Spring 2013 Syllabus MIS755, Information System Security Management Course Information

Spring 2013 Syllabus MIS755, Information System Security Management
Course Information
Room: GMCS 310
Time: Tuesday 1900 – 2140
Professor: Dr. Murray E. Jennex, P.E., CISSP, CSSLP, PMP
Office: SS3206
Phone: 619/594-3734
Email: murphjen@aol.com OR mjennex@mail.sdsu.edu
Office Hours:
Monday: 1500-1600; Tuesday: 1500 – 1800 or by appointment
Instant Message Office Hours: whenever online (be sure to identify yourself immediately
so I don’t ignore you)
Computer Security Principles and Practice, 2nd edition, Stallings and Brown, Prentice
Hall/Pearson, 2012.
Applied Information Security: A Hands-on Guide to Information Security Software,
Boyle, Prentice Hall, 2010
Schneier On Security, Schneier / Halsted Press, 2008
Additional course materials will be posted on Blackboard.
Course Design
MIS755 is a combination seminar and lecture based course. Students are expected to be
prepared for class and to contribute to class discussions. Class nights are broken into
three sections:
The first part of the class will be dedicated to Security in the news. This section is to
make students aware of how widespread and common Security issues are in everyday
activities. Students are expected to watch the media and bring in examples of security
issues. Discussion will focus on why the example is an issue, what it affects, how
effective/risky it is, and any new threats the Security issue raises.
The second portion of the class is dedicated to answering questions on the assigned
reading. Lecture/discussions will not focus on going over the reading assignments.
Students are expected to read assignments prior to class and come prepared to use the
readings to support class discussion. This portion of the class is for students to ask
questions about portions of the readings they do not understand or want clarification on.
The third portion of the class is dedicated to the topic of the night. The topic of the night
will be some aspect of the reading material that the instructor feels needs expanding.
This may be specific issues, applications, or related topics not covered by the readings.
Finally, the course does have a self based lab component.
Course Goals/Purpose
The objective of this course is to prepare you to identify information security threats and
solutions for an organization and/or a system. To do this we will cover in detail
information security management, threat analysis, risk management, attack methods,
security models, application security methods, network security methods, physical
security, access control, and cryptography. Due to issues associated with security, we
will not be able to practice many of the techniques and methods discussed in class.
Course Objectives/Learning Outcomes
At the end of the course the student will have accomplished the following objectives:
Explain and describe the various components of security management.
Discuss how security planning is used to manage security
Discuss how policies are used to implement security plans
Describe the various threats to information systems
Describe how a threat analysis and risk assessment is performed
Discuss risk mitigation strategies
Perform a threat analysis and risk assessment for a specified organization
Identify and explain security models and architectures.
Describe the NSTISSC security model
Describe and apply the concept of multi level or defense in depth security design
Describe the CIA triangle
Describe the trusted system model
Describe the DoD security model
Describe the DMZ concept for Internet security
Describe the various security technologies and methodologies.
Describe application and database security technologies and methodologies
Describe access control technologies
Describe encryption methodologies
Describe physical security technologies
Describe network security technologies and methodologies
Course Polices
Students are expected to be prepared to discuss the assigned readings and to attend class.
It is understood that there may be occasions when you will have to miss class, on these
occasions I request you send me an email letting me know prior to class. Should it be
necessary that you miss class on the night an assignment is due or the exam or
presentation is scheduled I request notification prior to the absence so that
exams/presentations can be rescheduled. I will accept assignments via email on the due
date as long as a hard copy is submitted at the next class the student is at.
Excessive absences, more than 4, or a lack of participation, or excessive unrelated
conversation, or excessive use of computers for non class work will result in a 5% grade
deduction. Excessive will be in my opinion but students will be warned and given an
opportunity to improve before the deduction will be assessed.
Cheating will be defined as the effort to give or receive help on any graded work in this
class without permission from the instructor, or to submit alterations to graded work for
re-grading. Any student who is caught cheating receives an F for the class, will be
reported to Judicial Procedures, and be recommended for removal from the College of
Plagiarism will not be tolerated and rampant or repeated plagiarism will be treated as
cheating. Plagiarism is claiming other’s work for your own. This can be done by not
properly citing or referencing other’s work in your papers, copying other’s work into
your own (even if cited and referenced), and/or copying other’s work into your own
without citing or referencing the source. Citation and referencing errors will result in
grade deductions for the first offense, repeated offenses will result in reduction by a full
grade on the assignment, an F for the assignment, or an F for the class depending upon
the severity and intent of the offense.
A 10% penalty will be assigned for late assignments. No assignment will be accepted if
over 2 weeks late.
All turn in work needs to be typed, have a cover page, and be double-spaced. Be sure to
include your name, the class, and what the turn in work is on the cover sheet.
Course assessment will be based on three assignments (see below). Grading will be
based 75% on content, 15% on organization, formatting, citations, etc., and 10% on
grammar. The grading scale is:
Assignment Descriptions:
A security plan analysis (team project) with presentation. The team will select a
company (one that is willing) and analyze their security plan with respect to material
covered in the class. Recommendations are to be generated for improving the plan.
Should the company not have a security plan the team will generate one. A report
documenting the findings and a presentation of the findings will be presented on 5/7 and
is due on 5/14. This assignment is worth 25 points.
A portfolio of ten exercises. Each student is expected to do one exercise from each of 10
chapters of the students’ choice from Boyle’s Applied Information Security text or from a
list to be provided by the instructor. The student will write a short 2-3 page paper
describing what was done, what was the outcome for each exercise (include any
generated printouts, etc.), what was learned, and how it fits into the class. The portfolio
is due on 3/12 (but individual exercises can be turned in any time before then) and is
worth 40 points.
A business impact analysis/vulnerability/risk assessment. Each student will either
analyze themselves or select an organization and (with their permission) perform a
vulnerability/risk assessment for operating security and a business impact analysis for
business continuity. A report along with supporting matrices will be generated
documenting the findings of the assessment and is due on 4/16. This assignment is worth
25 points.
An optional exam, consisting of 50 multiple-choice questions based on the CISSP
certification exam can be taken in lieu of 5 exercises. The CISSP exam is a broad-based
exam focusing on key concepts from the 10 security knowledge domains. The exam is
worth 20 of the 40 exercise portfolio points. The exam will be posted on 3/5 and should
be included in the exercise portfolio due 3/12.
Class participation is worth 10 points. Participation is not just showing up to class.
Participation is active interaction in discussions, asking questions, answering questions,
providing context and opinion. Students who only attend class and do not participate in
discussion will earn no better than an 8 for participation, students who actively engage in
class discussions and attend consistently will earn scores above 8 depending on their
level of participation.
Note that in instances where students have special experience or needs the assignments
can be modified to fit those experiences and needs with the consent of the instructor.
Reading Assignments
Reading are from the text
Ch 1
Ch 2, 20-24
Ch 3/4
Ch 5
Ch 6/7/10
Ch 8/9
Ch 11/12/
Ch 13
Ch 14
Ch 15
Ch 18/19
Ch 16/17
Introduction/The Need for Security
Security Basic Approach
Authentication/Access Control
Database Security
Intrusion Detection/ Firewalls
Application Security/Secure Program
Security Models/catch up
Risk Assessment
Spring Break
Risk Management
Security Planning
Security Auditing, Legal Issues
Physical Security
Team Presentations
Final Week – Turn in Project
Exercise Portfolio
Risk Management Assignment
Team Audit Report