Security Architecture and Engineering

3.1 Security Models

Security models provide the formal mathematical rules for enforcing security policies.

  • Bell-LaPadula: The primary model for confidentiality. It defines two mandatory access control rules: the Simple Security Property (No Read Up), which prevents a subject at a lower clearance from reading higher-classification data; and the * (Star) Property (No Write Down), which prevents a subject with a higher clearance from writing data to a lower classification, thus preventing data leakage.

  • Biba: The primary model for integrity. It inverts Bell-LaPadula's rules to prevent the contamination of high-integrity data. It enforces No Read Down (a subject cannot read data from a lower-integrity level) and No Write Up (a subject cannot write data to a higher-integrity level).

  • Clark-Wilson: Focuses on commercial integrity. It introduces the concept of well-formed transactions and separation of duties to ensure data integrity. Users cannot manipulate data directly; they must use programs that ensure the integrity of the transformation.

  • Brewer-Nash (Chinese Wall): Designed to prevent conflicts of interest. It dynamically changes a user's access rights based on their previous actions. If a consultant accesses data for Company A, they are blocked from accessing data for Company A's competitor, Company B.
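The four models above as a small reference monitor. This is an added example, not part of the original notes: the lattices, the `Label`/`label` helpers, `check_access` and the `ChineseWall` class are all constructed here. Each request is checked against Bell-LaPadula and Biba together, and Brewer-Nash is enforced from the subject's access history.

```python
"""Toy reference monitor for the 3.1 security models (constructed example,
not from the notes). A request is granted only if it violates neither the
Bell-LaPadula confidentiality rules nor the Biba integrity rules."""
from typing import Dict, List, NamedTuple, Set, Tuple

# Ordered lattices: a higher index is more sensitive / more trustworthy.
CONF_LEVELS = ["Unclassified", "Confidential", "Secret", "Top Secret"]
INTEG_LEVELS = ["Untrusted", "User", "System"]

class Label(NamedTuple):
    c: int  # index into CONF_LEVELS (used by Bell-LaPadula)
    i: int  # index into INTEG_LEVELS (used by Biba)

def label(conf: str, integ: str) -> Label:
    return Label(CONF_LEVELS.index(conf), INTEG_LEVELS.index(integ))

def check_access(subject: Label, obj: Label, op: str) -> Tuple[bool, List[str]]:
    """Return (granted, violated rules) for op in {'read', 'write'}."""
    if op not in ("read", "write"):
        raise ValueError(op)
    violated: List[str] = []
    if op == "read" and subject.c < obj.c:
        violated.append("BLP no-read-up")       # Simple Security Property
    if op == "write" and subject.c > obj.c:
        violated.append("BLP no-write-down")    # * (Star) Property
    if op == "read" and subject.i > obj.i:
        violated.append("Biba no-read-down")    # Simple Integrity Property
    if op == "write" and subject.i < obj.i:
        violated.append("Biba no-write-up")     # Integrity * Property
    return (not violated, violated)

class ChineseWall:
    """Brewer-Nash: once a subject touches one company in a conflict-of-interest
    class, that subject is blocked from every competitor in the same class."""

    def __init__(self, conflict_classes: List[Set[str]]):
        self.cls = {co: frozenset(c) for c in conflict_classes for co in c}
        self.history: Dict[str, Set[str]] = {}   # subject -> companies accessed

    def request(self, subject: str, company: str) -> bool:
        seen = self.history.setdefault(subject, set())
        competitors = self.cls.get(company, frozenset()) - {company}
        if seen & competitors:       # prior access to a competitor: deny
            return False
        seen.add(company)            # rights change dynamically with history
        return True
```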

3.2 Cryptography and Key Management

Cryptography is the mathematical science of securing information. It provides confidentiality, integrity, authentication, and non-repudiation.

Symmetric Cryptography uses a single shared secret key for both encryption and decryption. Algorithms like AES (Advanced Encryption Standard), DES, 3DES, Blowfish, and Twofish are examples. Symmetric encryption is computationally efficient and suitable for bulk data encryption. However, it suffers from the key distribution problem: secure exchange of the key is difficult over insecure channels.

Asymmetric Cryptography (Public Key Cryptography) uses a mathematically related pair of keys: a public key (widely distributed) and a private key (kept secret).

  • Confidentiality: If User A encrypts a message with User B's public key, only User B can decrypt it with their private key.

  • Authentication/Non-repudiation: If User A encrypts a message (or its hash) with their private key, anyone can verify it with User A's public key. Since only User A has the private key, this proves the origin.

Standard asymmetric algorithms include RSA, Elliptic Curve Cryptography (ECC), Diffie-Hellman (used for key exchange), and ElGamal.

Hashing functions (SHA-256, MD5) are one-way mathematical operations that generate a fixed-length string (message digest) from variable-length input. They are used to verify integrity; any change to the input results in a radically different digest.

Digital Signatures combine hashing and asymmetric cryptography. To sign a message, the sender hashes the message and encrypts the hash with their private key. The recipient decrypts the hash with the sender's public key and re-hashes the received message. If the hashes match, integrity and authenticity are verified.
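The hash-then-sign procedure above, as an added example that is not part of the original notes. It uses textbook RSA with a constructed key built from the Mersenne primes 2**31-1 and 2**61-1 so it runs offline; the modulus is small and the digest is reduced mod N for that reason only. Real systems use a vetted library with signature padding such as RSA-PSS, never raw RSA.

```python
"""Toy hash-then-sign digital signature (constructed example, not from the
notes). Demonstrates the 3.2 procedure: hash, sign the hash with the private
key, recover it with the public key, and compare with a fresh hash."""
import hashlib

# Constructed key: P and Q are the Mersenne primes 2**31-1 and 2**61-1.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q                          # public modulus
E = 65537                          # public exponent (coprime to (P-1)(Q-1))
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def digest(message: bytes) -> int:
    """Fixed-length SHA-256 digest of a variable-length message, as an integer.
    Reducing mod N is a toy shortcut; real schemes pad the digest instead."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, private_exp: int) -> int:
    """Sender: hash the message, then 'encrypt' the hash with the private key."""
    return pow(digest(message), private_exp, N)

def verify(message: bytes, signature: int, public_exp: int) -> bool:
    """Recipient: recover the hash with the public key and compare it with a
    fresh hash of the received message. True only if intact and authentic."""
    return pow(signature, public_exp, N) == digest(message)

if __name__ == "__main__":
    msg = b"Transfer 100 to account 42"   # constructed message
    sig = sign(msg, D)
    print(verify(msg, sig, E))                          # intact message
    print(verify(msg.replace(b"100", b"900"), sig, E))  # tampered in transit
```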

3.3 Physical Security Principles

Physical security is often the first line of defence. It encompasses Crime Prevention Through Environmental Design (CPTED), which uses the physical environment to influence behaviour.

  • Perimeter Security: Fences (6-8 feet to deter, higher to prevent), bollards (to stop vehicles), and lighting are critical. Exterior lighting must be designed to eliminate shadows that could hide intruders and to support video surveillance systems.

  • Fire Suppression: Systems are categorised by the agent used.

      • Water-based: Sprinklers are standard, but they damage electronics. Wet pipe systems have water in the pipes at all times (risk of freezing/leakage). Dry pipe systems hold water back with air pressure (delay in discharge). Pre-action systems require a secondary trigger (like a smoke detector) before filling the pipes, minimising accidental discharge risks in data centres.

      • Gas-based: These systems displace oxygen or interfere with the chemical reaction of fire. Halon was effective but is banned due to ozone depletion. Modern alternatives include FM-200 and Argonite. Safety is a significant concern; gas discharge can asphyxiate humans if not managed correctly.

3.4 System Vulnerabilities

Security engineering must address vulnerabilities across diverse architectures.

  • Client-based systems: Vulnerable to web-based attacks, malicious applets, and local user compromise.

  • Industrial Control Systems (ICS) / SCADA: These systems control physical infrastructure (power plants, factories). They often run on legacy hardware where availability is the primary concern, making them difficult to patch. Security must focus on network segmentation and strict access control.

  • Internet of Things (IoT): Characterised by low power, low processing capability, and minimal security features. They often lack update mechanisms and use hardcoded credentials, making them easy targets for botnets.

  • Cloud Computing: Introduces shared responsibility models. In SaaS (Software as a Service), the provider manages everything but the data. In IaaS (Infrastructure as a Service), the customer manages the OS and applications while the provider manages the hardware.