
IT Security. Building an ISMS (information security management system)
Open training
Venue: online
Group: recruited
Program: standard
Corporate training
Venue: online or in your office
Group: members of your company
Program: takes into account the characteristics of the customer
Features
Language: Ukrainian, English, Finnish, Arabic, Hebrew
Program: includes practical classes
Certificate: students will receive a certificate of attendance and additional materials in electronic form.

Coach: Kochukov Andrey
Experience: 25+ years of teaching various management practices and business processes; conducting audits of companies around the world and setting up their management solutions.
Education: ICI, Brussels, Belgium, Faculty of Sociology (full-time); specialty: Sociology; Ph.D. diploma.
For whom
The course is designed for IT managers and Information Security employees to gain an understanding of best practices in modeling and managing information security management processes, and forming and monitoring the implementation of Information Security policies.
Program
The course summarizes and systematizes the long-term experience of the Training Center specialists in the development of information security systems, analytical surveys of the largest computer networks of Ukraine.
Special attention is paid to the technology of ensuring information security, the rational distribution of functions and the organization of effective interaction on information protection issues of all units and employees who use and ensure the functioning of automated systems. Issues of development of normative-methodical and organizational-administrative documents are considered in detail, taking into account the requirements of Ukrainian legislation and international standards, necessary for the implementation of the considered technology.
Students will be taught security requirements with reference to the following international standards:
ISO/IEC 27000:2009 Definitions and basic principles. First harmonization with the COBIT and ITIL frameworks.
ISO/IEC 27001:2005 Information technology. Security techniques. Information security management systems. Requirements (formerly BS 7799-2:2005).
ISO/IEC 27002:2005 Information technology. Security techniques. Code of practice for information security management (formerly ISO/IEC 17799:2005).
ISO/IEC 27003:2007 Information technology. Security techniques. Information security management system implementation guidance.
ISO/IEC 27004:2007 Information technology. Security techniques. Measuring the effectiveness of the information security management system.
ISO/IEC 27005:2007 Information technology. Security techniques. Information security risk management (based on BS 7799-3:2006).
ISO/IEC 27006:2007 Information technology. Security techniques. Requirements for bodies providing audit and certification of information security management systems.
ISO/IEC 27007 Guidance for ISMS auditors (draft).
ISO/IEC 27011:2008 Guidance on information security management for telecommunications.
Payment Card Industry Data Security Standard (PCI DSS) v2.0 (where applicable).
ISO/IEC 38500:2008 Corporate governance of information technology.
DSTU ISO/IEC TR 13335-1:2003 Information technology. Guidelines for the management of IT security. Part 1: Concepts and models for IT security.
DSTU ISO/IEC TR 13335-2:2003 Information technology. Guidelines for the management of IT security. Part 2: Managing and planning IT security.
DSTU ISO/IEC TR 13335-5:2005 Information technology. Guidelines for the management of IT security. Part 5: Management guidance on network security.
Module 1. Security of information systems
Basic concepts of information technology security. Subjects of information relations, their interests and security, and the ways they can be harmed. Basic terms and definitions. Confidentiality, integrity, availability. Requirements for information security (IS). Information security management system (ISMS). Conceptual model of IS. General structure of the IT support infrastructure. Types of processed information. Object-oriented approach to IS. Objects, goals and tasks of protecting information systems.
Information security threats. Classification. The main sources and ways of implementation of threats. Models of violators. Approaches to the analysis and management of risks, to the categorization of resources and the definition of requirements for the level of ensuring information security. Ukrainian and international standards and criteria for system security.
Information security measures. Typology. Basic principles of construction of protection systems. Principles of countering threats.
Basic protective mechanisms. Measures to ensure IS.
Basic mistakes in the construction of protected information systems.
Module 2. Legal basis of ensuring information security
Laws of Ukraine and other legal documents that regulate the relations of subjects in the information sphere and the activities of information protection organizations. Protection of restricted-access information; rights and obligations of subjects. Licensing of activities, certification of protection means and attestation of information systems. Requirements of the governing documents of the NBU and the Security Service of Ukraine. The legality of using cryptographic protection of information.
Module 3. Organization of protection measures and methods
Risk assessment and risk treatment. The risk assessment process. The risk treatment process.
Process components. Context establishment. Information security risk assessment process. Information security risk analysis. Information security risk evaluation. Information security risk treatment. Information security risk acceptance. Information security risk communication. Information security risk monitoring and review. Approaches to information security risk assessment.
Security policy.
Organization of information security. Internal organization. Ensuring security where third-party organizations have access to information systems.
Asset management. Liability for assets. Classification of information.
Security issues related to personnel res
