
Course Description IMT4111 - Security Management (2005/2006)

Level: Postgraduate
ECTS Credits: 10
Duration: Spring, second half of semester
Language: Norwegian, alternatively English
Prerequisite(s): 
Aim

Good practice of information security requires management involvement, skills, well-defined procedures, adequate methods/tools, necessary physical and technical measures, and last but not least an adapted organisation and motivated and responsible employees. This course will enable managers and security managers to better meet these challenges and to cope with the managerial responsibilities of information security in an effective way.

After attending the course, the candidate should:
- fully understand the complete information security value chain
- fully understand the importance of, and the challenges and possibilities regarding, management focus on information security
- be able to create, maintain and develop a security culture based on good attitudes, necessary security awareness and motivation among the employees
- be able to establish and run a suitable and business-related security management organization
- have the knowledge to master essential standards, frameworks, principles and methods regarding risk management and risk analysis
- have a thorough understanding of system analysis methods applied to information security.

Content

The course consists of two sections:
1) Fundamentals of Security Management (30%)
2) Case Studies in Security Management (70%).

The first section, Fundamentals of Security Management, is based on self-study (reading specified book chapters, papers and reports). It is evaluated through an examination based on multiple-choice questions (counting 30% towards the total course grade). Note, however, that passing this exam is a requirement for continuing with the second section.

The following topics from Mark Merkow & Jim Breithaupt “Information Security: Principles and Practices”, Pearson Prentice Hall, 2005, ISBN 0-13-154729-1 should be read by the students:

1. Information security principles of success (Ch. 2, p. 19-33)
2. Security management (Ch. 4, p. 59-82) with the American HIPAA regulations replaced/complemented by Norwegian national regulations or the EU privacy directive (see e.g. http://www.cdt.org/privacy/eudirective/EU_Directive_.html)
3. Business Continuity Planning and Disaster Recovery Planning (Ch. 6, p. 123-133)
4. Physical security control (Ch. 8, p. 165-180)
5. Operations security (Ch. 9, p. 187-198)
6. Application development security (Ch. 13, p. 295-310)
7. Securing the future (Ch. 14, p. 317-324)

Some topics (e.g. 1 and 6) are a refresher of material that has been covered in previous courses.

In addition, students should read the BS7799/ISO17799 standard. Also, a few journal papers and reports on topics related to the second section (“Case Studies in Security Management”) will be assigned. The papers and reports amount to an estimated 40 pages.

The second section, Case Studies in Security Management, counts 70%.

The following cases will be analyzed using system dynamics analysis tools (an introduction to system dynamics will be given).

• Security risks in the transition to eOperations
• A case of insider attack
• Lifecycle of software vulnerabilities
• Improving the performance of incident response teams
• Quality improvement processes and information security

Case reports and system dynamics models will be provided as needed.

The second section will be evaluated through a project.

Study Methods: Self-study for the first course section, Fundamentals of Security Management. Lectures, projects and exercises for the second course section, Case Studies in Security Management.
Assessment: Multiple Choice Test(s) (counts 30%); Evaluation of Project(s) (counts 70%).
Note that it is required to pass the examination of the first section of the course in order to be able to take the second section.
Grading System: Alphabetical Scale, A (best) - F (fail)
Course Requirements: Attending the lectures and carrying out exercises and projects is essential, since the case studies are based on active participation and group discussion.