Checking date: 26/08/2019


Course: 2019/2020

Computer systems audit and certification
(14340)
Study: Master in Computer Engineering (228)
EPI


Coordinating teacher: RIBAGORDA GARNACHO, ARTURO

Department assigned to the subject: Department of Computer Science and Engineering

Type: Compulsory
ECTS Credits: 6.0 ECTS

Course:
Semester:




Students are expected to have completed
Not applicable
Competences and skills that will be acquired and learning results.
The student must acquire a number of generic skills, knowledge, skills and attitudes, which are described below: Generic transversal competences: - Capacity of analysis and synthesis, - Capacity of organization, - Capacity of abstraction and deduction, - Troubleshooting, - Teamwork, - Ability to apply knowledge to practice. Attitude competences: - Capacity to generate new ideas (creativity), - Critical attitude with regard to current methodologies, - Concern for the quality of programmes and information systems, - Motivation to achieve new goals, - Interest to investigate and seek solutions to new problems encountered in audits and certification of information systems Specific competences of the module: - Ability to secure, manage, audit and certify development quality, processes, systems, services, applications and software products. - Ability to design, develop, manage and evaluate mechanisms for certification and safety of local or distributed information systems. - Ability to apply the principles, regulations and standardization. - Ability to plan, design and implement audit processes and certification of software systems. Learning outcomes: - Knowledge of the methodologies of evaluation and certification of systems and products of T.I. - Knowledge of international agreements on mutual recognition of safety certification and its requirements - Knowledge of national, European and international norms and standards related to the security of information systems, mainly the standards of the ISO / IEC 27000 family - Ability to analyze and evaluate, for its application to a specific system, various audit methodologies. - Ability to carry out an audit of the quality of developments, processes, systems, services, applications and computer products, and their security. - Ability to perform an audit in accordance with current legislation on treatments and systems containing personal data.
Description of contents: programme
1. Standardization, evaluation, certification and accreditation. Legal framework. 2. IT Audit and consulting. 3. Standardization of ISMS (ISMS). 27xxx family. Study of the UNE-ISO / IEC 27000, 27001, 27002. 4. Audit of distributed systems and networks. Audit cybersecurity. 5. Audit of treatments and systems subject to legal compliance 6. Certification of systems and products T.I.
Learning activities and methodology
Magisterial lectures. - Dedicated to the teaching of specific matter-oriented skills. To facilitate the task students will receive class notes and have basic reference documentation, to enable them to further elaborate on those topics which are of most interest. In addition, students will have access to current regulations, standards and legal provisions, in audit and certification of software systems. Individual or in group practices. - Among other activities, students might perform audits of certain components, systems and networks, to then draw conclusions and develop the corresponding reports. They will also carry out the compliance audit of the data protection legislation in real or anonymized fictitious systems. Similarly, given a specific IT field, students shall identify the de facto standards or law governing relevant security matters. Finally, they will carry out audit work of the quality of a computer system. Supervised activities. - Participating in the resolution of practical exercises and case studies. Among other activities, the students will perform the analysis and critical commentary of reports issued by the data control Spanish authority (or other regional and autonomical regulators). Similarly, given a specific IT field, students will have to identify those de facto standards or law governing matters, commenting on the relevant aspects of this normalization. Finally, students will also carry out audits on the quality or on the security of a computer system. Student personal work: - Geared especially to the acquisition of the capacity for self-organization and planning of individual work and learning process.
Assessment System
  • % end-of-term-examination 40
  • % of continuous assessment (assigments, laboratory, practicals...) 60
Basic Bibliography
  • AENOR. UNE-ISO/IEC 27000:2014. UNE-EN ISO/IEC 27001:2017. UNE-EN ISO/IEC 27002:2017.. AENOR. 2014 Y 2015 (según se indica)
  • ISACA. CISA Review Manual (Certified Information Systems Auditor). ISACA.
  • ISACA. CISM (Certified Information Security Manager). ISACA.
  • ISACA . ISACA (Information Systems Audit and Control Association) COBIT . www.isaca.org .
  • ISO/IEC 15408. Common Criteria for Information Technology Security Evaluation. Part 1: Introduction and general model.. ISO/IEC . July 2009
  • JTC1. ISO/IEC. ISO/IEC 27007: 2011. Guidelines for information security management systems auditing. ISO/IEC. 2011
  • PIATTINI, Mario y otros.. Auditoría de Tecnologías y Sistemas de Información.. RA-MA. . Madrid, 2008
Detailed subject contents or complementary information about assessment system of B.T.

The course syllabus and the academic weekly planning may change due academic events or other reasons.


More information: https://cosec.inf.uc3m.es/