INFORMATION SECURITY AND AUDIT
SOLVED PRACTICE QUESTIONS

Course Objective 

The main objective of this course is to provide a strong basis for information security and to identify the various aspects of information security breaches in an enterprise. After successful completion of the course, the student will be able to assess the security posture of an organization, identify various risks, and design and develop systems that conform to acceptable security. The student will also be able to conduct research in security domains.

1. Overview of information security – 6 hrs

Introduction to information security, Confidentiality, Integrity, Availability, Authentication, Non-Repudiation, Access control, threats, vulnerabilities, exploits. Risk, risk analysis, risk management cycle.

2. Information and Network Security Policies – 8 hrs 

Security policies and objectives, types of policies, confidentiality policies, integrity policies, hybrid policies, Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model, Chinese Wall model, clinical information systems.

3. Cryptography and PKI – 6 hrs 

Encryption, symmetric key encryption, common symmetric key algorithms including DES and 3DES, asymmetric key encryption, RSA, elliptic curve encryption, Diffie-Hellman key exchange, session vs. interchange keys, hash functions, digital signatures, cryptographic key infrastructure, certificates, X.509, storing and revoking keys, key escrow.

4. Network security applications – 6 hrs

OSI architecture review, authentication applications, IP security, VPN, network management security, email security, web security, SSL, TLS, security in mobile devices, security in virtual environments and the cloud.

5. Design Principles – 6 hrs

Overview, principle of least privilege, principle of fail-safe defaults, principle of economy of mechanism, principle of complete mediation, principle of open design, principle of separation of privilege, principle of least common mechanism, principle of psychological acceptability.

6. Compliance, Evaluation Systems and Law – 8 hrs

Compliance and regulations, PCI DSS, SOX, HIPAA, evaluating systems, goals of evaluating systems, TCSEC, ITSEC, FIPS, Common Criteria, SSE-CMM, law and information security, historical evolution of computer-related law in the US. Privacy law and its significance to information security, the UK DPA and the EU GDPR, the ETA of Nepal.

7. Malicious logic and attacks – 4 hrs

Malicious logic, Trojan horses, viruses and their types, worms, logic bombs, common attacks and examples, defenses.

8. Vulnerability analysis and IT Audit – 8 hrs

Introduction, vulnerability assessment tools, penetration testing and its objectives, black-box, grey-box and white-box tests, information technology audit, objectives, the IT audit process, the audit report and its significance.

9. Intrusion detection and log analysis – 8 hrs

Intrusion definition, detection systems, prevention systems, log auditing, log management, incident handling, SIEM, UEBA.

REFERENCES 

• Matt Bishop, “Computer Security: Art and Science”, Second Edition, Pearson Education

• Mark Merkow, James Breithaupt, “Information Security: Principles and Practices”, First Edition

• Neal Krawetz, “Introduction to Network Security”

• William Stallings, “Network Security Essentials”, Third Edition