2. Module information
• Lectures: ERD171 (Dr Xiaoqi Ma)
• Seminars: ABK010
• Module webpage: NOW
• Course book: Dhillon, G. (2006) Principles of Information Systems Security: Texts and Cases, Wiley, ISBN: 0471450561.
Computer Security Management
Page 2
3. Module information (cont.)
• Assessment:
– Coursework (50%)
Seminar presentation and related report on a new security technology or process change
– Exam (50%)
Examination of knowledge of a variety of strategies, processes, laws, and ethical dilemmas, and their related value to specific cases.
• Please note: seminars start next week!
4. Module overview
• Threats and Risk Management
– Develop awareness of threats, such as denial of service and modification attacks, and of hacker motivation and techniques.
– Apply risk management (assessment and control) to address the threats to enable business continuity management.
• Security Strategy and Management
– Defining information security, the security systems life cycle and the computer security function within an organisation.
– Developing IT security strategy, governance and policy to enable audits and compliance.
– Cost Justification of security decisions
• Ethics & law in computer security
– Credentials of Information Security Professionals
– Key laws including current case law, and how organisations should develop policies to address them.
5. Management
• In order to be able to manage something:
– Need to be able to measure this something!
• In order to be able to measure something:
– Need to know what this something actually is!
• So: what is ‘computer security’?
6. Information security requirements
• Confidentiality
– Protecting sensitive information from unauthorised disclosure or intelligible interception
• Integrity
– Safeguarding the accuracy and completeness of information (and software)
• Availability
– Ensuring that information (and vital services) are available to users when required
• Authentication
– Ensuring that information is from the source it claims to be from
• Non-repudiation
– Prevents an entity from denying having performed a particular action related to data
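Added example (not part of the original slides): the Python script below, using only the standard library, shows how a keyed message authentication code (HMAC) delivers two of the requirements listed above, integrity and authentication, and makes visible what it does not deliver. The shared key, the payment message and the three scenarios are constructed for this demonstration.

```python
import hmac
import hashlib

# Constructed demonstration key shared by sender and receiver (hypothetical value,
# chosen only for this example).
SHARED_KEY = b"demo-shared-key-constructed-for-this-example"


def protect(message: bytes, key: bytes) -> tuple[bytes, bytes]:
    """Attach an HMAC-SHA256 tag to a message.

    The tag gives the receiver integrity (any change to the bytes changes the
    tag) and authentication of origin (only a holder of `key` can compute it).
    It does NOT give confidentiality: the message itself travels in the clear.
    """
    tag = hmac.new(key, message, hashlib.sha256).digest()
    return message, tag


def check(message: bytes, tag: bytes, key: bytes) -> bool:
    """Recompute the tag over the received bytes and compare in constant time,
    so a mismatch anywhere in the tag is rejected without leaking timing."""
    expected = hmac.new(key, message, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def demo() -> dict[str, bool]:
    """Run three scenarios over a constructed message and report whether the
    receiver accepts each one."""
    original = b"pay 100 to account 42"
    message, tag = protect(original, SHARED_KEY)

    # 1. Genuine message, untouched in transit: accepted.
    genuine = check(message, tag, SHARED_KEY)

    # 2. Integrity violation: the amount is altered in transit, but the old tag
    #    no longer matches and the key is not available to recompute it.
    modified = check(b"pay 900 to account 42", tag, SHARED_KEY)

    # 3. Authentication failure: a party without the shared key originates a
    #    message and tags it under a guessed key.
    forged_msg, forged_tag = protect(b"pay 900 to account 42", b"guessed-key")
    forged = check(forged_msg, forged_tag, SHARED_KEY)

    return {"genuine": genuine, "modified": modified, "forged": forged}


if __name__ == "__main__":
    for scenario, accepted in demo().items():
        print(f"{scenario:9s}: {'accepted' if accepted else 'rejected'}")
```

Running the script reports the genuine message as accepted and the modified and forged ones as rejected. Two of the slide's other requirements are deliberately absent here: confidentiality, because the message is never encrypted and anyone observing the channel can read it, and non-repudiation, because sender and receiver hold the same key, so either of them could have produced the tag; non-repudiation needs a digital signature made with a private key that only the originator holds.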
7. Computer security: protection of information-related assets
• Data
• Hardware
– Computer
– Network infrastructure
• Software
– System software
– Application software
• Intangible assets
– Reputation of organisation
– Goodwill of customers
• etc.
8. Some definitions
• Harm
– Something happens to an asset that we do not want to happen
• Threat
– Possible source of harm
• Attack
– Threatening event (instance of a threat)
• Attacker
– Someone or something that mounts a threat
• Vulnerability
– Weakness in the system (asset) that makes an attack more likely to succeed
• Risk
– Possibility that a threat will affect the business or organisation