Defining and Developing Information Security Program Staffing Requirements

- Managing the People of a Security Program



Resolving Personnel and Teamwork Issues

Managing Training and Certification of Security Team Members

Clearly Defined Career Pat

Designing and Implementing a User Awareness Program

- Managing the Architecture and Roadmap of the Security Program



Information Security Program Architecture

Information Security Program Roadmap

- Program Management and Governance



Understanding Project Management Practices

Identifying and Managing Project Stakeholders

Measuring the Effectives of Projects

- Business Continuity Management (BCM) and Disaster Recovery Planning (DRP)

- Data Backup and Recovery

- Backup Strategy

- ISO BCM Standards



Business Continuity Management (BCM)

Disaster Recovery Planning (DRP)

- Continuity of Security Operations



Integrating the Confidentiality, Integrity and Availability (CIA) Model

- BCM Plan Testing

- DRP Testing

- Computer Incident Response



Incident Response Tools

Incident Response ManagementIncident Response Communications

Post-Incident Analysis

Testing Incident Response Procedures

- Digital Forensics



Crisis Management

Digital Forensics Life Cycle

2. Operations Management

- Establishing and Operating a Security Operations (SecOps) Capability

- Security Monitoring and Security Information and Event Management (SIEM)

- Event Management

- Incident Response Model



Developing Specific Incident Response Scenarios

- Threat Management

- Threat Intelligence



Information Sharing and Analysis Centers (ISAC)

- Vulnerability ManagementThreat Hunting



Vulnerability Assessments

Vulnerability Management in Practice

Penetration Testing

Security Testing Teams

Remediation

3. Summary



Information Security Core Competencies

1. Access Control

- Authentication, Authorization, and Auditing

- Authentication

- Authorization

- Auditing

- User Access Control Restrictions

- User Access Behavior Management

- Types of Access Control Models

- Designing an Access Control Plan

- Access Administration



2. Physical Security

- Designing, Implementing, and Managing Physical Security Program



Physical Risk Assessment

- Physical Location Considerations

- Obstacles and Prevention

- Secure Facility Design



Security Operations Center

Sensitive Compartmented Information Facility

Digital Forensics Lab

Datacenter

- Preparing for Physical Security Audits



3. Network Security

- Network Security Assessments and Planning

- Network Security Architecture Challenges

- Network Security Design

- Network Standards, Protocols, and Controls



Network Security Standards

Protocols

4. Certified Chief

- Network Security Controls

- Wireless (Wi-Fi) Security



Wireless Risks

Wireless Controls

- Voice over IP Security



5. Endpoint Protection

- Endpoint Threats

- Endpoint Vulnerabilities

- End User Security Awareness

- Endpoint Device Hardening

- Endpoint Device Logging

- Mobile Device Security



Mobile Device Risks

Mobile Device Security Controls

- Internet of Things Security (IoT)



Internet of Things Security (IoT)

6. Application Security

- Secure SDLC Model

- Separation of Development, Test, and Production Environments

- Application Security Testing Approaches

- DevSecOps

- Waterfall Methodology and Security

- Agile Methodology and Security

- Other Application Development Approaches

- Application Hardening

- Application Security Technologies

- Version Control and Patch Management

- Database Security

- Database Hardening

- Secure Coding Practices



7. Encryption Technologies

- Encryption and Decryption

- Cryptosystems



Blockchain

Digital Signatures and Certificates

PKI

Key Management

- Hashing

- Encryption Algorithms

- Encryption Strategy Development



Determining Critical Data Location and Type

Deciding What to Encrypt

Determining Encryption Requirements

Selecting, Integrating, and Managing Encryption Technologies

8. Virtualization Security

- Virtualization Overview

- Virtualization Risks

- Virtualization Security Concerns

- Virtualization Security Controls

- Virtualization Security Reference Model



9. Cloud Computing Security

- Overview of Cloud Computing

- Security and Resiliency Cloud Services

- Cloud Security Concerns

- Cloud Security Controls

- Cloud Computing Protection Considerations



10. Transformative Technologies

- Artificial Intelligence

- Augmented Reality

- Autonomous SOC

- Dynamic Deception

- Software-Defined Cybersecurity



11. Summary



Strategic Planning, Finance, Procurement, and Vendor Management

1. Strategic Planning

- Understanding the Organization



Understanding the Business Structure

Determining and Aligning Business and Information Security Goals

Identifying Key Sponsors, Stakeholders, and Influencers

Understanding Organizational Financials

- Creating an Information Security Strategic Plan



Strategic Planning Basics

Alignment to Organizational Strategy and Goals

Defining Tactical Short, Medium, and Long-Term Information Security Goals

Information Security Strategy Communication

Creating a Culture of Security

2. Designing, Developing, and Maintaining an Enterprise Information Security Program

- Ensuring a Sound Program Foundation

- Architectural Views

- Creating Measurements and Metrics

- Balanced Scorecard

- Continuous Monitoring and Reporting Outcomes

- Continuous Improvement

- Information Technology Infrastructure Library (ITIL) Continual Service Improvement (
CSI)


3. Understanding the Enterprise Architecture (EA)

- EA Types



The Zachman Framework

The Open Group Architecture Framework (TOGAF)

Sherwood Applied Business Security Architecture (SABSA)

Federal Enterprise Architecture Framework (FEAF)

4. Finance

- Understanding Security Program Funding

- Analyzing, Forecasting, and Developing a Security Budget



Resource Requirements

Define Financial Metrics

Technology Refresh

New Project Funding

Contingency Funding

- Managing the information Security Budget



Obtain Financial Resources

Allocate Financial Resources

Monitor and Oversight of Information Security Budget

Report Metrics to Sponsors and Stakeholders

Balancing the Information Security Budget

5. Procurement

- Procurement Program Terms and Concepts



Statement of Objectives (SOO)

Statement of Work (SOW)

Total Cost of Ownership (TCO)

Request for Information (RFI)

Request for Proposal (RFP)

Master Service Agreement (MSA)

Service Level Agreement (SLA)

Terms and Conditions (T&C)

- Understanding the Organizations Procurement Program



Internal Policies, Processes, and Requirements

External or Regulatory Requirements

Local Versus Global Requirements

- Procurement Risk Management



Standard Contract Language

6. Vendor Management

- Understanding the Organizations Acquisition Policies and Procedures



Procurement Life cycle

- Applying Cost-Benefit Analysis (CBA) During the Procurement Process5

- Vendor Management Policies

- Contract Administration Policies



Service and Contract Delivery Metrics

Contract Delivery Reporting

Change Requests

Contract Renewal

Contract Closure

- Delivery Assurance



Validation of Meeting Contractual Requirements

Formal Delivery Audits

Periodic Random Delivery Audits

Third-Party Attestation Services (TPRM)