IT Governance: Mastering Security & Risk Management

Packt via Coursera

Go to class Write review

Details

Go to class

Provider

Coursera
Pricing

Paid Course
Languages

English
Certificate

Certificate Available
Effort

26 weeks, 1 hour a week
Sessions

Self-Paced
Level

Intermediate
Subtitles

English

Found in

Overview

AI, Data Science & Cloud Certificates from Google, IBM & Meta — 40% Off

One plan covers every Professional Certificate on Coursera. 40% off Coursera Plus Annual.

Unlock All Certificates

This course offers an in-depth understanding of IT governance, focusing on information security, risk management, and frameworks such as ISO 27001. It provides actionable insights into securing your IT systems and aligning with international regulations. This course provides a comprehensive overview of IT governance and information security, focusing on practical frameworks like ISO 27001 and real-world risk management strategies. It equips learners with the knowledge to build and maintain secure IT environments while aligning security practices with business goals. Designed for professionals seeking to enhance their expertise, it offers actionable insights and expert guidance. This course is ideal for IT professionals, information security managers, and those involved in cybersecurity. A foundational understanding of IT systems and security concepts is recommended. Learners will gain the skills to strengthen their organization's security posture and align it with regulatory requirements. This course provides a structured approach to understanding and implementing IT governance, with a focus on information security frameworks and best practices, guiding readers through various security threats and solutions. © Alan Calder and Steve Watkins 2002, 2003, 2005, 2008, 2012, 2015, 2020, 2024. The authors have asserted the rights of the author under the Copyright, Designs and Patents Act, 1988, to be identified as the authors of this work. Editions one, two, three, four, five, six and seven published by Kogan Page. This edition published in the United Kingdom in 2024 by IT Governance Publishing. Every possible effort has been made to ensure that the information contained in this book is accurate at the time of going to press, and the publisher and the author cannot accept responsibility for any errors or omissions, however caused. Any opinions expressed in this book are those of the author, not the publisher. Websites identified are for reference only, not endorsement, and any website visits are at the reader’s own risk. No responsibility for loss or damage occasioned to any person acting, or refraining from action, as a result of the material in this publication can be accepted by the publisher or the author. Apart from any fair dealing for the purposes of research or private study, or criticism or review, as permitted under the Copyright, Designs and Patents Act 1988, this publication may only be reproduced, stored or transmitted, in any form, or by any means, with the prior permission in writing of the publisher or, in the case of reprographic reproduction, in accordance with the terms of licences issued by the Copyright Licensing Agency. Enquiries concerning reproduction outside those terms should be sent to the publisher at the following address: IT Governance Publishing Ltd Unit 3, Clive Court Bartholomew’s Walk Cambridgeshire Business Park Ely, Cambridgeshire CB7 4EA United Kingdom www.itgovernancepublishing.co.uk

Syllabus

Why is Information Security Necessary?

This module explores the growing importance of information security in today's digital landscape, examining the increasing threats to organizational data and the impact of cyber crime and cyber warfare. Learners will also review key legislation shaping information security practices and understand why robust security measures are essential for organizations.

The Corporate Governance Code, the FRC Guidance on Risk Management, and Sarbanes–Oxley

This module explores the evolution and key principles of corporate governance frameworks, focusing on the UK Corporate Governance Code, the FRC Guidance on Risk Management, and the Sarbanes-Oxley Act. Learners will examine how these regulations shape risk management, internal controls, and compliance in organizations. The module also introduces the COSO ERM Framework as a standard for effective risk oversight.

ISO 27001

This module introduces the ISO/IEC 27001 standard and its role within the broader ISO/IEC 27000 series, highlighting the benefits of certification and best practices for implementing an information security management system (ISMS). Learners will explore structured approaches to ISMS implementation, integration with other management systems, and the importance of leadership and communication in achieving compliance.

Organizing Information Security

This module explores how organizations can effectively structure and manage their information security programs in alignment with ISO 27001. Learners will examine key roles, responsibilities, and processes, including management reviews, cross-functional forums, and the importance of specialist advice and external contacts. By the end, participants will understand how to coordinate information security efforts across an organization.

Information Security Policy and Scope

This module explores the foundational elements of crafting an effective information security policy, emphasizing the critical role of top management commitment and clear policy statements. Learners will examine the importance of defining key security terms and aligning policy with recognized standards such as ISO 27001. By the end, participants will understand how to articulate and scope an information security policy within an organizational context.

The Risk Assessment and Statement of Applicability

This module guides learners through the process of conducting an information security risk assessment in alignment with ISO 27001, including defining boundaries, identifying critical assets, and evaluating threats and vulnerabilities. Learners will also explore how to select appropriate controls and develop a Statement of Applicability and risk treatment plan. By the end, participants will understand how to document and justify security decisions within an ISMS framework.

Mobile and Remote Working

This module explores the key principles and controls for managing mobile devices and enabling secure remote work in accordance with ISO 27002 standards. Learners will gain insights into developing effective policies and operational procedures to support remote and hybrid working environments.

Human Resources Security

This module explores the critical role of human resources in supporting information security management systems (ISMS) according to ISO 27001 and ISO 27002 standards. Learners will examine best practices for employee screening, employment terms, ongoing management responsibilities, and disciplinary processes to ensure organizational security. By the end, participants will understand how HR policies and procedures contribute to a secure information environment.

Asset Management

This module explores the principles and practices of managing information assets within an organization, focusing on asset classification, acceptable use policies, and secure handling procedures. Learners will gain insights into international classification systems and the implementation of controls for different asset sensitivity levels.

Exchanges of Information

This module explores best practices and policies for secure information exchange within and between organizations, focusing on compliance with relevant legislation. Learners will examine formal agreements, email and social media usage, and strategies for managing internet use to protect information integrity and confidentiality. Practical guidance on developing and enforcing acceptable use policies is also provided.

Access Control

This module explores the principles and practices of restricting access to sensitive information within organizations. Learners will examine common hacker techniques, industry standards like ISO 27002, and the balance between security and operational needs. By the end, you'll understand how to implement and evaluate effective access control policies.

User Access Management

This module explores the principles and best practices for managing user access within information systems, focusing on formal processes for assigning and revoking access rights. Learners will examine key ISO 27002 controls related to access control and secret authentication information, such as passwords. By the end, participants will understand how to implement secure and compliant user access management procedures.

Supplier Relationships

This module explores the critical role of supplier relationships in supply chain risk management, with a focus on information security. Learners will examine best practices for integrating security controls into supplier agreements, managing risks in the ICT supply chain, and adapting to changes in third-party services. By the end, participants will understand how to safeguard organizational assets through effective supplier management.

Physical and Environmental Security

This module explores the principles and best practices for safeguarding physical assets and environments in accordance with ISO 27002. Learners will examine entry controls, secure area requirements, and strategies to mitigate risks from environmental and external threats. By the end, participants will understand how to implement effective physical and environmental security measures within an organization.

Equipment Security

This module explores best practices for safeguarding organizational equipment, including protection against physical threats, utility failures, and data breaches. Learners will examine ISO 27002 controls related to equipment security, cabling, and secure disposal or reuse of assets. Practical strategies for minimizing risks and ensuring business continuity are emphasized.

System and Application Access Control

This module explores strategies for preventing unauthorized access to systems and applications by implementing effective access restrictions and secure authentication processes. Learners will gain an understanding of key ISO 27002 controls and best practices for safeguarding information services.

Cryptography

This module introduces the principles and policies behind cryptographic controls for information protection. Learners will explore the role of digital signatures in ensuring authenticity and integrity of electronic documents, and understand how cryptographic decisions fit into broader risk assessment processes.

Operations Security

This module explores the essential practices for maintaining secure and effective operations within an information security management system. Learners will examine the importance of documented procedures, structured change management, and robust information backup strategies aligned with ISO 27001 and ISO 27002 standards. By the end, participants will understand how these controls contribute to organizational resilience and compliance.

Controls Against Malicious Software (Malware)

This module explores essential strategies for detecting, preventing, and responding to various forms of malicious software, including viruses, phishing, and mobile threats. Learners will gain practical knowledge about anti-malware tools, user awareness, and the evolving landscape of cyber attacks targeting both computers and handheld devices.

Networks Security

This module explores essential strategies for securing organizational networks, including network segmentation, secure wireless deployment, and controlled access to network services. Learners will examine best practices for managing routers, switches, and extranets in alignment with ISO 27001 and ISO 27002 standards. By the end, participants will understand how to implement and evaluate effective network security controls.

System Acquisition, Development, and Maintenance

This module explores the processes and challenges involved in acquiring, developing, and maintaining information and communication technology (ICT) systems, with a focus on security considerations. Learners will examine key issues in e-commerce security and review essential security technologies and controls relevant to modern organizations.

Development and Support Processes

This module explores how information security is integrated throughout the systems development lifecycle, emphasizing secure architecture, engineering principles, and structured security testing. Learners will gain practical knowledge of best practices for embedding security controls in development and acceptance processes.

Monitoring and Information Security Incident Management

This module explores the integration of monitoring, logging, and incident management within information security frameworks, focusing on ISO 27002 controls. Learners will discover best practices for protecting log data, establishing incident response procedures, and leveraging incident reports for continual improvement. Practical guidance on reporting events and software malfunctions is also provided.

Business and Information Security Continuity Management

This module explores how organizations can ensure the continuity of both business operations and information security during major disruptions. Learners will examine best practices for business continuity planning, including risk assessment, plan development, testing, and maintenance, with a focus on integrating information security into every stage.

Compliance

This module explores key compliance requirements for information security management, focusing on major UK, EU, and US legislation, as well as international standards related to data protection and organizational records. Learners will gain an understanding of how to identify, interpret, and implement compliance controls within an ISO 27001 framework.

The ISO 27001 audit

This module guides learners through the ISO 27001 audit process, emphasizing the significance of certification and the steps involved in the initial audit stages. Participants will gain insights into how organizations prepare for and undergo formal assessments of their Information Security Management Systems (ISMS).