MIS755, Information System Security Management

advertisement
MIS755, Information System Security Management
Spring 2016
San Diego State University
College of Business Administration
Department of Management Information Systems
COURSE INFORMATION
Class Days: Tuesday
Class Times: 1900-2140
Class Location: EBA260
Office Hours Times T/W 1500-1800 (and by appointment):
Office Hours Location: SS3206
Units: 3
Course Overview
The objective of this course is to prepare you to identify information security threats and solutions for an organization and/or a
system. To do this we will cover in detail information security management, threat analysis, risk management, attack methods,
security models, application security methods, network security methods, physical security, access control, and cryptography.
Due to issues associated with security, we will not be able to practice many of the techniques and methods discussed in class.
Program Learning Goals
MSIS students will graduate being able to:

Design and use technology-supported solutions to improve decision making and create value

Create value through the development of data, information or knowledge (DIK) strategies and the management of
processes and projects

Demonstrate business professional skills
MIS755 contributes to these goals through its student learning outcomes . . .
Explain and describe the various components of security management.
Discuss how security planning is used to manage security
Discuss how policies are used to implement security plans
Describe the various threats to information systems
Describe how a threat analysis and risk assessment is performed
Discuss risk mitigation strategies
Perform a threat analysis and risk assessment for a specified organization
Identify and explain security models and architectures.
Describe the NSTISSC security model
Describe and apply the concept of multi level or defense in depth security design
Describe the CIA triangle
Describe the trusted system model
Describe the DoD security model
Describe the DMZ concept for Internet security
Describe the various security technologies and methodologies.
Describe application and database security technologies and methodologies
Describe access control technologies
Describe encryption methodologies
Describe physical security technologies
Describe network security technologies and methodologies
Enrollment Information

There are no prerequisites

Adding/Dropping is through web portal although due to the large number on the wait list, students missing the first
class session and who are not present at the start of the second class session will be dropped.
Course Materials
Management of Information Security, 4th edition, Whitman and Mattord, Cengage Learning, 2014.
Applied Information Security: A Hands-on Guide to Information Security Software 2nd edition, Boyle and Proudfoot, Prentice
Hall, 2014
Additional course materials will be posted on Blackboard..
Course Structure and Conduct
MIS755 is a combination seminar and lecture based course. Students are expected to be prepared for class and to contribute
to class discussions. Class nights are broken into three sections:
The first part of the class will be dedicated to Security in the news. This section is to make students aware of how widespread
and common Security issues are in everyday activities. Students are expected to watch the media and bring in examples of
security issues. Discussion will focus on why the example is an issue, what it affects, how effective/risky it is, and any new
threats the Security issue raises.
The second portion of the class is dedicated to answering questions on the assigned reading. Lecture/discussions will not focus
on going over the reading assignments. Students are expected to read assignments prior to class and come prepared to use the
readings to support class discussion. This portion of the class is for students to ask questions about portions of the readings
they do not understand or want clarification on.
The third portion of the class is dedicated to the topic of the night. The topic of the night will be some aspect of the reading
material that the instructor feels needs expanding. This may be specific issues, applications, or related topics not covered by
the readings.
Finally, the course does have a self-directed lab component.
Other course policies:
Students are expected to be prepared to discuss the assigned readings and to attend class. It is understood that there may be
occasions when you will have to miss class, on these occasions I request you send me an email letting me know prior to class.
Should it be necessary that you miss class on the night an assignment is due or the exam or presentation is scheduled I request
notification prior to the absence so that exams/presentations can be rescheduled. I will accept assignments via email on the
due date as long as a hard copy is submitted at the next class the student is at.
Excessive absences, more than 4, or a lack of participation, or excessive unrelated conversation, or excessive use of computers
for non class work will result in a 5% grade deduction. Excessive will be in my opinion but students will be warned and given an
opportunity to improve before the deduction will be assessed.
Cheating is defined as the effort to give or receive help on any graded work in this class without permission from the instructor,
or to submit alterations to graded work for re-grading. Any student who is caught cheating receives an F for the class, will be
reported to Judicial Procedures, and be recommended for removal from the College of Business.
A 10% penalty will be assigned for late assignments. No assignment will be accepted if over 2 weeks late.
All turn in work needs to be typed, have a cover page, and be single-spaced. Be sure to include your name, the class, and what
the turn in work is on the cover sheet.
Students with Disabilities
If you are a student with a disability and believe you will need accommodations for this class, it is your responsibility to contact
Student Disability Services at (619) 594-6473. To avoid any delay in the receipt of your accommodations, you should contact
Student Disability Services as soon as possible. Please note that accommodations are not retroactive, and that accommodations
based upon disability cannot be provided until you have presented your instructor with an accommodation letter from Student
Disability Services. Your cooperation is appreciated.
Academic Honesty
The University adheres to a strict policy regarding cheating and plagiarism. These activities will not be tolerated in this class.
Become familiar with the policy (http://www.sa.sdsu.edu/srr/conduct1.html). Any cheating or plagiarism will result in
Plagiarism will not be tolerated and rampant or repeated plagiarism will be treated as cheating. Plagiarism is claiming other’s
work for your own. This can be done by not properly citing or referencing other’s work in your papers, copying other’s work
into your own (even if cited and referenced), and/or copying other’s work into your own without citing or referencing the
source. Citation and referencing errors will result in grade deductions for the first offense, repeated offenses will result in
reduction by a full grade on the assignment, an F for the assignment, or an F for the class depending upon the severity and
intent of the offense.
Examples of Plagiarism include but are not limited to:

Using sources verbatim or paraphrasing without giving proper attribution (this can include phrases, sentences,
paragraphs and/or pages of work)

Copying and pasting work from an online or offline source directly and calling it your own

Using information you find from an online or offline source without giving the author credit

Replacing words or phrases from another source and inserting your own words or phrases

Submitting a piece of work you did for one class to another class
If you have questions on what is plagiarism, please consult the policy and this helpful guide from the Library
Turnitin
Students agree that by taking this course all required papers may be subject to submission for textual similarity review to
Turnitin.com for the detection of plagiarism. All submitted papers will be included as source documents in the Turnitin.com
reference database solely for the purpose of detecting plagiarism of such papers. You may submit your papers in such a way
that no identifying information about you is included. Another option is that you may request, in writing, that your papers not
be submitted to Turnitin.com. However, if you choose this option you will be required to provide documentation to
substantiate that the papers are your original work and do not include any plagiarized material.
Assessments and Grading
Course grades will be assigned in accordance with San Diego State University policy (see Graduate Bulletin, pp. 62-64).
Graduate grades shall be: A (outstanding achievement, available for the highest accomplishment), B (average, awarded for
satisfactory performance), C (minimally passing), D (unacceptable for graduate credit, course must be repeated), F (failing).
Table 1. Your course grade will be based on the following weighted components
Component
Weight
Exercise Portfolio
40
Personal Risk Assessment
25
Group Audit Project
25
Class Participation
10
Assignment Descriptions:
A portfolio of ten exercises. Each student is expected to do one exercise from each of 10 chapters of the students’ choice from
Boyle’s Applied Information Security text or from a list to be provided by the instructor. The student will write a short 2-5 page
paper describing what was done, what was the outcome for each exercise (include any generated printouts, etc.), what was
learned, and how it fits into the class. Additionally the student will answer the thought questions associated with each exercise.
The portfolio is due on 3/1 (but one individual exercise can be turned in any time before then for review) and is worth 40
points.

Question: what did you do? - Provide a description of what you did. I know you probably followed the directions
provided so don’t do a step by step account of the directions. What I am really interested in are the actual data
manipulations and actions you performed, any problems you encountered, what you did to overcome them, and any
insights you learned about the technology. Finally, the better/clearer/insightful your write up is the better it scores.

Question: what were the results? - Provide any printouts produced and answer the thought questions. To improve
the score on this section you should also explain what the printouts and questions mean. What are the implications
for security? Remember that I value the journey, so take the time to tell me the story and determine the value of your
printouts and answers.

Question: what did you learn - I can't tell you what you learned. What I will say is that I reward insight. Insights are
aha moments (a term in use long before Oprah wanted to copyright it). If you see new ways of doing things, new
insights to your thought processes, potential future applications be they personal or work related, crossovers to other
topics, these are what I reward more than just telling me you learned lots. I expect you to learn lots but it isn't untill
you explain where and what that I see that you really did. Ok, so sometimes you don't learn much. I'll still grade this
area high if you tell me why, what you know, how this works on what you've done in the past, etc. Sometimes when
you start doing this you see that what you've learned is reinforcing what you've done and sometimes you even have
small aha moments. Bottom line is to be reflective, think a few minutes or overnight about what you've done and
how it fits into your nomological net (your personal set of knowledge base structure, those theories and beliefs that
guide how you evaluate and use knowledge). Then write the section, when I see this done I always score the section
higher.

Question: how does it relate to the material that was covered in the class? - As a minimum discuss specific topics that
relate to what we've done and at least mention the obvious ones. Be specific, cite the section/chapter/reading it
comes from. Also cite the topics/presentations that relate. The top scores come from also citing articles from the
suggested readings and outside readings.

An optional exam, consisting of 50 multiple-choice questions based on the CISSP certification exam can be taken in
lieu of 5 exercises. The CISSP exam is a broad-based exam focusing on key concepts from the 10 security knowledge
domains. The exam is worth 20 of the 40 exercise portfolio points. The exam will be posted on 2/23 and should be
included in the exercise portfolio due 3/1.
A business impact analysis/vulnerability/risk assessment. Each student will either analyze themselves or select an organization
and (with their permission) perform a vulnerability/risk assessment for operating security and a business impact analysis for
business continuity. A report along with supporting matrices will be generated documenting the findings of the assessment and
is due on 3/22. This assignment is worth 25 points.
A security plan audit/analysis (team project) with presentation. The team will select a company (one that is willing) and analyze
their security plan with respect to material covered in the class. Recommendations are to be generated for improving the plan.
Should the company not have a security plan the team will generate one. A report documenting the findings and a
presentation of the findings will be presented on 5/3 and is due on 5/10. This assignment is worth 25 points.
Class participation is worth 10 points. Participation is not just showing up to class. Participation is active interaction in
discussions, asking questions, answering questions, providing context and opinion. Students who only attend class and do not
participate in discussion will earn no better than an 8 for participation, students who actively engage in class discussions and
attend consistently will earn scores above 8 depending on their level of participation. If students are not good at talking in class
participation points can be earned by conducting email/online discussions with me and/or by coming to my office. Finally, part
of the participation grade will be determined based on a team participation evaluation conducted the night of the team
presentations.
Note that in instances where students have special experience or needs the assignments can be modified to fit those
experiences and needs with the consent of the instructor.
Grade of Incomplete. A grade of Incomplete (I) indicates that a portion of required coursework has not been completed and
evaluated in the prescribed time period due to unforeseen, but fully justified, reasons and that there is still a possibility of
earning credit. It is your responsibility to bring pertinent information to the instructor and to reach agreement on the means by
which the remaining course requirements will be satisfied. The conditions for removal of the Incomplete shall be reduced to
writing by the instructor and given to you with a copy placed on file with the department chair until the Incomplete is removed
or the time limit for removal has passed. A final grade is assigned when the work agreed upon has been completed and
evaluated. An Incomplete shall not be assigned when the only way you could make up the work would be to attend a major
portion of the class when it is next offered. Contract forms for Incomplete grades are available at the Office of the Registrar
website
Tentative Course Schedule
Table 2. The course schedule, including topics and class activities listed by week, is presented in the following table
Week
Topics
Activities/Readings
1: January 26
Introduction/The Need for Security
Ch 1
2: February 2
Planning for Security
Ch. 2
3: February 9
Planning for Contingencies
Ch 3
4: February 16
Information Security Policy/Program
Ch 4, 5
5: February 23
Security Management Models and
Practices
Ch 6/7
6: March 1
Identifying and Assessing Risk
Ch 8, Exercise Portfolio Turn In
7: March 8
Controlling Risk
Ch 9
8: March 15
Controlling Risk
Ch 9
9: March 22
Auditing
Risk Assessment Turn In
10: March 29
Spring Break
none
11: April 5
Protection Mechanisms
Ch 10
12: April 12
Protection Mechanisms
Ch 10
13: April 19
Physical Security
none
14: April 26
Security Personnel/Legal Issues
Ch 11, 12
15: May 3
Team Presentations
none
16: May 10
Changes to the course schedule, if any, will be announced in class.
Final Project Turn In
Download