Certified Cyber (Governance Risk and Compliance) Professional - CC(GRC)P, distance learning and online certification program

This program has been designed to provide the knowledge and skills needed to support firms and organizations in Cyber Governance, Risk and Compliance Management.

Target Audience
The CC(GRC)P certification program is beneficial to:
- Managers and employees working at the strategic, tactical, and operational levels of information security, IT and risk management.
- Information security managers, employees, auditors, and consultants.
- Threat analysts.
- Vulnerability assessment managers, employees, auditors, and consultants.
- Risk and compliance managers, employees, auditors, and consultants.
- IT managers, employees, auditors, and consultants.
- Network, systems and security administrators.
- Senior managers involved in risk and compliance management.
- Data protection and privacy managers, employees, auditors and consultants.
- IT, information security, risk and compliance management vendors, suppliers, and service providers.


Course Synopsis
Part 1: Introduction

- Demand for Cyber Risk / Information Security Professionals … and compensation.
- Introduction to Cyber (Governance, Risk, Compliance).
- From Cyberspace to Information Operations (IO) to Cyber Espionage.
- Cyber risks today, and what is different for organizations and employees.

Part 2: Attacks and Modus Operandi

- Who is the attacker?

- Eleven types of internet security attacks.
- 1. Attacks on the critical infrastructure.
- 2. Attacks on the internet infrastructure.
- 3. Deliberate persistent attacks on specific resources.
- 4. Widespread automated attacks against internet sites.
- 5. Threats, harassment, and other criminal offences involving individual user accounts.
- 6. New types of attacks or new vulnerabilities.
- 7. Botnets.
- 8. Denial of Service (DoS) and Distributed Denial of Service (DDoS).
- 9. Forgery and misrepresentation.
- 10. Compromise of single desktop systems.
- 11. Copyright violations.

Modus Operandi

Step 1 - Collecting information about persons and systems
- Reconnaissance: The research phase used to identify and select targets.
- Looking for information about the systems.
- Looking for information about the persons working in the target organization (or for the target organization).
- Outsourcing and budget cuts can have hidden costs.
- Who has signed a confidentiality agreement? A good list of prime targets for all adversaries.
- Looking at our daily activities from the adversaries' point of view.
- More prime targets: Disgruntled employees, ideologists, employees having a lavish lifestyle, employees having “weaknesses”, lawyers having access to trade secrets and sensitive information.

Step 2 - Identifying possible targets and victims
- Hardware attacks, software attacks.
- Malicious hardware modifications: Acquiring hardware components with a backdoor, and how it affects all other information security policies.
- Phishing, social phishing, spear phishing, watering hole attacks.
- Which systems and which persons? The hit list.

Step 3 - Evaluation, recruitment and testing
- Exploiting more vulnerabilities in certain systems.
- Deciding to work more with certain persons.
- Blackmailing employees: The art and the science.
- Testing the asset.
- The problem with the sleeper agents.

Step 4 - Privilege escalation
- A. Vertical privilege escalation, where adversaries grant themselves higher privileges.
- B. Horizontal privilege escalation, where adversaries use the identity of other users with similar privileges.
- Obtaining customer account details.
- Internal information, social engineering.

Step 5 - Identification of important clients and stakeholders
- Attackers have access to personal information. What is next?
- Identifying important clients and stakeholders working in the public and the private sector.
- Repeating the process - Steps 1 to 4.

Step 6 - Critical infrastructure
- Creating backdoors.
- Covering their tracks.
- Ticking time bombs and backdoor triggers based on specific input data.
- Selling information in the secondary markets (to other attackers, competitors, spies and organized crime).

- The deep web.
- The dark web.

- Examples and case studies.

Part 3: Information Warfare, Cyber Espionage

Information Warfare

- The famous paradoxical trinity of Clausewitz.
- Cyberspace – a domain of war.
- Jus ad bellum, jus in bello, jus post bellum.

- Article 2(4) and Article 51, United Nations (UN) Charter.
- Interpretations of Article 2(4) and Article 51.

- From the International Strategy for Cyberspace, to the G7 Finance Ministers and Central Bank Governors, to the Law of War Manual, Cyber Operations.

- Information Operations (IO).
- 1. Electronic warfare (EW).
- 2. Computer network operations (CNO).
- 3. Psychological operations (PSYOP).
- 4. Military deception (MILDEC), and
- 5. Operations security (OPSEC).

- Information Operations and their supporting capabilities.
- 1. Information Assurance.
- 2. Physical Security.
- 3. Physical Attack.
- 4. Counter Intelligence.
- 5. Combat Camera.

- Defensive Information Operations.

- Net-centric warfare.

- Cyberspace and national security.

- Hackers, Spies, or Hybrid Warfare?
- The Gerasimov Doctrine.

- Case Studies.

Cyber Espionage

- Espionage, Intelligence.
- Political, Economic, Military Intelligence.
- Competitive Intelligence vs. Economic or Industrial Espionage.
- From UK, MI5.
- From UK SIS, MI6.
- From UK, Centre for the Protection of National Infrastructure (CPNI).

- Counterintelligence (CI).

- Cyber Espionage.

- Case studies.

- Strategic counterintelligence.

- The Ten Commandments of Counterintelligence (from James M. Olson, who served in the Directorate of Operations of the CIA) that apply in Cybersecurity.

- Gentlemen don’t read each other’s mail?

Part 4: Defense

- Cyber Hygiene.

- The U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

- 1. The Framework Core.
- 2. The Framework Implementation Tiers.
- 3. The Framework Profile.

- The Functions:
- a. Identify.
- b. Protect.
- c. Detect.
- d. Respond.
- e. Recover.

- From ID.AM-1: Physical devices and systems within the organization are inventoried, to ID.AM-6: Cybersecurity roles and responsibilities for the entire workforce and third-party stakeholders (e.g., suppliers, customers, partners) are established.

- From ID.BE-1: The organization’s role in the supply chain is identified and communicated, to ID.BE-5: Resilience requirements to support delivery of critical services are established.

- From ID.GV-1: Organizational information security policy is established, to ID.GV-4: Governance and risk management processes address cybersecurity risks.

- From ID.RA-1: Asset vulnerabilities are identified and documented, to ID.RA-6: Risk responses are identified and prioritized.

- From ID.RM-1: Risk management processes are established, managed, and agreed to by organizational stakeholders, to ID.RM-3: The organization’s determination of risk tolerance is informed by its role in critical infrastructure and sector specific risk analysis.

- From PR.AC-1: Identities and credentials are managed for authorized devices and users, to PR.AC-5: Network integrity is protected, incorporating network segregation where appropriate.

- From PR.AT-1: All users are informed and trained, to PR.AT-5: Physical and information security personnel understand roles & responsibilities.

- From PR.DS-1: Data-at-rest is protected, to PR.DS-7: The development and testing environment(s) are separate from the production environment.

- From PR.IP-1: A baseline configuration of information technology/industrial control systems is created and maintained, to PR.IP-12: A vulnerability management plan is developed and implemented.

- From PR.MA-1: Maintenance and repair of organizational assets is performed and logged in a timely manner, with approved and controlled tools, to PR.MA-2: Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access.

- From PR.PT-1: Audit/log records are determined, documented, implemented, and reviewed in accordance with policy, to PR.PT-4: Communications and control networks are protected.

- From DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed, to DE.AE-5: Incident alert thresholds are established.

- From DE.CM-1: The network is monitored to detect potential cybersecurity events, to DE.CM-8: Vulnerability scans are performed.

- From DE.DP-1: Roles and responsibilities for detection are well defined to ensure accountability, to DE.DP-5: Detection processes are continuously improved.

- RS.RP-1: Response plan is executed during or after an event.

- From RS.CO-1: Personnel know their roles and order of operations when a response is needed, to RS.CO-5: Voluntary information sharing occurs with external stakeholders to achieve broader cybersecurity situational awareness.

- From RS.AN-1: Notifications from detection systems are investigated, to RS.AN-4: Incidents are categorized consistent with response plans.

- From RS.MI-1: Incidents are contained, to RS.MI-3: Newly identified vulnerabilities are mitigated or documented as accepted risks.

- From RS.IM-1: Response plans incorporate lessons learned, to RS.IM-2: Response strategies are updated.

- RC.RP-1: Recovery plan is executed during or after an event.

- From RC.IM-1: Recovery plans incorporate lessons learned, to RC.IM-2: Recovery strategies are updated.

- From RC.CO-1: Public relations are managed, to RC.CO-3: Recovery activities are communicated to internal stakeholders and executive and management teams.

- The Framework Implementation Tiers (“Tiers”).
- From Partial (Tier 1) to Adaptive (Tier 4).

- The Framework Profile.

- Coordination of Framework Implementation.

- Establishing or Improving a Cybersecurity Program.
- Step 1: Prioritize and Scope.
- Step 2: Orient.
- Step 3: Create a Current Profile.
- Step 4: Conduct a Risk Assessment.
- Step 5: Create a Target Profile.
- Step 6: Determine, Analyze, and Prioritize Gaps.
- Step 7: Implement Action Plan.

- Methodology to Protect Privacy and Civil Liberties.

- Governance of cybersecurity risk.

- Awareness and training measures.
- Penetration Testing.

- Guidance from the Securities and Exchange Commission (SEC), Division of Corporation Finance, regarding disclosure obligations relating to cybersecurity risks and cyber incidents.

- The new international standards for cyber security after Regulation (EU) 2016/679 (General Data Protection Regulation).

Part 5: The future

- The attribution problem.
- The second attribution problem.
- Plausible deniability.
- Misinformation, disinformation, deception, fabrication.
- Disinformation management.

- ENISA, Disinformation operations in cyber-space.
- ENISA, Active Defense and Offensive Countermeasures.

Payment
For secure payment we work with PayPal, the faster and safer way to make online payments. With PayPal we minimize the cost of administration and compliance with many national and international laws, regulations and privacy rules and we can keep the cost of the program so low.

Only PayPal receives your credit card number and your financial information. We only receive your full name, your email and your mail address. According to the PayPal rules, you have the option to ask for a full refund up to 60 days after the payment. If you do not want the program for any reason, all you have to do is send us an email and we will refund the payment, no questions asked. You can try our programs risk-free.

When you click "Buy Now" below, you will be redirected to the PayPal web site. Your payment will be received by our strategic partner and service provider, Cyber Risk GmbH (Rebackerstrasse 7, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH may also send certificates to members that live outside the United States. Members living in the States may receive their certificates from our office in Washington DC.

The all-inclusive cost is $297.


What is included in the price:

A. The official presentations we use in our instructor-led classes (1,010 slides)

You can find the course synopsis above.

B. Up to 3 Online Exams

You have to pass one exam. If you fail, you must study the official presentations and try again, but you do not need to spend money. Up to 3 exams are included in the price.

To learn more you may visit:
www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf

www.risk-compliance-association.com/CC(GRC)P_Certification_Steps_1.pdf

C. Personalized Certificate printed in full color

Processing, printing, packing and posting to your office or home.


Steps - To become a CC(GRC)P

Step 1. For secure payment we work with PayPal, the faster and safer way to make online payments. With PayPal we minimize the cost of administration and compliance with many national and international laws, regulations and privacy rules and we can keep the cost of the program so low.

Only PayPal receives your credit card number and your financial information. We only receive your full name, your email and your mail address. According to the PayPal rules, you have the option to ask for a full refund up to 60 days after the payment. If you do not want the program for any reason, all you have to do is send us an email and we will refund the payment, no questions asked. You can try our programs risk-free.

When you click "Buy Now" below, you will be redirected to the PayPal web site. Your payment will be received by our strategic partner and service provider, Cyber Risk GmbH (Rebackerstrasse 7, 8810 Horgen, Switzerland, Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341). Cyber Risk GmbH may also send certificates to all members that live outside the United States. Members living in the States may receive their certificates from our office in Washington DC.

The all-inclusive cost is $297.


Step 2. We will send you the official presentations via email in less than 48 hours.

Step 3. When you are ready to sit for the exam, you may send an email to:

Lyn Spooner - Email: lyn@risk-compliance-association.com

We will create your account, and we will send you a username and password for the online exam. You can sit for the exam any time from your office or home. Your account never expires.

Step 4. If you pass, congratulations. You will learn it immediately after the exam.

You are a Certified Cyber (Governance Risk and Compliance) Professional - CC(GRC)P, and you are entitled to write about your certification in your CV, resume, websites etc. using the name and the logo of the association and the exam.

Step 5. We will send your signed and stamped certificate via standard mail. You will receive it up to 3 months after the day you passed the exam.

Step 6. If you do not pass the exam: Study the official presentations. Try to understand the details. You will have the opportunity to try again.

Step 7. You will have (at no extra cost) a second opportunity to sit for the exam. You can use the same Username, Password and Account information we have sent you. Good Luck!

Step 8. If you do not pass again, you have to study more. You will have (at no extra cost) a third opportunity to sit for the exam. You can again use the Username, Password and Account information we have sent you.

Step 9. If you do not pass, you will have (at no extra cost) another opportunity to sit for the exam, but first you have to learn more. After one year, you can try again (for the 4th time).

For any questions please contact Lyn Spooner at lyn@risk-compliance-association.com


Frequently Asked Questions

1. How comprehensive are the slides? Are they just bullet points?

Answer: The slides are not just bullet points; you can read them, understand them and learn. These are the official slides we use in our instructor-led classes.

2. Do I need to buy books to pass the exam?

Answer: No. If you study the slides, you can pass the exam. If you fail the first time, you must study more. Print the slides and use Post-it notes with labels like "Espionage, Case Studies", "WannaCry" etc. to know where to find the answer.

3. Is it an open book exam? Why?

Answer: Yes, it is an open book exam. Risk and compliance management is not something you have to memorize, it is something you have to understand and learn.

4. Do I have to sit for the exam soon after receiving the presentations?

Answer: No. You can sit for the exam from your office or home any time in the future. We will create an online account that never expires.

5. Do I have to spend more money in the future to remain certified? Does the certification lose its value after some time?

Answer: No. Your certificate never expires. It will be valid without the need to spend money or to sit for another exam in the future.

6. Ok, the certificate never expires, but things change.

Answer: If a university degree never expires, why should our certificates expire? Yes, things change, and this is the reason you need to become a member of the association. You will receive a weekly newsletter with updates, alerts and opportunities to stay current. There is no cost for that.

7. How many hours do I need to study in order to pass the exam?

Answer: It depends on your knowledge and experience. You must study the presentations carefully. You must go through the slides two or more times to ensure you have learned the details. It takes about 22 hours (average).

8. I want to learn more about the online exam.

Answer: You will be given 90 minutes to complete a 35-question multiple-choice exam. You must score 70% or higher. We do not send sample questions. If you study the presentations carefully, you can score 100%.

To learn more you may visit:
www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf

www.risk-compliance-association.com/CC(GRC)P_Certification_Steps_1.pdf

9. Why should I get certified?

Answer: After the failures of so many organizations during the crisis and the risk that shareholders may sue senior management and the board of directors for gross negligence, firms hire "fit and proper" professionals who can provide evidence that they are qualified.

Organizations need assurance that employees have the knowledge and skills needed to mitigate risks and to accept more responsibility. Supervisors and auditors ask for independent evidence that the process owners are qualified, that the controls can operate as designed, and the persons responsible for these controls have the necessary knowledge and experience.

The marketplace is clearly demanding qualified professionals in risk and compliance management. Certified professionals enjoy industry recognition, have more and better job opportunities, secure the best jobs, and make more money.

It is important to be certified and to belong to professional associations. You prove that you are somebody who cares, learns, and belongs to a global community of professionals.

10. Why should I choose your certification program?

Answer: It is always wise to investigate first. You may search for other risk and compliance management programs.

We strongly believe that our distance learning and online certification programs offer very good value for money:

1. You receive the training material (the official presentations of the instructor-led class).

2. You can pass the exam. There are 3 exams that are included in the price, so you do not have to spend money again if you fail.

3. No re-certification is required. You do not need to spend money in the future to remain certified. Your certificate never expires.

4. You become a member of the association and you receive weekly updates, news and alerts.