CIS 220 · Information Systems and Cyber Security · Level 200 (Phase Two)
A Royal Army College course in guarding the master keys of a digital state: its accounts, its access, and its records.
Course length: 10 hours, studied online and asynchronously at the student's own pace, together with any in-person practical instruction and assessment the course requires.
Foreword
In a state held together by information, identity is the master key. Almost every serious compromise comes down to a credential that was stolen, shared, or never taken away, and almost every protection rests on knowing exactly who may do what, and proving it afterwards. This course is about that master key: how accounts are created, changed, and removed; how access is granted by role and kept to the least that is needed; how the secrets and keys that unlock systems are protected; how the most powerful, privileged access is specially controlled; how identity is federated and trusted across systems; how data is classified and managed through its lifecycle; how a state's records and its nationals' personal data are kept safe and private; and how all of it is logged, reviewed, and accounted for.
It deepens the identity and access material introduced in CIS 210 and turns it into a discipline. It draws on recognised practice, role-based access control, least privilege, separation of duties, the joiner-mover-leaver lifecycle, secrets management, and the principles of data protection, and applies them at the modest scale of a small force that nonetheless guards the registers of a Principality. Throughout, one rule from the specialities framework governs everything: access follows appointment, never merely a qualification.
The work is quiet and unglamorous, and it is where a digital state most often stands or falls. A single orphaned admin account, one shared key, one register left unencrypted, can undo a great deal. This course builds the member who closes those gaps.
Who this course is for
This course is for members of the Information Systems and Cyber Security speciality, and for anyone who will manage accounts, access, keys, or records on behalf of the Army or the Principality. It assumes CIS 201 and CIS 210.
What this course covers
| Lesson | Title |
|---|---|
| 01 | Identity as the Master Key |
| 02 | The Account Lifecycle: Joiner, Mover, Leaver |
| 03 | Authorisation, Roles, and Least Privilege |
| 04 | Protecting Credentials, Keys, and Secrets |
| 05 | Records and Data Security |
| 06 | Privileged Access Management |
| 07 | Federation, Single Sign-On, and Trust Between Systems |
| 08 | Data Classification and the Data Lifecycle |
| 09 | Data Protection and the Privacy of Nationals |
| 10 | Audit, Review, and Accountability |
How this course fits the catalogue
CIS 220 builds on CIS 201 and CIS 210, and is the natural partner of SIG 220 · Communications Security and Digital Discipline. It supports PME 210 · Basic Staff Duties and Written Orders (custody of records) and leads on to CIS 310 · Cyber Incident Response and Continuity. It puts into practice the specialities framework's rule that access follows appointment.
A note on scope and access
Defensive and lawful throughout: protecting accounts, keys, records, and the privacy of nationals. It is not a course in cracking credentials, escalating privilege against systems, or accessing records without authority. No member receives access by completing this course; access follows appointment and is granted only by the authority responsible for the system or record.
Crown Copyright © 2026 | Published by Authority of H.R.H. The Prince of Kaharagia