Course Designator/Course Number: IT 4823
Course Title: INFORMATION SECURITY ADMINISTRATION
Instructor: Mr. Bob Brown
HTTP Link: http://www.spsu.edu/cs/faculty/bbrown/it4823/f05
Course Length: 40 contact hours. 2.5 hours per week for 16 weeks; approximately 80 hours reading, research and writing outside class.
Textbook:
Whitman, Michael E. and Herbert J. Mattord (2005) Principles of Information Security, Second Edition. Thomson Course Technology. ISBN: 0-619-21625-5. (For Fall ’05.)
Bishop, Matt (2005) Introduction to Computer Security. Addison-Wesley. (For Spring ’06 forward.)
Course Description/Objectives:
The student develops knowledge of the principles of information assurance at the policy, procedural, and technical levels to prepare the student for a role as a business decision-maker. Real-world examples from the text and current events will be used to demonstrate the applicability of the techniques of information assurance.
Prerequisites: IT 1124 Advanced Programming Principles, CS 3153 Database Systems, IT 3124 Hardware and Software Concepts.
This course will teach students:
· The role of policy in driving information security.
· The fundamental attributes that define information security: confidentiality, integrity, and availability
· Identification of an organization’s information assets, including people, hardware, software, and data.
· The role of risk management in information security.
· The proper balance between technical controls and procedural controls.
· The necessity of physical security controls and how to implement them.
· The roles of awareness, training, and education in information security.
· The need to make information security an ongoing part of daily operations.
After completion of this course (IT 4823), students will be able to:
· Describe the need for and relationship among the attributes of confidentiality, integrity, and availability.
· Describe the McCumber model of information security and use it to describe and evaluate security controls.
· Define the role of policy in driving information security.
· Differentiate among policy, standards, and procedures.
· Describe issue-specific policies and tell how they are used.
· Describe how to identify an organization’s information assets.
· Distinguish between identification, authentication, and authorization.
· Describe discretionary and mandatory access control and tell how they are different.
· Enumerate common classes of threats to information assets and describe the technical and procedural protections against each.
· Define annualized loss expectancy (ALE) and describe its role in risk management.
· Describe the concept of layers of information security, and give examples.
· Define and distinguish among incident response plans, disaster recovery plans, business continuity plans, and crisis management plans.
· Discuss business continuity strategies.
· Describe the methods of protecting information in storage and transmission.
· Differentiate between symmetric and public-key cryptography.
· Explain how public-key cryptography can provide for non-repudiation through digital signatures.
· Explain the role of digital certificates in a public-key infrastructure.
· Describe risk assessment for and implementation of physical security controls.
· Describe the process of maintaining an operating information security plan.
1. Security Fundamentals
  1.1 The History of Information Security
  1.2 Critical Characteristics of Information
    1.2.1 Availability
    1.2.2 Accuracy
    1.2.3 Authenticity
    1.2.4 Confidentiality
    1.2.5 Integrity
    1.2.6 Utility
    1.2.7 Possession
  1.3 NSTISSC Security Model
  1.4 Components of an Information System
    1.4.1 Software
    1.4.2 Hardware
    1.4.3 Data
    1.4.4 People
    1.4.5 Procedures
    1.4.6 Networks
  1.5 Securing Components
  1.6 Balancing Information Security and Access
  1.7 Approaches to Information Security Implementation
  1.8 The Systems Development Life Cycle
    1.8.1 Methodology
    1.8.2 Phases
    1.8.3 Investigation
    1.8.4 Analysis
    1.8.5 Logical Design
    1.8.6 Physical Design
    1.8.7 Implementation
    1.8.8 Maintenance and Change
  1.9 The Security Systems Development Life Cycle
    1.9.1 Investigation
    1.9.2 Analysis
    1.9.3 Logical Design
    1.9.4 Physical Design
    1.9.5 Implementation
    1.9.6 Maintenance and Change
  1.10 Security Professionals and the Organization
  1.11 Communities of Interest
2. Business Needs
  2.1 Business Needs First
    2.1.1 Protecting the Functionality of an Organization
    2.1.2 Enabling the Safe Operation of Applications
    2.1.3 Protecting Data that Organizations Collect and Use
    2.1.4 Safeguarding Technology Assets in Organizations
  2.2 Threats
    2.2.1 Acts of Human Error or Failure
    2.2.2 Compromises to Intellectual Property
    2.2.3 Deliberate Acts of Espionage or Trespass
    2.2.4 Deliberate Acts of Information Extortion
    2.2.5 Deliberate Acts of Sabotage or Vandalism
    2.2.6 Deliberate Acts of Theft
    2.2.7 Deliberate Software Attacks
    2.2.8 Forces of Nature
    2.2.9 Deviations in Quality of Service
    2.2.10 Technical Hardware Failures or Errors
    2.2.11 Technical Software Failures or Errors
    2.2.12 Technological Obsolescence
  2.3 Attacks
    2.3.1 Malicious Code
    2.3.2 Hoaxes
    2.3.3 Back Doors
    2.3.4 Password Crack
    2.3.5 Brute Force
    2.3.6 Dictionary
    2.3.7 Denial-of-Service (DOS) and Distributed Denial-of-Service (DDOS)
    2.3.8 Spoofing
    2.3.9 Man-in-the-Middle
    2.3.10 Spam
    2.3.11 Mail Bombing
    2.3.12 Sniffers
    2.3.13 Social Engineering
    2.3.14 Buffer Overflow
    2.3.15 Timing Attack
3. Legal, Ethical and Professional Issues
  3.1 Laws and Ethics in Information Security
  3.2 Types of Law
  3.3 Relevant
    3.3.1 General Computer Crime Laws
    3.3.2 Privacy
    3.3.3 Export and Espionage Laws
    3.3.4
    3.3.5 Financial Reporting
    3.3.6 Freedom of Information Act of 1966 (FOIA)
  3.4 International Laws and Legal Bodies
    3.4.1 European Council Cyber-Crime Convention
    3.4.2 Digital Millennium Copyright Act (DMCA)
    3.4.3 United Nations Charter
  3.5 Policy versus Law
  3.6 Ethics and Information Security
    3.6.1 Ethical Differences Across Cultures
    3.6.2 Software License Infringement
    3.6.3 Illicit Use
    3.6.4 Misuse of Corporate Resources
    3.6.5 Ethics and Education
    3.6.6 Deterrence to Unethical and Illegal Behavior
  3.7 Codes of Ethics and Professional Organizations
    3.7.1 Major Professional Organizations for IT
    3.7.2 Other Security Organizations
    3.7.3 Key
  3.8 Organizational Liability and the Need for Counsel
4. Risk Management
  4.1 An Overview of Risk Management
    4.1.1 Know Yourself
    4.1.2 Know the Enemy
    4.1.3 The Roles of the Communities of Interest
  4.2 Risk Identification
    4.2.1 Asset Identification and Valuation
    4.2.2 Automated Risk Management Tools
    4.2.3 Information Asset Classification
    4.2.4 Information Asset Valuation
    4.2.5 Listing Assets in Order of Importance
    4.2.6 Data Classification and Management
    4.2.7 Security Clearances
    4.2.8 Management of Classified Data
    4.2.9 Threat Identification
    4.2.10 Identify and Prioritize Threats and Threat Agents
    4.2.11 Vulnerability Identification
  4.3 Risk Assessment
    4.3.1 Introduction to Risk Assessment
    4.3.2 Likelihood
    4.3.3 Valuation of Information Assets
    4.3.4 Risk Determination
    4.3.5 Identify Possible Controls
    4.3.6 Access Controls
    4.3.7 Documenting the Results of Risk Assessment
  4.4 Risk Control Strategies
    4.4.1 Avoidance
    4.4.2 Implementing Avoidance
    4.4.3 Transference
    4.4.4 Mitigation
    4.4.5 Disaster Recovery Plan
    4.4.6 Acceptance
  4.5 Selecting a Risk Control Strategy
    4.5.1 Evaluation, Assessment, and Maintenance of Risk Controls
    4.5.2 Categories of Controls
    4.5.3 Feasibility Studies
    4.5.4 Other Feasibility Studies
  4.6 Risk Management Discussion Points
    4.6.1 Risk Appetite
    4.6.2 Residual Risk
  4.7 Documenting Results
  4.8 Recommended Practices in Controlling Risk
    4.8.1 Qualitative Measures
    4.8.2
5. Policies, Standards and Practices
  5.1 Information Security Policy, Standards, and Practices
    5.1.1
    5.1.2 Issue-Specific Security Policy (ISSP)
    5.1.3 Systems-Specific Security Policy (SysSP)
    5.1.4 Policy Management
    5.1.5 Information Classification
  5.2 The Information Security Blueprint
    5.2.1 ISO 17799/BS7799
    5.2.2 NIST Security Models
    5.2.3 IETF Security Architecture
    5.2.4 VISA International Security Model
    5.2.5 Baselining and Best Business Practices
    5.2.6 Hybrid Framework for a Blueprint of an Information Security System
    5.2.7 Design of Security Architecture
  5.3 Security Education, Training, and Awareness Program
    5.3.1 Security Education
    5.3.2 Security Training
    5.3.3 Security Awareness
  5.4 Continuity Strategies
    5.4.1 Business Impact Analysis
    5.4.2 Incident Response Planning
    5.4.3 Disaster Recovery Planning
    5.4.4 Business Continuity Planning
    5.4.5 Model for a Consolidated Contingency Plan
    5.4.6 Law Enforcement Involvement
6. Security Technology: Firewalls and VPNs
  6.1 Physical Design
  6.2 Firewalls
    6.2.1 Firewall Categorization Methods
    6.2.2 Firewall Architectures
    6.2.3 Selecting the Right Firewall
    6.2.4 Configuring and Managing Firewalls
    6.2.5 Content Filter
  6.3 Protecting Remote Connections
    6.3.1 Dial-Up
    6.3.2 Virtual Private Networks (VPNs)
7. Security Technology: Intrusion Detection, Access Control, and Other Security Tools
  7.1 Intrusion Detection Systems (IDSs)
    7.1.1 IDS Terminology
    7.1.2 Why Use IDS?
    7.1.3 Types of IDS and Detection Methods
    7.1.4 IDS Response Behavior
    7.1.5 Selecting IDS Approaches and Products
    7.1.6 Strengths and Limitations of IDS
    7.1.7 Deployment and Implementation of an IDS
    7.1.8 Measuring the Effectiveness of IDS
  7.2 Honey Pots, Honey Nets, and Padded Cell Systems
    7.2.1 Trap and Trace Systems
    7.2.2 Active Intrusion Prevention
  7.3 Scanning and Analysis Tools
    7.3.1 Port Scanners
    7.3.2 Firewall Analysis Tools
    7.3.3 Operating System Detection Tools
    7.3.4 Vulnerability Scanners
    7.3.5 Packet Sniffers
    7.3.6 Wireless Security Tools
  7.4 Access Control Devices
    7.4.1 Authentication
    7.4.2 Effectiveness of Biometrics
    7.4.3 Acceptability of Biometrics
8. Cryptography
  8.1 A Short History of Cryptography
  8.2 Principles of Cryptography
    8.2.1 Basic Encryption Definitions
    8.2.2 Cipher Methods
    8.2.3 Elements of Cryptosystems
    8.2.4 Encryption Key Size
    8.2.5 Conclusions Regarding the Principles of Cryptography
  8.3 Cryptography Tools
    8.3.1 Public Key Infrastructure (PKI)
    8.3.2 Digital Signatures
    8.3.3 Digital Certificates
    8.3.4 Hybrid Cryptography Systems
    8.3.5 Steganography
  8.4 Protocols for Secure Communications
    8.4.1 Securing Internet Communication with S-HTTP and SSL
    8.4.2 Securing E-mail with S/MIME, PEM, and PGP
    8.4.3 Securing Web Transactions with SET, SSL, and S-HTTP
    8.4.4 Securing TCP/IP with IPSec and PGP
  8.5 Attacks on Cryptosystems
    8.5.1 Man-in-the-Middle Attack
    8.5.2 Correlation Attacks
    8.5.3 Dictionary Attacks
    8.5.4 Timing Attacks
    8.5.5 Defending From Attacks
9. Physical Security
  9.1 Physical Access Controls
    9.1.1 Controls for Protecting the Secure Facility
  9.2 Fire Security and Safety
    9.2.1 Fire Detection and Response
  9.3 Failure of Supporting Utilities and Structural Collapse
    9.3.1 Heating, Ventilation, and Air Conditioning
    9.3.2 Power Management and Conditioning
    9.3.3 Water Problems
    9.3.4 Structural Collapse
    9.3.5 Maintenance of Facility Systems
  9.4 Interception of Data
  9.5
    9.5.1 Remote Computing Security
  9.6 Special Considerations for Physical Security Threats
    9.6.1 Inventory Management
10. Implementing Information Security
  10.1 Project Management for Information Security
    10.1.1 Developing the Project Plan
    10.1.2 Project Planning Considerations
    10.1.3 Scope Considerations
    10.1.4 The Need for Project Management
  10.2 Technical Topics of Implementation
    10.2.1 Conversion Strategies
    10.2.2 The Bull’s-Eye Model for Information Security Project Planning
    10.2.3 To Outsource or Not
    10.2.4 Technology Governance and Change Control
  10.3 Nontechnical Aspects of Implementation
    10.3.1 The Culture of Change Management
    10.3.2 Considerations for Organizational Change
11. Information Security Credentials, Security and Personnel
  11.1 Positioning and Staffing the Security Function
  11.2 Credentials of Information Security Professionals
    11.2.1 Certified Information Systems Security Professional (CISSP)
    11.2.2 Systems Security Certified Practitioner (SSCP)
    11.2.3 Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
    11.2.4 Global Information Assurance Certification (GIAC)
    11.2.5 Security Certified Professional (SCP)
    11.2.6 TruSecure ICSA Certified Security Associate (TICSA)
    11.2.7 Security+
    11.2.8 Certified Information Forensics Investigator
    11.2.9 Related Certifications
    11.2.10 Cost of Being Certified
    11.2.11 Advice for Information Security Professionals
  11.3 Employment Policies and Practices
    11.3.1 Job Descriptions
    11.3.2 Interviews
    11.3.3 Background Checks
    11.3.4 Employment Contracts
    11.3.5 New Hire Orientation
    11.3.6 On-the-Job Security Training
    11.3.7 Performance Evaluation
    11.3.8 Termination
  11.4 Security Considerations for Nonemployees
  11.5 Separation of Duties and Collusion
  11.6 Privacy and Security of Personnel Data
12. Maintaining Information Security
  12.1 Security Management Models
    12.1.1 The ISO Network Management Model
  12.2 The Maintenance Model
    12.2.1 Monitoring the External Environment
    12.2.2 Monitoring the Internal Environment
    12.2.3 Planning and Risk Assessment
    12.2.4 Vulnerability Assessment and Remediation
    12.2.5 Readiness and Review
Method of Instruction:
Lectures, discussion, presentation, hands-on lab practice.
Evaluation Methods:
The grade will be based on class attendance, participation, submission of the required written assignments, two examinations, and a comprehensive final examination.
· Participation, written assignments and labs 40%
· Examinations 30% (two at 15% each)
· Comprehensive final exam 30%
To receive a grade of “A”, the student must accumulate 90% to 100% of the points.
To receive a grade of “B”, the student must accumulate 80% to 89% of the points.
To receive a grade of “C”, the student must accumulate 70% to 79% of the points.
To receive a grade of “D”, the student must accumulate 60% to 69% of the points.
Any student who accumulates total scores of 59 or less will receive a grade of “F”.
A grade of “I” is awarded only when a student was doing satisfactory work but, for nonacademic reasons beyond his or her control, was unable to meet the full requirements of the course. All policies in the University Catalog will apply to a grade of I.
Please adhere to the following requirements, which may affect your grade: (I) regular and punctual class and lab attendance and participation; (II) submission of all written work on time; and (III) successful completion of the examinations.
Class Schedule:
| Date | Topic | Reading (pages) | Due Today |
| Aug 22 | Introductions, Security Fundamentals I | 1 - 19 | |
| Aug 24 | Security Fundamentals II | 20 - 32 | |
| Aug 29 | Business Needs, Threats, Attacks | 35 - 68 | |
| Aug 31 | Legal, Ethical & Professional Issues | 75 - 104 | Assignment 1 |
| Sep 5 | No Meeting – Labor Day | | |
| Sep 7 | Risk Management I | 109 - 131 | |
| Sep 12 | Risk Management II | 132 - 144 | Assignment 2 |
| Sep 14 | Risk Management III | 145 - 165 | |
| Sep 19 | Risk Management IV | | |
| Sep 21 | Policies, Standards and Practices | 171 - 185 | Assignment 3 |
| Sep 26 | Information Security Blueprint | 186 - 205 | |
| Sep 28 | Continuity Strategies I | 206 - 233 | |
| Oct 3 | Examination 1 | | |
| Oct 5 | Firewalls and VPNs I | 239 - 260 | |
| Oct 10 | Firewalls and VPNs II | 260 - 276 | Assignment 4 |
| Oct 12 | Intrusion Detection Systems | 281 - 319 | |
| | October 13 is the last day to withdraw with a grade of W. | | |
| Oct 17 | Scanning and Analysis, Access Control | 320 - 336 | Assignment 5 |
| Oct 19 | Lab Day | 341 - 365 | |
| Oct 24 | Cryptography I | 341 - 365 | |
| Oct 26 | Cryptography II | 366 - 385 | |
| Oct 31 | Cryptography III | | |
| Nov 2 | Examination 2 | | |
| Nov 7 | Physical Access, Fire Safety | 389 - 407 | |
| Nov 9 | Other Physical Security | 408 - 421 | Assignment 6 |
| Nov 14 | Implementing Information Security I | 427 - 447 | |
| Nov 16 | Information Security Credentials | 451 - 471 | Assignment 7 |
| Nov 21 | Employment Practices | 472 - 482 | |
| Nov 23 | No Meeting – Thanksgiving | | |
| Nov 28 | Information Security Maintenance I | 489 - 500 | |
| Nov 30 | Information Security Maintenance II | 501 - 527 | Assignment 8 |
| Dec 5 | Information Security Maintenance III | | |