
GSLC

The GSLC certification validates a security leader's ability to design, govern, and communicate an enterprise security program, integrating policy, risk management, architecture, and vendor oversight to protect organizational assets.

Exam length: 180 minutes
Questions: 115
Passing score: 68/100
Exam cost: $979

Who Should Take This

Security managers, directors, and senior engineers with at least five years of experience in security program leadership should pursue the GSLC. They need to translate technical controls into strategic policies, align risk management with business goals, and guide cross‑functional teams and internal and external stakeholders. The certification validates their ability to lead comprehensive security initiatives.

What's Covered

1 Security Program Development
2 Security Policy and Standards
3 Risk Management for Leaders
4 Security Architecture and Engineering Management
5 Vendor and Third-Party Risk
6 Security Awareness Program Management
7 Business Continuity and Crisis Communication

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

63 learning goals
1 Security Program Development
3 topics

Security program charter and organizational alignment

  • Implement a security program charter that defines mission, scope, authority, reporting structure, and alignment with enterprise business objectives and risk appetite.
  • Configure a security organizational structure with defined roles including CISO, security architects, analysts, and engineers that maps reporting lines to business units and the board.
  • Analyze competing security program maturity models including CMMI, NIST CSF, and C2M2 to determine the most appropriate framework for an organization's current security posture and improvement trajectory.
  • Design a multi-year security program roadmap that prioritizes capability development, staffing plans, technology investments, and maturity milestones aligned with business growth projections.

Security program metrics and executive reporting

  • Implement a security metrics framework that captures key performance indicators, key risk indicators, and operational metrics aligned with business-relevant outcomes.
  • Evaluate the effectiveness of security metrics by assessing leading versus lagging indicators, data collection fidelity, and correlation between metrics and actual risk reduction outcomes.
  • Design executive-level security dashboards and board reporting packages that translate technical security posture into business risk language suitable for C-suite and board audiences.

Security budget and resource management

  • Apply security budget development techniques including zero-based budgeting, cost-benefit analysis, and TCO modeling to justify security investments to financial stakeholders.
  • Recommend a security staffing strategy that balances in-house expertise, managed security service providers, and contractor augmentation based on organizational risk profile and budget constraints.
2 Security Policy and Standards
3 topics

Policy framework development and governance

  • Implement a security policy hierarchy comprising strategic policies, tactical standards, operational procedures, and supporting guidelines that enforces consistent controls across the enterprise.
  • Apply policy lifecycle management processes including drafting, stakeholder review, approval workflows, version control, periodic review cycles, and exception management procedures.
  • Evaluate policy compliance gaps by comparing current policy coverage against regulatory requirements, industry standards, and organizational risk tolerance to prioritize remediation efforts.
  • Design a policy governance framework that assigns ownership, defines enforcement mechanisms, establishes exception escalation paths, and integrates policy compliance into performance management.

Standards alignment and regulatory mapping

  • Apply industry security standards including ISO 27001, NIST 800-53, CIS Controls, and PCI DSS to develop baseline security requirements appropriate to the organization's industry and risk profile.
  • Analyze regulatory compliance requirements including GDPR, HIPAA, SOX, and CCPA to map control obligations to existing security policies and identify coverage gaps requiring remediation.
  • Recommend a unified compliance framework that consolidates overlapping regulatory and standards requirements into a single control catalog to reduce audit burden and improve governance efficiency.

Acceptable use and data classification policies

  • Implement acceptable use policies covering employee device usage, social media conduct, remote access requirements, and BYOD controls with enforceable sanctions for non-compliance.
  • Apply data classification schemes with defined handling requirements for public, internal, confidential, and restricted data categories across storage, transit, and processing contexts.
  • Evaluate the effectiveness of data classification enforcement by analyzing DLP policy violations, data handling incidents, and user compliance rates to recommend program improvements.
3 Risk Management for Leaders
3 topics

Enterprise risk assessment and treatment

  • Apply quantitative risk analysis techniques including annualized loss expectancy, single loss expectancy, annualized rate of occurrence, and exposure factor to support security investment decisions.
  • Implement an enterprise risk register that captures identified risks, risk owners, likelihood assessments, impact ratings, treatment decisions, and residual risk acceptance documentation.
  • Evaluate competing risk assessment frameworks including FAIR, NIST RMF, ISO 31000, and OCTAVE to determine the most suitable methodology for an organization's decision-making culture and data maturity.
  • Design a risk treatment strategy that balances risk avoidance, mitigation, transfer, and acceptance decisions based on organizational risk appetite, control costs, and regulatory obligations.

Risk communication and appetite governance

  • Apply risk communication techniques that translate technical risk findings into business impact language for executive committees, audit committees, and board risk oversight functions.
  • Analyze organizational risk appetite statements and tolerance thresholds to evaluate whether current risk exposure levels require escalation, additional controls, or formal acceptance by risk owners.
  • Recommend a risk governance model that defines escalation triggers, risk committee charters, risk owner accountability structures, and integration with enterprise risk management functions.

Threat landscape and risk intelligence

  • Implement a threat intelligence program that integrates OSINT feeds, ISAC membership, vendor advisories, and internal telemetry to inform risk assessment and control prioritization decisions.
  • Evaluate emerging threat trends including ransomware evolution, supply chain attacks, nation-state campaigns, and AI-powered threats to assess their potential impact on the organization's risk posture.
4 Security Architecture and Engineering Management
4 topics

Security architecture governance and review

  • Implement a security architecture review process with defined intake criteria, review checklists, approval gates, and exception tracking for new systems and major changes.
  • Analyze security reference architectures including SABSA, TOGAF security extensions, and zero-trust models to evaluate their applicability to the organization's technology landscape and risk profile.
  • Design an enterprise security architecture strategy that defines layered defense principles, technology standards, integration patterns, and governance checkpoints for consistent security posture across hybrid environments.

Cloud security strategy and oversight

  • Apply the shared responsibility model across IaaS, PaaS, and SaaS deployment models to define security control ownership boundaries between the organization and cloud service providers.
  • Evaluate cloud security posture management tools, cloud access security brokers, and cloud workload protection platforms to assess their coverage against organizational cloud security requirements.
  • Recommend a cloud security governance strategy that addresses multi-cloud security standards, data residency requirements, encryption key management, and continuous compliance monitoring.

Network and endpoint security management

  • Apply network segmentation principles including micro-segmentation, DMZ architecture, and zero-trust network access to reduce lateral movement risk across enterprise and cloud environments.
  • Evaluate endpoint detection and response, extended detection and response, and managed detection and response solutions to compare detection coverage, response automation, and integration capabilities.
  • Design an endpoint security strategy that integrates device management, application whitelisting, privilege management, and continuous monitoring across corporate and remote endpoints.

Identity and access management strategy

  • Implement identity governance and administration processes including joiner-mover-leaver workflows, access certification campaigns, role-based access control models, and privileged access management.
  • Analyze authentication strategy options including multi-factor authentication, passwordless authentication, federation protocols, and conditional access to recommend appropriate controls for different user populations.
  • Design an enterprise identity strategy that unifies on-premises directory services, cloud identity providers, and customer identity management under a consistent governance and access model.
5 Vendor and Third-Party Risk
2 topics

Vendor risk assessment and due diligence

  • Implement a vendor security assessment program with standardized questionnaires, risk tiering criteria, evidence collection requirements, and assessment frequency schedules based on vendor criticality.
  • Evaluate vendor security postures by analyzing SOC 2 Type II reports, penetration test findings, compliance certifications, and security incident histories to determine residual third-party risk.
  • Recommend vendor risk treatment actions including contract security addenda, right-to-audit clauses, security SLA requirements, and vendor termination contingency plans for high-risk relationships.

Supply chain and fourth-party risk management

  • Apply supply chain risk management frameworks including NIST C-SCRM, software bill of materials analysis, and open-source component governance to manage upstream dependency risks.
  • Analyze fourth-party risk exposure by mapping critical vendor subcontractor dependencies, assessing concentration risk, and evaluating cascade failure scenarios across the vendor ecosystem.
  • Design a comprehensive third-party risk management program that integrates vendor assessment, continuous monitoring, contractual controls, and incident response coordination across the full vendor lifecycle.
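The software bill of materials analysis and open-source component governance named above, as an added Python example that is not from the course or from any SBOM tool. It parses a constructed CycloneDX 1.5 JSON document, applies a hypothetical license policy and a constructed internal advisory list (the package names are fictional), and reports each finding with the dependency path that pulls the component in, so a transitive component can be traced back to the direct dependency, and therefore the supplier, responsible for it.

```python
"""Added example: open-source component governance over a CycloneDX SBOM.

Parses CycloneDX 1.5 JSON, applies a license policy and an internal advisory
list, and reports each finding with the dependency path that pulls the
component in. SBOM, policy and advisories are constructed; names are fictional.
"""
import json
from collections import deque

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "metadata": {"component": {"type": "application", "bom-ref": "app",
                             "name": "billing-portal", "version": "4.2.0"}},
  "components": [
    {"type": "library", "name": "example-http-client", "version": "2.3.1",
     "bom-ref": "pkg:npm/example-http-client@2.3.1", "purl": "pkg:npm/example-http-client@2.3.1",
     "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "example-yaml", "version": "1.0.4",
     "bom-ref": "pkg:npm/example-yaml@1.0.4", "purl": "pkg:npm/example-yaml@1.0.4",
     "licenses": [{"license": {"id": "AGPL-3.0-only"}}]},
    {"type": "library", "name": "example-logger", "version": "0.9.0",
     "bom-ref": "pkg:npm/example-logger@0.9.0", "purl": "pkg:npm/example-logger@0.9.0"},
    {"type": "library", "name": "example-base64", "version": "3.1.0",
     "bom-ref": "pkg:npm/example-base64@3.1.0", "purl": "pkg:npm/example-base64@3.1.0",
     "licenses": [{"license": {"id": "Apache-2.0"}}]}
  ],
  "dependencies": [
    {"ref": "app", "dependsOn": ["pkg:npm/example-http-client@2.3.1", "pkg:npm/example-base64@3.1.0"]},
    {"ref": "pkg:npm/example-http-client@2.3.1", "dependsOn": ["pkg:npm/example-yaml@1.0.4"]},
    {"ref": "pkg:npm/example-yaml@1.0.4", "dependsOn": ["pkg:npm/example-logger@0.9.0"]}
  ]
}"""

# Hypothetical policy: SPDX identifiers allowed in shipped products, and the
# strong-copyleft licenses denied there. Anything else goes to legal review.
LICENSE_POLICY = {
    "allowed": {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"},
    "denied": {"AGPL-3.0-only", "AGPL-3.0-or-later", "SSPL-1.0"},
}

# Constructed internal advisories: versionless purl -> first version considered fixed.
INTERNAL_ADVISORIES = {"pkg:npm/example-logger": "1.2.0"}


def parse_version(version):
    """'1.2.3-beta' -> (1, 2, 3). Enough for dotted numeric versions; use the
    packaging module for PEP 440 or a semver library for full semver rules."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def dependency_paths(sbom):
    """Shortest bom-ref path from the root application to every reachable ref."""
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    root = sbom["metadata"]["component"]["bom-ref"]
    paths, queue = {root: [root]}, deque([root])
    while queue:
        ref = queue.popleft()
        for child in edges.get(ref, []):
            if child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def check_sbom(sbom_text, policy=LICENSE_POLICY, advisories=INTERNAL_ADVISORIES):
    """Return sorted (bom-ref, issue, dependency path) findings."""
    sbom = json.loads(sbom_text)
    paths = dependency_paths(sbom)
    findings = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        path = " > ".join(paths.get(ref, ["(not in dependency graph)", ref]))
        licenses = []
        for entry in comp.get("licenses", []):
            lic = entry.get("license", {})
            licenses.append(lic.get("id") or lic.get("name") or entry.get("expression"))
        if not licenses:
            findings.append((ref, "no license declared; legal review required", path))
        for lic in licenses:
            if lic in policy["denied"]:
                findings.append((ref, f"license {lic} denied by policy", path))
            elif lic not in policy["allowed"]:
                findings.append((ref, f"license {lic} not on allow list; review", path))
        base, _, version = comp.get("purl", "").rpartition("@")
        fixed = advisories.get(base)
        if fixed and parse_version(version) < parse_version(fixed):
            findings.append((ref, f"version {version} below fixed version {fixed} (internal advisory)", path))
    return sorted(findings)


if __name__ == "__main__":
    for ref, issue, path in check_sbom(SBOM_JSON):
        print(f"{ref}\n  {issue}\n  via {path}")
```

The path column is the governance hook: both findings in this SBOM sit three and four levels below the application, but every path runs through example-http-client, the only direct dependency the team actually chose, which is where a remediation request or a supplier conversation has to start.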
6 Security Awareness Program Management
2 topics

Awareness program design and delivery

  • Implement a security awareness training program with role-based curricula, delivery schedules, completion tracking, and integration into the employee onboarding and annual compliance cycle.
  • Apply phishing simulation and social engineering assessment techniques to measure employee susceptibility, benchmark performance over time, and target remedial training to high-risk populations.
  • Evaluate awareness program effectiveness using metrics including phishing click rates, reporting rates, training completion percentages, and security incident correlation to identify improvement areas.

Security culture and behavior change

  • Implement security champion programs that embed security advocates within business units to promote secure behaviors, facilitate policy adoption, and provide frontline security guidance.
  • Analyze organizational security culture maturity using behavioral indicators, survey data, incident trends, and policy compliance patterns to assess the effectiveness of culture change initiatives.
  • Design a security culture transformation strategy that leverages executive sponsorship, gamification, positive reinforcement, and measurable behavior change objectives to sustain long-term security awareness.
7 Business Continuity and Crisis Communication
3 topics

Business continuity and disaster recovery planning

  • Implement a business impact analysis that identifies critical business processes, maximum tolerable downtime, recovery time objectives, and recovery point objectives for prioritized service restoration.
  • Apply business continuity plan development methodologies including strategy selection, plan documentation, resource allocation, and integration with IT disaster recovery procedures.
  • Evaluate business continuity plan effectiveness through tabletop exercises, functional tests, and full-scale simulations to identify gaps in recovery procedures, communication, and decision-making.
  • Design a resilience strategy that integrates business continuity, disaster recovery, and cyber incident response into a unified framework with defined escalation paths and recovery prioritization.

Crisis communication and incident governance

  • Implement a crisis communication plan with predefined notification templates, stakeholder communication trees, media response protocols, and regulatory disclosure timelines for security incidents.
  • Apply incident escalation and command structures including incident commanders, communication leads, and technical leads to coordinate multi-team response during active security crises.
  • Analyze post-incident reviews to evaluate response effectiveness, identify process breakdowns, measure mean time to detect and respond, and derive actionable improvements for future incident handling.
  • Recommend a crisis governance framework that defines decision authority during incidents, legal counsel engagement triggers, regulatory notification requirements, and reputation management protocols.

Incident response program management

  • Implement an incident response program with defined phases following NIST SP 800-61 (preparation; detection and analysis; containment, eradication, and recovery; post-incident activity) or the SANS incident handling steps (preparation, identification, containment, eradication, recovery, lessons learned).
  • Evaluate incident response team readiness through capability assessments, exercise outcomes, tool proficiency reviews, and staffing adequacy analysis for various incident severity levels.
  • Optimize incident response operations by recommending automation opportunities, playbook improvements, cross-team coordination enhancements, and metrics-driven response time reduction strategies.

Scope

Included Topics

  • All domains covered by the GIAC Security Leadership Certification (GSLC) aligned with SANS LDR512: Security Program Development, Security Policy and Standards, Risk Management for Leaders, Security Architecture and Engineering Management, Vendor and Third-Party Risk, Security Awareness Program Management, and Business Continuity and Crisis Communication.
  • Executive-level security program governance including building and maturing a security organization, defining security charters, establishing board-level reporting cadences, and aligning security strategy with business objectives.
  • Risk management from a leadership perspective: enterprise risk registers, risk appetite statements, quantitative and qualitative risk frameworks (FAIR, NIST RMF, ISO 31000), risk treatment decision-making, and risk communication to non-technical stakeholders.
  • Security architecture oversight including reference architecture evaluation, secure design review governance, cloud security strategy, zero-trust adoption planning, and technology lifecycle management.
  • Vendor and third-party risk management: vendor due diligence programs, contract security requirements, SLA enforcement, supply chain risk assessment, and fourth-party risk visibility.
  • Security awareness and culture: program design, phishing simulation campaigns, metrics-driven training effectiveness, role-based awareness curricula, and culture change management.
  • Business continuity planning, disaster recovery governance, crisis communication frameworks, incident escalation structures, and executive decision-making during security crises.

Not Covered

  • Hands-on technical implementation of security tools, firewall rules, IDS signatures, or SIEM correlation queries that fall below the leadership abstraction level.
  • Entry-level security fundamentals assumed as prerequisite knowledge for GSLC candidates with 5+ years of security management experience.
  • Vendor-specific product configurations and pricing that do not generalize across the GSLC leadership curriculum.
  • Penetration testing techniques, exploit development, and offensive security skills outside the scope of security leadership decision-making.
  • Academic research methodologies and formal proofs in cryptography or information theory not relevant to security program governance.

Official Exam Page

Learn more at GIAC Certifications


GSLC is coming soon


Trademark Notice

GIAC® is a registered trademark of Global Information Assurance Certification (a subsidiary of the SANS Institute). GIAC does not endorse this product.

AccelaStudy® and Renkara® are registered trademarks of Renkara Media Group, Inc. All third-party marks are the property of their respective owners and are used for nominative identification only.