Expected learning outcomes
Good practice of information security requires management involvement, skills, well-defined procedures, adequate methods/tools, necessary physical and technical measures, and last not least an adapted organisation and motivated and responsible employees. This course will enable managers and security managers to better meet these challenges and to cope with the managerial responsiblities of information security in an effective way.
The candidate should after attending the course
- fully understand the complete information security value-chain
- fully understand the importance of and challenges and possibilities regarding management focus on information security
- be able to create, maintain and develop a security culture based on good attitudes, necessary security awareness and motivation among the employees
- be able to establish and run a suitable and business related security management organizaton
- enjoy the knowledge to master essential standards, frameworks, principles and methods regarding risk management and risk analysis
- have a thorough understanding of system analysis methods applied to information security.
The course consists of two sections:
1) Fundamentals of Security Management (30%)
2) Case Studies in Security Management (70%).
The first section, Fundamentals of Security Management, is based on self-study (reading specified book chapters, papers and reports). It is evaluated through an examination based on multiple-choice questions (counting 30% to the total course grade). Note, however, that passing this exam is a requirement to continue with the second section.
The following topics from Mark Merkow & Jim Breithaupt Information Security: Principles and Practices", Pearson Prentice Hall, 2005, ISBN 0-13-154729-1 should be read by the students:
1. Information security principles of success (Ch. 2, p. 19-33)
2. Security management (Ch. 4, p. 59-82) with the American HIPAA regulations replaced/complemented by Norwegian national regulations or the EU privacy directive (see e.g. http://www.cdt.org/privacy/eudirective/EU_Directive_.html)
3. Business Continuity Planning and Disaster Recovery Planning (Ch. 6, p. 123-133)
4. Physical security control (Ch. 8, p. 165-180)
5. Operations security (Ch. 9, p. 187-198)
6. Application development security (Ch. 13, p. 295-310)
7. Securing the future (Ch. 14, p. 317-324)
Some topics (e.g. 1 and 6) are a refreshment of stuff that has been treated in previous courses.
In addition, students should read the BS7799/ISO17799 standard. Also, a few journal papers and reports on topics related to the second section (Case Studies in Security Management") will be assigned. Estimated number of pages for papers/reports ca. 40 pages.
The second section, Case Studies in Security Management, counts 70%.
The following cases will be analyzed using system dynamics analysis tools (an introduction to system dynamics will be given).
- Security risks in the transition to eOperations
- A case of insider attack
- Lifecycle of software vulnerabilities
- Improving the performance of incident response teams
- Quality improvement processes and information security
Case reports and system dynamics models will be provided as needed.
The second section will be evaluated through a project.
Teaching Methods (additional text)
Self-study for the first course section
Fundamentals of Security Management. Lectures
projects and exercises for the second course section
Case Studies in Security Management.
Form(s) of Assessment
Multiple Choice Test(s)
Evaluation of Project(s)
Form(s) of Assessment (additional text)
Multiple-choice examination for the first part of the course (weight 30%)
Multiple-choice examination for the second part of the course (weight 20%)
Evaluation of Project (weight 50%)
The multiple-choice examination for the first part of the course must be passed in order to take the second part of the course
Alphabetical Scale, A(best) – F (fail)
Attending the lectures and carrying out exercises & projects is essential since case studies are based on active participation and group discussion.