Security Controls in Security Management

$249.00
Who trusts this:
Trusted by professionals in 160+ countries
When you get access:
Course access is prepared after purchase and delivered via email
Your guarantee:
30-day money-back guarantee — no questions asked
Toolkit Included:
Includes a practical, ready-to-use toolkit containing implementation templates, worksheets, checklists, and decision-support materials used to accelerate real-world application and reduce setup time.
How you learn:
Self-paced • Lifetime updates

This curriculum spans the design and operationalization of security controls across risk assessment, identity management, network and endpoint security, data protection, incident response, compliance, and secure development, reflecting the integrated scope of a multi-phase security transformation program typically led by enterprise security teams in collaboration with IT, compliance, and business units.

Module 1: Risk Assessment and Control Selection

  • Conduct asset classification exercises to determine which systems require encryption at rest based on data sensitivity and regulatory scope.
  • Select NIST SP 800-53 controls appropriate for a hybrid cloud environment, balancing compliance requirements with operational feasibility.
  • Perform threat modeling using STRIDE to prioritize controls for a new customer-facing web application.
  • Document risk acceptance decisions for legacy systems where compensating controls are impractical or cost-prohibitive.
  • Integrate third-party vendor risk scoring into control selection for supply chain security.
  • Define risk tolerance thresholds in collaboration with business unit leaders to guide control implementation priorities.

Module 2: Access Control Architecture and Identity Management

  • Design role-based access control (RBAC) structures aligned with organizational job functions and segregation of duties (SoD) requirements.
  • Implement just-in-time (JIT) privileged access using a PAM solution for cloud administration accounts.
  • Enforce multi-factor authentication (MFA) policies across SaaS applications, including exception handling for legacy systems.
  • Integrate identity providers (IdPs) with on-premises and cloud applications using SAML or OIDC standards.
  • Establish access review cycles for high-privilege roles with automated workflows and audit logging.
  • Configure conditional access policies in Azure AD or equivalent to block logins from high-risk countries or unmanaged devices.

Module 3: Network Security and Segmentation

  • Design micro-segmentation policies for data center workloads using host-based firewalls and zero-trust principles.
  • Implement firewall rule reviews to decommission stale rules and reduce attack surface in enterprise networks.
  • Deploy network intrusion detection systems (NIDS) at key network boundaries with tuned signature sets to minimize false positives.
  • Configure VLANs and ACLs to isolate payment card data environments (CDE) in compliance with PCI DSS.
  • Establish secure remote access via IPsec or SSL VPNs with endpoint compliance checks before granting network access.
  • Integrate DNS filtering services to block connections to known malicious domains at the network level.

Module 4: Endpoint Security and Device Hardening

  • Enforce disk encryption on all corporate laptops using BitLocker or FileVault with escrowed recovery keys.
  • Deploy EDR agents across endpoints and configure automated response actions for ransomware indicators.
  • Implement application allowlisting for critical systems where traditional antivirus is insufficient.
  • Standardize OS image builds with CIS benchmark settings applied during provisioning.
  • Configure mobile device management (MDM) policies to enforce passcode strength and remote wipe capabilities.
  • Disable unnecessary services and ports on servers during deployment to reduce exploitation risk.

Module 5: Security Monitoring and Incident Response

  • Define SIEM correlation rules to detect lateral movement patterns such as multiple failed logins followed by a successful login.
  • Establish log retention policies that meet legal requirements while managing storage costs and query performance.
  • Integrate threat intelligence feeds into SOAR platforms to automate enrichment of security alerts.
  • Conduct tabletop exercises to validate incident response playbooks for ransomware and data exfiltration scenarios.
  • Configure packet capture and network flow logging for forensic readiness on critical network segments.
  • Design escalation paths and communication templates for coordinating response across legal, PR, and IT teams.

Module 6: Data Protection and Encryption Strategies

  • Classify data at rest using automated discovery tools to identify unprotected sensitive information in file shares.
  • Implement tokenization for credit card data in databases to reduce scope of PCI DSS compliance.
  • Deploy DLP policies to prevent unauthorized transfer of intellectual property via email or USB devices.
  • Configure TLS 1.2+ enforcement for all internal service-to-service communications.
  • Manage encryption key lifecycle in a hardware security module (HSM) with role-based access and audit logging.
  • Evaluate format-preserving encryption (FPE) for legacy applications that cannot handle encrypted field length changes.

Module 7: Security Governance and Compliance

  • Map implemented controls to regulatory frameworks such as HIPAA, GDPR, or SOC 2 for audit readiness.
  • Develop control testing procedures for internal auditors to validate effectiveness of security configurations.
  • Negotiate control exceptions with business units when technical constraints prevent full compliance.
  • Track control deficiencies in a risk register with remediation timelines and ownership assignments.
  • Produce executive-level dashboards summarizing control coverage, incident trends, and audit findings.
  • Coordinate with legal and compliance teams to update policies following changes in data protection regulations.

Module 8: Secure Software Development and Change Management

  • Integrate SAST and DAST tools into CI/CD pipelines with pass/fail gates based on severity thresholds.
  • Enforce code review requirements for changes affecting authentication, access control, or data handling.
  • Implement change advisory board (CAB) processes to evaluate security impact of production deployments.
  • Require threat modeling for all new application features involving user input or external integrations.
  • Configure web application firewalls (WAF) with custom rules to protect applications during patching cycles.
  • Archive and version control all infrastructure-as-code templates to support audit and rollback capabilities.