Official (ISC)² CBK Training Seminars for the CAP

About the course

CAP Course Overview

This course is designed for the information security practitioner who champions system security commensurate with an organization's mission and risk tolerance, while meeting legal and regulatory requirements. It conceptually mirrors the NIST system authorization process in compliance with the Office of Management and Budget (OMB) Circular A-130, Appendix III.  Led by an (ISC)² authorized instructor, the CAP training seminar provides a comprehensive review of information systems security concepts and industry best practices, covering the 7 domains of the CAP CBK:

  • Risk Management Framework (RMF)
  • Categorization of Information Systems
  • Selection of Security Controls
  • Security Control Implementation
  • Security Control Assessment
  • Information System Authorization
  • Monitoring of Security Controls

Several types of activities are used throughout the course to reinforce topics and increase knowledge retention. These activities include open-ended questions from the instructor to the students, group assignments, matching and poll questions, group activities, open/closed questions, and group discussions. Each activity was developed to support the learning appropriate to the course topic.

This training course will help candidates review and refresh their information security knowledge and identify areas they need to study for the CAP exam. It features:

  • Official (ISC)² courseware
  • Taught by an authorized (ISC)² instructor
  • Student Guide in electronic format
  • Interactive Online Flash Cards
  • Collaboration with classmates
  • Real-world learning activities and scenarios

Who should attend?

The course is intended for students who have at least one full year of experience using the federal Risk Management Framework (RMF) or comparable experience gained from the ongoing management of information system authorizations, such as ISO 27001.

The CAP certification is an objective measure of the knowledge, skills, and abilities required for personnel involved in the process of authorizing and maintaining information systems. Specifically, this credential applies to those responsible for formalizing processes used to assess risk and establish security requirements and documentation. Their decisions will ensure that information systems possess security commensurate with the level of exposure to potential risk and damage to assets or individuals.  CAP is appropriate for commercial markets, civilian and local governments, and the U.S. Federal government, including the State Department and the Department of Defense (DoD). See CAP and DoD 8570. Job functions such as authorization officials, system owners, information owners, information system security officers, certifiers, and senior system managers are great fits as CAPs.

The ideal candidate should have the following experience, skills, or knowledge:

  • IT security
  • Information assurance
  • Information risk management
  • Certification
  • Systems administration
  • One to two years of general technical experience
  • Two years of general systems experience
  • One to two years of database/systems development/network experience
  • Information security policy
  • Technical or auditing experience within government, the U.S. Department of Defense, the financial or health care industries, and/or auditing firms
  • Strong familiarity with NIST documentation

Learning Objectives

After completing this course, the participant will be able to:

  • Describe the historical legal and business considerations that required the development of the RMF, including related mandates
  • Identify key terminology and associated definitions
  • Describe the Risk Management Framework components, including the starting point inputs (architectural description and organization inputs)
  • Describe the core roles defined by the RMF, including primary responsibilities and supporting roles for each RMF step
  • Describe the core federal statutes, OMB directives, information processing standards (FIPS) and Special Publications (SP), and Department of Defense and Intelligence Community instructions that form the legal mandates and supporting guidance required to implement the RMF
  • Identify and understand the related processes integrated with the RMF
  • Identify key references related to RMF Step 1 - Categorize
  • Identify the roles, requirements, and processes to register an information system
  • Identify key references related to RMF Step 2 - Select
  • Identify requisites for establishing information system security controls
  • Identify key references related to RMF Step 3 - Implement
  • Identify key references related to RMF Step 4 - Assess
  • Identify key references related to RMF Step 5 - Authorize
  • Identify the roles, requirements and processes associated with conducting remediation and completing the final security assessment report
  • Identify key references related to RMF Step 6 - Authorize
  • Identify the roles, requirements, and processes associated with preparing the plan of action and milestones (POA&M) for an information system
  • Identify key references related to RMF Step 7 - Monitor
  • Identify the roles, requirements and processes to formally dispose of an information system
