Security Policies and Security Management

Professors: Stefanos Gritzalis, Konstantinos Lambrinoudakis, Eleni-Laskarina Makri
Course category: Core
Course ID: DS-801
Credits: 5
Lecture hours: 3 hours
Lab hours: 2 hours
Digital resources: View on Aristarchus (Open e-Class)

Learning Outcomes

The purpose of the course is to familiarize students with the concepts of the field of information systems security and to give them the knowledge, experience and skills needed to implement information security policies and information security management methodologies.
In this context, after successfully completing the course, students will be able:

  • to understand information security as a management problem and the need for information security management systems.
  • to know the basic concepts of information security, risk analysis, business continuity, security incident management, and information security measurement.
  • to analyse and evaluate information security risks using the methodology of ISO/IEC 27005:2011.
  • to design management systems, information security policies, business continuity plans, disaster recovery plans, and information security measurement processes, and to justify their choices.

Course Contents

  • Introductory issues: The problem of information security, the need to protect information, the information protection framework, standards and standardization, basic concepts of information security.
  • Information security management systems: Information security as a management problem, basic concepts and necessity of information security management systems, the ISO 27k series of standards, ISO/IEC 27001:2013.
  • Risk analysis, assessment and management: The concept of risk, risk management as a methodology, ISO/IEC 27005:2011.
  • Organizational framework for information security: Security policies, policy hierarchy, justification for their existence, information security policy, thematic policies, other elements of the organizational framework, desirable policy characteristics, the policy cycle, responsibility for policy development.
  • Management of security incidents: Basic concepts, the incident life cycle, concerns, purpose and objectives of the incident handling process, incident types, the incident handling team, phases of the incident management process.
  • Business Continuity and Disaster Recovery: Basic concepts, necessity of business continuity planning, types of plans and the relationships between them, the disaster recovery planning process, level of investment.
  • Security Assurance: Basic concepts, types of security metrics, the security measurement process.

Recommended Readings

Associated Scientific Journals

  • IEEE Security and Privacy Magazine, IEEE
  • International Journal of Information Security, Springer
  • Computers and Security, Elsevier
  • Requirements Engineering, Springer
  • IEEE Transactions on Software Engineering, IEEE
  • Security and Communication Networks, Wiley