Information Technology (CIT) at Zayed University. We show that these students learned about the procedures for implementing ISO 27001 and participated in hands-on activities involving this standard, which is one of the most widely used in the Information Security field.

The rest of this paper is organized as follows. Section 2 provides a brief overview of Zayed University and the IT majors it offers. Section 3 discusses the capstone project case study. The students' learning outcomes are discussed in detail and evaluated in section 4. Possible enhancements to Information Security courses are presented in section 5. Lastly, conclusion and future work are presented in section 6.

and Technology Management (College of Business Sciences); Multimedia Design (College of Communications and Multimedia Sciences); and Technology and Education (College of Education).

ISO 27001

ISO 27001 is the most widely used standard and the most recognized structured methodology dedicated to information security [11, 12]. This standard focuses on the Information Security Management Systems (ISMS) standard to ensure integrity, availability, and confidentiality. Moreover, it is known as a management process that can be implemented to evaluate and maintain an Information Security Management
[Fig. 1. ADSIC Information Security Planning. Flowchart with inputs, activities and outputs: Step 1, Determine Risk (input: a list of risks identified during Risk Assessment; output: a prioritized list of risks); Step 2, Identify Potential Security Controls (inputs: OUT1 and the ADSIC Information Security Standards Guide; output OUT2: a list of potential controls that may be implemented to treat each risk); Step 3, Determine Cost-Effective Controls; Verify Control Implementation (output: a list of controls along with the verification date); residual risk following control implementation (OUT7); Step 5, Develop Information Security Plan (input: the outputs from Steps 1 through 7; output: Information Security Plan). Companion flow: Risk Assessment Report, Information Security Plan, ST&E Report and Summary of Security Risks Report feed an Updated Risk Assessment and an Accreditation Decision (ATO, IATO, DTO), followed by a Decision to Restart the Risk Management Process, with Configuration Management, Security Scans and Audit Logs as inputs.]

policies, the scope and organization of the ISMS, and its risk management framework. They followed the implementation of the ISMS into the Do phase, and monitored the ISMS process through the internal audit phase to ensure compliance and control effectiveness in the Check phase. They also examined the results in the latter phase and improved the ISMS in the Act phase. See Figure 3 for more details.

The students experienced a great deal of satisfaction in knowing that they can integrate this ISO 27001 model with ISO 20000, because these standards prioritize security management by requiring in-depth risk assessment, impact analysis, and mitigation planning. The following table provides further detail on the areas covered by the two standards.
[Fig. 3. Injazat PDCA Model. Four quadrants: Establish Information Security Management System (ISMS): IS Risk Management Framework, ISMS Policies, ISMS Scope and Organization. Implement and Operate ISMS: IS risk management implementation and operation. Monitor and Review ISMS: Internal Audit, Ensure compliance, Controls effectiveness, Results review. Maintain and Improve ISMS: Corrective and Preventive actions, Ensure continual improvement.]

The students were aware that, in the integrated ISO approach, Injazat was able to follow a security and risk management framework in the Plan phase, while objectives such as identifying scope, writing policies, establishing service management and security organization, and developing an Information Security Risk Management (ISRM) and ITIL Service Management Framework were being pursued concurrently. Injazat explained gap analysis to the students, in terms of addressing security problems based on its own standards and improving its services even further. The students also looked at Injazat's forums and training programs, and their diversity awareness campaigns designed to address the various backgrounds and differing levels of understanding of its employees. It was fun to see posters sent to employees from time to time to raise awareness about Information Security issues.

C. GASCO Learning Outcomes

The students were enthusiastic about examining one more case study, which was concerned with ISO 27001 certification, as the context can differ from one organization to another. In the case of GASCO, they asked professional services firm Deloitte to perform their gap analysis, which the company began by assessing GASCO's current security practices against the best practices inspired by ISO 27001, identifying the gaps in the existing security controls, and defining the steps required to fill them. Deloitte was also responsible for writing the main ISMS documents for GASCO. The GASCO security team then developed a risk treatment plan, which determined the appropriate management action to take, and the resources, responsibilities, and priorities for managing Information Security risks. Finally, they developed the required documents, as stated in Table 1 for ISO 27001. GASCO monitored the ISMS and implemented the controls. They also began executing the internal ISMS audit. However, they still needed an ISMS expert to perform the audit for them. They chose Deloitte, who planned to carry out risk management testing for GASCO every six months, and then revised the schedule to every eight months.

[Uncaptioned figure: GASCO certification steps.
- Gap Analysis
- Risk Treatment
- Internal Audit Program
- Training and Awareness
- Stage I (Desktop) Audit
- Monitor Controls
- Stage II (Final) Audit]
computer forensics specifically, are discussed. Security issues at the personal, enterprise, and global level are also studied. The topics covered in this course are the following:

- Nature and scope of Information Security
- Legal, ethical, and professional issues in Information Security
- Levels of security needed for different types of information
- Security of technical systems
- Introduction to data encryption techniques
- Introduction to network security issues, including wireless networks
- Introduction to Internet security
- Nature of threats: prevention, detection, recovery
- Planning for and implementing Information Security
- Personal security
- Enterprise security

Topics that can be added to this course, which would be enjoyable for students while they learn the basics about the Information Security field, might be:

- ISO standards related to Information Security
- ISO 27001
- Plan-Do-Check-Act model
- Gap analysis
- ISMS
- Risk assessment
- Internal and external audit programs

By adding the above topics, a wider range of activities and case studies could also be covered in this course, such as writing a case study about an organization obtaining ISO 27001 certification, implementing a PDCA model in a specific context, conducting a short gap analysis, learning in depth about ISMS, creating a risk assessment report, and investigating internal and external audit programs more deeply. All these activities can serve as tools that the students can access after their graduation, as they will be familiar with the vocabularies and concepts that are used extensively in the Information Security world. After taking this course, they will be able to meet the course requirements, as well as the employers' requirements:

1. Address the technical aspects of Information Security for decision makers.
2. Investigate and report on how the various levels of the Information Security objectives of data confidentiality, integrity, and availability can be achieved, and at what cost to an organization.
3. Understand the role that an appropriate access control policy serves in securing the information resources of an enterprise.
4. Investigate and experience the nature of security technologies/threats, such as firewalls, computer viruses, and worms.
5. Learn and implement simple encryption techniques to protect data and email.
6. Use examples of Information Security issues, tools, and practices implemented in today's businesses.
7. Use international standards and best practices in the Information Security field.

VI. CONCLUSION AND FUTURE WORK

The use of ISO 27001 to teach the topic of Information Security inspires students to learn more about the PDCA model, ISMS, gap analysis, internal and external audits, and risk assessment. We support this approach with real case studies from organizations, which help greatly in getting the students interested in the subject. Ten students from our IT College were engaged in this valuable learning experience. We encourage others to try our approach, and hope that it will help those students as much as it has helped ours. In future work, we plan to evaluate the enhanced Information Security course, and improve the advanced course, CIT 335, Information Security Technologies.

REFERENCES

[1] Designing and teaching information security curricula. Michael E. Whitman, Herbert J. Mattord. New York, USA: ACM, Proceedings of the 1st Annual Conference on Information Security Curriculum Development, 2004.
[2] Workshop on designing and teaching information security curricula. Michael E. Whitman, Herbert J. Mattord. New York, USA: ACM-SE 43, Proceedings of the 43rd Annual Southeast Regional Conference, 2005.
[3] Teaching the Undergraduate CS Information Security Course. Bradley K. Jensen, Melinda Cline, Carl S. Guynes. New York, USA: ACM SIGCSE Bulletin Homepage archive, 2006.
[4] Towards Changes in Information Security Education. Mariana Hentea, Harpal S. Dhillon, Manpreet Dhillon. s.l.: Journal of Information Technology Education, 2006, vol. 5.
[5] Mapping information security curricula to professional accreditation standards. C. J. Armstrong, H. L. Armstrong. s.l.: IEEE SMC Information Assurance and Security Workshop, 2007.
[6] Interactive Teaching Methods in an Information Security Course. Jingtao Li, Yiming Zhao, Lei Shi. s.l.: Scalable Computing and Communications; Eighth International Conference on Embedded Computing, 2009.
[7] A Teaching Model Application in the Course of Information Security. Chunyan Qiu, Wei Zhao, Jianhua Jiang, Jialing Han. s.l.: IEEE Computer Society Proceedings of the 2011 Third International Workshop on Education Technology and Computer Science, 2011.
[8] The Design and Analysis of an Information Security Teaching and Learning Platform. Wang ChangJi, Liao DingFeng, Huang HuaJie. s.l.: Education Technology and Computer Science, 2009.
[9] Zayed University Vision. Zayed University. [Online] http://www.zu.ac.ae/main/en/explore_zu/index.aspx.
[10] College of Information Technology. Zayed University. [Online] http://www.zu.ac.ae/main/en/colleges/colleges/college_information_technology/index.aspx.
[11] Exploratory Study on the Innovative Use of ISO Standards For IT Security in the UAE. Manar Abu Talib, Adel Khelifi, May El Barachi. Greece: European, Mediterranean & Middle Eastern Conference on Information Systems (EMCIS2011), 2011.
[12] Guide to ISO 27001: UAE Case Study. Manar Abu Talib, May El Barachi, Adel Khelifi. Canada: Issues in Informing Science and Information Technology, Volume 9, 2012.