(Viewing at home = 0%, viewing at the centre = 100%)
100% in-centre viewing dates and times:
Freely chosen; click a district below to see its office hours and location.
Course hours: 24 hours
Access period: 8 weeks. You control the pace and can go as fast or as slow as you like.
Instructor in the recorded classes: Franco
Free in-centre trial: the first 3 hours; please call the location above to book with the centre's staff.
This course includes free in-centre re-viewing and an instructor Q&A service.
(Viewing at home = 100%, viewing at the centre = 0%)
100% at-home viewing dates and times:
Watch 24 hours a day, any time, an unlimited number of times.
Tuition: $4,480. Enrol by phone.
Phone: 2332-6544
Course hours: 24 hours
Access period: 8 weeks. You control the pace and can go as fast or as slow as you like.
Instructor in the recorded classes: Franco
Free in-centre trial: the first 3 hours; please call the location above to book with the centre's staff.
This course includes an instructor Q&A service.
In today's increasingly complex business environment, a sound Governance, Risk, and Compliance (GRC) strategy is essential to sustaining an enterprise's growth and keeping it legally compliant. Faced with ever-stricter regulatory requirements and potential security threats, professional GRC knowledge not only helps an enterprise manage risk effectively, but also protects its business interests and the security of its customers' data.
To this end, we have launched the Certified in Governance, Risk and Compliance (CGRC) internationally recognised certificate course, which aims to provide comprehensive and systematic training for those who wish to deepen their professional knowledge of enterprise governance, risk management and compliance. Designed by highly experienced experts, the course covers the full CGRC certification exam syllabus, with in-depth analysis of the key areas, from establishing an organisational governance structure and identifying and assessing risk to formulating and executing compliance strategies.
The centre's Certified in Governance, Risk and Compliance (CGRC) internationally recognised certificate course was prepared over a long period and carefully structured by Franco Tsang. From lectures, revision, hands-on practice and exam study to practice questions and the final exam, everything is tailor-made for you and systematically arranged, with the aim of genuinely teaching you the material and getting you through the exam.
To obtain the CGRC, students need to:
- Have 2 years of work experience in the governance, risk management and compliance fields.
- Pass the CGRC exam. (We provide a large bank of practice questions to make passing the exam easier.)
- Complete the Endorsement process. (The centre's CGRC students may apply to the centre for free assistance with Endorsement; the centre provides the Endorsement service free of charge in accordance with ISC2 guidelines.)
- Pass ISC2's review.
Note: applicants who do not yet have sufficient work experience may still take this course and the CGRC exam. After passing the exam they become an Associate of ISC2, and once they have accumulated enough work experience within the following 2 years they may apply to become a CGRC.
Course name: | Certified in Governance, Risk and Compliance (CGRC) internationally recognised certificate course - short name: CGRC Training Course |
Course hours: | 24 hours in total (8 sessions) |
Suitable for: | Anyone; no prior experience required. |
Language of instruction: | Mainly Cantonese, supplemented with English. |
Course notes: | Notes written by the centre's instructor, primarily in English, with Chinese glosses for some of the English terms. |
1. Taught personally by Franco Tsang (CCIE #19772): | This course is taught personally by Franco Tsang, who holds professional certifications including Triple CCIE, CISA, CISM, CRISC, CDPSE, CISSP, ITILv3 Expert, ITIL 4 Managing Professional, ITIL 4 Strategic Leader and PMP. |
2. Notes written personally by Franco Tsang: | Franco writes the course notes himself, so you do not have to grind through dictionary-thick textbooks that do not suit the way Hong Kong students study. |
3. Mock exam questions provided: | The centre provides students with a generous set of mock exam questions, each with a model answer. Questions that are harder to understand come with Franco's explanation. |
4. Complex topics explained simply: | In class Franco explains the relevant concepts in an accessible way, so that students grasp abstract management concepts. |
5. Free re-viewing: | Students of the traditional classroom course may re-watch the class recordings free of charge within three months after the course ends. |
First, go to the ISC2 website yourself, create an ISC2 Account and sign in with it; then follow the site's instructions to complete your personal details (name, phone number, e-mail address and so on). Important: the details you enter must match those on the identity document you will present at the exam centre. If they do not match exactly, you will not be allowed to sit the exam and no fees will be refunded. After submitting ISC2's online form you will be redirected to the Pearson VUE website, where you can schedule the exam at this centre and pay the USD$599 exam fee. On the day of the exam you must present the following two valid identity documents on arrival at the centre; otherwise you cannot sit the exam, and the exam fee already paid will not be refunded:
The exam questions are delivered from the exam centre in Australia to the computer you sit the exam on, and you answer on that computer. All questions are in English, and the exam consists of 125 multiple-choice questions. The passing score is 700 out of 1000 points.
Course name: Certified in Governance, Risk and Compliance (CGRC) internationally recognised certificate course - short name: CGRC Training Course
Domain 1 Security and Privacy Governance, Risk Management, and Compliance Program
1.1 Demonstrate knowledge in security and privacy governance, risk management, and compliance program
1.1.1 Principles of governance, risk management, and compliance
1.1.2 Risk management and compliance frameworks using national and international standards and guidelines for security and privacy requirements (e.g., National Institute of Standards and Technology (NIST), cybersecurity framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC))
1.1.3 System Development Life Cycle (SDLC) (e.g., requirements gathering, design, development, testing, and operations/maintenance/disposal)
1.1.4 Information lifecycle for each data type processed, stored, or transmitted (e.g., retaining, disposal/destruction, data flow, marking)
1.1.5 Confidentiality, integrity, availability, non-repudiation, and privacy concepts
1.1.6 System assets and boundary descriptions
1.1.7 Security and privacy controls and requirements
1.1.8 Roles and responsibilities for compliance activities and associated frameworks
1.2 Demonstrate knowledge in security and privacy governance, risk management and compliance program processes
1.2.1 Establishment of compliance program for the applicable framework
1.3 Demonstrate knowledge of compliance frameworks, regulations, privacy, and security requirements
1.3.1 Familiarity with compliance frameworks (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS), Cybersecurity Maturity Model Certification)
1.3.2 Familiarity with other national and international laws and requirements for security and privacy (e.g., Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), executive orders, General Data Protection Regulation (GDPR))
Domain 2 Scope of the System
2.1 Describe the system
2.1.1 System name and scope documented
2.1.2 System purpose and functionality
2.2 Determine security compliance required
2.2.1 Information types processed, stored, or transmitted
2.2.2 Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), data protection impact assessment)
2.2.3 Risk impact level determined for system based on the selected framework
Domain 3 Selection and Approval of Framework, Security, and Privacy Controls
3.1 Identify and document baseline and inherited controls
3.2 Select and tailor controls
3.2.1 Determination of applicable baseline and/or inherited controls
3.2.2 Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls)
3.2.3 Specific data handling/marking requirements identified
3.2.4 Control selection documentation
3.2.5 Continued compliance strategy (e.g., continuous monitoring, vulnerability management)
3.2.6 Control allocation and stakeholder agreement
Domain 4 Implementation of Security and Privacy Controls
4.1 Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness)
4.1.1 Control implementation aligned with organizational expectations, national or international requirements, and compliance for security and privacy controls
4.1.2 Identification of control types (e.g., management, technical, common, operational control)
4.1.3 Frequency established for compliance documentation reviews and training
4.2 Implement selected controls
4.2.1 Control implementation consistent with compliance requirements
4.2.2 Compensating or alternate security controls implemented
4.3 Document control implementation
4.3.1 Residual security risk or planned implementations documented (e.g., Plan of Action and Milestones (POA&M), risk register)
4.3.2 Implemented controls documented consistent with the organization's purpose, scope, and risk profile (e.g., policies, procedures, plans)
Domain 5 Assessment/Audit of Security and Privacy Controls
5.1 Prepare for assessment/audit
5.1.1 Stakeholder roles and responsibilities established
5.1.2 Objectives, scope, resources, schedule, deliverables, and logistics outlined
5.1.3 Assets, methods, and level of effort scoped
5.1.4 Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies)
5.1.5 Assessment/audit plan finalized
5.2 Conduct assessment/audit
5.2.1 Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, vulnerability scanning)
5.2.2 Evidence verified and validated
5.3 Prepare the initial assessment/audit report
5.3.1 Risks identified during the assessment/audit provided
5.3.2 Risk mitigation summaries outlined
5.3.3 Preliminary findings recorded
5.4 Review initial assessment/audit report and plan risk response actions
5.4.1 Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies
5.4.2 Risk response collaborated with stakeholders
5.4.3 Non-compliant findings with newly applied corrective actions reassessed and validated
5.5 Develop final assessment/audit report
5.5.1 Final compliance documented (e.g., compliant, non-compliant, not applicable)
5.5.2 Recommendations documented when appropriate
5.5.3 Assessment report finalized
5.6 Develop risk response plan
5.6.1 Residual risks and deficiencies identified
5.6.2 Risk prioritized
5.6.3 Required resources identified (e.g., financial, personnel, and technical) to determine time required to mitigate risk
Domain 6 System Compliance
6.1 Review and submit security/privacy documents
6.1.1 Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing official, third-party assessment organizations, agency) compiled, reviewed, and submitted
6.2 Determine system risk posture
6.2.1 System risk acceptance criteria
6.2.2 Residual risk determination
6.2.3 Stakeholder concurrence for risk treatment options
6.2.4 Residual risks defined in formal documentation
6.3 Document system compliance
6.3.1 Formal notification of compliance decision
6.3.2 Formal notification shared with stakeholders
Domain 7 Compliance Maintenance
7.1 Perform system change management
7.1.1 Changes weigh the impact to organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines)
7.1.2 Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board)
7.1.3 Deploy to the environment (e.g., test, development, production) with rollback plan
7.1.4 Changes to the system tracked and compliance enforced
7.2 Perform ongoing compliance activities based on requirements
7.2.1 Frequency established for ongoing compliance activities review with stakeholders
7.2.2 System and assets monitored (e.g., physical and logical assets, personnel, change control)
7.2.3 Incident response and contingency activities performed
7.2.4 Security updates performed and risks remediated/tracked
7.2.5 Evidence collected, testing performed, documentation updated (e.g., service level agreements, third party contracts, policies, procedures), and submission/communication to stakeholders when applicable
7.2.6 Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security and privacy)
7.2.7 Revising monitoring strategies based on updates to legal, regulatory, supplier, security and privacy requirements
7.3 Engage in audit activities based on compliance requirements
7.3.1 Required testing and vulnerability scanning performed
7.3.2 Personnel interviews conducted
7.3.3 Documentation reviewed and updated
7.4 Decommission system when applicable
7.4.1 Requirements for system decommissioning reviewed with stakeholders
7.4.2 System removed from operations and decommissioned
7.4.3 Documentation of the decommissioned system retained and shared with stakeholders
1 Security and Privacy Governance, Risk Management, and Compliance Program
1.1 Demonstrate knowledge in security and privacy governance, risk management, and compliance program
1.1.1 Principles of governance, risk management, and compliance
1.1.1.1 Governance
1.1.1.2 Risk Management
1.1.1.3 Compliance
1.1.1.4 Integration of Governance, Risk Management, and Compliance (GRC)
1.1.1.5 NIST Guidelines Relevant to GRC
1.1.2 Risk management and compliance frameworks using national and international standards and guidelines for security and privacy requirements (e.g., National Institute of Standards and Technology (NIST), cybersecurity framework, Control Objectives for Information and Related Technology (COBIT), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC))
1.1.2.1 National Institute of Standards and Technology (NIST)
1.1.2.1.1 NIST Risk Management Framework (RMF)
1.1.2.1.2 NIST Cybersecurity Framework (CSF)
1.1.2.2 Control Objectives for Information and Related Technology (COBIT)
1.1.2.3 International Organization for Standardization/International Electrotechnical Commission (ISO/IEC)
1.1.2.3.1 ISO/IEC 27001: Information Security Management
1.1.2.3.2 ISO/IEC 27002: Code of Practice for Information Security Controls
1.1.3 System Development Life Cycle (SDLC) (e.g., requirements gathering, design, development, testing, and operations/maintenance/disposal)
1.1.3.1 Introduction
1.1.3.2 Phases of SDLC
1.1.3.3 Security and Privacy Integration in SDLC
1.1.4 Information lifecycle for each data type processed, stored, or transmitted (e.g., retaining, disposal/destruction, data flow, marking)
1.1.4.1 Introduction
1.1.4.2 Stages of the Information Lifecycle
1.1.4.3 Data Flow Considerations
1.1.4.4 Retention Policies
1.1.4.5 Disposal and Destruction Techniques
1.1.4.6 Real-Life Example
1.1.4.7 NIST Documents and Relevant Laws
1.1.5 Confidentiality, integrity, availability, non-repudiation, and privacy concepts
1.1.5.1 Confidentiality
1.1.5.2 Integrity
1.1.5.3 Availability
1.1.5.4 Non-Repudiation
1.1.5.5 Privacy
1.1.6 System assets and boundary descriptions
1.1.6.1.1 System assets
1.1.6.1.2 Importance of Identifying System Assets
1.1.6.2 System Boundaries
1.1.6.2.1 Importance of Defining System Boundaries
1.1.7 Security and privacy controls and requirements
1.1.7.1 Types of Security and Privacy Controls
1.1.7.2 Frameworks and Standards
1.1.7.3 Security and Privacy Requirements
1.1.8 Roles and responsibilities for compliance activities and associated frameworks
1.1.8.1 Key Roles in Compliance Activities
1.1.8.2 Legal Counsel
1.1.8.3 Technical Risk Specialists / Consultants
1.1.8.4 Associated Laws and Frameworks
1.2 Demonstrate knowledge in security and privacy governance, risk management and compliance program processes
1.2.1 Establishment of compliance program for the applicable framework
1.2.1.1 Frameworks for Compliance Programs
1.2.1.2 Key Steps in Establishing a Compliance Program
1.3 Demonstrate knowledge of compliance frameworks, regulations, privacy, and security requirements
1.3.1 Familiarity with compliance frameworks (e.g., International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), Federal Risk and Authorization Management Program (FedRAMP), Payment Card Industry Data Security Standard (PCI-DSS), Cybersecurity Maturity Model Certification)
1.3.1.1 ISO/IEC 27001
1.3.1.2 Federal Risk and Authorization Management Program (FedRAMP)
1.3.1.3 Payment Card Industry Data Security Standard (PCI DSS)
1.3.1.4 Cybersecurity Maturity Model Certification (CMMC)
1.3.2 Familiarity with other national and international laws and requirements for security and privacy (e.g., Federal Information Security Modernization Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), executive orders, General Data Protection Regulation (GDPR))
1.3.2.1 Federal Information Security Modernization Act (FISMA)
1.3.2.2 Health Insurance Portability and Accountability Act (HIPAA)
1.3.2.3 Executive Orders
1.3.2.4 General Data Protection Regulation (GDPR)
2 Scope of the System
2.1 Describe the system
2.1.1 System name and scope documented
2.1.1.1 System Name and Description
2.1.1.2 Scope Documentation
2.1.1.3 Documentation
2.1.2 System purpose and functionality
2.1.2.1 System Purpose
2.1.2.2 System Functionality
2.2 Determine security compliance required
2.2.1 Information types processed, stored, or transmitted
2.2.1.1 Types of Information
2.2.1.2 Data Classification Based on FIPS 199
2.2.1.3 Regulatory Requirements
2.2.1.4 Impact of Information Types on Security Compliance
2.2.1.5 NIST Guidelines Relevant to Information Types
2.2.1.6 Real-Life Examples of Compliance Determination
2.2.2 Security objectives outlined for each information type based on national and international security and privacy compliance requirements (e.g., Federal Information Processing Standards (FIPS), International Organization for Standardization/International Electrotechnical Commission (ISO/IEC), data protection impact assessment)
2.2.2.1 National and International Security Compliance Requirements
2.2.2.2 Data Protection Impact Assessment (DPIA)
2.2.2.3 Implementing Compliance Measures
2.2.2.4 Examples
2.2.3 Risk impact level determined for system based on the selected framework
2.2.3.1 Selected Frameworks for Determining Risk Impact Levels
2.2.3.2 Risk Impact Level Determination Process
2.2.3.3 Implementing Controls Based on Impact Levels
2.2.3.4 Continuous Monitoring and Reassessment
3 Selection and Approval of Framework, Security, and Privacy Controls
3.1 Identify and document baseline and inherited controls
3.1.1 Definition of Baseline Controls
3.1.2 Importance of Baseline Controls
3.1.3 Components of Baseline Controls
3.1.4 Documenting Baseline Controls
3.1.5 Establishing a Baseline
3.1.6 Inherited Controls
3.1.7 NIST Guidelines Relevant to Baseline Controls
3.1.8 Real-Life Examples of Baseline Controls
3.2 Select and tailor controls
3.2.1 Determination of applicable baseline and/or inherited controls
3.2.1.1 Practical Steps for Control Selection and Tailoring
3.2.2 Determination of appropriate control enhancements (e.g., security practices, overlays, mitigating controls)
3.2.2.1 Control Enhancements Overview
3.2.2.1.1 Overlays
3.2.2.1.2 Mitigating Controls
3.2.2.2 Implementation of Control Enhancements
3.2.3 Specific data handling/marking requirements identified
3.2.3.1 NIST Framework and Documents
3.2.3.2 Specific Data Handling Requirements
3.2.3.3 Data Marking Practices
3.2.3.4 Implementation of Data Handling Requirements
3.2.3.5 Compliance and Regulatory Considerations
3.2.4 Control selection documentation
3.2.4.1 NIST Framework and Documents
3.2.4.2 Control Selection Documentation
3.2.4.3 Components of Control Selection Documentation
3.2.4.4 Compliance and Regulatory Considerations
3.2.5 Continued compliance strategy (e.g., continuous monitoring, vulnerability management)
3.2.5.1 NIST Framework and Documents
3.2.5.2 Continued Compliance Strategy
3.2.5.3 Continuous Monitoring
3.2.5.4 Vulnerability Management
3.2.5.5 Compliance and Regulatory Considerations
3.2.6 Control allocation and stakeholder agreement
3.2.6.1 NIST Framework and Documents
3.2.6.2 Control Allocation
3.2.6.3 Stakeholder Agreement
3.2.6.4 Compliance and Regulatory Considerations
4 Implementation of Security and Privacy Controls
4.1 Develop implementation strategy (e.g., resourcing, funding, timeline, effectiveness)
4.1.1 Control implementation aligned with organizational expectations, national or international requirements, and compliance for security and privacy controls
4.1.1.1 NIST Documents for Reference
4.1.1.2 Control Implementation: Alignment with Organizational Expectations
4.1.1.3 Control Implementation: National and International Requirements
4.1.1.4 Control Implementation: Compliance for Security and Privacy Control
4.1.1.5 Examples
4.1.2 Identification of control types (e.g., management, technical, common, operational control)
4.1.2.1 NIST Documents for Reference
4.1.2.2 Management Controls
4.1.2.3 Technical Controls
4.1.2.4 Common Controls
4.1.2.5 Operational Controls
4.1.2.6 Examples
4.1.3 Frequency established for compliance documentation reviews and training
4.1.3.1 NIST Documents for Reference
4.1.3.2 Compliance Documentation Reviews
4.1.3.3 Compliance Training
4.1.3.4 Practical Considerations
4.2 Implement selected controls
4.2.1 Control implementation consistent with compliance requirements
4.2.1.1 NIST Documents for Reference
4.2.1.2 Steps for Implementation
4.2.1.3 Monitoring and Maintenance
4.2.1.4 Examples
4.2.2 Compensating or alternate security controls implemented
4.2.2.1 NIST Documents for Reference
4.2.2.2 Compensating Controls or alternate security controls
4.2.2.3 Situations for Use
4.2.2.4 Steps for Implementation
4.2.2.5 Examples
5 Assessment/Audit of Security and Privacy Controls
5.1 Prepare for assessment/audit
5.1.1 Stakeholder roles and responsibilities established
5.1.1.1 NIST Documents for Reference
5.1.1.2 Stakeholder Roles and Responsibilities
5.1.1.3 Examples
5.1.2 Objectives, scope, resources, schedule, deliverables, and logistics outlined
5.1.2.1 NIST Documents for Reference
5.1.2.2 Objectives
5.1.2.3 Scope
5.1.2.4 Resources
5.1.2.5 Schedule
5.1.2.6 Deliverables
5.1.2.7 Logistics
5.1.2.8 Examples
5.1.3 Assets, methods, and level of effort scoped
5.1.3.1 NIST Documents for Reference
5.1.3.2 Assets
5.1.3.3 Methods
5.1.3.4 Level of Effort
5.1.3.5 Examples
5.1.4 Evidence for demonstration of compliance audited (e.g., previous assessments/audits, system documentation, policies)
5.1.4.1 NIST Documents for Reference
5.1.4.2 Evidence for Demonstration of Compliance
5.1.4.3 Types of Evidence
5.1.4.4 Examples
5.1.5 Assessment/audit plan finalized
5.1.5.1 NIST Documents for Reference
5.1.5.2 Key Steps in Finalizing the Plan
5.2 Conduct assessment/audit
5.2.1 Compliance capabilities verified using appropriate assessment methods: interview, examine, test (e.g., penetration, control, vulnerability scanning)
5.2.1.1 NIST Documents for Reference
5.2.1.2 Assessment Methods
5.2.1.3 Examples
5.2.2 Evidence verified and validated
5.3 Prepare the initial assessment/audit report
5.3.1 Risks identified during the assessment/audit provided
5.3.1.1 NIST Documents for Reference
5.3.1.2 Key NIST Definitions in Risk Management
5.3.1.3 Risk Analysis Approaches
5.3.1.4 Risk Framing
5.3.1.5 Risk Executive Role
5.3.2 Risk mitigation summaries outlined
5.3.2.1 NIST Documents for Reference
5.3.2.2 Key Components of Risk Mitigation
5.3.3 Preliminary findings recorded
5.3.3.1 NIST Documents for Reference
5.3.3.2 Key Components of Preliminary Findings
5.4 Review initial assessment/audit report and plan risk response actions
5.4.1 Risk response assigned (e.g., avoid, accept, share, mitigate, transfer) based on identified vulnerabilities or deficiencies
5.4.1.1 NIST Documents for Reference
5.4.1.2 Risk Response Strategies
5.4.2 Risk response collaborated with stakeholders
5.4.2.1 NIST Documents for Reference
5.4.2.2 Key Steps in Collaborating with Stakeholders
5.4.3 Non-compliant findings with newly applied corrective actions reassessed and validated
5.4.3.1 NIST Documents for Reference
5.4.3.2 Key Steps in Reassessing and Validating Corrective Actions
5.5 Develop final assessment/audit report
5.5.1 Final compliance documented (e.g., compliant, non-compliant, not applicable)
5.5.1.1 NIST Documents for Reference
5.5.1.2 Key Components of Final Assessment/Audit Report
5.5.2 Recommendations documented when appropriate
5.5.2.1 NIST Documents for Reference
5.5.2.2 Key Components of Documenting Recommendations
5.5.3 Assessment report finalized
5.5.3.1 NIST Documents for Reference
5.5.3.2 Key Components of a Finalized Assessment Report
5.6 Develop risk response plan
5.6.1 Residual risks and deficiencies identified
5.6.1.1 Residual Risks
5.6.1.2 Identifying Deficiencies
5.6.2 Risk prioritized
5.6.2.1 Risk Assessment Process
5.6.2.2 Risk Prioritization Techniques
5.6.3 Required resources identified (e.g., financial, personnel, and technical) to determine time required to mitigate risk
5.6.3.1 Identifying Resources
5.6.3.2 Time Estimation for Risk Mitigation
5.6.3.3 Aligning with NIST Guidelines
6 System Compliance
6.1 Review and submit security/privacy documents
6.1.1 Security and privacy documentation required to support a compliance decision by the appropriate party (e.g., authorizing official, third-party assessment organizations, agency) compiled, reviewed, and submitted
6.1.1.1 Key Documents Required
6.1.1.2 Review Process
6.1.1.3 Submission and Approval
6.2 Determine system risk posture
6.2.1 System risk acceptance criteria
6.2.1.1 Establishing Risk Acceptance Criteria
6.2.1.2 Criteria Development Process
6.2.2 Residual risk determination
6.2.2.1 Calculating Residual Risk
6.2.2.2 Evaluation and Analysis
6.2.2.3 Decision-Making and Acceptance
6.2.3 Stakeholder concurrence for risk treatment options
6.2.3.1 Identifying Stakeholders
6.2.3.2 Risk Treatment Options with Stakeholder Concurrence
6.2.4 Residual risks defined in formal documentation
6.2.4.1 Documenting Residual Risks
6.3 Document system compliance
6.3.1 Formal notification of compliance decision
6.3.1.1 Compliance Decision Process
6.3.1.2 Formal Documentation
6.3.2 Formal notification shared with stakeholders
6.3.2.1 Preparing the Notification
6.3.2.2 Communication Channels
6.3.2.3 Ensuring Clarity and Transparency
7 Compliance Maintenance
7.1 Perform system change management
7.1.1 Changes weigh the impact to organizational risk, operations, and/or compliance requirements (e.g., revisions to baselines)
7.1.1.1 Change Management Process
7.1.1.2 Weighing Impact on Compliance
7.1.1.3 Approval and Implementation
7.1.2 Proposed changes documented and approved by authorized personnel (e.g., Change Control Board (CCB), technical review board)
7.1.2.1 Documentation of Proposed Changes
7.1.2.2 Approval Process
7.1.2.3 Criteria for Approval
7.1.3 Deploy to the environment (e.g., test, development, production) with rollback plan
7.1.3.1 Deployment Stages
7.1.3.2 Rollback Plan
7.1.3.3 Risk Management and Compliance
7.1.4 Changes to the system tracked and compliance enforced
7.1.4.1 Change Tracking
7.1.4.2 Compliance Enforcement
7.2 Perform ongoing compliance activities based on requirements
7.2.1 Frequency established for ongoing compliance activities review with stakeholders
7.2.1.1 Establishing Review Frequency
7.2.1.2 Stakeholder Engagement
7.2.1.3 Conducting Compliance Reviews
7.2.2 System and assets monitored (e.g., physical and logical assets, personnel, change control)
7.2.2.1 Types of Assets Monitored
7.2.2.2 Monitoring Tools and Techniques
7.2.3 Incident response and contingency activities performed
7.2.3.1 Incident Response Activities
7.2.3.2 Contingency Planning
7.2.4 Security updates performed and risks remediated/tracked
7.2.4.1 Security Updates
7.2.4.2 Risk Remediation
7.2.5 Evidence collected, testing performed, documentation updated (e.g., service level agreements, third party contracts, policies, procedures), and submission/communication to stakeholders when applicable
7.2.5.1 Evidence Collection
7.2.5.2 Compliance Testing
7.2.5.3 Documentation Updates
7.2.5.4 Communication and Submission
7.2.6 Awareness and training performed, documented, and retained (e.g., contingency, incident response, annual security and privacy)
7.2.6.1 Types of Training
7.2.6.2 Developing Training Programs
7.2.6.3 NIST References
7.2.6.4 Documentation and Retention
7.2.6.5 Evaluation and Continuous Improvement
7.2.7 Revising monitoring strategies based on updates to legal, regulatory, supplier, security and privacy requirements
7.2.7.1 Identifying Updates
7.2.7.2 Revising Monitoring Strategies
7.2.7.3 NIST References
7.3 Engage in audit activities based on compliance requirements
7.3.1 Required testing and vulnerability scanning performed
7.3.1.1 Required Testing
7.3.1.2 Vulnerability Scanning
7.3.1.3 NIST References
7.3.2 Personnel interviews conducted
7.3.2.1 Planning and Preparation
7.3.2.2 Conducting Interviews
7.3.2.3 Analyzing Results
7.3.2.4 NIST References
7.3.3 Documentation reviewed and updated
7.3.3.1 Types of Documentation
7.3.3.2 Review Process
7.3.3.3 Updating Documentation
7.3.3.4 NIST References
7.4 Decommission system when applicable
7.4.1 Requirements for system decommissioning reviewed with stakeholders
7.4.1.1 Key Steps in Reviewing Decommissioning Requirements
7.4.1.2 NIST Documents for Reference
7.4.2 System removed from operations and decommissioned
7.4.2.1 Data Handling
7.4.2.2 System Disconnection
7.4.2.3 Physical and Logical Removal
7.4.2.4 NIST References
7.4.3 Documentation of the decommissioned system retained and shared with stakeholders
7.4.3.1 Key Steps in Documenting and Sharing Information
7.5 Backup Strategies
7.5.1 Types of Backup Strategies
8 Exam topics