This curriculum spans the breadth of a multi-phase security assessment engagement, addressing the same technical, procedural, and stakeholder challenges encountered when conducting enterprise-wide systems reviews across hybrid environments, third-party dependencies, and evolving regulatory demands.
Module 1: Defining Scope and Stakeholder Alignment
- Selecting which business units and IT systems to include in the review based on regulatory exposure and incident history.
- Negotiating access to critical systems with department heads who control operational authority but resist external scrutiny.
- Documenting assumptions about system interdependencies when architectural diagrams are outdated or missing.
- Establishing data classification thresholds to determine which systems require deeper inspection.
- Resolving conflicts between legal requirements for data retention and security policies mandating minimization.
- Deciding whether to include third-party vendors in scope based on their access level and contractual obligations.
Module 2: Inventory and Asset Classification
- Reconciling discrepancies between CMDB records and actual deployed systems discovered during network sweeps.
- Classifying cloud-hosted workloads when ownership is distributed across development teams with no centralized tagging policy.
- Determining whether legacy systems without vendor support should be flagged as high-risk or maintained with compensating controls.
- Handling shadow IT systems identified during discovery that lack formal change management documentation.
- Assigning ownership to orphaned systems where original project teams have disbanded or left the organization.
- Integrating asset data from OT environments that use proprietary protocols incompatible with standard inventory tools.
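The first item in this module, reconciling CMDB records against what a network sweep actually finds, is routinely scripted. The following is an added example written for this curriculum, not tooling from any vendor or from the original outline. The CMDB export shape (`hostname`, `ip`, `owner`, `support_status`), the sweep output shape, and all of the sample rows are constructed assumptions; a real CMDB or scanner export needs its own field mapping. It also covers three later items in the same module: orphaned systems (empty owner), unsupported legacy systems, and shadow IT (hosts on the wire with no record).

```python
"""Reconcile CMDB records against hosts observed in a network sweep.

Constructed example data: the CMDB export and sweep output shapes below are
assumptions, not the format of any particular CMDB or scanner.
"""
import ipaddress

CMDB = [
    {"hostname": "APP-01.corp.example", "ip": "10.0.1.10", "owner": "payments", "support_status": "supported"},
    {"hostname": "db-01.corp.example", "ip": "10.0.1.20", "owner": "payments", "support_status": "supported"},
    {"hostname": "legacy-hr.corp.example", "ip": "10.0.2.5", "owner": "", "support_status": "end-of-life"},
    {"hostname": "decom-01.corp.example", "ip": "10.0.3.9", "owner": "infra", "support_status": "supported"},
]

SWEEP = [
    {"ip": "10.0.1.10", "hostname": "app-01.corp.example"},
    {"ip": "10.0.1.21", "hostname": "db-01.corp.example"},  # re-addressed since the CMDB entry
    {"ip": "10.0.2.5", "hostname": "legacy-hr.corp.example"},
    {"ip": "10.0.9.77", "hostname": None},                   # no reverse DNS, no CMDB record
]


def _norm_host(hostname):
    # Case and trailing-dot differences are the usual cause of false mismatches.
    return hostname.strip().lower().rstrip(".") if hostname else None


def _norm_ip(ip):
    # Rejects malformed addresses early instead of silently failing to match.
    return str(ipaddress.ip_address(ip.strip()))


def reconcile(cmdb, sweep):
    by_host = {_norm_host(r["hostname"]): r for r in cmdb}
    by_ip = {_norm_ip(r["ip"]): r for r in cmdb}
    seen_hosts, seen_ips = set(), set()
    findings = {"undocumented": [], "ip_mismatch": [], "stale": [], "orphaned": [], "unsupported": []}

    for s in sweep:
        host, ip = _norm_host(s["hostname"]), _norm_ip(s["ip"])
        seen_ips.add(ip)
        if host:
            seen_hosts.add(host)
        rec = by_ip.get(ip) or (by_host.get(host) if host else None)
        if rec is None:
            findings["undocumented"].append(ip)          # shadow IT candidate
        elif _norm_ip(rec["ip"]) != ip:
            findings["ip_mismatch"].append((_norm_host(rec["hostname"]), _norm_ip(rec["ip"]), ip))

    for host, rec in by_host.items():
        if _norm_ip(rec["ip"]) not in seen_ips and host not in seen_hosts:
            findings["stale"].append(host)               # in CMDB, not on the wire
        if not rec["owner"].strip():
            findings["orphaned"].append(host)            # nobody to sign off findings
        if rec["support_status"] == "end-of-life":
            findings["unsupported"].append(host)         # high-risk or compensating controls
    return findings
```

Matching first by IP and then by hostname is deliberate: a host that was re-addressed still reconciles to its record and is reported as a mismatch rather than as both a stale record and an undocumented host, which is the double-count that makes sweep reports untrustworthy to system owners.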
Module 3: Threat Modeling and Risk Prioritization
- Choosing between STRIDE and PASTA methodologies based on the organization’s development lifecycle and threat landscape.
- Adjusting risk scores for systems exposed to the internet when DDoS mitigation capabilities are limited by ISP contracts.
- Deciding whether insider threat scenarios warrant additional monitoring given privacy and labor regulations.
- Mapping discovered vulnerabilities to MITRE ATT&CK techniques to prioritize remediation based on observed adversary behavior.
- Revising threat models after identifying undocumented data flows between departments during interviews.
- Deferring remediation of high-severity findings on business-critical systems when no maintenance window is available.
Module 4: Access Control and Identity Governance
- Identifying excessive privileges in role-based access control models due to role creep over multiple organizational changes.
- Enforcing least privilege on shared service accounts when applications lack support for individual authentication.
- Integrating on-premises identity stores with cloud IAM systems without introducing single points of failure.
- Handling just-in-time access requests for critical systems during incident response without bypassing approval workflows.
- Addressing orphaned accounts from terminated employees that persist due to delays in HR-to-IT synchronization.
- Implementing multi-factor authentication on legacy systems that do not support modern authentication protocols.
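Two of the items above, role creep and orphaned accounts left behind by slow HR-to-IT synchronization, reduce to the same join: identity-provider accounts against the HR roster and against the roles each job title is entitled to. The script below is an added example for this module, not part of the original curriculum or of any identity product. The HR, RBAC and IAM exports, the `svc-` naming convention for service accounts, the three-day sync grace period and the `AS_OF` date are all constructed assumptions.

```python
"""Flag orphaned accounts and role creep by joining IAM to HR and to the RBAC model.

All data below is constructed for the example; field names are assumptions.
"""
from datetime import date, timedelta

AS_OF = date(2024, 5, 10)  # review date, fixed so the example is reproducible

HR = {  # authoritative people data, keyed by account name
    "alice": {"status": "active", "title": "payments-engineer"},
    "bob":   {"status": "terminated", "term_date": date(2024, 5, 1)},
    "carol": {"status": "active", "title": "sre"},
    "dave":  {"status": "terminated", "term_date": date(2024, 5, 9)},
}

ENTITLED = {  # roles the RBAC model grants each title
    "payments-engineer": {"repo-read", "repo-write", "payments-db-read"},
    "sre": {"repo-read", "prod-admin"},
}

IAM = [  # accounts as exported from the identity provider
    {"account": "alice", "roles": {"repo-read", "repo-write", "payments-db-read", "prod-admin"}},
    {"account": "bob",   "roles": {"repo-read"}},
    {"account": "carol", "roles": {"repo-read", "prod-admin"}},
    {"account": "dave",  "roles": {"repo-read"}},
    {"account": "svc-batch", "roles": {"payments-db-read"}},
]


def review_accounts(iam, hr, entitled, today=AS_OF, grace_days=3, service_prefix="svc-"):
    findings = {"orphaned": [], "pending_sync": [], "excess_roles": {}, "service_without_owner": []}
    for acct in iam:
        name, person = acct["account"], hr.get(acct["account"])
        if person is None:
            # Not a person: either a service account needing a named owner, or an orphan.
            bucket = "service_without_owner" if name.startswith(service_prefix) else "orphaned"
            findings[bucket].append(name)
            continue
        if person["status"] == "terminated":
            # Allow the documented HR-to-IT sync delay, then treat the account as orphaned.
            if today - person["term_date"] > timedelta(days=grace_days):
                findings["orphaned"].append(name)
            else:
                findings["pending_sync"].append(name)
            continue
        extra = acct["roles"] - entitled.get(person["title"], set())
        if extra:
            findings["excess_roles"][name] = sorted(extra)   # role creep against the model
    return findings
```

The grace period is the point to negotiate with HR and IT: anything still enabled past it is a finding, anything inside it is tracked but not escalated, and the list of `service_without_owner` accounts is the input to the shared-service-account item above, since an account with no human owner cannot be reviewed for least privilege at all.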
Module 5: Logging, Monitoring, and Detection Efficacy
- Configuring log retention periods to meet compliance requirements while managing storage costs in centralized SIEM environments.
- Filtering out noise in alerting systems caused by misconfigured applications generating excessive benign events.
- Validating that critical security events from cloud platforms are ingested into on-premises monitoring tools.
- Assessing detection coverage gaps when EDR agents are disabled on high-performance computing systems.
- Responding to alerts on systems with no documented owner or operational runbook.
- Calibrating correlation rules to reduce false positives without increasing the risk of missing coordinated attacks.
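The noise-filtering and correlation-tuning items in this module are easiest to reason about on concrete log lines. Below is an added example for the curriculum, not a rule from any SIEM product: a failed-then-successful-login correlation per source address, with a suppression list scoped to one (source, account) pair rather than to the whole source. The log lines are constructed and simplified from sshd's real format, and the `svc-backup` noisy-retry scenario is an assumption.

```python
"""Correlate failed-then-successful logins per source, with targeted noise suppression.

The log lines are constructed for the example (simplified from sshd's real format)
and the suppression list is an assumption about one known-noisy service account.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
2024-05-10T09:00:01Z host1 sshd: Failed password for svc-backup from 10.0.5.2
2024-05-10T09:00:02Z host1 sshd: Failed password for svc-backup from 10.0.5.2
2024-05-10T09:00:03Z host1 sshd: Failed password for svc-backup from 10.0.5.2
2024-05-10T09:00:04Z host1 sshd: Failed password for svc-backup from 10.0.5.2
2024-05-10T09:00:05Z host1 sshd: Failed password for svc-backup from 10.0.5.2
2024-05-10T09:00:30Z host1 sshd: Accepted password for root from 10.0.5.2
2024-05-10T09:10:00Z host2 sshd: Failed password for admin from 203.0.113.7
2024-05-10T09:10:04Z host2 sshd: Failed password for root from 203.0.113.7
2024-05-10T09:10:09Z host2 sshd: Failed password for admin from 203.0.113.7
2024-05-10T09:10:12Z host3 sshd: Failed password for admin from 203.0.113.7
2024-05-10T09:10:20Z host3 sshd: Accepted password for deploy from 203.0.113.7
2024-05-10T09:30:00Z host1 sshd: Accepted publickey for alice from 10.0.7.3
"""

LINE = re.compile(r"^(\S+) (\S+) sshd: (Failed|Accepted) \S+ for (\S+) from (\S+)$")

# Suppress only this (source, account) pair: svc-backup on 10.0.5.2 retries a stale
# password all day. Any other account from the same source still counts.
SUPPRESS = {("10.0.5.2", "svc-backup")}


def parse(text):
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, host, outcome, user, src = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "host": host, "outcome": outcome, "user": user, "src": src})
    return events


def correlate(events, suppress=SUPPRESS, threshold=3, window=timedelta(minutes=5)):
    """Alert when one source accumulates >= threshold failures inside `window`
    (across accounts and hosts) and then receives an Accepted. Suppressed pairs do
    not count toward the threshold, which is narrower than dropping the source."""
    failures = defaultdict(list)
    alerts = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["outcome"] == "Failed" and (e["src"], e["user"]) in suppress:
            continue
        recent = [t for t in failures[e["src"]] if e["ts"] - t <= window]
        failures[e["src"]] = recent
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
        elif len(recent) >= threshold:
            alerts.append({"src": e["src"], "user": e["user"], "host": e["host"],
                           "failures": len(recent)})
    return alerts
```

Running `correlate(parse(LOG))` produces one alert, for 203.0.113.7 spraying across two hosts and then landing as `deploy`. Running it with `suppress=set()` produces a second alert for 10.0.5.2, where the suppressed service-account failures precede a root login. That second case is the trade-off the last item describes: a pair-scoped suppression keeps the rule quiet for the known misconfiguration, but it also hides the sequence when the success is for a different account, so the suppression has to be paired with a separate rule that fires on any interactive root login from that source.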
Module 6: Incident Response Preparedness and Testing
- Updating incident playbooks to reflect changes in system architecture after recent cloud migration.
- Conducting tabletop exercises that include non-security teams such as PR and legal to test cross-functional coordination.
- Identifying single points of failure in response workflows where only one person has access to decryption keys.
- Testing backup restoration procedures on systems with large datasets where recovery time exceeds RTO.
- Documenting communication protocols for notifying regulators within mandated timeframes during breach scenarios.
- Assessing whether IR tools can operate effectively in air-gapped environments during containment phases.
Module 7: Compliance Mapping and Audit Readiness
- Mapping control implementations to multiple regulatory frameworks (e.g., GDPR, HIPAA, PCI DSS) without duplicating effort.
- Providing evidence of control effectiveness for systems managed by third parties who restrict audit access.
- Resolving discrepancies between policy documentation and actual configurations during pre-audit walkthroughs.
- Preparing for auditor requests for real-time monitoring data when logs are aggregated with a 15-minute delay.
- Justifying control exceptions for systems with compensating measures in place but no formal risk acceptance.
- Archiving audit evidence in tamper-evident storage to meet non-repudiation requirements.
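The last item, tamper-evident archiving of audit evidence, is commonly implemented as a hash chain over evidence records authenticated with a keyed MAC. The block below is an added example for this curriculum, not the archive format of any audit tool. `KEY`, the three evidence records and the `GENESIS` marker are constructed assumptions; in practice the key lives in a KMS or HSM that the evidence writer can use but not export.

```python
"""Hash-chained, HMAC-authenticated evidence log so post-hoc edits are detectable.

KEY and the evidence records are constructed for the example. In practice the key
sits in a KMS/HSM the writer can use but not export, and the latest MAC is
published externally (timestamping service, WORM bucket) so truncation is detectable.
"""
import hashlib
import hmac
import json

KEY = b"example-only-audit-key"

RECORDS = [
    {"control": "AC-2", "system": "payments-db", "collected_at": "2024-05-10T09:00:00Z",
     "evidence_sha256": hashlib.sha256(b"quarterly access review export").hexdigest()},
    {"control": "AU-11", "system": "siem", "collected_at": "2024-05-10T09:05:00Z",
     "evidence_sha256": hashlib.sha256(b"retention policy screenshot").hexdigest()},
    {"control": "SC-13", "system": "vpn-gw", "collected_at": "2024-05-10T09:10:00Z",
     "evidence_sha256": hashlib.sha256(b"tls config dump").hexdigest()},
]

GENESIS = "genesis"  # fixed predecessor for the first entry


def _mac(key, prev, record):
    # Canonical JSON so key order or whitespace cannot alter the MAC.
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + body, hashlib.sha256).hexdigest()


def build_chain(records, key):
    chain, prev = [], GENESIS
    for record in records:
        mac = _mac(key, prev, record)
        chain.append({"record": dict(record), "prev": prev, "mac": mac})
        prev = mac
    return chain


def verify_chain(chain, key):
    """Return the index of the first entry that fails, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], _mac(key, prev, entry["record"])):
            return i
        prev = entry["mac"]
    return -1
```

Editing any field of a stored record, or verifying with the wrong key, fails at that entry. What the chain alone does not catch is truncation: dropping the newest entries leaves a perfectly valid shorter chain, which is why the head MAC has to be anchored somewhere the writer cannot alter (an external timestamp or an object-lock bucket) before the evidence is presented for non-repudiation.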
Module 8: Continuous Review and Control Evolution
- Scheduling recurring review cycles for high-risk systems without disrupting mission-critical operations.
- Integrating findings from red team exercises into the control improvement backlog with tracked remediation timelines.
- Updating system diagrams and trust boundaries after infrastructure changes are deployed outside change control.
- Measuring control drift by comparing current configurations against baseline snapshots from previous reviews.
- Adjusting review frequency based on changes in threat intelligence, business strategy, or system ownership.
- Automating evidence collection for recurring controls to reduce manual effort during subsequent assessments.
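Measuring control drift against a baseline snapshot, the fourth item above, comes down to flattening two nested configuration trees and diffing them, then separating the changes that are findings from the ones that are merely changes. The code below is an added example for this curriculum, not tooling from any configuration-management product. `BASELINE`, `OBSERVED` and the `BLOCKING` key list are constructed assumptions standing in for snapshots exported from whatever tooling produced the previous review.

```python
"""Measure control drift by diffing a flattened observed configuration against a baseline snapshot.

BASELINE, OBSERVED and BLOCKING are constructed for the example; in practice the
snapshots come from the configuration tooling used in the previous review.
"""

BASELINE = {
    "sshd": {"PasswordAuthentication": "no", "PermitRootLogin": "no", "MaxAuthTries": 4},
    "firewall": {"inbound": ["22/tcp", "443/tcp"]},
    "audit": {"enabled": True},
}

OBSERVED = {
    "sshd": {"PasswordAuthentication": "yes", "PermitRootLogin": "no", "MaxAuthTries": 4,
             "X11Forwarding": "yes"},
    "firewall": {"inbound": ["22/tcp", "443/tcp", "3389/tcp"]},
}

# Keys whose drift is a finding in its own right, not just a change to note.
BLOCKING = {"sshd.PasswordAuthentication", "sshd.PermitRootLogin", "audit.enabled"}


def flatten(cfg, prefix=""):
    """Turn nested dicts into dotted keys; lists stay as leaf values."""
    out = {}
    for k, v in cfg.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def drift(baseline, observed):
    b, o = flatten(baseline), flatten(observed)
    return {
        "added": sorted(set(o) - set(b)),
        "removed": sorted(set(b) - set(o)),
        "changed": {k: (b[k], o[k]) for k in sorted(set(b) & set(o)) if b[k] != o[k]},
    }


def blocking_drift(report, blocking=BLOCKING):
    """Drifted keys that must be remediated or formally risk-accepted, not just logged."""
    touched = set(report["added"]) | set(report["removed"]) | set(report["changed"])
    return sorted(touched & blocking)
```

A removed key is treated the same as a changed one: a control setting that has vanished from the snapshot (here `audit.enabled`) is usually a component that was uninstalled or replaced outside change control, which is exactly the case the diagram-and-trust-boundary item above asks to catch. The non-blocking changes (`X11Forwarding`, the new inbound port) still go into the backlog, but with a lower priority.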