Information Security Management

Syllabus

Thematic definition of exercises: 1. Information security management of the enterprise. Information security - background, objectives and requirements. Attributes of information security. Subject of information security protection, IS assets, structure and framework of information security management. Concepts of cyber security in the Slovak Republic. 2. Legislation, norms and standards of information security management. National and international standards defining information security management - Cyber Security Act, Criminal Law, GDPR, Public Administration Information Systems Act, ISO/IEC 27000 Council Standards, COBIT process framework, ITIL. National Cyber Security Strategy. Information security management system certification. 3. Information assets of the enterprise. Analysis of enterprise information assets, classification, types and categories of information assets. Valuation of information assets. Vulnerability analysis. 4. Security incidents in enterprises. Security threats, incidents, categories of security incidents. Security threat life cycle. Sources of security incidents, likelihood of security incidents and threats in the enterprise. Detection of security incidents in the enterprise. Cyber threat trends. 5. Information security risk. Information security vulnerabilities and risks. Evaluation and assessment of security risks - qualitative and quantitative analysis of information security risks. Risk level. Risk metrics. 6. Information security risk management. Impact of information security risk on management and economic indicators of the enterprise. Risk management plan. Mitigation of information security risks. 7. Security measures. Requirements for security measures. Types and categories of security measures. Organizational, competency and technical security measures. Measures to eliminate and mitigate security risks. Adequate security vs. acceptable cost, effectiveness and efficiency of security measures. 8. Information security management models - PDCA model, Activate-Adapt-Anticipate, Confidentiality-Integrity-Availability, TQISM, ISSRM Domain Model, General Impact Factor Model, BMIS Model, Information Security Management System Process Maps, Cybersecurity Framework. 9. Information security project for the enterprise I. (initial phase) - content, structure and documentation. Information security management system planning for the enterprise. Detection and analysis of security risks. Quantitative and qualitative risk analysis. Continuous assessment - verification of knowledge and skills students acquired during the semester. 10. Information security project for the enterprise II. (implementation phase) - implementation and operation of the information security system. Monitoring and review. Feedback. Maintenance and Improvement. 11. Audit and certification of information security management. Role of security audit, importance and benefits of security audit for the enterprise. Possibilities of security audit implementation. Certification of information systems - types of certification, role and importance of certification, benefits of certification for the enterprise, stages of certification.