This curriculum spans the design and operational integration of security controls across the policy, identity, network, endpoint, cloud, and incident response domains. Its scope is comparable to a multi-phase organizational security transformation program covering governance alignment, architecture redesign, and continuous monitoring practices.
Module 1: Security Policy Development and Governance Frameworks
- Define scope and classification levels for data handling policies based on regulatory requirements such as GDPR, HIPAA, or CCPA.
- Select and adapt a governance framework (e.g., NIST CSF, ISO 27001) to align with organizational risk appetite and audit obligations.
- Establish cross-functional approval workflows for policy changes involving legal, compliance, and IT leadership.
- Integrate security policy enforcement mechanisms into existing change management systems to ensure operational consistency.
- Develop exception handling procedures for policy deviations with documented risk acceptance and time-bound review cycles.
- Implement automated policy compliance monitoring using configuration management databases (CMDB) and SIEM integrations.
Module 2: Identity and Access Management (IAM) Architecture
- Design role-based access control (RBAC) structures aligned with job functions and least privilege principles across hybrid environments.
- Deploy multi-factor authentication (MFA) for privileged accounts and remote access, balancing usability and security in high-availability systems.
- Integrate on-premises Active Directory with cloud identity providers using federation protocols like SAML or OIDC.
- Implement just-in-time (JIT) access for administrative roles using privileged access management (PAM) tools.
- Enforce regular access recertification cycles for user accounts, especially for contractors and offboarded employees.
- Configure identity synchronization workflows between HR systems and IAM platforms to automate provisioning and deprovisioning.
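The last three objectives of this module (least-privilege RBAC, access recertification with a shorter cycle for contractors and offboarded staff, and HR-driven provisioning and deprovisioning) can be exercised together as one reconciliation job. The following is an added example written for this page, not code from the curriculum or any vendor product; the role-to-entitlement map, the recertification cycles and every roster record are constructed for illustration.

```python
"""
Added example, not part of the curriculum: reconciling an HR roster against
IAM accounts to drive deprovisioning, least-privilege clean-up and access
recertification. The role-to-entitlement map, the recertification cycles and
every record below are constructed for illustration.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date

# Hypothetical RBAC model: each job function maps to the entitlements it needs.
ROLE_ENTITLEMENTS = {
    "helpdesk": {"ticketing:write", "ad:password-reset"},
    "dba": {"db:prod:read", "db:prod:write"},
    "finance-analyst": {"erp:read"},
}

@dataclass
class HrRecord:
    user: str
    status: str                       # "active", "contractor" or "terminated"
    job_function: str
    contract_end: date | None = None  # contractors only

@dataclass
class IamAccount:
    user: str
    entitlements: set[str] = field(default_factory=set)
    last_certified: date | None = None

@dataclass
class Finding:
    user: str
    action: str    # "deprovision", "remove-entitlements" or "recertify"
    detail: str

def reconcile(hr: list[HrRecord], iam: list[IamAccount], today: date,
              recert_days: int = 90) -> list[Finding]:
    """Derive identity actions from HR state; contractors recertify twice as often."""
    hr_by_user = {r.user: r for r in hr}
    findings: list[Finding] = []
    for acct in iam:
        rec = hr_by_user.get(acct.user)
        # No HR record at all, or an offboarded employee: remove the account.
        if rec is None or rec.status == "terminated":
            findings.append(Finding(acct.user, "deprovision", "no active HR record"))
            continue
        # A contractor whose engagement has lapsed is treated the same way.
        if rec.status == "contractor" and rec.contract_end and rec.contract_end < today:
            findings.append(Finding(acct.user, "deprovision", "contract ended"))
            continue
        # Least privilege: anything beyond the job function's entitlements is flagged.
        excess = acct.entitlements - ROLE_ENTITLEMENTS.get(rec.job_function, set())
        if excess:
            findings.append(Finding(acct.user, "remove-entitlements", ", ".join(sorted(excess))))
        # Recertification: overdue, or never certified at all.
        cycle = recert_days // 2 if rec.status == "contractor" else recert_days
        if acct.last_certified is None or (today - acct.last_certified).days > cycle:
            findings.append(Finding(acct.user, "recertify", f"last certified {acct.last_certified}"))
    return findings

def run_sample() -> list[Finding]:
    """Constructed roster and accounts; returns the findings as of 2024-06-01."""
    today = date(2024, 6, 1)
    hr = [
        HrRecord("alice", "active", "helpdesk"),
        HrRecord("bob", "terminated", "dba"),
        HrRecord("carol", "contractor", "finance-analyst", date(2024, 5, 15)),
        HrRecord("dan", "contractor", "finance-analyst", date(2024, 12, 31)),
    ]
    iam = [
        IamAccount("alice", {"ticketing:write", "ad:password-reset", "db:prod:write"}, date(2024, 5, 1)),
        IamAccount("bob", {"db:prod:read"}, date(2024, 1, 1)),
        IamAccount("carol", {"erp:read"}, date(2024, 5, 1)),
        IamAccount("dan", {"erp:read"}, date(2024, 3, 1)),
        IamAccount("eve", {"erp:read"}),          # orphan: no HR record at all
    ]
    return reconcile(hr, iam, today)

if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.user:6} {f.action:20} {f.detail}")
```

The design point is that HR is the source of truth: an account with no matching HR record is an orphan to be removed, not a gap to be filled, and entitlement excess is measured against the job function rather than against whatever the account was granted last time.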
Module 4: Network Security Infrastructure and Segmentation
- Architect network segmentation using VLANs, firewalls, and micro-segmentation to limit lateral movement during breaches.
- Deploy next-generation firewalls (NGFW) with deep packet inspection at internet gateways and data center perimeters.
- Implement zero-trust network access (ZTNA) for remote users, replacing traditional VPNs in distributed environments.
- Configure DNS filtering and sinkholing to block communication with known malicious domains.
- Establish secure interconnection policies for cloud VPCs and on-premises networks using IPsec or TLS tunnels.
- Monitor encrypted traffic using SSL/TLS decryption policies with defined privacy boundaries and lawful interception compliance.
Module 5: Endpoint Detection and Response (EDR) Operations
- Select EDR agents based on OS compatibility, resource footprint, and integration capabilities with existing SIEM platforms.
- Define detection rules for suspicious behaviors such as process injection, credential dumping, or unusual PowerShell usage.
- Configure automated response actions (e.g., isolation, process termination) with approval thresholds to prevent service disruption.
- Conduct regular threat-hunting exercises using EDR query interfaces to identify stealthy adversaries.
- Manage EDR agent updates and configuration drift through centralized policy enforcement tools.
- Integrate EDR alert data into incident response workflows with severity scoring and escalation paths.
Module 6: Security Monitoring and Incident Response
- Design log retention policies based on forensic needs, legal requirements, and storage cost constraints.
- Correlate security events across network, endpoint, and application logs using SIEM rule sets tailored to organizational assets.
- Establish incident classification criteria (e.g., low, medium, high, critical) with predefined communication protocols.
- Conduct tabletop exercises simulating ransomware, data exfiltration, and insider threat scenarios.
- Integrate threat intelligence feeds (e.g., STIX/TAXII) to enrich alert context and prioritize response efforts.
- Document post-incident reviews with root cause analysis and action items tracked in a remediation management system.
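The EDR detection rules of Module 5 (unusual PowerShell usage), the DNS sinkholing of Module 4 and the cross-source correlation, incident classification and escalation paths of this module fit together in one pipeline. The following added example, written for this page rather than taken from the curriculum or any SIEM product, applies a per-event endpoint rule, correlates endpoint and network alerts per host inside a time window, and maps the result to a severity and an escalation target. The parent-process list, the critical-asset list, the escalation table and all events are constructed for illustration.

```python
"""
Added example, not part of the curriculum: an endpoint rule for unusual
PowerShell usage, correlated per host with DNS-sinkhole telemetry and
classified into a severity with an escalation path. Parent-process list,
critical-asset list, escalation table and all events are constructed.
"""
from __future__ import annotations
from datetime import datetime, timedelta

# Hypothetical: document-handling applications that should not spawn a shell.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}
# Hypothetical: hosts whose compromise is always treated as critical.
CRITICAL_ASSETS = {"db01"}
ESCALATION = {"low": "ticket-queue", "medium": "soc-analyst",
              "high": "ir-oncall", "critical": "ir-oncall+ciso"}

def powershell_rule(ev: dict) -> str | None:
    """Return a rule name when a process event is PowerShell in an unusual context."""
    if ev["image"].lower() != "powershell.exe":
        return None
    if ev["parent"].lower() in OFFICE_PARENTS:
        return "powershell-spawned-by-office-app"
    if "-enc" in ev["cmdline"].lower():        # encoded command line
        return "powershell-encoded-command"
    return None

def correlate(process_events: list[dict], dns_events: list[dict],
              window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Group alerts by host; an endpoint and a network alert inside the window escalate."""
    alerts: dict[str, list[tuple[datetime, str, str]]] = {}
    for ev in process_events:
        rule = powershell_rule(ev)
        if rule:
            alerts.setdefault(ev["host"], []).append((ev["ts"], "endpoint", rule))
    for ev in dns_events:
        if ev["action"] == "sinkholed":
            alerts.setdefault(ev["host"], []).append((ev["ts"], "network", f"sinkhole:{ev['domain']}"))
    incidents = []
    for host, items in alerts.items():
        sources = {src for _, src, _ in items}
        correlated = any(a_src != b_src and abs(a_ts - b_ts) <= window
                         for a_ts, a_src, _ in items for b_ts, b_src, _ in items)
        if correlated:
            severity = "high"
        elif "endpoint" in sources:
            severity = "medium"
        else:
            severity = "low"    # sinkholed lookups were blocked; track, don't page
        if severity == "high" and host in CRITICAL_ASSETS:
            severity = "critical"
        incidents.append({"host": host, "severity": severity,
                          "escalate_to": ESCALATION[severity],
                          "evidence": [r for _, _, r in items]})
    return sorted(incidents, key=lambda i: i["host"])

def run_sample() -> list[dict]:
    """Constructed EDR process-creation events and DNS-filter log lines."""
    t = datetime(2024, 6, 1, 9, 0, 0)
    process_events = [
        {"host": "ws-042", "ts": t, "parent": "WINWORD.EXE", "image": "powershell.exe",
         "cmdline": "powershell.exe -NoProfile -File macro.ps1"},
        {"host": "ws-100", "ts": t, "parent": "explorer.exe", "image": "powershell.exe",
         "cmdline": "powershell.exe Get-Process"},             # benign interactive use
        {"host": "db01", "ts": t + timedelta(hours=2), "parent": "explorer.exe",
         "image": "powershell.exe", "cmdline": "powershell.exe -enc <constructed>"},
    ]
    dns_events = [  # "sinkholed" means the resolver blocked and redirected the lookup
        {"host": "ws-042", "ts": t + timedelta(seconds=35), "domain": "c2.invalid", "action": "sinkholed"},
        {"host": "ws-007", "ts": t + timedelta(minutes=30), "domain": "c2.invalid", "action": "sinkholed"},
        {"host": "db01", "ts": t + timedelta(hours=2, minutes=4), "domain": "c2.invalid", "action": "sinkholed"},
    ]
    return correlate(process_events, dns_events)

if __name__ == "__main__":
    for inc in run_sample():
        print(inc)
```

A sinkhole hit on its own is classified low because the control already blocked the connection; the same hit within minutes of a suspicious process on the same host is what turns two noisy signals into a high-severity incident, and asset criticality is applied only after correlation so that it raises, never manufactures, a classification.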
Module 7: Secure Configuration and Vulnerability Management
- Adopt CIS Benchmarks or DISA STIGs to standardize secure configurations for servers, workstations, and network devices.
- Schedule vulnerability scans with minimal production impact using off-peak windows and scan throttling.
- Prioritize remediation efforts using CVSS scores combined with asset criticality and exploit availability.
- Implement configuration drift detection using automated tools to enforce baseline compliance.
- Coordinate patch deployment windows with change advisory boards (CAB) to minimize service outages.
- Manage exceptions for unpatchable systems through compensating controls and documented risk acceptance.
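The prioritization, remediation-window and exception objectives above reduce to a scoring function and a tiering table. The following is an added example written for this page, not code from the curriculum or from any scanner; the multipliers, SLA tiers, assets and CVE identifiers are constructed placeholders (the CVE ids are not real advisories), and an organisation would substitute its own weights.

```python
"""
Added example, not part of the curriculum: ranking vulnerability findings by
CVSS base score weighted by asset criticality and exploit availability, with a
remediation window per tier and tracked exceptions for unpatchable systems.
Multipliers, tiers, assets and CVE ids are constructed placeholders.
"""
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical weighting: criticality multiplier, exploit multiplier, exposure bonus.
ASSET_CRITICALITY = {"low": 1.0, "medium": 1.5, "high": 2.0}
EXPLOIT_MULTIPLIER = 1.5
INTERNET_FACING_BONUS = 2.0
# (minimum score, days allowed to remediate), highest tier first.
SLA_TIERS = [(20.0, 7), (12.0, 30), (6.0, 90), (0.0, 180)]

@dataclass
class VulnFinding:
    asset: str
    cve: str                 # placeholder ids in the sample below, not real advisories
    cvss: float              # CVSS base score, 0.0-10.0
    criticality: str
    exploit_available: bool
    internet_facing: bool = False

def risk_score(f: VulnFinding) -> float:
    """CVSS scaled by asset criticality, boosted for known exploits and exposure."""
    if not 0.0 <= f.cvss <= 10.0:
        raise ValueError(f"CVSS base score out of range: {f.cvss}")
    score = f.cvss * ASSET_CRITICALITY[f.criticality]
    if f.exploit_available:
        score *= EXPLOIT_MULTIPLIER
    if f.internet_facing:
        score += INTERNET_FACING_BONUS
    return round(score, 2)

def sla_days(score: float) -> int:
    for floor, days in SLA_TIERS:
        if score >= floor:
            return days
    return SLA_TIERS[-1][1]

def prioritize(findings: list[VulnFinding], exceptions: dict[str, str]) -> list[dict]:
    """Rank findings; assets with an approved exception are tracked, not patched."""
    ranked = []
    for f in findings:
        score = risk_score(f)
        entry = {"asset": f.asset, "cve": f.cve, "score": score,
                 "sla_days": sla_days(score), "status": "patch"}
        if f.asset in exceptions:
            entry["status"] = f"exception: {exceptions[f.asset]}"
        ranked.append(entry)
    return sorted(ranked, key=lambda e: e["score"], reverse=True)

def run_sample() -> list[dict]:
    """Constructed scan findings and one documented exception."""
    findings = [
        VulnFinding("web01", "CVE-0000-0001", 9.8, "high", True, internet_facing=True),
        VulnFinding("hr-db", "CVE-0000-0002", 7.5, "high", False),
        VulnFinding("kiosk07", "CVE-0000-0003", 8.8, "low", True),
        VulnFinding("dev-vm3", "CVE-0000-0004", 5.3, "medium", False),
    ]
    exceptions = {"kiosk07": "vendor-locked OS; isolated VLAN, review 2024-09-01"}
    return prioritize(findings, exceptions)

if __name__ == "__main__":
    for e in run_sample():
        print(f"{e['asset']:8} {e['cve']} score={e['score']:<6} sla={e['sla_days']:>3}d {e['status']}")
```

Note that the exception does not remove kiosk07 from the ranking or lower its score; it changes the status so the compensating control and the review date stay visible next to the risk they are accepting.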
Module 8: Cloud Security and Shared Responsibility Models
- Map cloud provider responsibilities (e.g., AWS, Azure) against customer-managed controls using shared responsibility matrices.
- Enforce encryption of data at rest and in transit for cloud storage services using customer-managed keys (CMKs).
- Configure cloud security posture management (CSPM) tools to detect misconfigurations in IAM, storage, and network settings.
- Implement secure API access patterns for cloud services using short-lived credentials and scoped permissions.
- Monitor cloud-native logs (e.g., AWS CloudTrail, Azure Activity Log) for unauthorized configuration changes.
- Design backup and recovery strategies for cloud workloads with geographic redundancy and ransomware protection.
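The CloudTrail monitoring objective above, together with the short-lived, scoped-credential pattern, can be checked with a small rule set over the trail: a write API call is acceptable only when made by the approved change principal inside the maintenance window, and a handful of event names that reduce visibility or widen exposure are always flagged. The following is an added example written for this page, not code from the curriculum or from AWS; the records, the approved role ARN, the change window and the account id are constructed, while the CloudTrail field names and event names are the real ones.

```python
"""
Added example, not part of the curriculum: scanning AWS CloudTrail records for
write operations that bypassed the approved change path or weaken logging.
Records, approved role ARN, change window and account id are constructed;
the CloudTrail field names and event names are real.
"""
from __future__ import annotations
import json
from datetime import datetime

# Hypothetical: the only principal expected to make changes, via the CI/CD pipeline.
APPROVED_CHANGE_ROLES = {"arn:aws:sts::111122223333:assumed-role/ChangeDeploy/cicd"}
# Hypothetical maintenance window, hours in UTC (02:00-04:59).
CHANGE_WINDOW_HOURS = range(2, 5)
# CloudTrail event names that reduce visibility or widen exposure.
HIGH_RISK_EVENTS = {"StopLogging", "DeleteTrail", "PutBucketPolicy",
                    "AuthorizeSecurityGroupIngress", "DeactivateMFADevice"}
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "Head")

def evaluate(record: dict) -> dict | None:
    """Return a finding for one CloudTrail record, or None if it needs no review."""
    name = record["eventName"]
    if name.startswith(READ_ONLY_PREFIXES):
        return None                                   # reads are not configuration changes
    actor = record.get("userIdentity", {}).get("arn", "<unknown>")
    when = datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
    reasons = []
    if name in HIGH_RISK_EVENTS:
        reasons.append("high-risk-event")
    if actor not in APPROVED_CHANGE_ROLES:
        reasons.append("actor-not-approved")
    if when.hour not in CHANGE_WINDOW_HOURS:
        reasons.append("outside-change-window")
    if "errorCode" in record:
        reasons.append(f"denied:{record['errorCode']}")  # failed attempts still matter
    if not reasons:
        return None
    severity = "high" if "high-risk-event" in reasons else "medium"
    return {"eventName": name, "actor": actor, "time": record["eventTime"],
            "severity": severity, "reasons": reasons}

def scan(records: list[dict]) -> list[dict]:
    return [f for f in (evaluate(r) for r in records) if f]

# Constructed trail, one JSON record per line; 203.0.113.0/24 is a documentation range.
SAMPLE_TRAIL = """
{"eventTime": "2024-06-01T14:12:33Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-06-01T14:15:02Z", "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-06-02T03:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ChangeDeploy/cicd"}, "sourceIPAddress": "10.0.5.12"}
{"eventTime": "2024-06-02T03:11:40Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}, "sourceIPAddress": "203.0.113.10"}
{"eventTime": "2024-06-02T03:20:15Z", "eventSource": "s3.amazonaws.com", "eventName": "PutBucketPolicy", "userIdentity": {"type": "AssumedRole", "arn": "arn:aws:sts::111122223333:assumed-role/ChangeDeploy/cicd"}, "sourceIPAddress": "10.0.5.12"}
"""

def run_sample() -> list[dict]:
    return scan([json.loads(line) for line in SAMPLE_TRAIL.strip().splitlines()])

if __name__ == "__main__":
    for f in run_sample():
        print(f["severity"], f["eventName"], f["actor"], f["reasons"])
```

The approved pipeline's RunInstances call inside the window produces nothing, which is the point of the allow-list: the rule set is quiet for planned change and loud for an individual user creating identities or stopping the trail in the middle of the day. PutBucketPolicy is still surfaced even when the pipeline does it, because a bucket policy change is worth a second look regardless of who made it.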