GMA-Cybersecurity

Governance, management and auditing of Cybersecurity Course

Prof. (Dino) Cataldo Dell’Accio

Home

Course objectives

The aim of this course is to gradually introduce students to principles, concepts and practices for governing, managing and auditing cybersecurity in accordance with international standards (i.e., International Organization for Standardization - ISO), and generally accepted professional best practices. Particular attention is given to the architecture of effective cybersecurity programs, including the elements and mechanisms that form the basis of cybersecurity management systems adopted by organizations to define scope; identify threats; assess/manage risks; select mitigating controls; self-asses security posture; provide assurance and demonstrate compliance through audits and formal certifications.

The course will enable students to analyze the logical linkages, concepts, frameworks, models pertaining to:

Cybersecurity -> From Information Security -> to Cybersecurity
Governance -> From Corporate Governance -> to ICT Governance -> to Cybersecurity Governance
Management -> From Management to ICT Management -> to Cybersecurity Management
Auditing -> From Audit to Internal Audit -> to ICT Audit -> to Cybersecurity Audit
Putting all together: GRC -> Governance– Risk - Compliance

Application of knowledge and understanding through simulations

A combination of lectures and real case studies reviews will introduce students to the adoption of professional standards, best practices and code of ethics that define objectives and control mechanisms for establishing, governing, operating, monitoring, improving, independently auditing and certifying cybersecurity management systems.

Textbook

Effective Cybersecurity: A Guide to Using Best Practices and Standards, First Edition, By William Stallings

Additional reference books: In addition to the textbook, students are encouraged to consult the following books:

Fundamentals of Information Systems Security: 3^rd Edition by Michael G. Solomon, David Kim - Jones and Bartlett Learning 2016;
IT Governance: 6^th Edition – An international guide to data security and ISO27001/27002 – Alan Calder and Steve Watkins, Kogan Page 2015

Reference materials

ISO/IEC 27000, Information security management systems — Overview and vocabulary
ISO/IEC 27001, Information security management systems — Requirements
ISO/IEC 27002, Code of practice for information security controls
ISO/IEC 27005:2011 Information technology -- Security techniques -- Information security risk management
“OCTAVE Allegro” Information Security Risk Assessment - Carnegie Mellon University/Software Engineering Institute
ISACA standards and best practices
Other relevant reference (i.e., NIST publications)

Student assessment

A final written exam/homework will require students to analyze a real case cybersecurity scenario and develop a plan: Defining the relevant information assets and scope; Analyze threats; Identify and assess risks; Propose mitigating controls; and Recommend continuous improvement mechanisms.

Criteria of the assessment will include:

Knowledge/Understanding: Demonstrated knowledge and understanding of the principles and concepts
Application: Demonstrated ability to apply principles and concepts to the practical case
Communication Demonstrated ability to communicate in clear, succinct and grammatical correct manner
Completeness: Demonstrated ability to complete the homework/exam within the prescribed timeframe responding to all the questions

Report abuse