ISC CAP CAP – Certified Authorization Professional Version: 4.0 in Karachi, Lahore, Islamabad, Pakistan

ISC CAP CAP – Certified Authorization Professional Version: 4.0

The Certified Authorization Professional (CAP) certification exam is one of the most-demanded and industry-leading IT certification.CAP certification is a proven way to build your career and demonstrate your expertise within the risk management framework (RMF).The Certified Authorization Professional (CAP) is an information security practitioner who advocates for security risk management in pursuit of information system authorization to support an organization’s mission and operations in accordance with legal and regulatory requirements.Candidates have experience includes information systems security-related work performed in pursuit of information system authorization, or work that requires security risk management knowledge and involves direct application of that knowledge.

Requirements

Candidates must have a minimum of 2 years cumulative work experience in 1 or more of the 7 domains of the CAP CBK.
However, a candidate that doesn’t have the required experience to become a CAP may become an Associate of (ISC)² by successfully passing the CAP examination.
The Associate of (ISC)² will then have 3 years to earn the 2 year required experience.

Course Outline

Information Security Risk Management Program

Understand the Foundation of an Organization-Wide Information Security Risk Management Program

Principles of information security
National Institute of Standards and Technology (NIST) Risk Management Framework (RMF)
RMF and System Development Life Cycle (SDLC) integration
Information System (IS) boundary requirements
Approaches to security control allocation
Roles and responsibilities in the authorization process

Understand Risk Management Program Processes

Enterprise program management controls
Privacy requirements
Third-party hosted Information Systems (IS)

Understand Regulatory and Legal Requirements

Federal information security requirements
Relevant privacy legislation
Other applicable security-related mandates

Categorization of Information Systems (IS)

Define the Information System (IS)

Identify the boundary of the Information System (IS)
Describe the architecture
Describe Information System (IS) purpose and functionality

Determine Categorization of the Information System (IS)

Identify the information types processed, stored, or transmitted by the Information System (IS)
Determine the impact level on confidentiality, integrity, and availability for each information type
Determine Information System (IS) categorization and document results

Selection of Security Controls

Identify and Document Baseline and Inherited Controls

Select and Tailor Security Controls

Determine applicability of recommended baseline
Determine appropriate use of overlays
Document applicability of security controls

Develop Security Control Monitoring Strategy

Review and Approve Security Plan (SP)

Implementation of Security Controls

Implement Selected Security Controls

Confirm that security controls are consistent with enterprise architecture
Coordinate inherited controls implementation with common control providers
Determine mandatory configuration settings and verify implementation (e.g., United States Government Configuration Baseline (USGCB), National Institute of Standards and Technology (NIST) checklists, Defense Information Systems Agency (DISA), Security Technical Implementation Guides (STIGs), Center for Internet Security (CIS) benchmarks)
Determine compensating security controls

Document Security Control Implementation

Capture planned inputs, expected behavior, and expected outputs of security controls
Verify documented details are in line with the purpose, scope, and impact of the Information System (IS)
Obtain implementation information from appropriate organization entities (e.g., physical security, personnel security)

Assessment of Security Controls

Prepare for Security Control Assessment (SCA)

Determine Security Control Assessor (SCA) requirements
Establish objectives and scope » Determine methods and level of effort
Determine necessary resources and logistics
Collect and review artifacts (e.g., previous assessments, system documentation, policies)
Finalize Security Control Assessment (SCA) plan

Conduct Security Control Assessment (SCA)

Assess security control using standard assessment methods
Collect and inventory assessment evidence

Prepare Initial Security Assessment Report (SAR)

Analyze assessment results and identify weaknesses
Propose remediation actions

Review Interim Security Assessment Report (SAR) and Perform Initial Remediation Actions

Determine initial risk responses
Apply initial remediations
Reassess and validate the remediated controls

Develop Final Security Assessment Report (SAR) and Optional Addendum

Authorization of Information Systems (IS)

Develop Plan of Action and Milestones (POAM)

Analyze identified weaknesses or deficiencies
Prioritize responses based on risk level
Formulate remediation plans
Identify resources required to remediate deficiencies
Develop schedule for remediation activities

Assemble Security Authorization Package

Compile required security documentation for Authorizing Official (AO)

Determine Information System (IS) Risk

Evaluate Information System (IS) risk
Determine risk response options (i.e., accept, avoid, transfer, mitigate, share)

Make Security Authorization Decision

Determine terms of authorization

Continuous Monitoring

Determine Security Impact of Changes to Information Systems (IS) and Environment

Understand configuration management processes
Analyze risk due to proposed changes
Validate that changes have been correctly implemented

Perform Ongoing Security Control Assessments (SCA)

Determine specific monitoring tasks and frequency based on the agency’s strategy » Perform security control assessments based on monitoring strategy
Evaluate security status of common and hybrid controls and interconnections

Conduct Ongoing Remediation Actions (e.g., resulting from incidents, vulnerability scans, audits, vendor updates)