Course Description
During our award-winning 5-day (ISC)² CAP® Training Camp, students will live, learn,
and take the certification exam at one of our state-of-the-art education centers.
The course is taught by (ISC)² authorized instructors who employ effective (Lecture
| Lab | Review)™ delivery of the curriculum while focusing on preparing you with
the knowledge and skills required to pass the rigorous CAP® examination.
This course is the only boot camp endorsed by (ISC)² to familiarize you with the
CAP Common Body of Knowledge® [CBK]. The Official (ISC)² CAP Training Camp™ encompasses
the Official (ISC)² CAP CBK Review Seminar, Training Camp's Value-Added CAP instruction,
and on-site delivery of the Official CAP Examination.
As an (ISC)² authorized partner, Training Camp incorporates any and all
changes to the CBK immediately for delivery of the most up-to-date, official (ISC)²
curriculum.
About the CAP Credential
The Certified Authorization Professional (CAP) credential is an objective measure
of the knowledge, skills and abilities required for personnel involved in the process
of authorizing and maintaining information systems. Specifically, this credential
applies to those responsible for formalizing processes used to assess risk and establish
security requirements and documentation. Their decisions will ensure that information
systems possess security commensurate with the level of exposure to potential risk,
as well as damage to assets or individuals.
The credential is appropriate for commercial markets, civilian and local governments,
and the U.S. Federal government including the State Department and the Department
of Defense (DoD). It applies to job functions such as authorization officials, system owners,
information owners, information system security officers, and certifiers, as well
as all senior system managers.
Prerequisites
This course is intended for students who possess two years of general technical
experience, information security policy experience, or technical or auditing experience
within the government, the U.S. Department of Defense, the financial or health care
industries, and/or auditing firms. Strong familiarity with NIST documentation is very important.
Learning Objectives
- Understand the Security Authorization of Information Systems -
Security authorization includes a tiered risk management approach to evaluate both
strategic and tactical risk across the enterprise. The authorization process incorporates
the application of a Risk Management Framework (RMF), a review of the organizational
structure, and the business process/mission as the foundation for the implementation
and assessment of specified security controls. This authorization management process
identifies vulnerabilities and countermeasures and determines residual risks. The
residual risks are evaluated and deemed either acceptable or unacceptable. More
controls must be implemented to reduce unacceptable risk. The system may be deployed
only when the residual risks are acceptable to the enterprise.
- Categorize Information Systems - Categorization of the information
system is based on an impact analysis. It is performed to determine the types of
information included within the security authorization boundary, the security requirements
for the information types, and the potential impact on the organization resulting
from a security compromise. The result of the categorization is used as the basis
for developing the security plan, selecting security controls, and determining the
risk inherent in operating the system.
- Establish the Security Control Baseline - The security control
baseline is established by determining specific controls required to protect the
system based on the security categorization of the system. The baseline is tailored
and supplemented in accordance with an organizational assessment of risk and local
parameters. The security control baseline, as well as the plan for monitoring it,
is documented in the security plan.
- Apply Security Controls - The security controls specified in the
security plan are implemented by taking into account the minimum organizational
assurance requirements. The security plan describes how the controls are employed
within the information system and its operational environment. The security assessment
plan documents the methods for testing these controls and the expected results throughout
the system's life cycle.
- Assess Security Controls - The security control assessment follows
the approved plan, including defined procedures, to determine the effectiveness
of the controls in meeting security requirements of the information system. The
results are documented in the security assessment report.
- Authorize Information System - The residual risks identified during
the security control assessment are evaluated and the decision is made to authorize
the system to operate, deny its operation, or remediate the deficiencies. Associated
documentation is prepared and/or updated depending on the authorization decision.
- Monitor Security Controls - After an Authorization to Operate (ATO)
is granted, ongoing continuous monitoring is performed on all identified security
controls as well as the political, legal, and physical environment in which the
system operates. Changes to the system or its operational environment are documented
and analyzed. The security state of the system is reported to designated officials.
Significant changes will cause the system to reenter the security authorization
process. Otherwise, the system will continue to be monitored on an ongoing basis
in accordance with the organization’s monitoring strategy.
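The categorize and baseline-selection steps described above can be worked through concretely. The following Python example is added here and is not part of the course materials or of any (ISC)² or NIST publication. It assumes the FIPS 199 high-water mark rule: the system's impact level for each security objective is the highest level among the information types inside the authorization boundary, and the highest of the three objectives selects the SP 800-53 low, moderate or high baseline. The information types and impact levels are constructed sample data.

```python
"""FIPS 199 system categorization and SP 800-53 baseline selection.

Added worked example (not course or NIST code). Assumes the FIPS 199
high-water mark rule for aggregating information types into a system
security category, and the common mapping of the overall impact level
to an SP 800-53 baseline.
"""
from dataclasses import dataclass

# FIPS 199 impact levels in increasing order. NOT_APPLICABLE is permitted
# only for confidentiality (e.g. public information), never for integrity
# or availability.
LEVELS = ("NOT_APPLICABLE", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InformationType:
    """One information type (SP 800-60 style) with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def __post_init__(self):
        for objective in OBJECTIVES:
            level = getattr(self, objective)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: unknown impact level {level!r} for {objective}")
            if level == "NOT_APPLICABLE" and objective != "confidentiality":
                raise ValueError(f"{self.name}: NOT_APPLICABLE is only allowed for confidentiality")


def system_category(info_types):
    """Categorize the system: per objective, the highest impact level
    across every information type within the authorization boundary."""
    if not info_types:
        raise ValueError("at least one information type is required")
    return {
        objective: max((getattr(t, objective) for t in info_types), key=LEVELS.index)
        for objective in OBJECTIVES
    }


def overall_impact(category):
    """High-water mark across the three objectives (drives baseline selection).
    Integrity and availability can never be NOT_APPLICABLE, so this is always
    LOW, MODERATE or HIGH for a non-empty system."""
    return max(category.values(), key=LEVELS.index)


def select_baseline(category):
    """Map the overall impact level to the SP 800-53 baseline name.
    The baseline is the starting point; tailoring and supplementation
    based on the organizational risk assessment still follow."""
    return f"SP 800-53 {overall_impact(category)} baseline"


def format_sc(category):
    """Render the FIPS 199 security category expression for the security plan."""
    parts = ", ".join(f"({obj}, {category[obj]})" for obj in OBJECTIVES)
    return "SC = {" + parts + "}"


# Constructed sample: information types a notional HR system processes.
SAMPLE_SYSTEM = [
    InformationType("Public web content", "NOT_APPLICABLE", "MODERATE", "LOW"),
    InformationType("Employee payroll records", "MODERATE", "MODERATE", "LOW"),
    InformationType("Personnel security investigations", "HIGH", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    category = system_category(SAMPLE_SYSTEM)
    print(format_sc(category))
    print(select_baseline(category))
```

Running the sample yields a confidentiality impact of HIGH driven by a single information type, which pulls the whole system to the high baseline even though most of its data is moderate or low; that is exactly the effect the categorization step is meant to surface before controls are selected.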
To be successful it is recommended that candidates align references to knowledge
domains and explore interactions and dependencies in processes. Candidates are expected
to apply their work experience and knowledge during the exam and thus must be thoroughly
conversant with NIST Special Publications (SP) and Federal Information Processing
Standards (FIPS). Plan to spend extra time studying the following documents:
- NIST SP 800-37 rev 1: Guide for Applying the Risk Management Framework
to Federal Information Systems: A Security Life Cycle Approach
- NIST SP 800-30: Risk Management Guide for Information Technology
Systems
- NIST SP 800-18 rev 1: Guide for Developing Security Plans for Federal
Information Systems
- NIST SP 800-60: Guide for Mapping Types of Information and Information
Systems to Security Categories: (2 Volumes)
- NIST SP 800-53: Recommended Security Controls for Federal Information
Systems and Organizations
- NIST SP 800-53A: Guide for Assessing the Security Controls in Federal
Information Systems
- FIPS 199: Standards for Security Categorization of Federal Information
and Information Systems
This Course Covers the Following Official (ISC)² Courses:
- Official (ISC)² CAP CBK Review Seminar
This Course Prepares Students for On-Site Delivery of the Following Certification
Exams:
- Official (ISC)² CAP Examination
Official (ISC)² CISSP Training Camp Features:
- Accelerated Learning - With over 11 years of education experience,
we focus on the requirements that you need to pass the exam and be successful in
your career.
- Customized Courseware - Using the most current (ISC)² Official
Courseware, in combination with our proprietary exam preparation kits, gives you everything
you need for exam success.
- (ISC)² CISSP Certified, Expert Instructors - The cornerstone for
the success of a quality training program is the instructor's ability to translate
complex technical theories into understandable concepts and applied knowledge. Our
SMEs are cross-trained directly by (ISC)² for the most current knowledge of the
(ISC)² CBK requirements.
- Certification Guarantee - We protect your investment with our mentoring
programs and value-added post class support.
- On-Site Testing - As an authorized (ISC)² partner, we deliver the
(ISC)² CAP exam during our training program, so you leave with your certification
exam completed. When you take our Official (ISC)² CAP Training Camp, you will not
have to worry about whether the local public (ISC)² CAP exams have space; you will be
sitting in our hosted exam.
- Strategic Partnerships - As the largest (ISC)² Authorized Provider
in the world, we have demonstrated our expertise as a leading provider of comprehensive
learning solutions on (ISC)² subject matter, resulting in customer satisfaction
among individuals and companies that use us for training. Our course is not updated
by people who think they know what is on the exam; it is updated by the people who
create the exams.
Is this Course Right for You?
The successful CAP candidate will earn the distinction of being among the few who
have demonstrated their exceptional knowledge in this demanding and rewarding field.
Organizations will benefit from having a staff that is fully educated and certified
to the same level as the auditors and inspectors that will be evaluating them. Along
with proper management support, this highly trained and certified staff member will
be able to improve the security posture of any organization.
Employees with the CAP credential distinguish themselves as certified professionals
in this elite field, opening job opportunities. Organizations win by improving their
security posture with "risk-based, cost-effective" security maintained by highly
trained personnel.
Alternative Training Delivery Methods
Customized Training
Brought to You. Training Camp can customize any of our training courses
to best fit your business requirements, and then deliver them to you at the location
of your choice.