LTPC: 2-0-0-2
Course
Description:

This course aims to provide students with a comprehensive understanding of how technology can be leveraged within various business contexts. It covers the integration of technology in different business processes, the impact of technological advancements on business models, and the strategic use of technology to gain competitive advantage. Students will explore case studies, current trends, and practical applications to understand the dynamic relationship between technology and business operations.

Topics to be covered:
Module 1: Organizational Frameworks and Business Models

• Overview of organizational structures and the McKinsey 7-S model.
• Impact of technology on different business models.

Module 2: Business Value Chain

• Understanding the value chain and its components.
• Key steps and technological tools in the procurement to payment cycle.

Module 3: Order to Cash Process

• Enhancing the order to cash process with technology.

Module 4: Organizational Agility and Innovation

• Promoting agility and adaptability through technology.
• Fostering innovation within an organization.

Textbooks:

• 1. Business Model Generation” by Alexander Osterwalder and Yves Pigneur.
• 2. “Digital Transformation: Survive and Thrive in an Era of Mass Extinction” by Thomas M. Siebel
• 3. “Lean Enterprise: How High-Performance Organizations Innovate at Scale” by Jez Humble, Joanne Molesky, and Barry O’Reilly

Reference Books:

• 1. Michael Porter’s Value Chain: Unlock your company’s competitive advantage
• 2. Frameworks for Organizational Design by Harvard University

LTPC: 2-0-0-2
Course Description:

This introductory course lays the foundation for understanding IT risk management and the role of IT general controls (ITGC) in safeguarding an organization’s information systems. Participants will explore the key principles and frameworks around IT general controls including overview of IT risk management, domains of IT audits, and nature, timing, execution, and reporting considerations in IT general controls. The course also covers the essential components of ITGC, such as access controls, change management, and operational controls, and their significance in maintaining the integrity, confidentiality, and availability of IT systems.

Topics to be covered:

Module 1: Overview of ITRM

• Overview of ITRM

Module 2: Introduction to audit, need for ITRM in audit

• Introduction to audit
• Types of audits (goals and objectives)
• Auditor roles and responsibilities
• Attributes of a successful auditor

Module 3: Scoping, planning, execution, and reporting considerations in an audit

• Planning and scoping an audit
• Types of audit reports and reporting considerations

Textbooks and reference books:

• Managing Risk in Information Systems by Darril Gibson
• IT Risk: Turning Business Threats into Competitive Advantage by George Westerman and Richard Hunter
• Risk Management in IT Security: Risk Assessment for Business Processes and Internal Controls by Timothy P. Layton

Other Reference Documents:

• “A Framework for Managing IT Risk” by George Westerman and Richard Hunter, published in Harvard Business Review
• “IT Risk Management: Framework and Best Practices” by Michael Parent and Barbara Reich, published in Journal of Information Technology Management

LTPC: 3-0-0-3
Course Description:

Building on the foundational knowledge from Part 1, this advanced course delves deeper into sophisticated IT risk management strategies and the practical implementation of IT general controls. Participants will learn to design and deploy robust ITGC frameworks tailored to their organization’s needs. The key domains to be covered for IT general controls are logical access, change management, data center, network operations, physical security, incident management controls. Further, the participants will also learn about types of SOC reports and organization’s need for different types of SOC reports.

Topics to be covered:

Module 1: Type of IT controls

• Introduction to IT technology layers (applications, OS, DB, network)
• ITGC domain introduction

Module 2: ITGC – Logical Access Controls

• Passwords control
• User provisioning
• User de-provisioning
• User transfers
• Privileged access
• User access review

Module 3: ITGC – Change Management Controls

• Change management – Development, testing, approval
• Segregation of duties in change management
• Access to implement changes
• Post implementation change review

Module 4: ITGC – Data Center, Network, Operations, Incident Management Controls

• Access to make changes to batch jobs
• Job failure and monitoring
• Data backup configuration testing
• Data backup failure monitoring and resolution
• Two factor authentication
• Network architecture segmentation
• Periodic vulnerability scans

Module 5: ITGC – Other Controls (physical access, incident management, etc.)

• Physical security
• Periodic log review
• Incident management controls

Module 6: SOC1 / 2 / 3 reports

• Introduction to SOC reports, why do organizations need SOC reports
• SOC 1, SOC 2, SOC 3 reports, comparison for scope, and need for each type of SOC report

Textbooks:

• IT Control Objectives for Sarbanes-Oxley: The Importance of IT in the Design, Implementation and Sustainability of Internal Control Over Disclosures and Financial Reporting by IT Governance Institute
• Information Technology Control and Audit by Sandra Senft and Frederick Gallegos

Reference Books:

• N/A

Other Reference Documents:

• “The Role of IT General Controls in Sarbanes-Oxley Compliance” by David A. Hodgson, published in Information Systems Control Journal
• “Understanding IT General Controls” by Thomas P. Murtagh, published in ISACA Journal

LTPC: 3-0-0-3
Course Description:

This comprehensive course equips you with the essential knowledge and skills to navigate the ever-evolving cybersecurity landscape. You’ll gain a solid understanding of core cybersecurity principles, explore the OWASP Top 10 web application security risks, and delve into the collaborative DevSecOps approach for integrating security throughout the software development lifecycle.

Topics to be covered:

Module 1: Introduction to Cybersecurity
What is Cybersecurity? Importance and Scope

• Core Security Concepts: CIA (Confidentiality, Integrity, Availability)
• Types of Cyber Threats and Actors (Malwares, Phishing, Ransomware)
• Impact of Cyberattacks (Data Breaches, Financial Loss, Reputational Damage)
• Introduction to Cybersecurity Frameworks (NIST CSF, ISO 27001)

Module 2: OWASP Top 10 Web Application Security Risks
OWASP and its Role in Web Application Security
In-depth exploration of each OWASP Top 10 risk:

• A1: Injection
• A2: Broken Authentication
• A3: Cross-Site Scripting (XSS)
• A5: Security Misconfigurations
• A6: Vulnerable and Outdated Dependencies
• A7: Cross-Site Request Forgery (CSRF)
• A8: Security Issues in Software Supply Chain
• A9: Security Testing Failures
• A10: Insufficient Logging & Monitoring

Detection, Prevention, and Mitigation Strategies for OWASP Top 10 risks
Hands-on Labs: OWASP Top 10 vulnerability scanning and exploitation simulation.

Module 3: DevSecOps Principles and Practices

• Introduction to DevSecOps: Integrating Security into the SDLC
• Benefits of Implementing DevSecOps
• DevSecOps Pipeline: Security Considerations in Each Development Phase
• Secure Coding Practices
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Infrastructure Security as Code
• Security Automation and Orchestration
• Collaboration between Development, Security, and Operations Teams
• Continuous Integration and Continuous Delivery (CI/CD) with Security
• DevSecOps Tools and Technologies

Textbooks:

• Penetration Testing – A Hands-on Introduction to Hacking” by Georgia Weidman, No starch Press; 1st edition
• The Web Application Handbook” by Dafydd Stuttard and Marcus Pinto, Wiley; 2nd Edition

Reference Books:

• The Hackers Playbook 1, 2 and 3, Peter Tim

LTPC: 4-0-0-4
Course Description:

This module equips you to comprehend and analyze the landscape of cyber and information security regulations and compliances that organisations operate in. The module will help students understand how business models should be underpinned by embedded cyber controls aligned to the organization’s risk posture and leading practices. The content will also examine in detail key Cybersecurity frameworks like ISO 27001, NIST and COBIT with a focus on aligning controls to cybersecurity operational challenges.

Topics to be covered:

Module 1: Key cyber risk frameworks: ISO 27001, NIST

• Domains attached to each framework and framework specific approaches
• Differences between various frameworks
• Risk and controls matrices
• Case studies about business scenarios to showcase how these frameworks apply for industry specific risks. and then link back to the controls that would be needed to.

Module 2: Elements and approach of COBIT 5 framework

Module 3: Overview of regulatory requirements for cyber laws

Overview of key IT and cyber laws in India
• IT Act, 2000
• IT (Amendment) Act, 2008
• EWaste Management Act

Key International regulations
• EU Data Act, 2024
• EU Data Governance Act 2023
• EU Artificial Intelligence Act 2024
• GLBA
• HIPAA

Textbooks:

• Introduction to Cybersecurity: Concepts, Principles, Technologies and Practices by Ajay Singh
• The Cybersecurity Manager’s Guide: The Art of Building Your Security Program (Grayscale Indian Edition) by Todd Barnum
• Iso/Iec 27001: 2022: An introduction to information security and the ISMS standard 15 November 2022 by Steve G Watkins

Reference Books:

• Cybersecurity Awareness Among Students and Faculty, Book by Abbas Moallem.
• Cyber Security ABCs: Delivering awareness, behaviours and culture change – 2020, by Jessica Barker, Adrian Davis, Bruce Hallas and Ciaran Mc Mahon.
• The Ethics of Cybersecurity (The International Library of Ethics, Law and Technology Book 21) 1st ed. 2020 Edition by Markus Christen
• Cybersecurity for Dummies Paperback – 1 February 2020 by Joseph Steinberg (Author)
• Mastering COBIT: A Comprehensive Guide to Learn COBIT by Cybellium Ltd and Kris Hermans
• NIST CSF: https://nvlpubs.nist.gov/nistpubs/CSWP/NIST.CSWP.29.pdf
• NIST 800-53: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

LTPC: 2-0-2-3
Course Description:

This intensive, hands-on course equips you with the expertise to conduct comprehensive vulnerability assessments and penetration testing (VAPT). You’ll gain a deep understanding of various attack sources and methodologies, explore industry-standard tools for vulnerability scanning and exploitation, and develop the practical skills to identify, assess, and exploit vulnerabilities in real-world scenarios.

Topics to be covered:

Module 1: Foundations of VAPT

• Introduction to VAPT: Importance and Scope
• Vulnerability Assessment vs. Penetration Testing (PT)
• Penetration Testing Methodologies (White Box, Black Box, Grey Box)
• Ethical Hacking Principles and Professional Conduct
• VAPT Lifecycle: Planning, Scanning, Exploitation, Reporting, Remediation

Module 2: Sources of Attacks and Reconnaissance

• Understanding Attack Surfaces (Web Applications, Networks, Systems)
• Open-Source Intelligence (OSINT) Gathering Techniques (Public Records, Social Media)
• Network Reconnaissance: Foot printing, Scanning, Enumeratio

Module 3: Exploitation Methodologies

• Common Exploit Types (Buffer Overflow, SQL Injection, XSS)
• Privilege Escalation Techniques (Local, Vertical)
• Post-Exploitation Activities: Maintaining Access, Lateral Movement

Module 4: Penetration Testing Tools and Techniques

• Password Cracking Concepts (Methods, Tools)
• Wireless Network Penetration Testing Concepts (Tools, Techniques)
• Social Engineering Techniques (Phishing, Vishing)
• Web Application Security Testing Concepts (Tools, Techniques)

Module 5: Reporting and Remediation

• VAPT Report Writing: Structure, Content, and Recommendations
• Vulnerability Remediation Strategies and Prioritization
• Post-Penetration Testing Activities: Retesting and Validation

Textbooks:

• Penetration Testing – A Hands-on Introduction to Hacking” by Georgia Weidman, No starch Press; 1st edition
• The Web Application Handbook” by Dafydd Stuttard and Marcus Pinto, Wiley; 2nd Edition

Reference Books:

• The Hackers Playbook 1, 2 and 3, Peter Tim
• Web Application Hacker’s Handbook: Finding and Exploiting Security Flaws” by Dafydd Steffan (2017, Wiley, ISBN: 9781119460507)
• Kali Linux: Assuring Security by Penetration Testing” by Rolling Stone Security (2018, No Starch Press, ISBN: 9781593279304)

LTPC: 2-0-0-2
Course Description:

This module will introduce the various concepts of cloud architecture including benefits, limitations and approaches to adoption. It will also cover in detail the CSA – CCM framework to enhance the student’s understanding of risks, controls and leading practices in this space.

Topics to be covered:

• Overview of Cloud Security Risk
• Definition for cloud
• Benefits of cloud adoption
• Cloud limitations
• Cloud Architecture
• Cloud computing features and characteristics
• Cloud computing deployment models
• Cloud security considerations and audit pointers
• Leading practices for cloud
• Future of Cloud computing
• Cloud security alliance – Cloud control matrix

Business case study
• Define business model risks
• Define controls from CSA – CCM
• General guiding principles for platforms like Azure configurations or AWS configurations in a cloud implementation
• Market changes affecting business environments and impacts on cloud risk.

Textbooks:

• Cloud Computing: Concepts, Technology, Security & Architecture, 2nd Edition – Pearson Paperback – 29 February 2024 by Thomas Erl (Author), Eric Barceló Monroy (Author)
• CSA – CCM https://cloudsecurityalliance.org/research/cloud-controls-matrix

Reference Books:

• Cloud Computing for Dummies, 2ed | e Paperback – 1 November 2020 by Judith Hurwitz , Daniel Kirsch
• Security for Cloud Native Applications: The practical guide for securing modern applications using AWS, Azure, and GCP by Eyal Estrin | 25 March 2024

LTPC: 1-0-2-2
Course Description:

This course equips you with the knowledge and skills to navigate the ever-evolving threat landscape. You’ll delve into various sources of cyber-attacks, explore industry-standard threat intelligence tools, and learn how to leverage this information to proactively defend your organization’s security posture.

Topics to be covered:

Module 1: Introduction to Threat Intelligence (TI)

• What is Threat Intelligence? Importance and Benefits
• The Threat Intelligence Cycle: Collection, Analysis, Dissemination, and Action
• Understanding the Attack Landscape (Types of Threats, Attackers, Motivations)

Module 2: Sources of Cyber Attacks

• Internal Sources: Logs, Incident Reports, Vulnerability Scans
• Open-Source Intelligence (OSINT): Gathering Information from Public Sources
• Commercial Threat Intelligence Feeds: Vendor-provided Threat Data
• Government and Law Enforcement Agencies: Security Advisories and Alerts
• Dark Web Monitoring: Identifying Threats on Hidden Forums and Marketplaces

Module 3: Threat Intelligence Tools and Platforms

• Security Information and Event Management (SIEM) Systems: Centralized Log Collection and Analysis
• Threat Intelligence Platforms (TIPs): Aggregating, Analyzing, & Correlating Threat Data
• Threat Modeling Tools: Identifying Vulnerabilities and Simulating Attack Scenarios
• Vulnerability Scanners: Identifying Security Weaknesses in Systems and Networks
• Web Traffic Analysis Tools: Detecting Malicious Activity on Websites

Module 4: Implementing Threat Intelligence

• Integrating Threat Intelligence into Security Operations
• Threat Alert Prioritization and Response Strategies
• Sharing Threat Intelligence Across Security Teams
• Measuring the Effectiveness of Threat Intelligence Programs

Textbooks:

• Threat Intelligence: Designing and Implementing Effective Programs” by David Bianco, et al. (2016, Wiley, ISBN: 9781118993327)

Reference Books:

• The Art of Cyberwarfare: A Pentagon Insider’s View of Cyber Threats and Countermeasures” by Richard A. Clarke and Robert Knake (2010, HarperCollins, ISBN: 9780061965094)
• Security Information and Event Management (SIEM) Implementation: A Guide for Security Professionals” by Chris Simmons (2017, Syngress, ISBN: 9780128044941)