Professional Documents
Culture Documents
Introducing Information Security Concepts and Standards in Higher Education
Introducing Information Security Concepts and Standards in Higher Education
Introducing Information Security Concepts and Standards in Higher Education
Abstract – Information security deals with protecting infrastructures. Information security management
data and information in all of its forms. The is an even more complex and difficult task, which
information security topic has been an area of growing involves “using and managing the policies,
research and educational interest for years. Many procedures, processes, control measures and
universities started to incorporate security concepts in
supporting applications, services and technologies
new or existing courses, following the
recommendations of the ISO/IEC 27000 series of
that are needed to protect the information that
standards. Recently, a new CSES2017 curricula in organizations, governments, consumers and citizens
cyber-security education was introduced. rely on to carry out their business and to live their
The article presents its authors’ experience in Lives” [1].
delivering education in information security area The international standards ISO/IEC 27000 were
through courses in several Bulgarian universities. The developed in the year 2000, and have been constantly
main topics and educational methods, covered by the improved since then, in order to meet the needs of
courses are presented and some results are discussed. the modern business for information protecting.
Keywords – Information security, ISO/IEC 27001, The ISO/IEC 27000 family of standards provides
ISO/IEC 27002, Information Security Management the basic recommendations for organizations to
System (ISMS), threat, risk analysis and assessment, handle the security of their information assets.
Intrusion Detection Systems (IDS) and Intrusion ISO/IEC 27001 introduces the concept of
Prevention Systems (IPS). Information Security Management System (ISMS) as
a systematic approach for effectively managing the
1. Introduction security of information. The requirements established
by this standard are designed with respect to its
Information security is a task of global importance compatibility with all types of organizations.
as it affects international trade, electronic trade, This article presents the authors’ experience in
mobile electronic trade, mobile communication, integrating the above mentioned standards in
social media, as well as different systems and information security education in several Bulgarian
services constructing our digital world and national universities. The discussed education is provided in
different programs in Computer Science area at
graduate and undergraduate level.
DOI: 10.18421/TEM83-46
https://dx.doi.org/10.18421/TEM83-46 2. Information Access Management and Control
Corresponding author: Magdalina Todorova, as a part of the Information Security
Faculty of Computer Science and Engineering, Burgas Free Education
University, Bulgaria
Email: magdalinavtodorova@gmail.com The International Standard ISO/IEC 27001
specifies the requirements for establishing,
Received: 29 April 2019. implementing, operating, monitoring, reviewing,
Revised: 06 June 2019. maintaining and improving a documented ISMS
Accepted: 14 June 2019. within the context of the organization’s overall
Published: 28 August 2019. business risks. It specifies requirements for the
© 2019 Daniela Orozova, Kalinka Kaloyanova, implementation of security controls customized to
Magdalina Todorova; published by UIKTEN. This work is the needs of individual organizations or parts thereof
licensed under the Creative Commons Attribution- [2]. The purpose of the ISO/IEC 27001 training is to
NonCommercial-NoDerivs 3.0 License. provide learners with knowledge and skills needed
for assessment compliance and effective
The article is published with Open Access implementation of ISMS for risk protection of the
at www.temjournal.com
organizations. This is our motivation for the and information accessibility. The last three concepts
education in information security area strictly to are defined by the standard ISO/IEC 27001 as
follow the ISO/IEC 27001 standard, as well as the follows:
similar standards for information access management
Confidentiality – “the property that information
and control.
is not made available or disclosed to unauthorized
Information Security courses are provided in most
individuals, entities, or processes”.
Bulgarian universities - Sofia University, Burgas
Integrity – “the property of safeguarding the
Free University, Technical University – Sofia, Varna
accuracy and completeness of assets”.
Free University, etc., mostly for the students in
Information access – “freedom or ability to
Computer Science and Information Technology
identify, obtain and make use of data or information
areas. The courses are provided both for graduate and
effectively”.
for undergraduate level – usually at the end of their
studies. Also, specialized programs on Information
4. Introducing main concepts in the courses
Security were created at graduate level in several
universities. Usually the information security courses are
In this paper we will focus on the education in provided after completing studies in the main topics
information security area provided in two of the in the computer science area - operational systems,
above mention universities – Sofia University and discrete structures, programming, object-oriented
Burgas Free University, which follows similar programming, data bases, computer architectures,
educational principles. The courses gradually and computer networks. The courses focus on
introduce concepts of physical, documental, business different risks and threats for the automated
and personal security, as well as information systems information systems and networks, as well as on the
and networks security. A key element of these actions related to meeting the standards for
courses is the introduction of the standard ISO/IEC information security and information protection,
27001 [2]. The standard can be used as a manual for which the specialists working in this rapidly
information management, providing good practices developing area need to perform. They introduce the
and guidelines for information security area. It also is main rules and activities for management and control
designed for total compliance with other well-known of the information security, good practices, actions
standards, such as ISO 9001 [4], ISO 14001 [5], etc. and assessment of key elements in a system based on
the ISO/IEC 27001 standard [2].
3. Basic terminology Basically, the education follows several steps:
defining existing and potential threats; identifying the
The main information security goal is to protect
subjects which are prone to threats; risk assessment;
data and information from possible harmful
getting to know network and computer-oriented
malicious actions, such as: unauthorized access, use,
systems for intrusion detection/prevention (IDS/IPS);
disclosure, alteration, reading, recording and
studying current methods and tools for protection
destruction; as well as to minimize the damage in
from the known threats. Further in this section they
case of such intrusion. Several basic concepts should
are discussed in more details.
be noted here:
• Information security is defined in [2] as 4.1. Identifying existing and potential threats
“preservation of confidentiality, integrity and First, main concepts like vulnerability and threat
availability of information; in addition, other are introduced, as well as different types of threats.
properties such as authenticity, accountability, non- A threat to a computing system is a set of
repudiation and reliability can also be involved”. circumstances that has the potential to cause loss or
• Computer security is focused on the particular harm as is defined in [3]. More generally speaking, a
work of the computer systems and networks, and the threat is each possibility of random or deliberate
information they process. “Computer security is the unauthorized access to the created, processed, stored
protection of the items you value, called the assets of or transmitted information. These are events or
a computer or computer system [3]”. actions that endanger an object, and occur in case of
• Information protection includes: practices of existing vulnerability.
the management of the risks related to using, A vulnerability is a weakness in the system, for
working, storing and transferring information; the example, in procedures, design, or implementation,
systems and processes used for these. that might be exploited to cause loss or harm [3]. It is
Information security, computer security and a weakness in the system of security measures or in
information protection are interrelated and have the control of their implementation, which can lead
common objectives, such as: confidentiality, integrity to compromise or facilitate compromising of
The risk in business information systems and Further, students study the two groups of IDS:
networks is a measure for quantitative assessment of network-based and computer/host-based IDS [8]:
the possibility for their vulnerabilities to be exploited
towards realization of a threat. As a result, they are - Network-based IDS are used for monitoring and
harmed in the form of different degrees of analysis of data packages, which are transferred
compromising their security. When the necessary through the network. A traditional sensory
measures are taken, they have to be checked for architecture monitors all network traffic, while the
efficiency, i.e. the remaining risk to be acceptable. distributed architecture monitors a specific part of it,
Next, a certification procedure is issued according to in a particular piece of equipment. The main purpose
the Bulgarian legislation. of the network-based IDS is protection from external
Risk appears when there is a threat. As a rule, the attacks.
presence of a given threat is a result of weaknesses in - Computer/host-based IDS use data for analysis,
the security of the information system/network, which origin from computer host journals, i.e. the
which can be explained by the absence of particular data sources for the computer/host-based include
security programming tools or equipment, or by the event logs, application logs, etc.
defects in the mechanisms that implement them. It is The host-based IDS are efficient in identifying
important not only to identify the threats, but also malicious actions on the network, as the data used for
their origin. This can help in choosing additional analysis are located on equipment used by authorized
security tools. After that, risk assessment should be users. Event logs give information about events of
performed [2]. The details in this topic introduced access of files on the particular piece of equipment,
dependence on whether there is a separate course i.e. the host-based IDS aim at identification and
“Risk Analysis and Assessment” at the university [6]. reaction to attacks by inside users, which is the
difference between the two IDS realizations.
4.4. Systems for detecting/preventing intrusion
4.5. Methods and tools for protections from known
threats
The following specific IT security controls and
mechanisms are highlighted in [1]: According to the ISO/IEC 27002 standard [9], the
- Network security (e.g., as found in ISO/IEC education in the field is completed by studying
27033); different methods and tools for protection from
- Applications security (e.g., as found in known threats. Here are listed the basic legal and
ISO/IEC 27034); administrative methods; organizational measures;
- Malware (e.g. as found in NIST SP 800-83); technical, software, and specialized protection tools
- Firewalls, Intrusion Detection Systems and that should be discussed in IS courses.
Intrusion Prevention Systems; The legal methods concern the legal basis used for
- Access control. solving the problems. Each organization has legally-
based documents that address the organization's
Based on these recommendations, our courses defenses.
introduce to the architecture and capabilities of the Administrative methods – these are all decrees,
Intrusion Detection (IDS) and Intrusion Prevention regulations and rules regarding the information
Systems (IPS). Both IDS/IPS are part of the network security in the organization. Also, there must be a
infrastructure. The main difference between them is person to be responsible for the information and
that IDS is a monitoring system, while IPS is a personal data security.
control system [7]. IDS/IPS systems are dynamic The organizational measures can be of various
information security systems, as they can identify types. For example, activities related to: the
intrusion and react; for example, they can emit a personnel recruitment and training; restricted access
sound or light signal, email, etc. Some to the server room, where sensitive and classified
implementations of these systems can email the information is stored; development of procedures on
attacker informing him that he is committing a crime; personal data security, etc.
can switch off the connection with the outside world The technical tools include locks, handles, bars,
by a firewall or even attack the attacker. security alarm system, video surveillance, etc. The
As IDS/IPS identify the possible incidents and software protection is based primarily on identifiers
register information about them, stop the incidents and passwords. They are set up not only for
and inform the security administrators about them, it operational systems, but also for applications, data
is essential for students to understand the importance base, etc.
of these systems, as well as the fact that they are
indispensable for each organization infrastructure.
Specialized protection tools can be realized as Personal data privacy and data security
technical, software or hybrid tools. Such a tool is, for
example, a computer anti-virus program; a firewall The students are introduced to GDPR, which
can be a specialized hardware tool, as well as a piece includes regulatory mechanisms for collecting, using,
of software. processing, storing and providing personal
The student should understand a balance is needed information. In this context, the students are given a
between the value of the protected subject or task to investigate the requirements for protection of
resource and the cost of the protection system. the personal data which the users exchange. This is
related not only to the protection of the property
5. Working on projects in Information Security assets, but also to the possible moral consequences
Courses for the individual [15]. It is established that it is
relatively easy to steal information, especially if it is
Working on projects has been widely embraced in in electronic form, and the consequences may prove
many courses, especially in Computer science area unpredictable. The focus is on the mechanisms of
[10],[11],[12]. Having presented the students with identification, authentication and authorization used
the main concepts in information security, described in the software systems, including Grid security
in Section 4, the learning process continues with approaches and service-oriented applications [16].
team projects, where students apply the obtained Different traditional and personalized models of
theoretical knowledge. The following sections are access control, based on attributes, roles,
dedicated to sample topics and tasks, given to the organization, etc., are presented [17], [18], [19], [20].
students, which they explore and defend in the form The classification of the attacks directed to data
of projects during the seminars. Topics are selected disclosure, provided in [21], is used.
to meet most standards’ requirements and help with
the analysis of learning outcomes based on standards. Attacks on electronic articles and publications