Department of Computing

ITEC854 Security Management

Semester 2, 2011.

Convenor and Lecturer: Milton Baar

Study period: Semester 2

The intent of this course is to provide students with a working knowledge of commercial information security governance requirements, tools and techniques. The course has a practical focus, with tutorial and lab work that includes aspects of physical security and hacking, information security architectures, and the creation of a dummy company on which the tools and techniques will be developed and tested.

Topics

Introduction & Course Outline

  • What is information security
  • Comparison between perfect security, technical security and commercial security
  • Discussion of risk, threat, likelihood and other terminology
  • Hacking, black hat, white hat, grey hat
  • Introduction of students, background of education/work experience
  • Course outline and expectations for deliverables

Standards and Governance

  • Discussion of the different standards and frameworks that students will come into contact with, including ISO27001, ISO17799, Sarbanes-Oxley, PCIDSS, ASIC, COBIT and ITIL
  • Detailed review of ISO17799 and ISO27001
  • Detailed review of SOX and FSRA requirements

Risk Management Concepts

  • What is risk
  • How can it be measured
  • How is it mitigated
  • What should be protected
  • Introduction to information assets
  • The role of an Information Security Officer
  • How is risk managed in different industries
  • Can risks be accepted, should a business be risk-averse

Threat Workshop

  • What are threats
  • How are threats measured
  • Relationship between threats and likelihood
  • Force Majeure, avoidable threats and how a business reacts to each
  • Industry specific threats
  • Technology specific threats
  • Is privacy a threat

Controls Workshop

  • What are controls
  • Understanding the relationship between threats, likelihood and controls
  • Can controls reduce threats

Practical Hacking

  • History of hacking, why hack an environment
  • What colour hat do you have
  • Operating systems and application basics
  • Tools and techniques

Practical Hacking – Server Hardening

  • Definition of hardening
  • Operating system basics
  • Network basics
  • Application basics
  • Procedures... more procedures... and more procedures...

Evidence Collection

  • Forensics basics
  • How to collect
  • What to collect
  • Roles and responsibilities
  • When is it better to leave it alone

Business Continuity Planning and DRP

  • BCP and DRP overview
  • Why do it
  • What can go wrong
  • BCP/DRP development process and linkage with TRA

Creating an Enterprise Information Security Framework

  • What is an EISF
  • How are they assessed (ISO/IEC27001, ITIL, COBIT, etc.)
  • Importance of scope and statement of applicability
  • Plan, Do, Check, Act cycle
  • Evidence, evidence, evidence
  • What is an Information Security Management System

Is your EISF/ISMS certifiable

  • Review of ISO/IEC27001 certification process
  • What to expect in an audit

Assessment

  • In-class quizzes (3) 30%
    • Weeks 4, 9 & 13
  • Assignment 20%
    • Due week 7
  • Industry Presentation 20%
    • Week 13
  • Final Exam 30%

Text
None

Recommended Reading (supplied on Blackboard)

  • ISO/IEC17799:2005 Code of practice for information security management
  • ISO/IEC27001:2005 Information technology - Security techniques - Information security management systems - Requirements
  • HB171-2003 Guidelines for the management of IT evidence
  • HB231:2004 Information security risk management guidelines
  • COBIT Security Baseline
  • ISECOM Open-Source Security Testing Methodology Manual v2.1
  • And others!

Staff
Unit Convenor: Milton Baar
milton.baar@mq.edu.au
Phone: (04) 1927 9847
Lecturer: Milton Baar