IT Cybersecurity Audit

Major: Administration of Cybersecurity Systems
Code of subject: 7.125.04.O.003
Credits: 4.00
Department: Information Security
Lecturer: Assoc., Ph.D. N. Lakh Yu.V.
Semester: 1st semester
Mode of study: full-time
Learning outcomes:
RS3. Conduct research and/or innovation activities in the field of information security and/or cyber security, as well as in the field of technical and cryptographic protection of information in cyberspace.
PH11. Analyze, control and ensure the effective functioning of the system for managing access to information resources in accordance with the established strategy and policy of information security and/or cyber security of the organization.
RS13. Research, develop, implement and use methods and means of cryptographic and technical information protection of business/operational processes, as well as analyze and assess the effectiveness of their use in information systems, objects of information activity and critical infrastructure.
RS15. Clearly and unambiguously convey own conclusions on information security and/or cyber security issues, as well as the knowledge and explanations that justify them, to staff, partners and others.
Required prior and related subjects:
Previous: Methods and means of information protection; Legal provision of information security; State secret protection systems.
Accompanying: Information security risk management; Management in the field of information protection; Management of information security incidents.
Summary of the subject:
1. Introduction. Basics of building information security systems. The purpose and tasks of information security. Threats to information security and their sources. Analysis of the organization's information risks.
2. Methods of assessing the organization's information risks. Management of information risks. A model for constructing an information security system. Development of an information security assurance concept.
3. The concept of an information security audit. Information security audit program. Planning the information security audit procedure. Types of audit.
4. Main areas of information security audit. Control and analysis of audit groups; requirements for auditors. Conducting an information security audit. Algorithm for the organization's security audit.
5. Assessment of audit results. List of data required for an information security audit. Recommendations for preparing reporting documents. Evaluating the results of an audit or self-assessment of the organization's information security status. Interpreting the results of an audit or self-assessment of the organization's information security status.
6. Standards. The concept of an information security audit. Information security audit program. The "Trusted Computer System Evaluation Criteria" standard (the Orange Book). Harmonized criteria of European countries. The work of the "blue" team in protecting information on the Internet.
7. Basic concepts of the Common Criteria. Information technology evaluation methodology according to the Common Criteria. Assessment of the level of assurance in the functional security of information technology. Overview of the classes and families of the Common Criteria.
8. International standards. The German BSI standard. British Standard BS 7799. International Standard ISO 17799. Information security audit for compliance with the international standard ISO/IEC 17799:2000 (BS 7799-1:2000).
9. Standards and libraries: GAAP, ISACA, COBIT, ISO, ITIL, NIST, etc.
10. National standards and guidelines for auditing information security: GAO/AIMD-12.19.6 "Federal Information System Controls Audit Manual" (FISCAM). Audit planning when applying the provisions of FISCAM. Assessment and testing when applying the provisions of FISCAM.
11. Audit of corporate organizations. Laboratory approaches to analyzing and assessing the current state of the organization's information security. Security audit of the external perimeter of the corporate network. Examination of the external network perimeter for security.
12. Audit of allocated premises. The preparatory stage of the audit of allocated premises. The stage of the direct audit of allocated premises. The final stage of the audit of allocated premises.
13. Security audit of individual IT infrastructure objects. Technical examination of information security products and solutions. Features of information security audit in the banking system.
14. Information security audit of banking institutions. Methodological recommendations of the National Bank of Ukraine on implementing an information security management system and the risk assessment methodology. Preparation for introducing an ISMS.
15. Evaluation of the information security audit. A model for evaluating the processes of the audit object. Accuracy of the assessment of the audit object's processes. Models (algorithms) for calculating information security indicators.
Assessment methods and criteria: Performance and defence of laboratory work: 65; Control work: 35.
Recommended books:
1. White A., Clark B. Blue Team Field Manual (BTFM). CreateSpace Independent Publishing Platform, January 13, 2017. 134 pp. Web resource: https://it.b-ok2.org/book/3382257/0b54cd
2. Murdoch D. Blue Team Handbook: SOC, SIEM, and Threat Hunting Use Cases (V1.02): A Condensed Guide for the Security Operations Team. CreateSpace Independent Publishing Platform, July 2019. 258 pp.
3. Kurylo A. P., Zefirov S. L., Golovanov V. B., et al. Audit of Information Security. Moscow: BDC-press, 2006. 304 p.
4. Zamula O. A. Protection of State Secrets. Study guide for students majoring in "Information Security". Kharkiv: KhNURE, 2003. 208 p.
5. DSTU ISO 19011:2003. Guidelines for auditing quality management systems and environmental management systems. Kyiv: Derzhspozhyvstandart Ukrainy, 2004. 31 p.
6. Sheshukova T. G., Horodylov M. A. Audit: Theory and Practice of Applying International Standards. Moscow: Finansy i Statistika, 2005. 184 p.
7. Petrenko S. A., Petrenko A. A. Internet Security Audit. Moscow: DMK Press, 2002. 416 p.
8. Zegzhda D. P., Ivashko A. M. Fundamentals of Information Systems Security. Moscow: Goryachaya Liniya - Tekhnokom, 2000. 452 p.
9. Petrenko S. A. "Internet Security Audit", "Information Protection Technologies", "Enterprise Information Security".
10. Law of Ukraine "On Information".
11. International standard ISO/IEC 27002-2007.
12. International standard ISO/IEC 27001-2005.