RMF for the ISSO / ISSM

OVERVIEW

This 4-day course focuses the student on a broad range of topics related to risk-based planning and implementation for enterprise cybersecurity, examining both internal and external threats. External threats include a variety of threat actors such as nation-states, terrorists, hacktivists, and criminal organizations. Internal threats focus on insider risk, exploring what insider threat means from a cybersecurity perspective, including historical and traditional forms of sabotage and espionage.

This course also analyzes systems development and operational processes, exploring risk mitigation solutions through policies, best practices, operational procedures, and legal regulations. Students will be introduced to national and international policy and legal considerations related to cybersecurity and cyberspace, including privacy, intellectual property, cybercrime, critical infrastructure protection, and cyber warfare.

Additionally, this course is designed to prepare students to sit for and pass the ISC2 Certified in Governance, Risk and Compliance (CGRC) exam, with a focus on the Risk Management Framework (RMF) as applied to ISSO and ISSM roles.

WHY YOU SHOULD TAKE THIS COURSE

The Risk Management Framework (RMF) is a structured, risk-based approach to planning, implementing, and operating systems in a connected environment, aligned with organizational mission and business objectives. It treats cybersecurity not as a standalone function but as one that requires coordination across the enterprise, including human resources, legal, finance, operations, and technology.

Identifying critical assets and prioritizing their protection requires careful consideration of risk tolerance, budget limitations, and applicable legal and policy requirements. This course provides students with the knowledge and practical insight needed to make informed decisions, while also preparing them to pursue CGRC certification and effectively perform in real-world ISSO and ISSM roles.

WHO SHOULD TAKE THIS COURSE

– Information Systems Security Officers (ISSO)
– Information Systems Security Managers (ISSM)
– Cybersecurity professionals involved in governance, risk, and compliance (GRC)
– IT and security practitioners transitioning into risk management roles

PREREQUISITES

Students should have taken our Information Systems Security Officer course or have equivalent skills and experience.

Module 1. Course Introduction

  • Course objectives, structure, and expectations
  • Overview of risk-based cybersecurity
  • RMF within the system development lifecycle (SDLC)
  • Key success factors for ISSO/ISSM roles

Module 2. ISSO / ISSM Roles and Responsibilities

  • ISSO vs ISSM roles and boundaries
  • Key stakeholders:
    • Authorizing Official (AO)
    • Security Control Assessor (SCA)
    • System Owner / Information Owner
  • Required technical vs managerial skill balance
  • Career paths, certifications, and workforce expectations

Knowledge Check

Module 3. ISSO Documentation Requirements

  • System Security Plan (SSP) development and maintenance
  • Security Assessment Report (SAR) interpretation
  • Plan of Action & Milestones (POA&M) management
  • Continuous monitoring documentation
  • Audit readiness and compliance tracking

Knowledge Check

Module 4. Cybersecurity Fundamentals for RMF

  • Threat landscape:
    • Nation-state, criminal, insider, supply chain
  • Vulnerability management:
    • CVE, CVSS, scoring and prioritization
  • Attack surface and system exposure
  • Cybersecurity as an intelligence function

Knowledge Check

Module 5. Governance, Legal, and Policy Frameworks

  • NIST RMF (SP 800-37 Rev 2) deep dive
  • The 7 RMF Steps:
    • Prepare → Categorize → Select → Implement → Assess → Authorize → Monitor
  • RMF as a lifecycle vs checklist
  • NIST Cybersecurity Framework (CSF) relationship to RMF
  • Key regulations and policies:
    • FISMA, OMB guidance
    • Privacy and data protection laws
    • Cybercrime and international considerations
  • Risk governance and organizational risk appetite

Knowledge Check

Module 6. Introduction to CGRC Certification

  • Course Resources and Downloads
  • Overview of CGRC Certification
  • Case Study: Strategic GRC Certification Strengthens TechNova’s Global Risk
  • Importance of Governance, Risk, and Compliance
  • Case Study: TechNova’s Strategic GRC Integration
  • Understanding the NIST Risk Management Framework (RMF)
  • Case Study: Implementing the NIST RMF
  • Examining the Structure of the CGRC Exam
  • Case Study: Navigating CGRC Certification
  • Study Strategies for CGRC Certification
  • Case Study: Mastering the CGRC Certification
  • Module Summary

Knowledge Check

Module 7. Fundamentals of Information Security Risk Management

  • Module Introduction
  • Overview of Information Security Risk Management
  • Case Study: Enhancing Cybersecurity
  • Risk Management Frameworks and Standards
  • Case Study: TechNova’s Transformation
  • Risk Identification and Analysis
  • Case Study: Risk Identification and Analysis
  • Risk Mitigation Strategies
  • Case Study: Strengthening TechNova’s ISRM
  • Continuous Risk Monitoring
  • Case Study: Enhancing Cybersecurity
  • Module Summary

Knowledge Check

Module 8. Categorization of Information Systems

  • Principles of Information System Categorization
  • Case Study: Enhancing GRC Practices
  • Impact Levels and Security Objectives
  • Case Study: Impact Levels and Security Objectives
  • Categorization Methods Based on Risk Profiles
  • Case Study: Enhancing TechNova’s Information Security
  • NIST Guidelines for System Categorization
  • Case Study: Enhancing Cybersecurity
  • Applying System Categorization in Practice
  • Case Study: System Categorization
  • Module Summary
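The categorization step this module covers is mechanical enough to show in code. The block below is an added example, not course material: it applies the FIPS 199 high-water mark rule to roll individual information types up to a system security category, floors any "N/A" confidentiality value to LOW at the system level (FIPS 199 permits N/A only for the confidentiality of an information type, never for a system), and then derives the overall impact level that selects the SP 800-53 LOW / MODERATE / HIGH baseline in the Select step (FIPS 200). The information types, their provisional impact values and the hypothetical HR/payroll system are constructed sample data, not taken from SP 800-60 or from the course.

```python
"""Worked FIPS 199 / FIPS 200 style categorization of an information system.

Added example, not material from the course. Implements the high-water mark
rule FIPS 199 applies when rolling information types up to a system security
category, and the FIPS 200 rule that the overall impact level is the highest
of the three security objectives. All sample data below is constructed.
"""
from typing import Dict, Iterable, Mapping

# Ordered lowest to highest so that index() gives a comparable rank.
# "N/A" is only legal for the confidentiality of an information type
# (e.g. public data); FIPS 199 does not allow it at the system level.
LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")

Category = Dict[str, str]  # security objective -> impact level


def _rank(level: str) -> int:
    """Comparable rank of an impact level; rejects anything not in FIPS 199."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level: {level!r}")
    return LEVELS.index(level)


def high_water_mark(levels: Iterable[str]) -> str:
    """Highest impact level in the sequence (the FIPS 199 aggregation rule)."""
    return max(levels, key=_rank)


def validate_info_type(name: str, category: Mapping[str, str]) -> None:
    """Check that an information type has all three objectives set legally."""
    for objective in OBJECTIVES:
        level = category.get(objective)
        if level is None:
            raise ValueError(f"{name}: missing impact level for {objective}")
        _rank(level)
        if level == "N/A" and objective != "confidentiality":
            raise ValueError(f"{name}: N/A is only permitted for confidentiality")


def categorize_system(info_types: Mapping[str, Mapping[str, str]]) -> Category:
    """Roll the information types a system handles up to its security category.

    Per objective, the system value is the high-water mark across every
    information type processed, stored or transmitted. A system can never be
    N/A for an objective, so an objective that stays N/A floors to LOW.
    """
    if not info_types:
        raise ValueError("a system must process at least one information type")
    for name, category in info_types.items():
        validate_info_type(name, category)
    system: Category = {}
    for objective in OBJECTIVES:
        hwm = high_water_mark(cat[objective] for cat in info_types.values())
        system[objective] = "LOW" if hwm == "N/A" else hwm
    return system


def overall_impact_level(category: Mapping[str, str]) -> str:
    """FIPS 200: the system impact level is the highest of C, I and A.

    This is the value that picks the SP 800-53 LOW / MODERATE / HIGH control
    baseline the Select step starts from before tailoring.
    """
    return high_water_mark(category[objective] for objective in OBJECTIVES)


def format_category(category: Mapping[str, str]) -> str:
    """Render the category in the FIPS 199 notation an SSP records."""
    inner = ", ".join(f"({o}, {category[o]})" for o in OBJECTIVES)
    return f"SC = {{{inner}}}"


# Constructed sample: three information types handled by a hypothetical
# HR/payroll system, with provisional impact levels as an analyst might
# assign them (these are illustrative, not SP 800-60 lookups).
SAMPLE_INFO_TYPES = {
    "Public agency web content": {
        "confidentiality": "N/A", "integrity": "MODERATE", "availability": "LOW"},
    "Personnel records": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "Payroll disbursement": {
        "confidentiality": "MODERATE", "integrity": "HIGH", "availability": "MODERATE"},
}

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_INFO_TYPES)
    print(format_category(sc))
    print("Overall impact level / SP 800-53 baseline:", overall_impact_level(sc))
```

Run as-is, the sample yields SC = {(confidentiality, MODERATE), (integrity, HIGH), (availability, MODERATE)} and an overall level of HIGH: a single HIGH integrity value on the payroll type drives the whole system to the HIGH baseline, which is exactly why ISSOs are taught to scrutinize provisional levels before the Select step rather than after. Any adjustment of a provisional level up or down must be documented with its rationale in the SSP; the code deliberately does not provide a way to lower a value silently.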

Knowledge Check

Module 9. Selection of Security Controls

  • Module Introduction
  • Overview of Security Controls
  • Case Study: Enhancing Data Security at TechNova Corp
  • Control Families in the NIST SP 800-53
  • Case Study: Enhancing Federal Cybersecurity
  • Control Baselines and Tailoring Security Controls
  • Case Study: Tailoring Cybersecurity Controls for Healthcare
  • Selecting Security Controls Based on System Categorization
  • Case Study: Implementing Robust Security Controls in Healthcare
  • Documenting Security Control Selections
  • Case Study: Strategic Documentation of Security Controls
  • Module Summary

Knowledge Check

Module 10. Implementation of Security Controls

  • Module Introduction
  • Implementing Technical Controls
  • Case Study: TechNova’s Comprehensive GRC Framework Overhaul
  • Implementing Administrative and Physical Controls
  • Case Study: Enhancing TechNova’s Security
  • Security Controls and System Development Lifecycle (SDLC)
  • Case Study: Securing TechNova’s Financial Application
  • Integrating Security into System Architecture
  • Case Study: Integrating Security into System Architecture
  • Testing and Validating Security Controls
  • Case Study: Comprehensive Security Control Validation
  • Module Summary

Knowledge Check

Module 11. Assessment of Controls

  • Module Introduction
  • Principles of Security Control Assessment
  • Case Study: Strengthening Cybersecurity
  • Preparing for Security Assessments
  • Case Study: Proactive Security Assessment Strategies
  • Methods for Assessing Security Controls
  • Case Study: Comprehensive Security Control Assessment
  • Assessment Tools and Techniques
  • Case Study: Comprehensive Security Assessment Strategies
  • Reporting Assessment Results
  • Case Study: Effective Reporting Strategies
  • Module Summary

Knowledge Check

Module 12. Authorization of Information Systems

  • Module Introduction
  • Overview of the Authorization Process

  • Case Study: Securing EHR Systems
  • Roles and Responsibilities in System Authorization
  • Case Study: Ensuring ERP System Security
  • Developing Authorization Packages
  • Case Study: Achieving CGRC
  • Evaluating Risk Before Authorization
  • Case Study: Comprehensive Risk Assessment and Mitigation Strategies
  • Maintaining Authorization Documentation
  • Case Study: Enhancing ePHI Security
  • Module Summary

Knowledge Check

Module 13. Continuous Monitoring Programs/Strategy

  • Module Introduction
  • Importance of Continuous Monitoring
  • Case Study: Enhancing Risk Management and Efficiency
  • Establishing a Continuous Monitoring Strategy
  • Case Study: CyberSecure Inc.’s Strategy to Prevent Data Breaches
  • Implementing Continuous Monitoring Tools
  • Case Study: Implementing Continuous Monitoring Tools
  • Reporting and Responding to Security Incidents
  • Case Study: The Imperative of Effective Incident Reporting and Response
  • Ensuring Ongoing Compliance
  • Case Study: FinBank’s Journey Through Automation, Data Analytics, and Leadership
  • Module Summary

Knowledge Check

Module 14. Compliance with Governance Frameworks

  • Module Introduction
  • Understanding Governance in Information Security
  • Case Study: Strengthening DataTech Solutions
  • Key Compliance Requirements in Cybersecurity
  • Case Study: Enhancing Cybersecurity Compliance
  • Aligning Organizational Policies with Governance
  • Case Study: Aligning Policies with Governance Frameworks
  • Measuring Compliance Effectiveness
  • Case Study: Enhancing Compliance Effectiveness at GlobalTech Inc
  • Auditing Governance and Compliance Programs
  • Case Study: Enhancing Governance and Compliance at TechNova
  • Module Summary

Knowledge Check

Module 15. Risk Management in Information Systems

  • Module Introduction
  • Introduction to Risk Management Strategies
  • Case Study: Lessons from the 2013 Target Data Breach
  • Risk Assessments and Analysis Techniques
  • Case Study: Enhancing Risk Management at Carnegie Financial
  • Risk Treatment and Mitigation Planning
  • Case Study: Lessons from the Equifax Breach
  • Establishing Risk Tolerance Levels
  • Case Study: Balancing Risk and Reward
  • Communicating Risk Management Decisions
  • Case Study: Effective Risk Communication and Management
  • Module Summary

Knowledge Check

Module 16. Privacy and Data Security in Risk Management

  • Module Introduction
  • Principles of Data Privacy and Protection
  • Case Study: TechNova’s Response to Data Breach
  • Regulatory Requirements for Data Security
  • Case Study: TechNova Data Breach
  • Managing Data Privacy Risks
  • Case Study: Integrated Data Privacy Strategies at FinSecure
  • Implementing Data Protection Measures
  • Case Study: Comprehensive Data Protection Strategy for TechNova
  • Ensuring Compliance with Data Privacy Laws
  • Case Study: Navigating Data Privacy Challenges
  • Module Summary

Knowledge Check

Module 17. Incident Response and Security Operations

  • Module Introduction
  • Introduction to Incident Response Frameworks
  • Case Study: Incident Response Excellence
  • Developing an Incident Response Plan
  • Case Study: Enhancing Incident Response
  • Detecting and Responding to Security Breaches
  • Case Study: FinSecure’s Cybersecurity Resilience
  • Incident Response Teams and Their Roles
  • Case Study: Enhancing Cybersecurity Resilience
  • Post-Incident Analysis and Reporting
  • Case Study: TechNova’s Data Breach
  • Module Summary

Knowledge Check

Module 18. Cloud Security & Compliance

  • RMF in cloud and hybrid environments
  • FedRAMP authorization process
  • Shared responsibility model (IaaS, PaaS, SaaS)
  • Cloud control inheritance and overlays

Knowledge Check

Module 19. Security Policies and Procedures

  • Module Introduction
  • Developing Security Policies and Procedures
  • Case Study: Building a Robust Security Framework
  • Implementing Governance Structures in Security
  • Case Study: Enhancing Security Governance
  • Ensuring Policy Compliance
  • Case Study: Strengthening Policy Compliance
  • Training and Awareness for Policy Adherence
  • Case Study: Enhancing Security Compliance
  • Auditing and Revising Security Policies
  • Case Study: Strengthening Cybersecurity
  • Module Summary

Knowledge Check

Module 20. Legal and Regulatory Compliance

  • Module Introduction
  • Overview of Key Cybersecurity Regulations
  • Case Study: MediSecure Ransomware Attack
  • Compliance with Federal and State Laws
  • Case Study: Navigating Compliance Complexities
  • Understanding International Regulatory Requirements
  • Case Study: Global Compliance Challenges
  • Legal Aspects of Data Breaches and Security Failures
  • Case Study: TechNova’s Wake-Up Call
  • Implementing Compliance Controls
  • Case Study: Strategic Compliance Controls in Financial Institutions
  • Module Summary

Knowledge Check

Module 21. Risk Communication and Stakeholder Engagement

  • Module Introduction
  • Identifying Key Stakeholders in Risk Management
  • Case Study: Enhancing TechNova’s Growth
  • Communicating Risk Effectively Across the Organization
  • Case Study: Effective Risk Communication
  • Reporting Risk to Executives and Decision Makers
  • Case Study: Turning the Tide: Effective Risk Reporting and Cybersecurity
  • Creating Risk Dashboards and Metrics
  • Case Study: Implementing a Comprehensive Risk Dashboard
  • Stakeholder Engagement in Risk Management Decisions
  • Case Study: Stakeholder Engagement as a Catalyst for Effective Risk Management
  • Module Summary

Knowledge Check

Module 22. Capstone Case Study

  • Case Study: DNC Hack (lack of RMF application)
  • Walkthrough of failures across RMF steps
  • Applying RMF to prevent similar incidents
  • Group discussion and lessons learned

Module 23. Course Summary

  • Conclusion