Information Security Audit

Major: Cybersecurity
Code of subject: 6.125.04.E.124
Credits: 3.00
Department: Information Security
Lecturer: Associate Professor, Ph.D. Garanyuk Petro
Semester: 6
Mode of study: full-time
Purpose of the discipline: The purpose of this discipline is to give the student knowledge of the theoretical foundations and methods of organizing and conducting an information security audit in the field of information protection, based on the ISO/IEC 17799 and 27000 family of international standards. The discipline forms an understanding of how work on the design and operation of comprehensive systems for protecting information resources is organized, and of the organization and legal regulation of the activities of the security service of the information protection facility. It gives the student practical skills in building information security management systems based on the ISO/IEC 17799 and 27000 family of international standards.
Tasks: The study of the discipline involves the formation of the following competences in students. General competences: 1. ZK 1. Ability to apply knowledge in practical situations. 2. ZK 2. Knowledge and understanding of the subject area and understanding of the profession. 3. ZK 5. Ability to search, process and analyze information.
Learning outcomes: As a result of studying the discipline, the student must be able to demonstrate the following learning outcomes: 1. ZN 15. Mastery of the methods of general scientific analysis in the field of information technologies and information security. 2. ZN 21. Knowledge of new domestic and international information security standards. 3. ZN 22. Knowledge of the main models of vulnerabilities, threats and attacks, used to substantiate options for building an automated information security monitoring system for information and communication systems and its main components.
Required prior and related subjects: Regulatory and legal support, standards and policy of information and cyber security; International standards and practices in the field of information security.
Summary of the subject: The current state of the practice of organizational information security audit gives comprehensive answers to the questions that arise when conducting one, in particular: how to conduct an audit, what procedures to use, what results an audit can produce, who has the right to conduct such an audit, how to evaluate the audit results, etc. An important component of business development is the automation of business processes using computer equipment and telecommunication systems, which is accompanied by a rapid increase in the amount of information that is received, processed, transmitted and stored electronically in information systems. Information systems have therefore become key to ensuring the effective development of an enterprise, company or firm.
Description (lecture topics):
1. Introduction. Basics of building information security systems. The purpose and tasks of information security. Threats to information security and their sources. Analysis of the organization's information risks.
2. Concept of information security audit. Information security audit program. Planning the information security audit procedure. Types of audit.
3. Active audit. Expert audit. Audit for compliance with standards. The concept of a comprehensive security audit of information systems.
4. Main areas of information security audit. Control and analysis of audit groups; requirements for auditors. Conducting an information security audit. Algorithm for an organization's security audit.
5. List of data required for an information security audit. Recommendations for the preparation of reporting documents. Evaluating the results of an audit or self-assessment of the organization's information security status. Interpretation of the results of an audit or self-assessment of the organization's information security status.
6. Concept of information security audit. Information security audit program. The "Trusted Computer System Evaluation Criteria" standard (Orange Book). Harmonized criteria of European countries.
7. Basic concepts of the Common Criteria. Information technology evaluation methodology according to the Common Criteria. Assessment of the level of trust in the functional security of information technology. Overview of the classes and families of the Common Criteria.
8. The German BSI standard. British Standard BS 7799. International Standard ISO 17799. Information security audit for compliance with the international standard ISO/IEC 17799:2000 (BS 7799-1:2000).
9. The COBIT standard. Audit of information security for compliance with its requirements. Association of audit and management of information systems (requirements of the COBIT standard). An example of an information security audit of a payroll calculation and issuance subsystem. Standards and guidelines developed as part of the SCORE project.
10. National information security audit standards and guidelines: GAO/AIMD-12.19.6 "Federal Information System Controls Audit Manual" (FISCAM). Audit planning when applying FISCAM provisions. Assessment and testing when applying FISCAM provisions. The final audit document when applying FISCAM provisions.
11. Tasks and content of work during the information security audit of a corporate system. Practical approaches to the analysis and evaluation of the current state of the organization's information security. Security audit of the external perimeter of the corporate network. Examination of the external perimeter of the network for security.
12. Audit of allocated premises. The preparatory stage of the audit of allocated premises. The stage of direct audit of allocated premises. The final stage of the audit of allocated premises.
13. Security audit of individual IT infrastructure objects. Technical examination of information security products and solutions. Peculiarities of information security audit of organizations that use outsourcing. Features of information security audit in the banking system.
14. Methodical recommendations of the NBU on implementing an information security management system and risk assessment methodology. Preparation for the introduction of an ISMS. Description of the existing infrastructure and security measures. Risk analysis. Assessing the risks; developing the documentation. The model for evaluating the processes of the audit object. The accuracy of the assessment of the processes of the audit object. Models (algorithms) for calculating information security indicators.
Teaching methods: practical and laboratory work - reproductive method, heuristic method; independent work - research method.
Assessment methods and criteria: Current control, which consists of performing laboratory work and defending reports, performing and defending control work, an oral survey, and the assessment of activity during practical classes. Examination control, which consists of a written survey and an oral component.
Criteria for assessing learning outcomes: Current control (40 points): 1. Laboratory classes - 35 points. 2. Practical classes - 5 points. Examination control (60 points): written component - 55 points; oral component - 5 points.
Procedure and criteria for awarding points and grades: 100–88 points ("excellent") is awarded for a high level of knowledge (some inaccuracies are allowed) of the educational material of the component contained in the main and additional recommended literature, the ability to analyze the phenomena being studied in their interrelationship and development, to answer questions clearly, succinctly, logically and consistently, and the ability to apply theoretical provisions when solving practical problems; 87–71 points ("good") is awarded for a generally correct understanding of the educational material of the component, including calculations, and reasoned answers to the questions posed which nevertheless contain certain (insignificant) shortcomings, and for the ability to apply theoretical provisions when solving practical tasks; 70–50 points ("satisfactory") is awarded for weak knowledge of the component's educational material, inaccurate or poorly reasoned answers with a violation of the sequence of presentation, and weak application of theoretical provisions when solving practical problems; 49–26 points ("not certified", with the possibility of retaking the semester control) is awarded for ignorance of a significant part of the educational material of the component, significant errors in answering questions, and inability to apply theoretical provisions when solving practical problems; 25–00 points ("unsatisfactory", with mandatory re-study) is awarded for ignorance of a significant part of the educational material of the component, significant errors in answering questions, inability to navigate when solving practical problems, and ignorance of the main fundamental provisions.
Recommended books: 1. Romaka V.A., Dudykevych V.B., Garasym Y.R., Garanyuk P.I. Information Security Management Systems: Textbook. Lviv: Lviv Polytechnic National University, 2012. 230 p. 2. Romaka V.A., Lagun A.E., Garasim Y.R., Rak T.S., Samotiy V.V., Rybiy M.M. Information Security Audit: Textbook. LSU BJD, 2015. 362 p. 3. International standards ISO 17799:2000, ISO/IEC 27001:2005, ISO/IEC 27002:2007. 4. Alan Calder and Steve Watkins. Information Security Risk Management for ISO 27001 / ISO 17799. IT Governance Publishing, 2007.
Unified appendix: Lviv Polytechnic National University ensures the realization of the right of persons with disabilities to obtain higher education. Inclusive educational services are provided by the "Without Restrictions" Service for Accessibility to Learning Opportunities, the purpose of which is to provide permanent individual support for the educational process of students with disabilities and chronic diseases. An important tool for implementing the University's inclusive educational policy is the Program for improving the qualifications of scientific and pedagogical workers and educational and support staff in the field of social inclusion and inclusive education. Contact: 2/4 Karpinsky St., 1st floor, room 112. E-mail: nolimits@lpnu.ua. Websites: https://lpnu.ua/nolimits, https://lpnu.ua/integration
Academic integrity: The policy on the academic integrity of the participants of the educational process is based on compliance with the principles of academic integrity, taking into account the "Regulations on Academic Integrity at Lviv Polytechnic National University" (approved by the Academic Council of the University on June 20, 2017, protocol No. 35).