Summer 2014 Syllabus MIS755, Information System Security Management
Course Information
Room: EBA247
Time: Tuesday 1900 – 2140
Professor: Dr. Murray E. Jennex, P.E., CISSP, CSSLP, PMP
Office: SS3206
Phone: 619/594-3734
Email: murphjen@aol.com OR mjennex@mail.sdsu.edu
Office Hours:
Monday-Thursday: 1700-1800; or by appointment
Instant Message Office Hours: whenever online (be sure to identify yourself immediately
so I don’t ignore you)
Book:
Management of Information Security, 4th edition, Whitman and Mattord, Cengage
Learning, 2014.
Applied Information Security: A Hands-on Guide to Information Security Software 2nd
edition, Boyle and Proudfoot, Prentice Hall, 2014
Additional course materials will be posted on Blackboard.
Course Design
MIS755 is a combination seminar- and lecture-based course. Students are expected to be
prepared for class and to contribute to class discussions. Class nights are broken into
three sections:
The first part of the class will be dedicated to Security in the news. This section is to
make students aware of how widespread and common Security issues are in everyday
activities. Students are expected to watch the media and bring in examples of security
issues. Discussion will focus on why the example is an issue, what it affects, how
effective/risky it is, and any new threats the Security issue raises.
The second portion of the class is dedicated to answering questions on the assigned
reading. Lecture/discussions will not focus on going over the reading assignments.
Students are expected to read assignments prior to class and come prepared to use the
readings to support class discussion. This portion of the class is for students to ask
questions about portions of the readings they do not understand or want clarification on.
The third portion of the class is dedicated to the topic of the night. The topic of the night
will be some aspect of the reading material that the instructor feels needs expanding.
This may be specific issues, applications, or related topics not covered by the readings.
Finally, the course does have a self-paced lab component.
Course Goals/Purpose
The objective of this course is to prepare you to identify information security threats and
solutions for an organization and/or a system. To do this we will cover in detail
information security management, threat analysis, risk management, attack methods,
security models, application security methods, network security methods, physical
security, access control, and cryptography. Due to issues associated with security, we
will not be able to practice many of the techniques and methods discussed in class.
Course Objectives/Learning Outcomes
At the end of the course the student will have accomplished the following objectives:
1. Explain and describe the various components of security management.
   - Discuss how security planning is used to manage security
   - Discuss how policies are used to implement security plans
   - Describe the various threats to information systems
   - Describe how a threat analysis and risk assessment is performed
   - Discuss risk mitigation strategies
   - Perform a threat analysis and risk assessment for a specified organization
2. Identify and explain security models and architectures.
   - Describe the NSTISSC security model
   - Describe and apply the concept of multi-level or defense-in-depth security design
   - Describe the CIA triangle
   - Describe the trusted system model
   - Describe the DoD security model
   - Describe the DMZ concept for Internet security
3. Describe the various security technologies and methodologies.
   - Describe application and database security technologies and methodologies
   - Describe access control technologies
   - Describe encryption methodologies
   - Describe physical security technologies
   - Describe network security technologies and methodologies
Course Policies
Students are expected to be prepared to discuss the assigned readings and to attend class.
It is understood that there may be occasions when you will have to miss class; on these
occasions I request that you send me an email letting me know prior to class. Should it be
necessary that you miss class on the night an assignment is due or the exam or
presentation is scheduled, I request notification prior to the absence so that
exams/presentations can be rescheduled. I will accept assignments via email on the due
date as long as a hard copy is submitted at the next class the student attends.
Excessive absences (more than 4), a lack of participation, excessive unrelated
conversation, or excessive use of computers for non-class work will result in a 5% grade
deduction. What counts as excessive is at my discretion, but students will be warned and given an
opportunity to improve before the deduction is assessed.
Cheating will be defined as the effort to give or receive help on any graded work in this
class without permission from the instructor, or to submit alterations to graded work for
re-grading. Any student who is caught cheating receives an F for the class, will be
reported to Judicial Procedures, and be recommended for removal from the College of
Business.
Plagiarism will not be tolerated, and rampant or repeated plagiarism will be treated as
cheating. Plagiarism is claiming others’ work as your own. This can be done by not
properly citing or referencing others’ work in your papers, copying others’ work into
your own (even if cited and referenced), and/or copying others’ work into your own
without citing or referencing the source. Citation and referencing errors will result in
grade deductions for the first offense; repeated offenses will result in reduction by a full
grade on the assignment, an F for the assignment, or an F for the class depending upon
the severity and intent of the offense.
A 10% penalty will be assigned for late assignments. No assignment will be accepted if
over 2 weeks late.
All turned-in work needs to be typed and have a cover page. I like the use of headings and
organization. Be sure to include your name, the class, and what the turned-in work is on the
cover sheet.
Assessment
Course assessment will be based on three assignments (see below). Grading will be
based 75% on content, 15% on organization, formatting, citations, etc., and 10% on
grammar. The grading scale is:
Grade    Range
A        >= 94%
A-       >= 90%
B+       >  87.5%
B        >= 83%
B-       >= 80%
C+       >  77.5%
C        >= 73%
C-       >= 70%
other    <  70%
Assignment Descriptions:
A security plan analysis (team project) with presentation. The team will select a
company (one that is willing) and analyze their security plan with respect to material
covered in the class. Recommendations are to be generated for improving the plan.
Should the company not have a security plan the team will generate one. A report
documenting the findings and a presentation of the findings will be presented and is due
on 7/2. This assignment is worth 25 points.
A portfolio of ten exercises. Each student is expected to do one exercise from each of 10
chapters of the students’ choice from Boyle’s Applied Information Security text or from a
list to be provided by the instructor. The student will write a short 2-3 page paper
describing what was done, what was the outcome for each exercise (include any
generated printouts, etc.), what was learned, and how it fits into the class. The portfolio
is due on 6/11 (but individual exercises can be turned in any time before then) and is
worth 40 points.
A business impact analysis/vulnerability/risk assessment. Each student will either
analyze themselves or select an organization and (with their permission) perform a
vulnerability/risk assessment for operating security and a business impact analysis for
business continuity. A report along with supporting matrices will be generated
documenting the findings of the assessment and is due on 6/23. This assignment is worth
25 points.
An optional exam, consisting of 50 multiple-choice questions based on the CISSP
certification exam can be taken in lieu of 5 exercises. The CISSP exam is a broad-based
exam focusing on key concepts from the 10 security knowledge domains. The exam is
worth 20 of the 40 exercise portfolio points. The exam will be posted on 6/4 and should
be included in the exercise portfolio due 6/11.
Class participation is worth 10 points. Participation is not just showing up to class.
Participation is active interaction in discussions, asking questions, answering questions,
and providing context and opinion. Students who only attend class and do not participate in
discussion will earn no better than an 8 for participation; students who actively engage in
class discussions and attend consistently will earn scores above 8 depending on their
level of participation.
Note that in instances where students have special experience or needs the assignments
can be modified to fit those experiences and needs with the consent of the instructor.
Reading Assignments
Readings are from the text.

Date    Reading     Topic                                        Assignments
5/21    Ch 1        Introduction/The Need for Security
5/26    None        Memorial Day – No Class
5/28    Ch 2        Planning for Security
6/2     Ch 3        Planning for Contingencies
6/4     Ch 4, 5     Information Security Policy/Program
6/9     Ch 6, 7     Security Management Models and Practices
6/11    Ch 8        Identifying and Assessing Risk               Exercise Portfolio
6/16    Ch 9        Controlling Risk
6/18    Blackboard  Physical Security/Auditing
6/23    Ch 10       Protection Mechanisms                        Risk Management Assignment
6/25    none        Protection Mechanisms
6/30    Ch 11, 12   Security Personnel/Legal Issues
7/2     none        Team Presentations                           Audit Project Turn In