openseced / ism Goto Github PK

Lennart:

Ingen av de tillfrågade hade förberett en presentation att visa på
projektor, utan de tog det muntligt, vilket försvårade tydligheten och
resulterade i att många hoppade över / glömde bort att presentera delar
av uppgiften. Jag vill därför lägga in i uppgiftsbeskrivningen att
senast dagen innan seminariet skall de ha lämnat in en presentation i
moodle, och vi ska också ge tydliga krav vad presentationen skall
innehålla. På så vis blir det enklare för studentera att faktiskt ta del
av varandras arbete och resonemang.

apply the Swedish Civil Contingency Agency’s Framework for Information
Security Management Systems (ISO 27000) to analyse, assess and improve
the information security in an organization.

Are the lectures and assignments aligned with this?

MSB apparently has several versions of the material available at the same time in different places on the website (informationssäkerhet.se).

Can we make the references more concrete or just include the PDFs in the instruction? It's Creative Commons, so that should work. But then it's the updates ...

The material is "loosely related" to the literature, it should be better anchored with citations etc.

Lennart on running risksem:

Jag skrev även ut ett antal dokument åt dem som stöd (bilagor från
verksamhetsanalys och riskanalysdokumenten) Vilket gjorde att alla
följde samma struktur.

Adapt so that it's supports active learning. It should require reading some material in advance, prepare questions and exercises in the slides. Maybe to have the students prepare questions is a good exercise too.

This also requires this session to be more closely are clearly bound to the literature.

Currently all BibTeX-files are the same. They should be cleaned so that only the references used are there.

Last time it was given (Feb 2017), two hours was a bit tight on time. Estimate what is a good amount of time and add it to the instruction for future reference.

Should this be a Pass or Fail assignment? If the students performs the project at a company that already have an ISMS in place, they usually don't find anything to report, nor are they able to give insightful suggestions on how to better the security. This can therefore not be the grading criteria (or part of if at least). The rest is mainly just that they have performed the project and followed the template.

[Lennart's idea] We should change the grouping for the assignments so that students can group themselves. For instance, we should specify in the assignment that everyone having a family name starting with X should be in this group. Or birthdays.

Main point is that it's deterministic and the students can group themselves, and a teacher can verify later if they "cheated".

We should remove the word limits as the focus is not on those. They tend to confuse rather than help.

A lot of security incidents has happened the last few years. We should have more examples from the news.

There is a lot of research on how to do risk analysis, add some references and preferably an overview.

The records management lecture doesn't have any ILO. What's the purpose, what are the students supposed to learn? Do we assess that in some way?

Säkerhetsskyddslagen (2018:585) and Säkerhetsskyddsförordningen (2018:658)

Many of the literature.tex are of more abstractish form anyway. The abstract must contain the literature covered.

Much of the material is in Swedish, this material must be translated to English. Currently:

• msbframework/msbintro
• msbframework/msbforts
• gapproject
• ismsmemo
• risksem

There must also be English language literature.

Perhaps it's good to change from 2\times 45 minutes to independent 45-minute sessions? At least so that it's 45 minutes of talking and the rest is discussion.

Swiss government and military was hacked in 2014. They were very public about it, so there is a report that might be useful as reading material.

I MSBintroföreläsningen så står det att "[Arkivlagen 1990:782] säger att
myndigheter måste diarieföra alla allmänna handlingar. Jag har nu fått
lära mig att detta inte är sant. Det räcker att man kategoriserar
allmänna handlingar. Tove föreslog därför att vi istället bör skriva att
Arkivlagen säger att myndigheter måste arkivera alla allmänna handlingar.