GRC Masterclass Mapping to CISA and CISSP Domains
Study Note Excerpt
Hello Cyber Risk Manager, 👋
In Simply Cyber Threat Briefing #673 chat I offered to share a mapping of CISA and CISSP exam objectives to GRC Masterclass chapters. It’s an excerpt from my study notes here.
I hope you find this mapping helpful to advance your GRC Analyst Career Development Plan goals, and let me know if you have any questions or feedback.
Good luck getting after it!
Steve
Table of Contents
Chapter 1. A Cybersecurity Primer
What I Learned
Mindset
🤖 Cybersecurity is a business problem with a large technical component
🤔 To advance the mission, we need to think comprehensively about people, processes and technology
☠️ Around 80% of threats that need consideration are human threats
Methods
The NIST Cybersecurity Framework (CSF)
Helps manage large programs and mature cybersecurity efforts, but it’s not exclusively for large companies; it is designed to be flexible and scalable
Maps to controls from:
NIST Special Publication 800-53
ISO 27001
COBIT (Control Objectives for Information and Related Technologies)
Center for Internet Security (CIS) Critical Security Controls
ISA/IEC 62443
ANSI/ISA-99
NIST SP 800-30 Guide for Conducting Risk Assessments:
Provides a taxonomy of threat sources and super helpful reference information to determine likelihood, impact and residual risk in a comprehensive process
Skills
Understanding what a GRC Analyst does and where GRC fits in a Cybersecurity team
Network communication including the OSI model
Technical Competencies
CISA Domain 2: A6. Enterprise Risk Management
CISA Domain 5: A9. Web-Based Communication Techniques
CISSP Domain 1: 1.9. Understand and apply risk management concepts
CISSP Domain 4: 4.1. Apply secure design principles in network architectures
Enabling Competencies
Leading: Risk Management
Adding Value: Business Context
Chapter 2. Compliance and Audit Work
What I Learned
Mindset
🗻 Learning your first security standard is a tall hill to climb, but then the rest are quite easy to scale
💙 Audit is a wonderful place to get a foot in the door of a cybersecurity career
🏋️ Start in Compliance and then grow into Risk
🙌 You can add a lot of value on the people and process side if you’re still early ramping up your technical acumen
Frameworks comprehensively cover People, Process and Technology
While technology is a large component, important capabilities like Incident Response communications are very people and process focused
Methods
💡 BIG INSIGHT: CSF Offers a BEST Logical Grouping of Controls
It would be backwards to have compliance driving your cybersecurity risk management program
Why SOC2? Elevator Pitch 🔥(see my hot take)
SOC2 learning materials from the AICPA
Risk Management Framework (RMF)
💡 BIG INSIGHT/”Hard Truth”: RMF steps 1 and 2 can be done quickly, since 80% of systems are typically categorized as "moderate" due to cost and effort of "high" controls
NIST Special Pubs: 800-37, 800-53, 800-53A, 800-53B, 800-60 Vol. I, 800-60 Vol. II, 800-18, FIPS 199, FIPS 200
Audit process 🔥(my hot take in the full study notes)
Test procedures 🔥(my hot take in the full study notes)
Audit workpapers 🔥(my hot take in the full study notes)
Skills
Technical Competencies
CISA Domain 1: Information Systems Auditing Process
CISSP Domain 6: Security Assessment and Testing
Enabling Competencies
Acting Ethically & Professionally: Integrity & Trustworthiness, Questioning Mindset, Due Care, Objectivity
Collaborating: Relationship Building, Project Management
Adding Value: Business Context
Solving Problems & Making Decisions: Issue Identification, Analysis
Communicating: Active Listening, Communication
Resume Bullets Unlocked
Prepared, executed, and reported on audit of subset of NIST SP 800-53 cybersecurity controls to include interview, document review, and testing of systems to support compliance audit activities.
Knowledgeable on NIST Cybersecurity Framework and how the Identify, Protect, Detect, Respond, and Recover categories comprise and facilitate an information security program
Chapter 3. Security Awareness Work
Technical Competencies
CISA Domain 5: Protection of Information Assets
B1. Security Awareness Training and Programs
CISSP Domain 1: Security and Risk Management
1.12. Establish and maintain a security awareness, education and training program
CISSP Domain 7: Security Operations
7.15 Address personnel safety and security concerns
Security training and awareness (e.g., insider threat, social media impacts, two-factor authentication fatigue)
Chapter 4. Cybersecurity Risk Work
What I Learned
Mindset
💙 Of all the things that a GRC practitioner does, risk is at the heart and centre!
🏋️ Put in the work! Quality is more important than quantity, but quantity produces quality.
🧑‍⚖️ You need to have a defensible opinion, not willy-nilly statements!
💰️ Apply your business acumen to communicate Return on Security Investment to management
😦 Consider the perspective of “Carl” the grizzled, grumpy System Administrator, or sometimes he’s an avatar for end users in the business
💡 BIG INSIGHT: Enable the business while protecting it from itself!
Methods
NIST SP 800-37 Risk Management Framework (RMF) for Information Systems and Organizations
Prefer the newer, lighter Cybersecurity Framework CSF in commercial industry over the older, heavier, bulkier RMF
FIPS-199: Standards for Security Categorization of Federal Information and Information Systems
💡 BIG INSIGHT: Don’t bother!
NIST SP 800-30 Guide for Conducting Risk Assessments
NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
💡 BIG INSIGHT: Traditional vs Modern Approaches to Assess Risk
HIPAA Risk Toolkit Template
Simply Cyber GRC Analyst Workbook (SP 800-53 based template)
Skills
Risk Management
Risk Assessment
Authorizing Official (SP-RSK-001)
Security Control Assessor (SP-RSK-002)
Intro to Threat Modelling
Technical Competencies
CISA Domain 2: A6. Enterprise Risk Management
CISA Domain 3: A2. Business Case and Feasibility Analysis
Supporting task 39. Evaluate potential opportunities and threats associated with emerging technologies, regulations and industry practices
CISSP Domain 1: 1.9. Understand and apply risk management concepts
CISSP Domain 1: 1.10. Understand and apply threat modelling concepts and methodologies
Enabling Competencies
Acting Ethically & Professionally: questioning mindset, due care, objectivity
Leading: risk management
Collaborating: Relationship building
Consistent, level-headed conversation vs fantasy scenarios
Managing Self: Initiative
Adding Value: Business context
A business spending money needs data. You can’t just say “trust me”!
Solving Problems & Making Decisions: Issue identification, analysis
Resume Bullets Unlocked
Semi-quantitatively analyzed cybersecurity risk using NIST SP 800-30 methodology to identify highest risk weaknesses for a system
Executed threat modeling exercise to determine higher likelihood threat events to inform cybersecurity risk modeling
Chapter 5. Information Security Governance Work
Technical Competencies
CISA Domain 2: Governance & Management of IT
A1. IT Governance and IT Strategy
A2. IT-Related Frameworks
A3. IT Standards, Policies, and Procedures
A6. Enterprise Risk Management
A8. Laws, Regulations, and Industry Standards affecting the organization
CISSP Domain 1: Security and Risk Management
1.3. Evaluate and apply security governance principles
1.4. Understand legal, regulatory, and compliance issues that pertain to information security in a holistic context
1.6. Develop, document, and implement security policy, standards, procedures and guidelines