IS1621: CAP Certification Prep Course

Course Length: 40 hrs

Prerequisites:
The ideal candidate should have the following experience, skills, or knowledge in:
• IT security
• Information assurance
• Information risk management
• Certification
• Systems administration
• One to two years of general technical experience
• Two years of general systems experience
• One to two years of database/systems development/network experience
• Information security policy
• Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
• Strong familiarity with NIST documentation

Price: $2595

Format: Onsite, online

This course is designed for the information security practitioner who champions system security, commensurate with an organization's mission and risk tolerance while meeting legal and regulatory requirements. The Certified Authorization Professional (CAP) certification course mirrors the National Institute of Standards and Technology (NIST) system authorization process in compliance with the Office of Management and Budget (OMB) Circular A-130, Appendix III.

Gain the skills needed to categorize, implement, authorize, assess, continuously monitor (real-time risk management), and select security controls for information systems that meets federal mandates on requirements and process guidelines.

Background information is covered relating to how the federal Risk Management Framework (RMF) was developed, the expectations set by Congress and OMB, as well as the manner in which the RMF integrates with other information and business processes.

Topics Covered:

• Risk Management Framework (RMF)
• Categorization of Information Systems
• Selection of Security Controls
• Security Control Implementation
• Security Control Assessment
• Information System Authorization
• Monitoring of Security Controls

1. Domain 1 - Describe the Risk Management Framework (RMF)

• Domain Introduction
• Domain Terminology and References
• Historical and Current Perspective of Authorization
• Introducing the Examples Systems
• Introduction to the RMF
• The RMF Roles and Responsibilities
• The RMF Relationship to Other Processes
• Example System Considerations
• End of Domain Review and Questions

2. Domain 2 - RMF Step 1: Categorize Information Systems

• Domain Introduction
• Domain Terminology and References
• RMF Step 1: Roles and Responsibilities
• Preparing to Categorize an Information System
• Categorize the Information System
• Categorizing the Examples System
• Describe the Information System and Authorization Boundary
• Register the Information System
• RMF Step 1: Milestones, Key Activities, and Dependencies
• End of Domain Review and Questions

3. Domain 3 - RMF Step 2: Select Security Controls

• Domain Introduction
• Domain Terminology and References
• RMF Step 2: Roles and Responsibilities
• Understanding FIPS 200
• Introducing SP 800-53
• The Fundamentals
• The Process
• Appendix D - Security Control Baselines
• Appendix E - Assurance and Trustworthiness
• Appendix F - Security Control Catalog
• Appendix G - Information Security Programs
• Appendix H - International Information Security Standards
• Appendix I - Overlay Template
• Appendix J - Privacy Control Catalog
• Identify and Document Common (Inherited) Controls
• System Specific Security Controls
• Continuous Monitoring Strategy
• Review and Approve Security Plan
• RMF Step 2: Milestone Checkpoint
• Example Information Systems
• End of Domain Review and Questions

4. Domain 4 - RMF Step 3: Implement Security Controls

• Domain Introduction
• Domain Terminology and References
• RMF Step 3: Roles and Responsibilities
• Implement Selected Security Controls
• Contingency Planning
• Configuration, Patch and Vulnerability Management
• Firewalls and Firewall Policy Controls
• Interconnecting Information Technology Systems
• Computer Security Incident Handling
• Security Awareness and Training
• Security Considerations in the SDLC
• Malware Incident Prevention and Handling
• Computer Security Log Management
• Protecting Confidentiality of Personal Identifiable Information
• Continuous Monitoring
• Security Control Implementation
• Document Security Control Implementation
• RMF Step 3: Milestone Checkpoint
• End of Domain Review and Questions

5. Domain 5 - RMF Step 4: Assess Security Control

• Domain Introduction
• Domain Terminology and References
• RMF Step 4: Roles and Responsibilities
• Understanding SP 800-115
• Understanding SP 800-53A
• Prepare for Security Control Assessment
• Develop Security Control Assessment Plan
• Assess Security Control Effectiveness
• Develop Initial Security Assessment Report (SAR)
• Review Interim SAR and Perform Initial Remediation Actions
• Develop Final SAR and Optional Addendums
• RMF Step 4 Milestone Checkpoint
• End of Domain Review and Questions

6. Domain 6 - RMF Step 5: Authorize Information System

• Domain Introduction
• Domain Terminology and References
• RMF Step 5: Roles and Responsibilities
• Develop Plan of Action and Milestones (POAM)
• Assemble Security Authorization Package
• Determine Risk Determine the Acceptability of Risk Obtain Security Authorization
• Decision RMF Step 5: Milestone Checkpoint
• End of Domain Review and Questions

7. Domain 7 - RMF Step 6: Monitor Security Controls

• Introduction
• Domain Terminology and References
• RMF Step 6: Roles and Responsibilities
• Understanding SP 800-137
• Determine Security Impact of Changes to System and Environment
• Perform Ongoing Security Control Assessment
• Conduct Ongoing Remediation Actions
• Update Key Documentation
• Perform Periodic Security Status Reporting
• Perform Ongoing Determination and Acceptance
• Decommission and Remove System
• RMF Step 6: Milestone Checkpoint
• End of Domain Review and Questions

Note: This course was formerly numbered IIUSA-623 covering DIACAP and network security.