Information Security Management

Teachers

Included in study programs

Teaching results

Knowledge:
• A comprehensive view of information security management through the content definition of information security, knowledge of legislation and models related to information security, identification of information assets, analysis of information risks and knowledge of effective security measures to ensure the information security of the enterprise.
Competence:
• effectively use essential information about information security management to achieve optimal information security for the enterprise,
• assess the information assets of the enterprise,
• evaluate information security risks to the enterprise,
• propose solutions and defend recommendations to enhance enterprise information security,
• assess the effectiveness and efficiency of security measures and the project of information security management of the enterprise.
Skill:
• analyze the vulnerability of the enterprise's information assets,
• quantitatively and qualitatively analyze security risks,
• design organizational, competence and technical security measures to eliminate security incidents,
• develop a project of information security of the enterprise,
• prepare the enterprise for information security management audit and certification.

Indicative content

Thematic definition of exercises:
1. Information security management of the enterprise.
2. Legislation, norms and standards of information security management.
3. Information assets of the enterprise.
4. Security incidents in enterprises.
5. Information security risk.
6. Information security risk management.
7. Security measures.
8. Information security management models.
9. Information security project for the enterprise I. (initial phase)
10. Information security project for the enterprise II. (implementation phase)
11. Audit of information security management.
12. Certification of information security management.
13. Lecture by a practice representative.

Support literature

Basic literature:
1. TIPTON, Harold F. - NOZAKI, Micki Krause. Information Security Management Handbook. Volume 6. Milton Park, Abingdon : Auerbach Publications, 2016. 504 s. ISBN 9781138199750.
2. Zákon č. 18/2018 Z. z. o ochrane osobných údajov a o zmene a doplnení niektorých zákonov.
3. Zákon č. 69/2018 Z. z. o kybernetickej bezpečnosti a o zmene a doplnení niektorých zákonov.
4. STN ISO/IEC 27001: 2014: Informačné technológie – Bezpečnostné metódy – Systémy riadenia informačnej bezpečnosti – Požiadavky.
5. ČERMÁK, Miroslav. Řízení informačních rizik v praxi. Brno : Tribun EU, 2009. s. 136. ISBN 978-80-7399-731-1.
6. ONDRÁK, Viktor. – SEDLÁK, Petr – MAZÁLEK, Vladimír. Problematika ISMS v manažerské informatice. Brno : Akademické nakladatelství CERM, 2014. s. 378. ISBN 9788072048724.
7. STRNÁD, Ondrej. Riadenie rizík informačnej bezpečnosti. Ostrava : Amos, 2010. 238 s. ISBN 9788090452398.
8. STRNÁD, Ondrej. Systém riadenia informačnej bezpečnosti. Ostrava : Amos, 2013. 262 s. ISBN 978-80-87691-03-8.
Supplementary literature:
1. CSIRT.SK. Informačná bezpečnosť – Štandardy a legislatíva. Bratislava, 2021. Dostupné na internete: < https://www.csirt.gov.sk/informacna-bezpecnost/standardy-a-legislativa-813.html>.
2. CSIRT.SK. Štandardy informačnej bezpečnosti. Bratislava, 2020. Dostupné na internete: .
4. KOSTRECOVÁ, Eva. Informačná bezpečnosť. Bratislava : STU, 2013. 83 s. ISBN 9788022739276.
5. NBÚ SR. 2016. Strategické dokumenty. Bratislava: Národný bezpečnostný úrad, 2020. Dostupné na internete: < https://www.nbu.gov.sk/kyberneticka-bezpecnost/strategicke-dokumenty/index.html >.
6. VACULÍK, Juraj. Manažment bezpečnosti informačného systému. Žilina : Edis, 2018. 288 s. ISBN 9788055414621.

Syllabus

Thematic definition of exercises: 1. Information security management of the enterprise. Information security - background, objectives and requirements. Attributes of information security. Subject of information security protection, IS assets, structure and framework of information security management. Concepts of cyber security in the Slovak Republic. 2. Legislation, norms and standards of information security management. National and international standards defining information security management - Cyber Security Act, Criminal Law, GDPR, Public Administration Information Systems Act, ISO/IEC 27000 Council Standards, COBIT process framework, ITIL. National Cyber Security Strategy. Information security management system certification. 3. Information assets of the enterprise. Analysis of enterprise information assets, classification, types and categories of information assets. Valuation of information assets. Vulnerability analysis. 4. Security incidents in enterprises. Security threats, incidents, categories of security incidents. Security threat life cycle. Sources of security incidents, likelihood of security incidents and threats in the enterprise. Detection of security incidents in the enterprise. Cyber threat trends. 5. Information security risk. Information security vulnerabilities and risks. Evaluation and assessment of security risks - qualitative and quantitative analysis of information security risks. Risk level. Risk metrics. 6. Information security risk management. Impact of information security risk on management and economic indicators of the enterprise. Risk management plan. Mitigation of information security risks. 7. Security measures. Requirements for security measures. Types and categories of security measures. Organizational, competency and technical security measures. Measures to eliminate and mitigate security risks. Adequate security vs. acceptable cost, effectiveness and efficiency of security measures. 8. Information security management models - PDCA model, Activate-Adapt-Anticipate, Confidentiality-Integrity-Availability, TQISM, ISSRM Domain Model, General Impact Factor Model, BMIS Model, Information Security Management System Process Maps, Cybersecurity Framework. 9. Information security project for the enterprise I. (initial phase) - content, structure and documentation. Information security management system planning for the enterprise. Detection and analysis of security risks. Quantitative and qualitative risk analysis. Continuous assessment - verification of knowledge and skills students acquired during the semester. 10. Information security project for the enterprise II. (implementation phase) - implementation and operation of the information security system. Monitoring and review. Feedback. Maintenance and Improvement. 11. Audit and certification of information security management. Role of security audit, importance and benefits of security audit for the enterprise. Possibilities of security audit implementation. Certification of information systems - types of certification, role and importance of certification, benefits of certification for the enterprise, stages of certification.

Requirements to complete the course

30 % continuous written work, 70 % combined examination

Student workload

78 h (participation in seminars 26 h, preparation for continuous written work 26 h, preparation for exam 26 h)

Language whose command is required to complete the course

Slovak

Date of approval: 11.03.2024

Date of the latest change: 14.05.2022