This course focuses on the essential requirements, design, implementation, operations, testing and management of a corporate cybersecurity program. The program is based on the Framework for Improving Critical Infrastructure Cybersecurity (“The Framework”), which was issued on February 12, 2014, as directed by President Obama in Executive Order 13636. The Executive Order calls for the development of a voluntary Cybersecurity Framework that provides a “prioritized, flexible, repeatable, performance-based, and cost-effective approach” for assisting organizations responsible for critical infrastructure services to manage cybersecurity risk.

This is a three-part on-demand course. To be eligible for the 5 CPE credit hours, you must attend all three sections of the program. Upon completion you will receive a certificate of attendance that you may submit to your certifying body.

Course price: $295

If you have any questions or concerns, please contact Tom Bechtold at or 503-303-7871.


Lesson 1: The drivers, components and structure of a cybersecurity program

Lesson 1 provides a general understanding of today’s information security landscape including key business, technical, operational and management requirements for developing, implementing and maintaining a corporate cybersecurity program. This lesson includes a summary of the main elements of the NIST Cybersecurity Framework.

Lesson 1: Program Deliverables
     • The Current Threat Landscape
     • Understanding the Risks
     • The NIST Cybersecurity Framework
     • The Controls Factory [Deliverable 1]
     • The Cybersecurity Programs [Deliverable 2]
     • The Vision / Strategy

Lesson 2: Designing a cybersecurity program

Lesson 2 includes the detailed analysis and design requirements of the Controls Factory, introduced in Lesson 1 as the first deliverable. The Controls Factory provides organizations (including cloud providers) with the essential tools, practices and procedures to establish and maintain a cybersecurity program that aligns with the NIST Framework. It includes the flexibility to update components of the Factory as stakeholders learn from emerging threats, new technologies, program enhancements, ongoing operations and testing, etc.

Lesson 2: Controls Factory Components
     • The Threat Office
     • The Controls Office
     • The Technology Center
     • The Operations Center
     • The Testing Center
     • The Program Office
     • The GRC Office

Lesson 3: Building a cybersecurity program

Lesson 3 includes the detailed implementation requirements of the Cybersecurity Programs, introduced in Lesson 1 as the second deliverable. The Cybersecurity Programs provide organizations (including cloud providers) with the threat indicators, controls requirements, technologies, operations, testing and program management capabilities to secure their digital assets (endpoints, networks, servers, etc.). The assets are grouped into programs that align with existing business and IT functions, making it easier for organizations to identify, assess, mitigate and manage their cyber risks and compliance requirements.

Lesson 3: Cybersecurity Program Structure
     • The Infrastructure Security Program
     • The Application Security Program
     • The Information Security Program
     • The Identity and Access Management Program
     • The Crown Jewels Security Program

INSTRUCTOR: Larry Wilson
CISO, University of Massachusetts President’s Office

Larry is responsible for developing, implementing and managing the University of Massachusetts Information Security Policy and Written Information Security Program (WISP). The University program is based on industry best practices (ISO 27001 / SANS 20 Critical Controls) and is implemented consistently across all University campuses (Amherst, Boston, Dartmouth, Lowell, Medical School and the President’s Office).

Prior to joining UMASS, Larry was the Vice President, Network Security Manager at State Street. In this role he was responsible for researching, selecting, implementing and overseeing an engineering staff who managed network security technologies / tools including vulnerability scanning, network firewall policy management, intrusion detection, remote access, DNS security, global and local load balancing, etc.

Larry's industry experience includes IT audit manager for Deloitte Enterprise Risk Services (ERS) consulting practice. In this role he managed a staff responsible for developing and completing a Sarbanes Oxley compliance audit for MasterCard International. Larry's team focused on the application level controls and general computer controls for information technology services implemented and managed from the MasterCard data center in St. Louis.

Larry holds a Master of Science degree in Civil / Structural Engineering from the University of New Hampshire. His industry certifications include CISSP, CISA and ISA (PCI Internal Security Assessor). He serves on the Advisory Board for Middlesex Community College and the CISO Advisory Board for Oracle. He co-chairs the Massachusetts State University and Community College Information Security Council, and serves as Certification Director for ISACA New England. His major 2013 accomplishments include being a Finalist for Information Security Executive® (ISE®) of the Year for both the Northeast Region and North America, and receiving a SANS "People Who Made a Difference in Cybersecurity in 2013" award.

Larry has been teaching CISA certification training for ISACA for 5 years.