MIS755, Information System Security Management
Spring 2016
San Diego State University
College of Business Administration
Department of Management Information Systems

COURSE INFORMATION

Class Days: Tuesday
Class Times: 1900-2140
Class Location: EBA260
Office Hours Times: T/W 1500-1800 (and by appointment)
Office Hours Location: SS3206
Units: 3

Course Overview

The objective of this course is to prepare you to identify information security threats and solutions for an organization and/or a system. To do this we will cover in detail information security management, threat analysis, risk management, attack methods, security models, application security methods, network security methods, physical security, access control, and cryptography. Due to issues associated with security, we will not be able to practice many of the techniques and methods discussed in class.

Program Learning Goals

MSIS students will graduate being able to:
- Design and use technology-supported solutions to improve decision making and create value
- Create value through the development of data, information or knowledge (DIK) strategies and the management of processes and projects
- Demonstrate business professional skills

MIS755 contributes to these goals through its student learning outcomes:

Explain and describe the various components of security management.
- Discuss how security planning is used to manage security
- Discuss how policies are used to implement security plans
- Describe the various threats to information systems
- Describe how a threat analysis and risk assessment is performed
- Discuss risk mitigation strategies
- Perform a threat analysis and risk assessment for a specified organization

Identify and explain security models and architectures.
- Describe the NSTISSC security model
- Describe and apply the concept of multi-level or defense-in-depth security design
- Describe the CIA triangle
- Describe the trusted system model
- Describe the DoD security model
- Describe the DMZ concept for Internet security

Describe the various security technologies and methodologies.
- Describe application and database security technologies and methodologies
- Describe access control technologies
- Describe encryption methodologies
- Describe physical security technologies
- Describe network security technologies and methodologies

Enrollment Information

There are no prerequisites. Adding/dropping is through the web portal; however, due to the large number on the wait list, students missing the first class session and not present at the start of the second class session will be dropped.

Course Materials

Management of Information Security, 4th edition, Whitman and Mattord, Cengage Learning, 2014.
Applied Information Security: A Hands-on Guide to Information Security Software, 2nd edition, Boyle and Proudfoot, Prentice Hall, 2014.
Additional course materials will be posted on Blackboard.

Course Structure and Conduct

MIS755 is a combination seminar- and lecture-based course. Students are expected to be prepared for class and to contribute to class discussions. Class nights are broken into three sections:

The first part of the class will be dedicated to Security in the News. This section is to make students aware of how widespread and common security issues are in everyday activities. Students are expected to watch the media and bring in examples of security issues. Discussion will focus on why the example is an issue, what it affects, how effective/risky it is, and any new threats the security issue raises.

The second portion of the class is dedicated to answering questions on the assigned reading. Lectures/discussions will not focus on going over the reading assignments.
Students are expected to read assignments prior to class and come prepared to use the readings to support class discussion. This portion of the class is for students to ask questions about portions of the readings they do not understand or want clarification on.

The third portion of the class is dedicated to the topic of the night. The topic of the night will be some aspect of the reading material that the instructor feels needs expanding. This may be specific issues, applications, or related topics not covered by the readings.

Finally, the course does have a self-directed lab component.

Other course policies:

Students are expected to be prepared to discuss the assigned readings and to attend class. It is understood that there may be occasions when you will have to miss class; on these occasions I request that you send me an email letting me know prior to class. Should it be necessary that you miss class on the night an assignment is due or an exam or presentation is scheduled, I request notification prior to the absence so that exams/presentations can be rescheduled. I will accept assignments via email on the due date as long as a hard copy is submitted at the next class the student attends.

Excessive absences (more than 4), a lack of participation, excessive unrelated conversation, or excessive use of computers for non-class work will result in a 5% grade deduction. What counts as excessive will be my judgment, but students will be warned and given an opportunity to improve before the deduction is assessed.

Cheating is defined as the effort to give or receive help on any graded work in this class without permission from the instructor, or to submit alterations to graded work for re-grading. Any student who is caught cheating receives an F for the class, will be reported to Judicial Procedures, and will be recommended for removal from the College of Business.

A 10% penalty will be assigned for late assignments. No assignment will be accepted if over 2 weeks late.
All turned-in work needs to be typed, have a cover page, and be single-spaced. Be sure to include your name, the class, and what the turned-in work is on the cover sheet.

Students with Disabilities

If you are a student with a disability and believe you will need accommodations for this class, it is your responsibility to contact Student Disability Services at (619) 594-6473. To avoid any delay in the receipt of your accommodations, you should contact Student Disability Services as soon as possible. Please note that accommodations are not retroactive, and that accommodations based upon disability cannot be provided until you have presented your instructor with an accommodation letter from Student Disability Services. Your cooperation is appreciated.

Academic Honesty

The University adheres to a strict policy regarding cheating and plagiarism. These activities will not be tolerated in this class. Become familiar with the policy (http://www.sa.sdsu.edu/srr/conduct1.html). Any cheating or plagiarism will result in

Plagiarism will not be tolerated, and rampant or repeated plagiarism will be treated as cheating. Plagiarism is claiming others' work as your own. This can be done by not properly citing or referencing others' work in your papers, copying others' work into your own (even if cited and referenced), and/or copying others' work into your own without citing or referencing the source. Citation and referencing errors will result in grade deductions for the first offense; repeated offenses will result in reduction by a full grade on the assignment, an F for the assignment, or an F for the class, depending upon the severity and intent of the offense.
Examples of plagiarism include but are not limited to:
- Using sources verbatim or paraphrasing without giving proper attribution (this can include phrases, sentences, paragraphs and/or pages of work)
- Copying and pasting work from an online or offline source directly and calling it your own
- Using information you find from an online or offline source without giving the author credit
- Replacing words or phrases from another source and inserting your own words or phrases
- Submitting a piece of work you did for one class to another class

If you have questions on what is plagiarism, please consult the policy and this helpful guide from the Library.

Turnitin

Students agree that by taking this course all required papers may be subject to submission for textual similarity review to Turnitin.com for the detection of plagiarism. All submitted papers will be included as source documents in the Turnitin.com reference database solely for the purpose of detecting plagiarism of such papers. You may submit your papers in such a way that no identifying information about you is included. Another option is that you may request, in writing, that your papers not be submitted to Turnitin.com. However, if you choose this option you will be required to provide documentation to substantiate that the papers are your original work and do not include any plagiarized material.

Assessments and Grading

Course grades will be assigned in accordance with San Diego State University policy (see Graduate Bulletin, pp. 62-64). Graduate grades shall be: A (outstanding achievement, available for the highest accomplishment), B (average, awarded for satisfactory performance), C (minimally passing), D (unacceptable for graduate credit, course must be repeated), F (failing).

Table 1. Your course grade will be based on the following weighted components.

Component                   Weight
Exercise Portfolio          40
Personal Risk Assessment    25
Group Audit Project         25
Class Participation         10

Assignment Descriptions:

A portfolio of ten exercises. Each student is expected to do one exercise from each of 10 chapters of the students' choice from Boyle's Applied Information Security text or from a list to be provided by the instructor. The student will write a short 2-5 page paper describing what was done, what the outcome was for each exercise (include any generated printouts, etc.), what was learned, and how it fits into the class. Additionally the student will answer the thought questions associated with each exercise. The portfolio is due on 3/1 (but one individual exercise can be turned in any time before then for review) and is worth 40 points.

Question: what did you do? Provide a description of what you did. I know you probably followed the directions provided, so don't do a step-by-step account of the directions. What I am really interested in are the actual data manipulations and actions you performed, any problems you encountered, what you did to overcome them, and any insights you gained about the technology. Finally, the better/clearer/more insightful your write-up is, the better it scores.

Question: what were the results? Provide any printouts produced and answer the thought questions. To improve the score on this section you should also explain what the printouts and questions mean. What are the implications for security? Remember that I value the journey, so take the time to tell me the story and determine the value of your printouts and answers.

Question: what did you learn? I can't tell you what you learned. What I will say is that I reward insight. Insights are aha moments (a term in use long before Oprah wanted to copyright it).
If you see new ways of doing things, new insights into your thought processes, potential future applications (be they personal or work related), or crossovers to other topics, these are what I reward, more than just telling me you learned lots. I expect you to learn lots, but it isn't until you explain where and what that I see that you really did. OK, so sometimes you don't learn much. I'll still grade this area high if you tell me why, what you know, how this works with what you've done in the past, etc. Sometimes when you start doing this you see that what you've learned is reinforcing what you've done, and sometimes you even have small aha moments. The bottom line is to be reflective: think a few minutes or overnight about what you've done and how it fits into your nomological net (your personal knowledge base structure, those theories and beliefs that guide how you evaluate and use knowledge). Then write the section; when I see this done I always score the section higher.

Question: how does it relate to the material that was covered in the class? As a minimum, discuss specific topics that relate to what we've done and at least mention the obvious ones. Be specific; cite the section/chapter/reading it comes from. Also cite the topics/presentations that relate. The top scores come from also citing articles from the suggested readings and outside readings.

An optional exam, consisting of 50 multiple-choice questions based on the CISSP certification exam, can be taken in lieu of 5 exercises. The CISSP exam is a broad-based exam focusing on key concepts from the 10 security knowledge domains. The exam is worth 20 of the 40 exercise portfolio points. The exam will be posted on 2/23 and should be included in the exercise portfolio due 3/1.

A business impact analysis/vulnerability/risk assessment.
Each student will either analyze themselves or select an organization and (with their permission) perform a vulnerability/risk assessment for operating security and a business impact analysis for business continuity. A report along with supporting matrices will be generated documenting the findings of the assessment and is due on 3/22. This assignment is worth 25 points.

A security plan audit/analysis (team project) with presentation. The team will select a company (one that is willing) and analyze their security plan with respect to material covered in the class. Recommendations are to be generated for improving the plan. Should the company not have a security plan, the team will generate one. A presentation of the findings will be given on 5/3, and the report documenting the findings is due on 5/10. This assignment is worth 25 points.

Class participation is worth 10 points. Participation is not just showing up to class. Participation is active interaction in discussions: asking questions, answering questions, providing context and opinion. Students who only attend class and do not participate in discussion will earn no better than an 8 for participation; students who actively engage in class discussions and attend consistently will earn scores above 8 depending on their level of participation. If students are not good at talking in class, participation points can be earned by conducting email/online discussions with me and/or by coming to my office. Finally, part of the participation grade will be determined based on a team participation evaluation conducted the night of the team presentations.

Note that in instances where students have special experience or needs, the assignments can be modified to fit those experiences and needs with the consent of the instructor.

Grade of Incomplete
A grade of Incomplete (I) indicates that a portion of required coursework has not been completed and evaluated in the prescribed time period due to unforeseen, but fully justified, reasons and that there is still a possibility of earning credit. It is your responsibility to bring pertinent information to the instructor and to reach agreement on the means by which the remaining course requirements will be satisfied. The conditions for removal of the Incomplete shall be reduced to writing by the instructor and given to you with a copy placed on file with the department chair until the Incomplete is removed or the time limit for removal has passed. A final grade is assigned when the work agreed upon has been completed and evaluated. An Incomplete shall not be assigned when the only way you could make up the work would be to attend a major portion of the class when it is next offered. Contract forms for Incomplete grades are available at the Office of the Registrar website.

Tentative Course Schedule

Table 2. The course schedule, including topics and class activities listed by week, is presented in the following table.

Week  Date         Topics                                    Activities/Readings
1     January 26   Introduction/The Need for Security        Ch 1
2     February 2   Planning for Security                     Ch 2
3     February 9   Planning for Contingencies                Ch 3
4     February 16  Information Security Policy/Program       Ch 4, 5
5     February 23  Security Management Models and Practices  Ch 6/7
6     March 1      Identifying and Assessing Risk            Ch 8; Exercise Portfolio Turn In
7     March 8      Controlling Risk                          Ch 9
8     March 15     Controlling Risk                          Ch 9
9     March 22     Auditing                                  Risk Assessment Turn In
10    March 29     Spring Break                              none
11    April 5      Protection Mechanisms                     Ch 10
12    April 12     Protection Mechanisms                     Ch 10
13    April 19     Physical Security                         none
14    April 26     Security Personnel/Legal Issues           Ch 11, 12
15    May 3        Team Presentations                        none
16    May 10                                                 Final Project Turn In

Changes to the course schedule, if any, will be announced in class.