Security Assessment in Security Management

$249.00

  • Who trusts this: Trusted by professionals in 160+ countries
  • How you learn: Self-paced • Lifetime updates
  • Your guarantee: 30-day money-back guarantee — no questions asked
  • When you get access: Course access is prepared after purchase and delivered via email
  • Toolkit included: A practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.

This curriculum spans the end-to-end workflow of enterprise security assessments, comparable in scope to a multi-phase advisory engagement that integrates compliance alignment, technical testing, and organisational coordination across legal, IT, and executive functions.

Module 1: Defining Assessment Scope and Objectives

  • Selecting which business units, systems, and data classifications to include based on regulatory exposure and operational criticality.
  • Negotiating assessment boundaries with legal and compliance teams to avoid unauthorized access to regulated data.
  • Determining whether assessments will be announced or unannounced to balance operational transparency with realism.
  • Documenting executive-level risk tolerance thresholds to align assessment depth with strategic priorities.
  • Identifying third-party vendors in scope and validating contractual rights to conduct assessments.
  • Establishing communication protocols for handling findings that involve executive-level systems or sensitive projects.

Module 2: Regulatory and Compliance Framework Alignment

  • Mapping control requirements from multiple frameworks (e.g., NIST, ISO 27001, GDPR) to avoid redundant testing.
  • Deciding which controls to test in full and which to test by sampling, given resource constraints and audit timelines.
  • Resolving conflicts between jurisdiction-specific regulations when assessing multinational systems.
  • Documenting control exceptions with risk acceptance forms signed by data owners and legal counsel.
  • Integrating compliance assessment findings into existing SOX or HIPAA control reporting cycles.
  • Updating control mappings when new regulations are enacted or existing ones are revised.

Module 3: Threat Modeling and Risk Prioritization

  • Conducting STRIDE or PASTA-based analysis on critical applications to identify high-impact attack vectors.
  • Assigning likelihood scores using historical incident data and threat intelligence feeds.
  • Adjusting risk ratings based on compensating controls already in place but undocumented.
  • Facilitating risk ranking workshops with business stakeholders who lack technical security knowledge.
  • Deciding whether to outsource threat modeling for specialized systems (e.g., industrial control).
  • Revisiting threat models after major architectural changes such as cloud migration or API exposure.

Module 4: Vulnerability Scanning and Penetration Testing

  • Scheduling scans during maintenance windows to avoid disrupting production transaction systems.
  • Configuring scanners to exclude sensitive systems (e.g., medical devices) based on operational risk.
  • Validating false positives from automated tools through manual verification or authenticated testing.
  • Choosing between black-box, gray-box, and white-box testing based on application complexity and access levels.
  • Managing third-party penetration testers' access and ensuring their activities are logged and monitored.
  • Coordinating with network teams to temporarily adjust IDS/IPS rules during active testing phases.

Module 5: Control Testing and Validation

  • Designing test procedures for detective controls such as SIEM alerting and log retention policies.
  • Sampling access review records to verify that periodic entitlement reviews are conducted as required.
  • Testing multi-factor authentication enforcement across cloud and on-premises systems.
  • Assessing firewall rule effectiveness by attempting controlled traffic from unauthorized zones.
  • Verifying encryption at rest and in transit for databases containing PII using configuration checks and packet analysis.
  • Documenting control gaps where policies exist but implementation is inconsistent across departments.

Module 6: Reporting and Findings Management

  • Classifying findings using CVSS or DREAD scoring to prioritize remediation efforts.
  • Redacting sensitive system names and IP addresses in reports shared with non-technical executives.
  • Assigning ownership of findings to specific individuals with documented escalation paths for delays.
  • Integrating findings into existing ticketing systems (e.g., ServiceNow) to track remediation progress.
  • Deciding which findings to escalate immediately based on exploitability and data exposure.
  • Producing separate technical and executive summaries to meet audience-specific communication needs.

Module 7: Remediation Oversight and Follow-Up

  • Scheduling retesting windows that align with patch deployment cycles and change management approvals.
  • Validating fix completeness by checking not only the original vulnerability but related configurations.
  • Accepting temporary compensating controls when permanent fixes require system redesign.
  • Escalating unresolved high-risk items to risk committees after predefined time thresholds.
  • Updating risk registers and dashboards to reflect remediated and residual risks.
  • Conducting root cause analysis on recurring vulnerabilities to address systemic weaknesses.

Module 8: Continuous Assessment Integration

  • Integrating vulnerability scanning into CI/CD pipelines with automated policy gates for code promotion.
  • Configuring automated alerts for drift from baseline configurations in cloud environments.
  • Rotating assessment focus areas quarterly to cover different systems and controls over time.
  • Adjusting assessment frequency based on system criticality and threat landscape changes.
  • Using threat intelligence to trigger ad hoc assessments after disclosure of zero-day exploits.
  • Archiving assessment artifacts to meet retention requirements for audits and legal discovery.