SEC566: Implementing and Auditing CIS Controls

GIAC Critical Controls Certification (GCCC)
  • In Person (5 days)
  • Online
30 CPEs
High-profile cybersecurity attacks indicate that offensive attacks are outperforming defensive measures. Cybersecurity engineers, auditors, privacy, and compliance team members are asking how they can practically protect and defend their systems and data, and how they should implement a prioritized list of cybersecurity hygiene controls. In SANS SEC566, students will learn how an organization can defend its information by using vetted cybersecurity frameworks and standards. Students will specifically learn how to turn the security control requirements defined by the Center for Internet Security's (CIS) Controls (v7.1 / 8.0), the NIST Cybersecurity Framework (CSF), the Cybersecurity Maturity Model Certification (CMMC), NIST SP 800-171, ISO/IEC 27000, and other frameworks into a cohesive strategy to defend their organization while complying with industry standards.

13 Hands-on Exercises

What You Will Learn

What are CIS Controls?

The CIS Controls (formerly known as Critical Security Controls) are a recommended set of prioritized cyber defense best practices. They provide specific and actionable ways to protect against today's most pervasive and dangerous attacks. SANS provides CIS Controls v8 training, research, and certification. Version 8, released in May 2021, is a change to the entire Controls ecosystem and provides backwards compatibility with previous versions and a migration path for users of prior versions to move to v8. Whether you use the CIS Controls or another control framework to guide your security improvement program, it is critical to understand that a controls list is simply a starting point. With the release of version 8, CIS added new tools and guides to the CIS Controls ecosystem to help organizations:

  • Implement, track, measure, and assess controls.
  • Prioritize controls based on evolving threats.
  • Justify investment in CIS Controls implementation.
  • Implement CIS Controls best practices for mobile devices and applications.
  • Apply CIS Controls best practices to cloud environments.
  • Comply with multiple frameworks by providing a map of regulatory frameworks.

"All week long I have been noting the topics and items I want to bring back to my team to improve various operations. This content is perfectly aligned with the work I am doing. So yes, this was an excellent course." - Thad Zeitler, Athena Health

Organizations need to defend their information systems, and there are many solutions, requirements, and tools to navigate. Which solutions should be implemented first? What will reduce the most risk and defend against the most common attacks? SANS and CIS have mapped the most common and likely threats and attacks to a prioritized list of mitigations called the CIS Controls. These controls are regularly reviewed to ensure they continue to mitigate the ever-evolving threat and surface-area landscape. By following the CIS Controls, organizations will reduce cyber risk and measure and report on residual risk.

SEC566 will enable you to master the specific and proven techniques and tools needed to implement and audit the controls defined in the Center for Internet Security's (CIS) Controls. Students will gain direct knowledge of the CIS Controls and the ecosystem of tools to implement CIS Controls across organizations' complex networks, including cloud assets and third-party risk. Additional tools to measure CIS Control coverage and to assess risk throughout the program will be provided. This in-depth, hands-on critical security controls training will teach security practitioners to understand not only how to stop a threat, but why the threat exists, and how to ensure that security measures deployed today will be effective against the next generation of threats. SEC566 shows security professionals how to implement the CIS Controls in an existing network through cost-effective automation. For auditors, CIOs, and risk officers, this course is the best way to understand how you will measure cybersecurity control effectiveness. In addition, CIS Controls are mapped to other frameworks to ensure compliance as well as security leveraging the CIS Controls.

"The course content is very thorough and helps paint the picture of the CIS Controls that my organization follows." - Matt S., US Military

BUSINESS TAKEAWAYS:

  • Efficiently reduce the most important cyber-related risks
  • Align compliance requirements with security and business goals and solutions
  • Report the status of cybersecurity defense efforts to senior leadership in clear, business terms
  • Enjoy peace of mind that your organization has a comprehensive strategy for defense and compliance

SKILLS LEARNED:

  • Apply security controls based on actual threats that are measurable, scalable, and reliable in stopping known attacks and protecting your organization's important information and systems
  • Understand the importance of each control and how it is compromised if ignored
  • Explain the defensive goals that result in quick wins and increased visibility of network and systems
  • Identify and use tools that implement controls through automation
  • Create a scoring tool to measure the effectiveness of each control
  • Employ specific metrics to establish a baseline and measure the effectiveness of security controls
  • Competently map CIS Controls to compliance and standards such as PCI-DSS, the NIST Cybersecurity Framework (CSF), ISO 27000, and more
  • Audit each of the CIS Controls with specific, proven templates, checklists, and scripts provided to facilitate the audit process

"A comprehensive walk through of the Critical Security Controls, not just focusing on the 'what', but more importantly the 'why'. It's been an invaluable learning experience for me." - Justin Cornell, LOM (UK) Limited

HANDS-ON CIS CONTROLS TRAINING:

During this course, students will participate in hands-on lab exercises that illustrate the concepts discussed in class. The goal of these labs is to complement and enhance the understanding of the defenses discussed in the course and to provide practical examples of how the Controls can be applied in a practical, real-world scenario. Throughout the course there is a Cyber42 simulation to practice responding to real-world events affecting the organization's cybersecurity program and defenses.

Section 1: Preparing Student Laptops for Class, How to Use the AuditScripts CIS Control Initial Assessment Tool, Asset Inventory with Microsoft PowerShell

Section 2: How to Use Veracrypt to Encrypt Data at Rest, How to Use Mimikatz to Abuse Privileged Access, Understanding Windows Management Instrumentation (WMI) for Baselining

Section 3: How to Use Microsoft AppLocker to Enforce Application Control, Using PowerShell to Test for Software Updates, How to Use the CIS-CAT Tool to Audit Configurations, CIS Navigator, How to Parse Nmap Output with PowerShell

Section 4: How to Use GoPhish to Perform Phishing Assessments, How to Use Nipper to Audit Network Device Configurations, How to Use Wireshark to Detect Malicious Activity, Testing Data Loss Prevention

Section 5: Tabletop Exercise Building, CIS-RAM Risk Register and Prioritization

SYLLABUS SUMMARY:

Section 1: Students will learn an overview of CIS Controls and resources for addressing cybersecurity risk.

Section 2: Students will learn the core principles of data protection and Identity and Access Management (IAM), prioritizing the CIS Controls.

Section 3: Students will learn the core principles of vulnerability and configuration management, prioritizing the CIS Controls.

Section 4: Students will learn the core principles of endpoint security and network based defenses, prioritizing the CIS Controls.

Section 5: Students will learn the core principles of key cybersecurity governance and operational practices, prioritizing the CIS Controls.

WHAT YOU WILL RECEIVE:

  • Printed and electronic courseware
  • MP3 audio files of the complete course lecture
  • Access to the Cyber42 web app

Syllabus (30 CPEs)

  • Overview

    Students will learn the background and context for Version 8 of the CIS Controls. In addition, students will learn about the ecosystem of tools and resources to implement, measure, assess and report on the security program. These foundational concepts are key to prioritizing implementation of controls to address the ever-changing threat landscape. Focus will be placed on the evolving network landscape and how to apply the CIS Controls in modern environments, including cloud and IoT technologies. Students will learn how to prioritize control implementation based on CIS Implementation Groups.

    In this first course section we will establish baseline knowledge of key terms used in the defensive domains. In addition, we will take a deep dive into Control #1, the Inventory and Control of Enterprise Assets. Any time a new device is installed on a network, there are risks of exposing the network to unknown vulnerabilities or hampering its operation. Malicious code can take advantage of new hardware that is not configured and patched with appropriate security updates at the time of installation. Attackers can use these vulnerable systems to install backdoors before they are hardened. In automating CIS Control #1, it is critical that all devices be included in an accurate and up-to-date inventory control system. Any device not in the database should not be allowed to be connected to the network. Some organizations maintain asset inventories by using specific large-scale enterprise commercial products or by using free solutions to periodically track and sweep the network.

    Exercises
    • Preparing Student Laptops for Class
    • How to Use the AuditScripts CIS Critical Control Initial Assessment Tool
    • Asset Inventory with Microsoft PowerShell
    Topics
    • Understanding the CIS Critical Controls
    • Understanding the resources and tools related to the CIS Controls
    • Understand control effectiveness against common threats leveraging Mitre ATT&CK
    • Understanding and practicing control assessments
    • CIS Control #1: Inventory and Control of Enterprise Assets
  • Overview

    During Section 2, the course will begin to cover the defensive domains of software control, data protection, identification and authentication, and access control management. Students will learn how identity and access control promotes data protection. Specifically, in Section 2 of the course students will learn the following defensive domains:

    Inventory and Control of Software Assets

    An organization without the ability to inventory and control the programs installed on its computers has more vulnerable systems and is more likely to be attacked. Furthermore, poorly managed machines are more likely to be outdated and to have needless software that introduces potential security flaws. Compromised systems become a staging point for attackers to collect sensitive information. In order to combat this threat, an organization should scan its network and identify known or responding applications. Commercial software and asset inventory tools are widely available. The best tools provide an inventory check of hundreds of common applications by leveraging standardized application names like those found in the Common Platform Enumeration (CPE) specification. These inventory tools pull the latest version of the application as well as information about the patch level of each installed program. In addition to inventory checks, tools that implement allow lists and deny lists of programs are included in many modern endpoint protection security suites.

    Data Protection

    The loss of protected and sensitive data is a serious threat to business operations, consumer privacy, and potentially, national security. While some data is leaked or lost as a result of theft or espionage, the vast majority of these problems result from poorly understood data practices, including a lack of effective policy architectures and user error. The term "Data Loss Prevention" (DLP) refers to a comprehensive approach covering the people, processes, and systems that identify, monitor, and protect data in use (e.g., endpoint actions), data in motion (e.g., network actions), and data at rest (e.g., data storage) through deep content inspection and with a centralized management framework. Commercial DLP solutions are available to look for exfiltration attempts and detect other suspicious activities associated with a protected network holding sensitive information. The system must be capable of identifying unauthorized data that leaves the organization's systems, whether via network file transfers or removable media.

    Account Management

    The most common method attackers use to infiltrate a target enterprise is through a misuse of account privileges, whether those of a normal business user or of a privileged account. An attacker can easily convince a workstation user to open a malicious e-mail attachment, download and open a file from a malicious site, or surf to a site that automatically downloads malicious content. If the user is logged in as an administrator, the attacker has full access to the system. Built-in operating system features can extract lists of accounts with super-user privileges, both locally on individual systems and on overall domain controllers. These accounts should be monitored and tracked very closely.

    Access Control Management

    Some organizations do not carefully identify and separate sensitive data from less sensitive, publicly available information within an internal network. In many environments, internal users have access to all or most of the information on the network. Once attackers have penetrated such a network, they can easily find and exfiltrate important information with little resistance. The Access Management Control is often implemented using the built-in separation of administrator accounts from non-administrator accounts. The system must be able to detect all attempts by users to access files without the appropriate privileges and must generate an alert or e-mail for administrative personnel. This includes information on local systems or network-accessible file shares.

    Exercises
    • How to use Microsoft AppLocker to enforce Application Control
    • How to Use Veracrypt to Encrypt Data at Rest
    • How to Use Mimikatz to Abuse Privileged Access
    • Understanding Windows Management Instrumentation (WMI) for Baselining
    Topics
    • CIS Control #2: Inventory and Control of Software Assets
    • CIS Control #3: Data Protection
    • CIS Control #5: Account Management
    • CIS Control #6: Access Control Management
  • Overview

    During Section 3, the course will cover the defensive domains of configuration management, email and web browser integrity, vulnerability management, and audit and accountability. Specifically, students will learn the following defensive domains:

    Continuous Vulnerability Management

    Soon after security researchers and vendors discover and report new vulnerabilities, attackers create or update exploit code and launch it against targets of interest. Any significant delay in finding or fixing software with critical vulnerabilities provides ample opportunity for persistent attackers to break through and gain control of vulnerable machines. A large number of vulnerability scanning tools are available to evaluate the security configuration of systems. The most effective vulnerability scanning tools compare the results of the current scan with previous scans to determine how the vulnerabilities in the environment have changed over time. All machines identified by the asset inventory system must be scanned for vulnerabilities.

    Secure Configuration of Enterprise Assets and Software

    Default configurations of software are often geared to ease of deployment and ease of use rather than security, leaving some systems exploitable in their default state. Attackers attempt to exploit both network-accessible services and client software using various forms of malware. Without the ability to inventory and control installed and running software, enterprises make their systems more vulnerable. Organizations can implement this control by developing a series of images and secure storage servers for hosting these standard images. Configuration management tools can be employed to measure the settings of the installed software and to look for deviations from the standard image configurations used by the organization.

    Audit Log Management

    At times, audit logs provide the only evidence of a successful attack. Many organizations keep audit records for compliance purposes but rarely review them. When audit logs are not reviewed, organizations do not know their systems have been compromised. Attackers rely on this. Most free and commercial operating systems, network services, and firewall technologies offer logging capabilities. Such logging should be activated, and logs should be sent to centralized logging servers. The system must be capable of logging all events across the network. The logging must be validated across both network and host-based systems.

    Email and Web Browser Protections

    Web browsers and email clients are very common points of entry and attack because of their high technical complexity and flexibility, and their direct interaction with users and with other systems and websites. Content can be crafted to entice or spoof users into taking actions that greatly increase risk and allow for introduction of malicious code, loss of valuable data, and other attacks. Organizations must minimize the attack surface and the opportunities for attackers to manipulate human behavior through their interaction with web browsers and email systems.

    Exercises
    • Using PowerShell to Test for Software Updates
    • How to Use the CIS-CAT Tool to Audit Configurations
    • How to Parse Nmap Output with PowerShell
    • How to use GoPhish to perform phishing simulations
    Topics
    • CIS Control #7: Continuous Vulnerability Management
    • CIS Control #4: Secure Configuration of Enterprise Assets and Software
    • CIS Control #8: Audit Log Management
    • CIS Control #9: Email and Web Browser Protections
  • Overview

    Section 4 will cover the defensive domains of system integrity, system and communications protection, configuration management, and media protection. Specifically, during this section of the course, students will learn the following cybersecurity controls: malware defense, network and endpoint detection and response, data recovery, and network device management.

    Malware Defenses

    Malicious software is an integral and dangerous aspect of Internet threats because it targets end users and organizations via web browsing, e-mail attachments, mobile devices, and other vectors. Malicious code may tamper with a system's components, capture sensitive data, and spread infected code to other systems. To ensure anti-virus signatures are up-to-date, effective organizations use automation including the built-in administrative features of enterprise endpoint security suites to verify that anti-virus, anti-spyware, and host-based Intrusion Detection Systems (IDS) features are active on every managed system. They also run automated assessments daily and review the results to find and mitigate systems that have deactivated such protections or do not have the latest malware definitions. The system must identify any malicious software that is either installed or has been attempted to be installed, or executed, or attempted to be executed, on a computer system.

    Data Recovery

    When attackers compromise machines, they often make significant changes to configurations and software. Sometimes attackers also make subtle alterations of data stored on compromised machines, potentially jeopardizing organizational effectiveness with polluted information. Once per quarter, a testing team should evaluate a random sample of system backups by attempting to restore them onto a test bed environment. The restored systems should be verified to ensure that the operating system, application, and data from the backup are all intact and functional.

    Network Infrastructure Management

    Attackers penetrate defenses by searching for electronic holes and misconfigurations in firewalls, routers, and switches. Once these network devices have been exploited, attackers can gain access to target networks, redirect traffic to a malicious system masquerading as a trusted system, and intercept and alter data while in transmission. Organizations can use commercial tools that will evaluate the rule set of network filtering devices in order to determine whether they are consistent or in conflict and to provide an automated check of network filters. Additionally, these commercial tools search for errors in rule sets. Such tools should be run each time significant changes are made to firewall rule sets, router access control lists, or other filtering technologies.

    Network Monitoring and Defense

    By attacking Internet-facing systems, attackers can create a relay point or bridgehead to break into other networks or internal systems. Automated tools can be used to exploit vulnerable entry points into a network. To control the flow of traffic through network borders and to look for attacks and evidence of compromised machines, boundary defenses should be multi-layered. These boundaries should consist of firewalls, proxies, DMZ perimeter networks, and network-based intrusion prevention systems and intrusion detection systems. Organizations should regularly test these sensors by launching vulnerability-scanning tools. These tools verify that the scanner traffic triggers an appropriate alert. The captured packets of the Intrusion Detection Systems (IDS) sensors should be reviewed using an automated script each day to ensure that log volumes are within expected parameters, are formatted properly, and have not been corrupted.

    Exercises
    • How to use CIS Navigator to map controls between Frameworks, Compliance and CIS Controls
    • How to Use Nipper to Audit Network Device Configurations
    • How to Use Wireshark to Detect Malicious Activity
    • How to Use Wireshark and Ngrep to emulate Data Loss Prevention
    Topics
    • CIS Control #10: Malware Defenses
    • CIS Control #11: Data Recovery
    • CIS Control #12: Network Infrastructure Management
    • CIS Control #13: Network Monitoring and Defense
  • Overview

    Section 5 will cover the defensive domains of security awareness, service provider management, application development security, incident management, and penetration testing. Specifically, during this section of the course, students will learn about the following cybersecurity domains:

    Security Awareness and Skills Training

    An organization hoping to identify and respond to attacks effectively relies on its employees and contractors to find the gaps and fill them. A solid security skills assessment program can provide actionable information to decision-makers about where security awareness needs to be improved. It can also help determine proper allocation of limited resources to improve security practices. The key to upgrading skills is measurement, not with certification examinations, but with assessments that show both the employee and the employer where knowledge is sufficient and where there are gaps. Once the gaps have been identified, those employees who have the requisite knowledge can be called upon to mentor the employees who do not. The organization can also develop training programs that directly maintain employee readiness.

    Service Provider Management

    More and more organizations use third-party service providers to supplement their technology needs or services. Examples of service providers include outsourced consultants, IT providers, payroll providers, electronic billing providers, manufacturers, and more. Third parties can introduce additional risks to the security posture of organizations through remote connections, business-to-business networks, and the sharing and processing of data.

    Application Software Security

    Criminal organizations frequently attack vulnerabilities in both web-based and non-web-based application software. In fact, it is a top priority for criminals. Application software is vulnerable to remote compromise in three ways:

    • It does not properly check the size of user input
    • It fails to sanitize user input by filtering out potentially malicious character sequences
    • It does not properly initialize and clear variables

    To avoid attacks, internally developed and third-party application software must be carefully tested to find security flaws. Source code testing tools, web application security scanning tools, and object code testing tools have proven useful in securing application software. Another useful tool is manual application security penetration testing by testers who have extensive programming knowledge and application penetration testing expertise. The system must be capable of detecting and blocking an application-level software attack, and must generate an alert or send e-mail to enterprise administrative personnel.

    Incident Response Management

    Without an incident response plan, an organization may not discover an attack in the first place. Even if the attack is detected, the organization may not follow proper procedures to contain damage, eradicate the attacker's presence, and recover in a secure fashion. Thus, the attacker may have a major impact even though detected, causing more damage, infecting more systems, and possibly exfiltrating more sensitive data than would otherwise be possible. After defining detailed incident response procedures, the incident response team should engage in periodic scenario-based training, including working through a series of attack scenarios that are fine-tuned to the threats and vulnerabilities the organization faces.

    Penetration Testing

    Attackers penetrate networks and systems through social engineering and by exploiting vulnerable software and hardware. Penetration testing involves mimicking the actions of computer attackers and exploiting vulnerabilities to determine what kind of access an attacker can gain. Each organization should define a clear scope and the rules of engagement for penetration testing and red team analyses. The scope of such projects should include, at a minimum, systems with the highest-value information and production processing functionality.

    Exercises
    • How to build robust Incident Response Tabletop Exercises
    • How to use CIS Risk Assessment Model (CIS-RAM) to identify, prioritize and report on residual risk
    Topics
    • CIS Control #14: Security Awareness and Skills Training
    • CIS Control #15: Service Provider Management
    • CIS Control #16: Application Software Security
    • CIS Control #17: Incident Response Management
    • CIS Control #18: Penetration Testing

GIAC Critical Controls Certification

The GIAC Critical Controls Certification (GCCC) certification is based on the CIS Critical Security Controls, a prioritized, risk-based approach to security. This certification ensures that candidates have the knowledge and skills to implement and execute the CIS Critical Controls recommended by the Center for Internet Security, and perform audits based on the standard.

  • Background, purpose, and implementation of the CIS Critical Security Controls and related security standards; auditing principles
  • Inventory and control of enterprise assets; inventory and control of software assets; data protection; secure configuration of enterprise assets and software; account management
  • Access control management; continuous vulnerability management; audit log management; email and web browser protections; malware defenses; data recovery; network infrastructure management
  • Network monitoring and defense; security awareness and skills training; service provider management; application software security; incident response management; penetration testing

Prerequisites

SEC566 covers all of the core areas of security and assumes a basic understanding of technology, networks, and security. For those who are new to the field and have no background knowledge, SEC275: Foundations - Computers, Technology and Security or SEC301: Introduction to Cyber Security would be the recommended starting point. While these courses are not a prerequisite for SEC566, they do provide the introductory knowledge to help maximize the experience with SEC566.

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC566 SYSTEM HARDWARE REQUIREMENTS

  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. An x64, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 8GB of RAM or more is required.
  • 64GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY SEC566 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable them.
  • Microsoft Office (any version) or OpenOffice installed on your host. Note that you can download Office Trial Software online (free for 30 days).
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMware Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

If you have additional questions about the laptop specifications, please contact laptop_prep@sans.org

Author Statement

"Understanding the threat landscape is complex. Understanding what to do next in addressing threats can be overwhelming when faced with the myriad of technologies and tools available. To further complicate the program, organizations must meet various Compliance and Framework requirements. These competing approaches beg the questions: Are we doing the right thing to protect our organization? What is the most important thing to do next?

In SEC566: Implementing and Auditing CIS Controls, we aim to teach you how to answer those questions on a regular basis. The CIS Controls are a prioritized list of the most important, foundational safeguards to address the attacks occurring today and expected in the future. We hope to help students defend their information systems by the implementation of foundational safeguards. Students will learn how to align with and map CIS Controls directly into compliance and framework requirements. Students will also be able to measure control implementation and effectiveness, then report back to leadership at each level."

-Brian Ventura

Reviews

"SEC566 is truly providing the foundation to elevate my organization's security posture. It has given me the tools to secure our environment and explain why we need to in the first place." - Keri Powell, Textron

"Very valuable because it focuses on what matters and provides practical and easy ways to improve security posture." - Antonio Sannino, P&G

"I will be able to take this back to my organization and use it right away." - Beth Cann, MIT Lincoln Laboratory

"SEC566 was very valuable for me. I thought I knew about security controls but this course has shown me that all I knew was the basics. I now have in-depth knowledge in this area." - Noureen Njoroge, CISCO Systems

"After attending this class, I now have this rejuvenated desire to get back to work, tweak my vulnerability scanner, and run my scans." - Jason Hinojosa, Rush Enterprises
