CIS 310 · Information Systems and Cyber Security · Level 300 (Non-Commissioned Officer / Specialist)
A Royal Army College course in handling a cyber incident and keeping a digital state running through disruption.
Course length: 10 hours, studied online and asynchronously at the student's own pace, together with any in-person practical instruction and assessment the course requires.
Foreword
In CIS 201 every member learns to recognise trouble and report it. This course is what happens next. When a report turns out to be real, an account taken over, a device lost, a service down, data exposed, someone has to lead a calm, methodical response that limits the harm, removes the threat, restores the service, protects the nationals whose data is at stake, and learns from the event. And because the Principality is a digital state, the same discipline must answer a larger question: how do essential functions keep running when the systems they depend on are disrupted?
This course teaches both. It follows the recognised incident lifecycle, prepare, detect and analyse, contain and eradicate and recover, and learn, and turns each phase into practical work for a small team. It gives defensive playbooks for the incidents a small force is most likely to meet. And it teaches business continuity and disaster recovery for a digital state: recovery objectives, the order of restoration, and the manual and off-grid floor that keeps the essential work going when the screens go dark. It goes deeper into threat intelligence and knowing the adversary, the preservation of evidence and the investigation of what happened, the crisis communication, notification, and coordination a serious incident demands, and the resilience-by-design that limits the damage before it happens. It draws on recognised standards and on practical blue-team and packet-analysis foundations.
The response to a bad day is decided mostly before it arrives, by preparation, by clean backups, and by a team that has rehearsed. This course builds that readiness. Throughout, it is strictly defensive: limit harm, restore, protect, and learn, never retaliate.
Who this course is for
This course is for members of the Information Systems and Cyber Security speciality who will help lead or carry out incident response and continuity, and for the NCOs who supervise them. It assumes CIS 201, CIS 210, and CIS 220.
What this course covers
| Lesson | Title |
|---|---|
| 01 | Preparing for the Bad Day |
| 02 | Detection and Analysis |
| 03 | Containment, Eradication, and Recovery |
| 04 | Defensive Playbooks for Common Incidents |
| 05 | Continuity and Disaster Recovery |
| 06 | Threat Intelligence and Knowing the Adversary |
| 07 | Evidence, Forensics, and Investigation |
| 08 | Crisis Communication, Notification, and Coordination |
| 09 | Resilience by Design: Limiting the Damage |
| 10 | After the Incident |
How this course fits the catalogue
CIS 310 completes the Information Systems and Cyber Security speciality, above CIS 201, CIS 210, and CIS 220. It works closely with HCR 220 · Emergency Preparedness and Civil Resilience (continuity) and SIG 410 · Communications Planning for Small Forces (resilient and off-grid communications), and draws on SIG 220 (communications security) and PME 210 (records and reporting). It supports NCO and specialist development.
A note on scope
Strictly defensive and lawful: detection, containment, recovery, continuity, and learning, to limit harm and protect Kaharagia's systems, services, and nationals. It is not a course in offensive operations, intrusion, or "hacking back," which are neither taught nor sanctioned.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia