Diploma in Information Security Management


Program Description



Obtain the theoretical and practical foundations needed to identify the services and mechanisms required to build a secure, operational computer system.

Benefits of the program:

  • You will know all the areas related to information security management.
  • You will analyze the current legislation and regulations related to information security to define the necessary processes and comply with them.
  • You will establish controls aligned with the operational risks identified by organizations.

Addressed to:

Professionals working in the area of information systems, development, operations, networks and telecommunications, risk management, IT audit, internal control and compliance.

Content of the program

The Diploma in Information Security Management consists of sixteen modules, totalling 116 hours of study.

Module 1. Introduction to Computer Security (8 hours)

Presents the diploma to the participant and gives an overview of computer security, explaining the basic concepts of information security and everything related to access control.

  1. Background and concepts of computer security
  2. Computer security related statistics
  3. Academic options
  4. Certifications and standards in computer security
  5. Access control
  6. Stages of access control
  7. Authentication Mechanisms
  8. Types of access control
  9. Centralized Access Control
  10. Decentralized access control
  11. Single Sign On
  12. Identity management

Module 2. Technologies applied to Information Security (8 hours)

Know the different computing techniques needed to implement an information security strategy.

  1. Computer security versus information security
  2. Cryptology Basics
  3. Perimeter Security Devices
  4. Security in wireless networks
  5. IDS and IPS
  6. Computer forensics
  7. Malicious software
  8. Web application security
  9. Database Security
  10. Application Security
  11. Penetration tests
  12. Hardening of operating systems

Module 3. The Role of the Information Security Officer (4 hours)

Know the requirements of the security function and the interrelation of its components, as well as the vision and skills of today's CISO.

  1. Location of the security function in the organization chart
  2. Organizational structure
  3. Purpose, vision, objectives, goals and plans of the security function
  4. Components of the security function and their interrelation
  5. Security as a business function
  6. How to sell security
  7. The security budget
  8. Vision and skills of today's CISO

Module 4. Security Architecture (4 hours)

Provide an orderly, step-by-step guide to establishing a security architecture based on the CISSP CBK, with an overview of how it is established in an organization. Identify the key and critical concepts and principles for securing the infrastructure. Know the main security architecture frameworks.

  1. Introduction to security architecture (SA)
  2. Elements
  3. System architecture
  4. Security system architecture
  5. Risk analysis
  6. Security policy
  7. SA requirements
  8. Security models
  9. Security modes of operation
  10. Trust and assurance
  11. Frameworks in security architecture
  12. Open and closed systems

Module 5. Security Metrics (4 hours)

Provide guidance for the development, selection and implementation of specific metrics for measuring the performance of information security techniques and controls.

  1. Introduction
  2. Definition and history
  3. Benefits
  4. Aspects of security measurement
  5. Metric types
  6. Organizational considerations
  7. Manageability (management considerations)
  8. Success factors (correctness)
  9. Leading versus lagging indicators
  10. Quantitative and qualitative properties (small versus long measurements)
  11. Possible areas of application
  12. Formal measurement models and security metrics
  13. Collection and historical analysis of data
  14. Evaluation techniques with artificial intelligence
  15. Concrete and practical measurement methods
  16. Intrinsically measurable components

Module 6. Security Policies (8 hours)

Understand and apply the theoretical concepts of information security policies in institutional and business computing systems. Understand information security models and policies in order to establish the frame of reference and the standards or criteria that a secure computer system must meet.

  1. Security models
  2. The military security model (Bell and LaPadula)
  3. The commercial security model (Clark and Wilson)
  4. The financial security model (Brewer and Nash)
  5. Real World Security Policies
  6. Policy consistency
  7. Security policies in the context of an information security management system
  8. Structuring of information security policies
  9. Security Policy Development Project
  10. Mission, norms, policies, procedures and mechanisms

Module 7. Compliance (4 hours)

Recognize and understand the key elements of the compliance function and its relationship to computer security. Know the main regulatory bodies, standards and best practices related to computer security.

  1. Compliance Introduction
  2. Compliance function versus other control functions
  3. Compliance versus computer security
  4. Compliance versus risk management
  5. Relationship between compliance and corporate governance
  6. Compliance structure: policies, standards, programs
  7. Main standards, laws, regulations and best practices related to computer security

Module 8. Security in Operations (8 hours)

Provide the basic principles and controls needed to keep an information system continuously protected at the level the organization requires. Reflect on the controls that must be built into the organization's daily operation so as to neither over-control nor under-control. Describe ways of assessing computer security from both a theoretical and a practical point of view.

  1. Introduction
  2. Due Care / Due Diligence Principles
  3. Computer security implementation process
  4. Security controls in the organization
  5. ISO 27000 family of standards
  6. Administrative controls
  7. Types of evaluation

Module 9. BCP

Review the concepts used in DRP / BCP (Disaster Recovery Planning / Business Continuity Planning) and present a methodology for developing and implementing an IT service recovery and business continuity plan for use in the event of a disaster.

  1. Introduction to DRP / BCP
  2. Methodology to develop the DRP / BCP
  3. Planning and organization of the DRP / BCP Project
  4. Risk analysis to prevent disasters
  5. Business Impact Analysis (BIA)
  6. IT and user area recovery requirements
  7. The backup scheme
  8. DRP / BCP costs
  9. Backup and recovery strategies
  10. Emergency management
  11. The DRP / BCP document
  12. DRP / BCP test and maintenance
  13. Other aspects of DRP / BCP

Module 10. Physical Security (4 hours)

Know the fundamentals of design and technologies related to the physical security of a data center.

  1. The role of physical security in computer security
  2. Identification of the assets to be protected
  3. Access control
  4. CCTV
  5. Intrusion detection
  6. Power supply and HVAC considerations
  7. Fire detection and suppression

Module 11. Legal and Ethical Aspects (16 hours)

Know all ethical and legal concepts related to information security.

  1. Ethics and information security
  2. ISC2 Code of Ethics
  3. RFC 1087
  4. Privacy and personal data
  5. Legal protection of the software
  6. Definition of cybercrime
  7. Illicit access to computer systems and equipment
  8. Computer programs
  9. Child pornography
  10. Financial crimes

Module 12. Information Security Audit (4 hours)

Know the aspects of security auditing, as well as the approaches, paradigms, guides, tools and techniques needed to perform an audit.

  1. General audit concepts
  2. Location of the security audit in the organization chart
  3. Differences between security audit and IT audit
  4. Scope of the security audit
  5. Security audit approaches
  6. Paradigms of the security audit
  7. Types of tests in the security audit
  8. Security audit guides, techniques and tools

Module 13. Security Services Outsourcing (4 hours)

Know the characteristics of and conditions for computer security outsourcing, as well as the aspects involved in developing RFPs and service level agreements when contracting computer security outsourcing services.

  1. Background and origin of outsourcing
  2. Managed Security Services Providers (MSSPs)
  3. Characteristics of IT security outsourcing
  4. Conditions for computer security outsourcing
  5. RFP for contracting services in IT security outsourcing
  6. Content guides for the development of service level agreements for computer security outsourcing
  7. Types of tests in the security audit
  8. Methodology for an IT security outsourcing service agreement
  9. The MSSP market

Module 14. Risk Analysis (4 hours)

Know the basics of risk analysis, as well as the tools, methodologies and techniques used in this area.

  1. Background
  2. Concepts of risk elements
  3. Risk analysis
  4. Risk management or administration
  5. Quantitative Risk Analysis
  6. Qualitative Risk Analysis
  7. Risk Management Drivers
  8. ISO / IEC TR 13335 as a guide for risk identification and prioritization
  9. Methodologies, standards and tools

Module 15. FRAP practice (8 hours)

Know, analyze and work with the FRAP risk analysis methodology through a practical case in which participants gain the experience of performing a risk analysis, apply all the knowledge gained in the diploma, and draw up a computer security strategy based on that analysis.

  1. Background
  2. FRAP methodology
  3. FRAP and other methodologies
  4. Case study
  5. Security strategy based on risk analysis

Module 16. Information Security Trends (4 hours)

Know how information security has evolved up to the present day, as well as the new technologies and processes related to attacking and defending systems.

  1. Current state of information security
  2. Evolution of information security
  3. The academy and security science
  4. Computational attacks of the future
  5. Devices and security measures of the future

Last updated Dec 2019

About the School

Tecnológico de Monterrey is a private, non-profit, independent institution with no affiliation to political or religious parties. It was founded in 1943 thanks to the vision of the Mexican businessman Eugenio Garza Sada. Its work is supported by civil associations made up of prominent leaders from across the country who are committed to the quality of higher education and to the development of Mexico.

Monterrey, Buenavista, Mexico City, Zapopan, Puebla City, Santiago de Querétaro, Tampico, San Luis Potosi, Ciudad Juarez, Leon, Saltillo, Cuernavaca, Toluca, Chihuahua, Aguascalientes, Culiacán, Hermosillo, Tijuana, Morelia, Torreón, Cancún, Heroica Veracruz, Ciudad Obregón, Pachuca, Reynosa, Irapuato, Mexicali, Mérida, Oaxaca, Villahermosa, Nogales, Campeche