Certified Cyber (Governance Risk and Compliance) Professional, Prep Class
09:00 - 17:00
Cyber Risk GmbH (Handelsregister des Kantons Zürich, Firmennummer: CHE-244.099.341) invites you to the preparation class for the Certified Cyber (Governance Risk and Compliance) Professional - CC(GRC)P certification program. It has been designed to provide you with the knowledge and skills needed to support firms and organizations in Cyber (Governance, Risk and Compliance) Management.
What is included in the price:
A. One-day (09:00-17:00) instructor-led training. Coffee, refreshments, snacks, and lunch are included in the cost. Instructor: George Lekatis, general manager of Cyber Risk GmbH and president of the International Association of Risk and Compliance Professionals (IARCP).
His background and some testimonials: http://www.cyber-risk-gmbh.com/George_Lekatis_Testimonials.pdf
B. The official presentations (1,010 slides).
C. Up to 3 Online Exams. You must pass one exam. If you fail, you must study the official presentations and try again, at no additional cost. Up to 3 exams are included in the price.
To learn more you may visit: www.risk-compliance-association.com/Questions_About_The_Certification_And_The_Exams_1.pdf
D. Personalized Certificate. Processing, printing, packing and posting to your office or home.
For any questions please contact Lyn Spooner at firstname.lastname@example.org
Frequently Asked Questions about the program
1. Do I need to buy books? Are there any other expenses?
Answer: No. There is no other cost, now or in the future, for this program.
2. Is it an open book exam? Why?
Answer: Yes, it is an open book exam. Risk and compliance management is not something you have to memorize; it is something you must understand and learn.
3. Do I have to sit for the exam soon after the class?
Answer: No. You can sit for the exam from your office or home anytime in the future. We will create an online account that never expires.
4. Do I have to spend more money in the future to remain certified?
Answer: No. Your certificate never expires.
5. How many hours do I need to study to pass the exam?
Answer: It depends on your knowledge and experience. You must study the presentations carefully. You must go through the slides two or more times to ensure you have learned the details. It takes about 24 hours (average).
6. Are there any prerequisites for this program?
Answer: There are no prerequisites.
Frequently Asked Questions about the instructor-led training
1. What's the refund policy?
Answer: 100% refund is possible for a ticket if canceled 7 days before the event.
2. Do I have to bring my printed ticket to the event?
3. Can I update my registration information?
4. Is my registration fee or ticket transferrable?
5. Is it ok if the name on my ticket or registration doesn't match the person who attends?
The International Association of Risk and Compliance Professionals (IARCP - 1200 G Street NW, Suite 800, Washington DC 20005, USA, www.risk-compliance-association.com) is a business unit of Compliance LLC, incorporated in Wilmington, NC, with offices in Washington, DC, a provider of risk and compliance training and executive coaching in 36 countries. Several business units of Compliance LLC are very successful associations that offer standard, premium and lifetime membership, weekly or monthly updates, training, certification, Authorized Certified Trainer (ACT) programs and other services to their members.
Event planning is dynamic and hectic. No one likes dealing with a last-minute venue change. In the unlikely event we have to change the venue, we will transfer the event to a 5-star hotel as near as possible to the original venue. We will refund your payment if you do not agree with this change for any reason (no questions asked).
We will neither take any photos of the audience nor publish any names or photos on social media.
The CC(GRC)P certification program is beneficial to:
- Managers and employees working at the strategic, tactical, and operational levels of information security, IT and risk management.
- Information security managers, employees, auditors, and consultants.
- Threat analysts.
- Vulnerability assessment managers, employees, auditors, and consultants.
- Risk and compliance managers, employees, auditors, and consultants.
- IT managers, employees, auditors, and consultants.
- Network, systems and security administrators.
- Senior managers involved in risk and compliance management.
- Data protection and privacy managers, employees, auditors, and consultants.
- IT, information security, risk and compliance management vendors, suppliers, and service providers.
Part 1: Introduction
- Demand for Cyber Risk / Information Security Professionals … and compensation.
- Introduction to Cyber (Governance, Risk, Compliance).
- From Cyberspace to Information Operations (IO) to Cyber Espionage.
- Cyber risks today, and what is different for organizations and employees.
Part 2: Attacks and Modus Operandi
- Who is the attacker?
- Eleven types of internet security attacks.
- 1. Attacks on the critical infrastructure.
- 2. Attacks on the internet infrastructure.
- 3. Deliberate persistent attacks on specific resources.
- 4. Widespread automated attacks against internet sites.
- 5. Threats, harassment, and other criminal offenses involving individual user accounts.
- 6. New types of attacks or new vulnerabilities.
- 7. Botnets.
- 8. Denial of Service (DoS) and Distributed Denial of Service (DDoS).
- 9. Forgery and misrepresentation.
- 10. Compromise of single desktop systems.
- 11. Copyright violations.
Step 1 - Collecting information about persons and systems
- Reconnaissance: The research phase used to identify and select targets.
- Looking for information about the systems.
- Looking for information about the persons working in the target organization (or for the target organization).
- Outsourcing and budget cuts can have hidden costs.
- Who has signed a confidentiality agreement? A good list of prime targets for all adversaries.
- Looking at our daily activities from the adversaries' point of view.
- More prime targets: Disgruntled employees, ideologists, employees having a lavish lifestyle, employees having “weaknesses”, lawyers having access to trade secrets and sensitive information.
Step 2 - Identifying possible targets and victims
- Hardware attacks, software attacks.
- Malicious hardware modifications: Acquiring hardware components with a backdoor, and how it affects all other information security policies.
- Phishing, social phishing, spear phishing, watering hole attacks.
- Which systems and which persons? The hit list.
Step 3 - Evaluation, recruitment, and testing
- Exploiting more vulnerabilities in certain systems.
- Deciding to work more with certain persons.
- Blackmailing employees: The art and the science.
- Testing the asset.
- The problem with the sleeper agents.
Step 4 - Privilege escalation
- A. Vertical privilege escalation, where adversaries grant themselves higher privileges.
- B. Horizontal privilege escalation, where adversaries use the identity of other users with similar privileges.
- Obtaining customer account details.
- Internal information, social engineering.
Step 5 - Identification of important clients and stakeholders
- Attackers have access to personal information. What is next?
- Identifying important clients and stakeholders working in the public and the private sector.
- Repeating the process - Steps 1 to 4.
Step 6 - Critical infrastructure
- Creating backdoors.
- Covering their tracks.
- Ticking time bombs and backdoor triggers based on specific input data.
- Selling information in the secondary markets (to other attackers, competitors, spies, and organized crime).
- The deep web.
- The dark web.
- Examples and case studies.
Part 3: Information Warfare, Cyber Espionage
- The famous paradoxical trinity of Clausewitz.
- Cyberspace – a domain of war.
- Jus ad bellum, jus in bello, jus post bellum.
- Article 2(4) and Article 51, United Nations (UN) Charter.
- Interpretations of Article 2(4) and Article 51.
- From the International Strategy for Cyberspace, to the G7 Finance Ministers and Central Bank Governors, to the Law of War Manual, Cyber Operations.
- Information Operations (IO).
- 1. Electronic warfare (EW).
- 2. Computer network operations (CNO).
- 3. Psychological operations (PSYOP).
- 4. Military deception (MILDEC), and
- 5. Operations security (OPSEC).
- Information Operations and their supporting capabilities.
- 1. Information Assurance.
- 2. Physical Security.
- 3. Physical Attack.
- 4. Counter Intelligence.
- 5. Combat Camera.
- Defensive Information Operations.
- Net-centric warfare.
- Cyberspace and national security.
- Hackers, Spies, or Hybrid Warfare?
- The Gerasimov Doctrine.
- Case Studies.
- Espionage, Intelligence.
- Political, Economic, Military Intelligence.
- Competitive Intelligence vs. Economic or Industrial Espionage.
- From UK, MI5.
- From UK SIS, MI6.
- From the UK, Centre for the Protection of National Infrastructure (CPNI).
- Counterintelligence (CI).
- Cyber Espionage.
- Case studies.
- Strategic counterintelligence.
- The Ten Commandments of Counterintelligence (from James M. Olson, who served in the Directorate of Operations of the CIA) that apply in Cybersecurity.
Part 4: Defense
- Cyber Hygiene.
- The U.S. National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
- 1. The Framework Core.
- 2. The Framework Implementation Tiers.
- 3. The Framework Profile.
- The Functions:
- a. Identify.
- b. Protect.
- c. Detect.
- d. Respond.
- e. Recover.
- The Framework Profile.
- Coordination of Framework Implementation.
- Establishing or Improving a Cybersecurity Program.
- Step 1: Prioritize and Scope.
- Step 2: Orient.
- Step 3: Create a Current Profile.
- Step 4: Conduct a Risk Assessment.
- Step 5: Create a Target Profile.
- Step 6: Determine, Analyze, and Prioritize Gaps.
- Step 7: Implement Action Plan.
- Methodology to Protect Privacy and Civil Liberties.
- Governance of cybersecurity risk.
- Awareness and training measures.
- Penetration Testing.
- Guidance from the Securities and Exchange Commission (SEC), Division of Corporation Finance, regarding disclosure obligations relating to cybersecurity risks and cyber incidents.
- The new international standards for cybersecurity after Regulation (EU) 2016/679 (General Data Protection Regulation).
Part 5: The future
- The attribution problem.
- The second attribution problem.
- Plausible deniability.
- Misinformation, disinformation, deception, fabrication.
- Disinformation management.
- ENISA, Disinformation operations in cyber-space.
- ENISA, Active Defense, and Offensive Countermeasures.
The instructor will conclude the class with sample questions that give candidates a good understanding of what is needed for the exam.