Description
The subject is divided into two blocks, Audit and Security.

Block 1 (Audit): During the subject the students acquire knowledge of the internationally recognized Information Technology standards, such as COBIT (Control Objectives for Information Technology) and ISO/IEC 27001:2005 (Information Security Management System), as well as the Spanish LOPD (Organic Law on the Protection of Information) and the various methodologies for carrying out Risk Analysis, Business Continuity Plans, Business Impact Analysis and the different audits related to Information Technology.

Block 2 (Security): The basic concepts needed to manage Computer Security in the business environment are studied: detecting risks and threats, knowing the legal responsibilities and the available technology, and preparing the student to design the response to be applied in the event of a hypothetical disaster in the company.
Type of Subject
Elective
Semester
First
Credits
5.00
Previous Knowledge

None

Objectives

Students taking the subject acquire the following knowledge and develop the following abilities:

Objectives of Block 1 (Audit)

1. To learn the fundamental concepts of the COBIT standard (Control Objectives for Information Technology) in order to apply them in their future organizations.

2. To develop knowledge in the areas of the Information Systems Audit Process, Control of Information Technology, Management of the Systems and Infrastructure Life Cycle, IT Delivery and Support, Protection of Information Assets, and Business Continuity and Disaster Recovery, as the basis of the training to obtain the international CISA certification (Certified Information Systems Auditor).

3. To learn the fundamental concepts of the ISO/IEC 27001:2005 standard (Information Security Management System) in order to apply them in their future organizations.

4. To understand the fundamental concepts of the LOPD (Organic Law on the Protection of Information) in order to apply them in their future organizations.

5. To understand the various existing methodologies for carrying out Risk Analysis, Business Continuity Plans and Business Impact Analysis.

6. To develop the knowledge and skills needed to carry out the different audits related to Information Technology.

Objectives of Block 2 (Security)

To master the basic concepts of Computer Security and to develop a global view of the factors that determine a secure environment.

1. To acquire the ability to identify the company's assets and the security risks and threats through the preparation of a Risk Analysis.

2. To know the legal requirements, directives and current legislation regarding Information Security through the use of the existing tools (Security Policies, Standards, Guides and Procedures).

3. To acquire the ability to align security with the business strategy by defining critical success factors, KPIs and KGIs.

4. To master the definition of a Disaster Recovery Plan (DRP) in the business environment.

Contents

Block 1 (Audit) has four parts, whose detailed topics are the following:

A. COBIT (Control Objectives for Information Technology).

A1. HISTORY AND PRECEDENTS.

A2. EXECUTIVE SUMMARY.

A3. REFERENCE FRAMEWORK.

A4. CONTROL OBJECTIVES:
4.1. Planning and Organization.
4.2. Acquisition and Organization.
4.3. Service Delivery and Support.
4.4. Monitoring.

B. CISA (Certified Information Systems Auditor).

B.1. INFORMATION SYSTEMS AUDITING PROCESS:
5.1. Introduction.
5.2. Standards and Directives.
5.3. Risk Analysis.
5.4. Internal Controls.
5.5. Execution of the IS Audit.

B.2. IT GOVERNANCE:
6.1. Corporate Governance.
6.2. IS Strategy, Policies and Procedures.
6.3. Risk Management.
6.4. IS Organizational Structure and Responsibilities.
6.5. Audit of IT Governance.

B.3. MANAGEMENT OF THE SYSTEMS AND INFRASTRUCTURE LIFE CYCLE:
7.1. Project Management Structure.
7.2. Project Management Administration.
7.3. Software Development Strategies and Methods.
7.4. Infrastructure Acquisition.
7.5. IS Maintenance.
7.6. Process Improvement.
7.7. Application Controls.
7.8. Audit of System Development, Acquisition and Maintenance.

B.4. IT DELIVERY AND SUPPORT:
8.1. IS Operations.
8.2. IS Hardware.
8.3. IS Architecture and Software.
8.4. IS Network Infrastructure.
8.5. Audit of Infrastructure and Operations.

B.5. PROTECTION OF INFORMATION ASSETS:
9.1. Information Security Management.
9.2. Logical, Physical and Environmental Access Control.
9.3. Network Infrastructure Security.
9.4. Audit of the Information.

B.6. BUSINESS CONTINUITY AND DISASTER RECOVERY:
10.1. Business Continuity Plan / Disaster Recovery.
10.2. Audit of the Business Continuity Plan / Disaster Recovery.

C. ISO/IEC 27001:2005 (Information Security Management System):
11.1. Legislation in force on ISO/IEC 27001:2005.
11.2. Objectives of ISO/IEC 27001:2005.
11.3. Policies of ISO/IEC 27001:2005.
11.4. Controls of ISO/IEC 27001:2005.
11.5. Audit of ISO/IEC 27001:2005.

D. LOPD (Organic Law on the Protection of Information):
12.1. Legislation in force on the LOPD.
12.2. Objectives of the LOPD.
12.3. Policies and Controls of the LOPD / COBIT.
12.4. Audit of the LOPD.

Block 2 (Security) covers the following sections:

1. Disaster Recovery Plan
a. General concepts
b. Preparation process

2. Importance of Security in ICT
a. Objectives and determining factors
b. Global view - General risks
c. Global view - Threats and types of attacks
d. Hacking. Capacity of the threats and.
e. Current situation of security incidents
f. Viruses
g. Physical security
h. Internet

3. Prevention and technological solutions

4. Legal requirements of Security in ICT
a. Directives and Laws
b. Basic aspects of the LOPD and LSSI
c. Responsibilities and sanctions

5. The need for Security management
a. Costs
b. Outline of a secure system
c. Functions of a secure system

6. Basic Security management
a. General view - Security Plan
b. Regulations and Certifications

7. Risk Analysis
a. General concepts
b. Methodologies (Magerit)

8. Security Policies
a. Standards, Guides and Regulations
b. Implementation methodology

9. Security and the strategic control of the organization
a. CSFs, KGIs and KPIs
b. Managed Security

10. Conclusions

Methodology

Block 1 (Audit)

The aim of the program is that, once the student has finished the course, he is able to apply all of the knowledge acquired in his future work. The main load of the course work will be presented during class hours. To accomplish this, the following training method is proposed:

The classes will be divided into two parts: first, a theoretical part, which will include the use of colour slides and the transmission of the teacher's practical experience in different aspects of the subject; and second, a practical part, including group work and presentations approved by the teacher to reinforce the concepts presented.

Class attendance is fundamental for the student to acquire knowledge, to carry out the various practical works, and to participate actively in the classes taught by the professor.

At the end of the course there will be a multiple-choice examination and/or an individual final paper to evaluate the knowledge acquired during the course.

Block 2 (Security)

The course material will be covered in the sessions, whose attendance will be monitored. In the classes we will explain the basic topics with interaction and student participation in the class dynamics, and we will review the documentation provided. The subject documentation contains all the slides used in the sessions, with expanded information on them.

Complementary documentation will be available, and a mandatory central project will be carried out in groups, which will serve to evaluate the subject. At the same time there will be two optional individual works intended to fine-tune each student's grade. Reading the documentation in advance will help you to raise interesting questions and will make it easier to work on the projects covered in class or outside class.
As far as possible we will devote class time to outlining and developing the group project.

Evaluation

Block 1 (Audit), 50% of the grade:

The evaluation methods used in the subject are:

C. Multiple-choice examinations
E. Individual works
F. Group work
I. Oral presentations
J. Participation in class

The objective of the course is that the student acquires the knowledge mentioned above and is able to apply it in his future professional life; for this reason, the evaluation criteria will assume that the knowledge is assimilated and will not add an additional workload.

Based on the above, participation in class will be valued very positively, as it enriches, widens and helps to consolidate the knowledge taught in class; works will be carried out in groups and there will be oral presentations in class of the material covered (the practical application of the acquired knowledge guarantees the applicability of the theoretical concepts); the final evaluation of the course will be a multiple-choice examination covering all of the educational material, or an individual final paper. Students who wish to improve their grade may both take the multiple-choice examination and write a final paper.

Grading method:

20% Participation in class.
20% Class attendance.
20% Group work and oral presentations in class.
40% Final comprehension test and/or individual final paper.

Note: If both the final test and the individual final paper are done, the exercise will count as an additional 20%.

Block 2 (Security), 50% of the mark:

The evaluation methods used in the subject are:

C. Multiple-choice exams
E. Individual works
F. Group works
I. Presentations
J. Participation in class

A - The base grade will be calculated from the evaluation of the mandatory group work (preparing the Disaster Recovery Plan). (70%)

B - Participation, interactivity and the delivery of the optional works will be the way to adjust and personalize the grade. (30%)

C - Class attendance is mandatory; missing three classes will mean that the student will not be evaluated.

Evaluation Criteria

Block 1 (Audit)

Objective 1: The student must demonstrate his capacity for analysis, synthesis, organization and planning in order to carry out the group work and its respective presentations. [F, I].

Objective 2: The student must demonstrate that he knows the fundamental concepts of the different standards, regulations, methodologies and types of audit in the multiple-choice examination, his individual work and class participation. [C, E, J].

Objective 3: The student must demonstrate his oral and written communication skills in the different evaluation methods of the subject. [E, F, I, J].

Objective 4: In the interpersonal area, the student's ability to develop his critical and self-critical capacity will be evaluated, as well as his ability to improve his interdisciplinary skills in team work. [F, I].

Objective 5: The student must understand the different technologies in order to design and manage technological projects, and have the ability to apply the knowledge acquired in practice. [F, I].

Block 2 (Security)

Criteria used to evaluate the results obtained by the student.

Objective 1: To master the basic concepts needed to develop a Disaster Recovery Plan. The students will prepare the DRP either for the company defined in their group work or for the company where they work, applying the methods and knowledge studied in class. (D, F, I, J).

Objective 2: To become aware of the problem and the importance of Information Security. In order to understand the existing problems and the importance of security, a Risk Analysis will be prepared. This work is optional. (D, F, J).

Objective 3: To be able to evaluate the risks to consider in our business environment. In order to understand the tools and existing methods for exercising effective and efficient security management, a Security Policies work will be prepared. This work is optional. (F, J).

Objective 4: To be able to manage Information Security in the business environment. The student's capacity to adapt dynamically to the company's scenario will be reflected in how the analyzed concepts are integrated into each of the presented works. (D, F, J).

Basic Bibliography

Block 1 (Audit)

Notes from the Seminario Auditoría Informática of the course: Valentín Faura.
Study guides from the Seminario Auditoría Informática of the course: Valentín Faura.

Block 2 (Security)

William Caelli, Dennis Longley and Michael Shain. Information Security for Managers. Stockton Press.
William Caelli, Dennis Longley and Michael Shain. Information Security Handbook. Macmillan Publishers, Ltd.
Ken Wong and Steve Watt. Managing Information Security. Elsevier Advanced Technology.

Additional Material

Block 1 (Audit)

1. COBIT. IT Governance Institute.
2. MANUAL DE PREPARACIÓN AL EXAMEN CISA. ISACA.
3. ISO/IEC 27001:2005.
4. Ley Orgánica 15/1999, de 13 de enero de Protección de Datos de Carácter Personal (LOPD).
5. RD 994/1999, de 11 de junio que aprobó el Reglamento de Medidas de Seguridad.

Block 2 (Security)

Data Security Management. Auerbach Publishers.
William E. Perry and Javier F. Kuong. EDP Risk Analysis and Controls Justification. MAP.
D. W. Davies and W. L. Price. Security for Computer Networks. John Wiley and Sons.
Seguridad Informática y Comunicaciones.
Firma Electrónica. Propietat Intelectual. Leyes. LORTAD. Reglament. MHAbogados.