Course Category: Paid

GRC Program

GRC Program Design, Implementation, and Administration

Scenario
You have recently been asked to lead your organization’s Governance, Risk, and Compliance (GRC) Program. You have never worked with a GRC Program before, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your GRC skills up-to-date and answer any questions you have.

GRC at a glance
The Bernard Institute for Cybersecurity Excellence GRC Program responds to the need for a proactive and systemic approach to compliance with laws, regulations, and contracts. While implementing the GRC Program, we will develop procedures accepted by thousands of public and private sector organizations. The GRC Program will provide oversight for selecting a comprehensive set of security and privacy safeguards for all types of computing platforms, onsite and in the cloud; mobile systems; industrial and process control systems; and Internet of Things (IoT) devices. The Bernard Institute for Cybersecurity Excellence GRC Program will give the Executive Team, Board of Directors, customers, and strategic partners the necessary assurance in today’s connected digital world. The ultimate objective is to make the information systems we depend on more resistant to penetration, limit the damage from attacks when they occur, and make the systems resilient and survivable.

GRC Lessons:

  • Governance
  • Risk Management
  • Continual Improvement
  • Communications
  • Training and Awareness
  • Internal / External Audit
  • Document Management
  • Records Management

NIST SP 800-53 Rev. 5 Implementation Project

Scenario
You have recently been asked to lead a project that will bring your organization into compliance with NIST Special Publication 800-53 (Revision 5). You have never worked with NIST Special Publication 800-53 (Revision 5), so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your NIST SP 800-53 Rev. 5 skills up-to-date and answer any questions you have.

NIST SP 800-53 Rev. 5 at a glance
NIST Special Publication 800-53 (Revision 5) responds to the need for a proactive and systemic approach to develop, and make available to a broad base of public and private sector organizations, a comprehensive set of security and privacy safeguarding measures for all types of computing platforms, including general purpose computing systems; cyber-physical systems; cloud and mobile systems; industrial and process control systems; and Internet of Things (IoT) devices. Those safeguarding measures include security and privacy controls to protect the critical and essential operations and assets of organizations and the personal privacy of individuals. The ultimate objective is to make the information systems we depend on more resistant to penetration, limit the damage from attacks when they occur, and make the systems resilient and survivable.

NIST Special Publication 800-53 (Revision 5) subjects

  • Access control
  • Awareness and training
  • Audit and accountability
  • Assessment, authorization, and monitoring
  • Configuration management
  • Contingency planning
  • Identification and authentication
  • Individual participation
  • Incident response
  • Maintenance
  • Media protection
  • Privacy authorization
  • Physical and environmental protection
  • Planning
  • Program management
  • Personnel security
  • Risk assessment
  • System and services acquisition
  • System and communications protection

PCI DSS Implementation Project

Scenario
You have recently been asked to lead a project that will bring your organization into compliance with PCI DSS. You have never worked with PCI DSS, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your PCI DSS skills up-to-date and answer any questions you have.

PCI DSS at a Glance
The PCI DSS security requirements apply to all system components included in or connected to the cardholder data environment. The cardholder data environment (CDE) comprises the people, processes, and technologies that store or transmit cardholder data or sensitive authentication data. “System components” include network devices, servers, computing devices, and applications. Examples of system components include but are not limited to the following:

  • Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the CDE (for example, name resolution or web redirection servers).
  • Virtualization components, including virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.
  • Network components include firewalls, switches, routers, wireless access points, network appliances, and other security appliances.
  • Server types include web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).
  • Applications include all purchased and custom applications, including internal and external (for example, Internet) applications.
  • Any other component or device located within or connected to the CDE.

SOC 2 Type 2 Implementation Project

Scenario
You have recently been asked to lead a project that will bring your organization into compliance with SOC 2 Type 2. You have never worked with SOC 2 Type 2, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your SOC 2 Type 2 skills up-to-date and answer any questions you have.

SOC 2 Type 2 at a Glance
SOC 2 Type 2 reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and Privacy. Prospective customers and strategic partners use this report for assurance that the service organization’s controls protect the security, availability, and processing integrity of information transmitted, processed, and archived on its systems. As with SOC 1, there are two types of report; a Type 2 report covers management’s description of a service organization’s system and the suitability of the design and operating effectiveness of its controls. Use of these reports is restricted.

These reports can play an essential role in the following:

  • Oversight of the organization
  • Vendor management programs
  • Internal corporate governance and risk management processes
  • Regulatory oversight

SAP HANA HEC IMS Implementation Project

Scenario
You have recently been asked to lead a project that will bring your organization into compliance with SAP HANA HEC IMS. You have never worked with SAP HANA HEC IMS, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your SAP HANA HEC IMS skills up-to-date and answer any questions you have.

SAP HANA HEC at a glance
SAP HANA HEC provides complete data security, as the data remains encrypted during transmission, storage, and processing. This framework provides the infrastructure and manages the services. The cloud service hosts Business Suite software, which includes HANA custom and out-of-the-box applications and NetWeaver Business Warehouse software, on a single instance of the HANA in-memory database platform. This move offered customers an easier, more comprehensive way to deploy SAP HANA than on-premises.

  • SAP HEC (HANA Enterprise Cloud) is a managed, private cloud hosting service for SAP HANA and its related applications.
  • The commonality shared between SAP HCP and HEC is that both are variations of the HANA cloud technology; the two products use different service models.
  • HCP offers a platform-as-a-service tool intended for application development.
  • HEC is an infrastructure-as-a-service tool that enables companies to run SAP-based operations in a hosted environment.
  • IMS (Integrated Management System) is built with ISO/IEC 27001 ISMS as the parent and ISO 9001 and ISO 22301 as children integrated into the ISO/IEC 27001 ISMS.
  • HANA HEC also provides Triple C key performance indicators for security configuration, cyber security, and compliance.

NIST Cybersecurity Framework Implementation Project

Scenario
You have recently been asked to lead a project that will bring your organization into compliance with the NIST Cybersecurity Framework. You have never worked with the NIST Cybersecurity Framework, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your NIST Cybersecurity Framework skills up-to-date and answer any questions you have.

NIST CSF at a Glance
The NIST Cybersecurity Framework (CSF) is based on existing standards, guidelines, and practices that help organizations better manage and reduce cybersecurity risks. It is widely used by public and private organizations of all sectors and sizes worldwide. The CSF is a living document; it will be refined, improved, and evolved to keep pace with increasing cybersecurity risks and with technology, threat, and policy trends, to integrate lessons learned, and to establish best practices as standard practice. NIST intends to use a public-private dialogue to guide the effort to update the CSF.

The Framework offers a flexible way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions. It applies to organizations relying on technology, whether their cybersecurity focus is primarily on information technology (IT), industrial control systems (ICS), cyber-physical systems (CPS), or connected devices more generally, including the Internet of Things (IoT). The Framework can assist organizations in addressing cybersecurity as it affects the privacy of customers, employees, and other parties. The Framework’s outcomes also serve as targets for workforce development and evolution activities.

Building from those standards, guidelines, and practices, the Framework provides a common taxonomy and mechanism for organizations to:

1) Describe their current cybersecurity posture.

2) Describe their target state for cybersecurity.

3) Identify and prioritize opportunities for improvement within the context of a continuous and repeatable process.

4) Assess progress toward the target state.

5) Communicate among internal and external stakeholders about cybersecurity risk.

ISO/IEC 27001 ISMS Implementation Project

Scenario
You have recently been asked to lead a project to bring your organization into compliance with ISO/IEC 27001 ISMS. You have never worked with ISO/IEC 27001 ISMS, so you need help.

Solution
Register with the Bernard Institute for Cybersecurity Excellence. We can get your ISO/IEC 27001 ISMS skills up-to-date and answer any questions you have.

ISO/IEC 27001 ISMS at a Glance
The information security management system (ISMS) preserves information confidentiality, integrity, and availability by applying a risk management process. Customers, strategic partners, and interested parties have confidence that cybersecurity risks are adequately managed when they see the ISO/IEC 27001 ISMS certification. ISMS Annex A integrates into the organization’s governance structure and operational processes. Following certification, privacy and security are considered during the initial design of processes, information systems, and controls. The ISMS can scale with the needs of the organization’s customers. Clauses 4 to 10 are mandatory for certification; Annex A provides the flexibility for operational integration.

Clauses 4 – 10: Mandatory Management System Controls
4. Context of the organization
5. Leadership
6. Planning
7. Support
8. Operation
9. Performance evaluation
10. Improvement

Annex A: Discretionary, Risk-Justified Controls
5. Organizational controls
6. People controls
7. Physical controls
8. Technological controls

Cybersecurity Leadership

This is the perfect course if you aspire to become a CISO or CIO. Regardless of your background, you will take away valuable skills. You will also learn valuable tactics based on decades of experience that will drive your cybersecurity career forward. After you complete this course, you will be ready to lead your organization’s cybersecurity program. This course will provide cybersecurity skills for professionals in cybersecurity jobs looking for a promotion to that top job. This course will teach you how to plan, implement, and maintain a steady-state, scalable Cybersecurity Program. Our course will prepare you to confidently take command of the Cybersecurity Program and build solid relationships with your Executive Team and Board of Directors.

The target audience for this course is:

● (Aspiring) Professionals who are new to the Cybersecurity profession.

● (Transitioning) Professionals with skills from non-cybersecurity disciplines who want to start a new Cybersecurity career.

● (Enhanced Expertise) Professionals with skills from non-cybersecurity disciplines who want to start a new Cybersecurity career.