COURSE SYLLABUS

Course Designator/Course Number:               IT 4823

Course Title:         INFORMATION SECURITY ADMINISTRATION

Instructor:             Mr. Bob Brown

HTTP Link:            http://www.spsu.edu/cs/faculty/bbrown/it4823/f05

Course Length:   40 contact hours. 2.5 hours per week for 16 weeks; approximately 80 hours reading, research and writing outside class.

Textbook:   Whitman, Michael E. and Herbert J. Mattord (2005) Principles of Information Security, Second Edition. Thomson, Course Technology.  ISBN: 0-619-21625-5. (For Fall ’05.)

Bishop, Matt (2005) Introduction to Computer Security.  Addison-Wesley. (For Spring ’06 forward.)

Course Description/Objectives:

The student develops knowledge of the principles of information assurance at the policy, procedural, and technical levels to prepare for a role as a business decision-maker.  Real-world examples from the text and current events will be used to demonstrate the applicability of the techniques of information assurance.

 

Prerequisites:  IT 1124 Advanced Programming Principles, CS 3153 Database Systems, IT 3124 Hardware and Software Concepts.

This course will teach students:

·      The role of policy in driving information security.

·      The fundamental attributes that define information security: confidentiality, integrity, and availability

·      Identification of an organization’s information assets, including people, hardware, software, and data.

·      The role of risk management in information security.

·      The proper balance between technical controls and procedural controls.

·      The necessity of physical security controls and how to implement them.

·      The roles of awareness, training, and education in information security.

·      The need to make information security an ongoing part of daily operations.


Course Learning Outcomes

After completion of this course (IT 4823), students will be able to:

·        Describe the need for and relationship among the attributes of confidentiality, integrity, and availability.

·        Describe the McCumber model of information security and use it to describe and evaluate security controls.

·        Define the role of policy in driving information security.

·        Differentiate among policy, standards, and procedures.

·        Describe issue-specific policies and tell how they are used.

·        Describe how to identify an organization’s information assets.

·        Distinguish between identification, authentication, and authorization.

·        Describe discretionary and mandatory access control and tell how they are different.

·        Enumerate common classes of threats to information assets and describe the technical and procedural protections against each.

·        Define annualized loss expectancy (ALE) and describe its role in risk management.

·        Describe the concept of layers of information security, and give examples.

·        Define and distinguish among incident response plans, disaster recovery plans, business continuity plans, and crisis management plans.

·        Discuss business continuity strategies.

·        Describe the methods of protecting information in storage and transmission.

·        Differentiate between symmetric and public-key cryptography.

·        Explain how public-key cryptography can provide for non-repudiation through digital signatures.

·        Explain the role of digital certificates in a public-key infrastructure.

·        Describe risk assessment for and implementation of physical security controls.

·        Describe the process of maintaining an operating information security plan.

 

Course Content Outline / Major Topics:

1. Security Fundamentals

1.1 The History of Information Security

1.2 Critical Characteristics of Information

1.2.1 Availability

1.2.2 Accuracy

1.2.3 Authenticity

1.2.4 Confidentiality

1.2.5 Integrity

1.2.6 Utility

1.2.7 Possession

1.3 NSTISSC Security Model

1.4 Components of an Information System

1.4.1 Software

1.4.2 Hardware

1.4.3 Data

1.4.4 People

1.4.5 Procedures

1.4.6 Networks

1.5 Securing Components

1.6 Balancing Information Security and Access

1.7 Approaches to Information Security Implementation

1.8 The Systems Development Life Cycle

1.8.1 Methodology

1.8.2 Phases

1.8.3 Investigation

1.8.4 Analysis

1.8.5 Logical Design

1.8.6 Physical Design

1.8.7 Implementation

1.8.8 Maintenance and Change

1.9 The Security Systems Development Life Cycle

1.9.1 Investigation

1.9.2 Analysis

1.9.3 Logical Design

1.9.4  Physical Design

1.9.5 Implementation

1.9.6 Maintenance and Change

1.10 Security Professionals and the Organization

1.11 Communities of Interest

 

2. Business Needs

2.1 Business Needs First

2.1.1 Protecting the Functionality of an Organization

2.1.2 Enabling the Safe Operation of Applications

2.1.3 Protecting Data that Organizations Collect and Use

2.1.4 Safeguarding Technology Assets in Organizations

2.2 Threats

2.2.1 Acts of Human Error or Failure

2.2.2 Compromises to Intellectual Property

2.2.3 Deliberate Acts of Espionage or Trespass

2.2.4 Deliberate Acts of Information Extortion

2.2.5 Deliberate Acts of Sabotage or Vandalism

2.2.6 Deliberate Acts of Theft

2.2.7 Deliberate Software Attacks

2.2.8 Forces of Nature

2.2.9 Deviations in Quality of Service

2.2.10 Technical Hardware Failures or Errors

2.2.11 Technical Software Failures or Errors

2.2.12 Technological Obsolescence

2.3 Attacks

2.3.1 Malicious Code

2.3.2 Hoaxes

2.3.3 Back Doors

2.3.4 Password Crack

2.3.5 Brute Force

2.3.6 Dictionary

2.3.7 Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS)

2.3.8 Spoofing

2.3.9 Man-in-the-Middle

2.3.10 Spam

2.3.11 Mail Bombing

2.3.12 Sniffers

2.3.13 Social Engineering

2.3.14 Buffer Overflow

2.3.15 Timing Attack

 

3. Legal, Ethical and Professional Issues

3.1 Laws and Ethics in Information Security

3.2 Types of Law

3.3 Relevant U.S. Laws

3.3.1 General Computer Crime Laws

3.3.2 Privacy

3.3.3 Export and Espionage Laws

3.3.4 U.S. Copyright Law

3.3.5 Financial Reporting

3.3.6 Freedom of Information Act of 1966 (FOIA)

3.3.7 State and Local Regulations

3.4 International Laws and Legal Bodies

3.4.1 European Council Cyber-Crime Convention

3.4.2 Digital Millennium Copyright Act (DMCA)

3.4.3 United Nations Charter

3.5 Policy versus Law

3.6 Ethics and Information Security

3.6.1 Ethical Differences Across Cultures

3.6.2 Software License Infringement

3.6.3 Illicit Use

3.6.4 Misuse of Corporate Resources

3.6.5 Ethics and Education

3.6.6 Deterrence to Unethical and Illegal Behavior

3.7 Codes of Ethics and Professional Organizations

3.7.1 Major Professional Organizations for IT

3.7.2 Other Security Organizations

3.7.3 Key U.S. Federal Agencies

3.8 Organizational Liability and the Need for Counsel

 

4. Risk Management

4.1 An Overview of Risk Management

4.1.1 Know Yourself

4.1.2 Know the Enemy

4.1.3 The Roles of the Communities of Interest

4.2 Risk Identification

4.2.1 Asset Identification and Valuation

4.2.2 Automated Risk Management Tools

4.2.3 Information Asset Classification

4.2.4 Information Asset Valuation

4.2.5 Listing Assets in Order of Importance

4.2.6 Data Classification and Management

4.2.7 Security Clearances

4.2.8 Management of Classified Data

4.2.9 Threat Identification

4.2.10 Identify and Prioritize Threats and Threat Agents

4.2.11 Vulnerability Identification

4.3 Risk Assessment

4.3.1 Introduction to Risk Assessment

4.3.2 Likelihood

4.3.3 Valuation of Information Assets

4.3.4 Risk Determination

4.3.5 Identify Possible Controls

4.3.6 Access Controls

4.3.7 Documenting the Results of Risk Assessment

4.4 Risk Control Strategies

4.4.1 Avoidance

4.4.2 Implementing Avoidance

4.4.3 Transference

4.4.4 Mitigation

4.4.5 Disaster Recovery Plan

4.4.6 Acceptance

4.5 Selecting a Risk Control Strategy

4.5.1 Evaluation, Assessment, and Maintenance of Risk Controls

4.5.2 Categories of Controls

4.5.3 Feasibility Studies

4.5.4 Other Feasibility Studies

4.6 Risk Management Discussion Points

4.6.1 Risk Appetite

4.6.2 Residual Risk

4.7 Documenting Results

4.8 Recommended Practices in Controlling Risk

4.8.1 Qualitative Measures

4.8.2 Delphi Technique

 

5. Policies, Standards and Practices

5.1 Information Security Policy, Standards, and Practices

5.1.1 Enterprise Information Security Policy (EISP)

5.1.2 Issue-Specific Security Policy (ISSP)

5.1.3 Systems-Specific Security Policy (SysSP)

5.1.4 Policy Management

5.1.5 Information Classification

5.2 The Information Security Blueprint

5.2.1 ISO 17799/BS7799

5.2.2 NIST Security Models

5.2.3 IETF Security Architecture

5.2.4 VISA International Security Model

5.2.5 Baselining and Best Business Practices

5.2.6 Hybrid Framework for a Blueprint of an Information Security System

5.2.7 Design of Security Architecture

5.3 Security Education, Training, and Awareness Program

5.3.1 Security Education

5.3.2 Security Training

5.3.3 Security Awareness

5.4 Continuity Strategies

5.4.1 Business Impact Analysis

5.4.2 Incident Response Planning

5.4.3 Disaster Recovery Planning

5.4.4 Business Continuity Planning

5.4.5 Model for a Consolidated Contingency Plan

5.4.6 Law Enforcement Involvement

 

6. Security Technology: Firewalls and VPNs

6.1 Physical Design

6.2 Firewalls

6.2.1 Firewall Categorization Methods

6.2.2 Firewall Architectures

6.2.3 Selecting the Right Firewall

6.2.4 Configuring and Managing Firewalls

6.2.5 Content Filter

6.3 Protecting Remote Connections

6.3.1 Dial-Up

6.3.2 Virtual Private Networks (VPNs)

 

7. Security Technology: Intrusion Detection, Access Control, and Other Security Tools

7.1 Intrusion Detection Systems (IDSs)

7.1.1 IDS Terminology

7.1.2 Why Use IDS?

7.1.3 Types of IDS and Detection Methods

7.1.4 IDS Response Behavior

7.1.5 Selecting IDS Approaches and Products

7.1.6 Strengths and Limitations of IDS

7.1.7 Deployment and Implementation of an IDS

7.1.8 Measuring the Effectiveness of IDS

7.2 Honey Pots, Honey Nets, and Padded Cell Systems

7.2.1 Trap and Trace Systems

7.2.2 Active Intrusion Prevention

7.3 Scanning and Analysis Tools

7.3.1 Port Scanners

7.3.2 Firewall Analysis Tools

7.3.3 Operating System Detection Tools

7.3.4 Vulnerability Scanners

7.3.5 Packet Sniffers

7.3.6 Wireless Security Tools

7.4 Access Control Devices

7.4.1 Authentication

7.4.2 Effectiveness of Biometrics

7.4.3 Acceptability of Biometrics

 

8. Cryptography

8.1 A Short History of Cryptography

8.2 Principles of Cryptography

8.2.1 Basic Encryption Definitions

8.2.2 Cipher Methods

8.2.3 Elements of Cryptosystems

8.2.4 Encryption Key Size

8.2.5 Conclusions Regarding the Principles of Cryptography

8.3 Cryptography Tools

8.3.1 Public Key Infrastructure (PKI)

8.3.2 Digital Signatures

8.3.3 Digital Certificates

8.3.4 Hybrid Cryptography Systems

8.3.5 Steganography

8.4 Protocols for Secure Communications

8.4.1 Securing Internet Communication with S-HTTP and SSL

8.4.2 Securing E-mail with S/MIME, PEM, and PGP

8.4.3 Securing Web Transactions with SET, SSL, and S-HTTP

8.4.4 Securing TCP/IP with IPSec and PGP

8.5 Attacks on Cryptosystems

8.5.1 Man-in-the-Middle Attack

8.5.2 Correlation Attacks

8.5.3 Dictionary Attacks

8.5.4 Timing Attacks

8.5.5 Defending From Attacks

 

9. Physical Security

9.1 Physical Access Controls

9.1.1 Controls for Protecting the Secure Facility

9.2 Fire Security and Safety

9.2.1 Fire Detection and Response

9.3 Failure of Supporting Utilities and Structural Collapse

9.3.1 Heating, Ventilation, and Air Conditioning

9.3.2 Power Management and Conditioning

9.3.3 Water Problems

9.3.4 Structural Collapse

9.3.5 Maintenance of Facility Systems

9.4 Interception of Data

9.5 Mobile and Portable Systems

9.5.1 Remote Computing Security

9.6 Special Considerations for Physical Security Threats

9.6.1 Inventory Management

 

10. Implementing Information Security

10.1 Project Management for Information Security

10.1.1 Developing the Project Plan

10.1.2 Project Planning Considerations

10.1.3 Scope Considerations

10.1.4 The Need for Project Management

10.2 Technical Topics of Implementation

10.2.1 Conversion Strategies

10.2.2 The Bull’s-Eye Model for Information Security Project Planning

10.2.3 To Outsource or Not

10.2.4 Technology Governance and Change Control

10.3 Nontechnical Aspects of Implementation

10.3.1 The Culture of Change Management

10.3.2 Considerations for Organizational Change

 

11. Information Security Credentials, Security and Personnel

11.1 Positioning and Staffing the Security Function

11.2 Credentials of Information Security Professionals

11.2.1 Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)

11.2.2 Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)

11.2.3 Global Information Assurance Certification (GIAC)

11.2.4 Security Certified Professional (SCP)

11.2.5 TruSecure ICSA Certified Security Associate (TICSA)

11.2.6 Security+

11.2.7 Certified Information Forensics Investigator

11.2.8 Related Certifications

11.2.9 Cost of Being Certified

11.2.10 Advice for Information Security Professionals

11.3 Employment Policies and Practices

11.3.1 Job Descriptions

11.3.2 Interviews

11.3.3 Background Checks

11.3.4 Employment Contracts

11.3.5 New Hire Orientation

11.3.6 On-the-Job Security Training

11.3.7 Performance Evaluation

11.3.8 Termination

11.4 Security Considerations for Nonemployees

11.5 Separation of Duties and Collusion

11.6 Privacy and Security of Personnel Data

 

12. Maintaining Information Security

12.1 Security Management Models

12.1.1 The ISO Network Management Model

12.2 The Maintenance Model

12.2.1 Monitoring the External Environment

12.2.2 Monitoring the Internal Environment

12.2.3 Planning and Risk Assessment

12.2.4 Vulnerability Assessment and Remediation

12.2.5 Readiness and Review

 

 

Method of Instruction:

 

Lectures, discussion, presentation, hands-on lab practice.

 

Evaluation Methods:

The grade will be based on meeting attendance, participation, submission of the required written assignments, two examinations, and a comprehensive final examination.

·        Participation, written assignments and labs   40%

·        Examinations                                   30%   (two at 15% each)

·        Comprehensive final exam                       30%

To receive a grade of “A”, the student must accumulate 90% to 100% of the points.

To receive a grade of “B”, the student must accumulate 80% to 89% of the points.

To receive a grade of “C”, the student must accumulate 70% to 79% of the points.

To receive a grade of “D”, the student must accumulate 60% to 69% of the points.

Any student who accumulates a total score of 59% or less will receive a grade of “F”.

 

A grade of “I” is awarded only when a student was doing satisfactory work but, for nonacademic reasons beyond his or her control, was unable to meet the full requirements of the course.   All policies in the University Catalog will apply to a grade of I.

 

Please adhere to the following requirements which may affect your grade: (I) Regular and punctual meeting and lab attendance and participation; (II) Submission of all written work on time; and (III) Successful completion of the examinations.

 

 

Class Schedule:

Date     Topic                                      Reading      Due Today

Aug 22   Introductions, Security Fundamentals I     1 - 19
Aug 24   Security Fundamentals II                   20 - 32
Aug 29   Business Needs, Threats, Attacks           35 - 68
Aug 31   Legal, Ethical & Professional Issues       75 - 104     Assignment 1
Sep 5    No Meeting – Labor Day Holiday
Sep 7    Risk Management I                          109 - 131
Sep 12   Risk Management II                         132 - 144    Assignment 2
Sep 14   Risk Management III                        145 - 165
Sep 19   Risk Management IV
Sep 21   Policies, Standards and Practices          171 - 185    Assignment 3
Sep 26   Information Security Blueprint             186 - 205
Sep 28   Continuity Strategies I                    206 - 233
Oct 3    Examination 1
Oct 5    Firewalls and VPNs I                       239 - 260
Oct 10   Firewalls and VPNs II                      260 - 276    Assignment 4
Oct 12   Intrusion Detection Systems                281 - 319

October 13 is the last day to withdraw with a grade of W.

Oct 17   Scanning and Analysis, Access Control      320 - 336    Assignment 5
Oct 19   Lab Day                                    341 - 365
Oct 24   Cryptography I                             341 - 365
Oct 26   Cryptography II                            366 - 385
Oct 31   Cryptography III
Nov 2    Examination 2
Nov 7    Physical Access, Fire Safety               389 - 407
Nov 9    Other Physical Security                    408 - 421    Assignment 6
Nov 14   Implementing Information Security I        427 - 447
Nov 16   Information Security Credentials           451 - 471    Assignment 7
Nov 21   Employment Practices                       472 - 482
Nov 23   No Meeting – Thanksgiving Holiday
Nov 28   Information Security Maintenance I         489 - 500
Nov 30   Information Security Maintenance II        501 - 527    Assignment 8
Dec 5    Information Security Maintenance III
