- Learn to control information security risks within an organization in an holistic fashion (procedural, organizational and technical).
- Getting familiar with the leading standards in this area, their shortcomings and practical implementation guidelines.
- To learn to map policies to technical countermeasures and vice versa.
- To learn how to write and enforce security policies.
- To learn some basic techniques in security auditing.
- Getting an idea of the practical aspects of information security.
- Getting inspiration for further scientific research.
Information security deals with the preservation of the confidentiality, integrity and availability of information. The leading standard on information security is ISO 27001 that defines the notion of a Information Security Management System (ISMS). This is a means for the management of an organization to be in control of the information security risks. Fundamental within ISO 27001 is that information security is considered to be a 'process' and not a 'product' one can simply buy. The process allows management to ensure that others within their organization are implementing security controls that are effective.
One of the difficulties of the information security process is its multidisciplinary nature: it needs to grasp security requirements from the organization business processes (where the managers typically are not savvy on information security) and to translate them to security controls. These controls can be of various types, including ICT technical or cryptographic but also related to personnel security (e.g. screening) or physical security (e.g. ‘locks’). The multidisciplinary nature of information security is reflected in the different areas ISO 27001 refers to. Moreover, the process needs to check that the operational effectiveness of the chosen controls is satisfactory and to adapt the controls (or the surrounding framework leading to the controls) if required.
Within the course this process is explored both from a theoretical and a practical level never losing sight of the computer science perspective. To this end the course also has several 'hands-on' exercises including conducting an EDP audit, a network audit and a network penetration. The course provides the basic information on information security required by the security officer of an organization, by IT security auditors and by IT security consultants. As information security is still a rapidly evolving topic (some might argue it is even still in its infancy) the course can also provide inspiration for further scientific research.
The course starts with introduction of security management based on ISO27001 and then follows the different areas of ISO 27001. In each class one of these areas is discussed in more detail, in many cases by experts from the field, e.g. on ‘lock-picking’, ‘hacking’ etc.