Trustworthy Computing - Center for IT and e

Course Syllabus
BADM 590-MS11 / BADM 395-MS12
Trustworthy Computing: Information Security and Management
Meeting Time: 3:00-5:50 pm Thursdays, Spring Semester 2006
Instructor: Prof. Mike Shaw, Dept. Business Administration, College of Business
Classroom: 130 Wohlers Hall
4 Credit Hours or 3 Graduate Credit Units
Course Overview
This is a new course partly sponsored by a grant from Microsoft. As Information
Technology (IT) has become the foundation that supports the infrastructure, transactions,
processes, and customer service of any business large or small, so has managing the
trustworthiness of enterprise IT effectively emerged as a high priority for business
administration. This focus on trustworthy computing is analogous to total quality
management widely used in manufacturing and distribution a decade ago, except that the
impact is potentially more pronounced because of the greater reliance on IT not only by
businesses but also by the broader society. The course will provide students with a core
body of knowledge, for IT applications, management, and research, concerning:
- The state of research and business practice of trustworthy computing
- Managerial issues for the prevention of business frauds and threats
- The multiple perspectives of trustworthy computing and how to integrate them
- The key technology for trustworthy computing for users and for businesses
- Issues concerning integrity, privacy, ethics, risk management, and reliability
- Best practices concerning regulatory compliance requirements
- Enterprise information management issues, policies and practices
Who Should Take the Course
This course is designed for students who are interested in pursuing a professional career
in research, applications, or management, in the business administration or information
technology fields, and who want additional skills and knowledge to manage information
security, risk assessment, privacy, and recent regulatory compliance requirements. Since no
prior technical background is needed, this course is also suitable for students who are not
on the IT career path but who want to know more about the business issues concerning
information security, privacy management, and compliance practices. The course format
allows students to explore their professional interests by selecting their projects and
interacting with executive speakers. Students from various programs will bring their
varying disciplinary perspectives to the class. This diverse approach to course delivery
can create valuable synergy by integrating the various perspectives to broaden the
outlook of all of the students. The topics to be covered are organized as follows:
Course reference numbers: CN-44226, CN-45357
Course Content
Introduction: Trustworthy Computing and Business Administration
1. Introduction: The Importance of Trustworthy Computing to Enterprise Management
2. Building Trust in Enterprise IT: Integration of IT and Business Perspectives
Business Integrity, Privacy Management, and Fraud Prevention
3. The Integrity Requirement for Enterprise Accounting and Financial Data
4. Prevention of Financial Frauds
5. Case Study: IT, Sarbanes-Oxley Compliance, and Trustworthy Computing; HIPAA and the Healthcare Industry
6. IT and Privacy Issues (Discussion: Managing Privacy for Competitive Advantage)
Management of Threats and Vulnerabilities
7. Sources of Enterprise IT Vulnerabilities
8. Trustworthy Computing and Electronic Commerce
9. Risk Assessment
Survey of Related Technology and Business Issues: A Multidisciplinary Approach
10. Survey of Enterprise IT Security: Issues, Technology, Infrastructure and Management
11. Developments in Electronic Evidence and Computer Forensics
Enhancing Reliability and Integrity in Enterprise IT
12. The Life-Cycle Methodology for Trustworthy Computing & Risk Management
13. Trustworthy Computing in the Development, Adoption, Deployment, and Diffusion of IT
Trust Management in the Globalization of IT
14. Managing Trust in the Diffusion of Enterprise IT
15. Case Study: Trustworthy Computing in the IT Infrastructure for Global Supply Chains
16. Trust Enhancing Information Policies and Practices
Guest Speakers
One feature of the new course is a group of guest speakers from industry and major
companies who are thought leaders in the practice of trustworthy computing. The
information presented and collected will be used as the basis for a series of industrial
best-practices reports written by the students as part of the course requirements. A
number of IT managers from major organizations will visit and talk to the class as guest
speakers.
Course Requirements
Students are required to complete a project on selected topics in lieu of the final
examination.
Textbook: Principles and Practices of Information Security, Volonino, L., and Robinson,
S., 2004, Pearson Prentice Hall: New Jersey.
Class Schedule
Spring 2006
1. 1/19
Introduction & Overview
Chapter 1. Security in a Globally Connected Economy
“Trustworthy Computing,” Microsoft White Paper, Craig Mundie et al., 2003.
“Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.
“The Myth of Secure Computing,” R. Austin and C. Darby, Harvard Business Review, June 2003.
2. 1/26
Business Risk Management
Jason Weile, Manager, Systems and Process Assurance, PWC
--“Risk Management”
Chapter 2. Sources of Digital Liability
Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board, National Research Council, National Academic Press, 1999.
“Assessing Accounting Risk” (D. Hawkins), Harvard Business School Case 9-105054, Nov. 2005.
3. 2/2
Vulnerability Management and Assessment
Andrew Petrum, Protiviti
--“Vulnerability Management”
Chapter 3. Threats, Vulnerabilities, and Risk Exposure
“The iPremier Company (A): Denial of Service Attack” (A. Austin), Harvard Business School Case 9-601-114.
Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.
4. 2/9
Critical Infrastructure
Roy H. Campbell, Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC
--“Critical Infrastructure for the Power Grid”
Chapter 4. An Affirmative Model of Defense
Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA, 2004.
5. 2/16
Information Trust and Compliance Issues
Deron Grzetich, Protiviti
--“IT and Sarbanes-Oxley Compliance Issues”
“The Sarbanes-Oxley Act” (L. Paine), Harvard Business School Case 9-304-079, July 2004.
“Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions,” Protiviti White Paper (32 pages).
Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T. Blair, AIIM, 2004.
Chapter 5. Models for Estimating Risks
6. 2/23
Dependable & Trustworthy Enterprise Systems
Chapter 6. Acceptable-Use Policies: Human Defenses
Framing the Domain of Information Technology Management, R. W. Zmud (Ed.)
“Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.
7. 3/2
Enterprise Information Security Policy
Peter Siegel, CIO, UIUC
--“Enterprise Information Security Issues: The Case of Higher Education Institutions”
Chapter 7. Acceptable-Use Practices: Defense Best Practices
“Colleges Protest Call to Upgrade Online Systems,” New York Times, October 23, 2005.
8. 3/9
Trustworthy Systems Development
“The Trustworthy Computing Security Development Lifecycle,” S. Lipner and M. Howard, Microsoft Research, 2005.
Chapter 8. Technology & Auditing Systems: Hardware and Software Defenses
9. 3/16
Technology & Auditing Systems: Hardware and Software Defenses
Mike Corn, Director, Security and Privacy Services, UIUC
Chapter 9. Electronic Evidence and Electronic Record Management
Case: University Security Infrastructure
10. 3/30
Privacy Issues
Thomas Kleyle, Senior Manager, Systems and Process Assurance, PWC
Jason Weile, Manager, Systems and Process Assurance, PWC
--“Privacy Issues and Regulation”
Chapter 11. Privacy and Data Protection
“A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage,” KPMG Whitepaper.
“Google Inc.: Launching Gmail” (D. Darren), Ivey School of Business, Case 904E19, 2004.
11. 4/6
Managing Security in a Multinational Enterprise
Bill Boni, Chief Security Officer, Motorola
“Talking Security with Motorola’s William Boni,” Network World, 2004.
“From IT Security to Information Management” (M. Rasmussen), Forrester Report on Best Practices, June 2005.
12. 4/13
Crisis Management and Emergency Response
Richard Jaehne, Director, the Illinois Fire Service Institute
--“Emergency Response and Unified Command Systems”
“Assessing Your Organization’s Crisis Response Plans” (M. Watkins), Harvard Business School Note 9-902-064, 2001.
Chapter 10. Computer Crime, Computer Fraud, and Cyber Terrorism
13. 4/20
Risk Metrics and Models; Healthcare-Industry Issues and Privacy Management Concerning HIPAA
Greg Hodges, Managing Director, Protiviti
--“Risk Management and Identity Theft”
Anthony Cutilletta, MD, Managing Director, Protiviti
--“HIPAA and the Healthcare Industry”
“Combating Fraud in Financial Services” (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
“Phishing Concerns Impact Consumer Online Financial Behavior” (C. Graeber), Forrester Report on Best Practices, December 2004.
Chapter 11. Privacy and Data Protection
Appendix. HIPAA
14./15. 4/27 & 5/4
Project Presentations; Summary and Conclusions
Guest Speakers Schedule
1/26
Jason Weile, Manager, Systems and Process Assurance PWC
--“Risk Management”
2/2
Andrew Petrum, Protiviti
--“Vulnerability Management”
2/9
Roy H. Campbell, Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC
--“Critical Infrastructure for the Power Grid”
2/16
Deron Grzetich, Protiviti
--“IT and Sarbanes-Oxley Compliance Issues”
3/2
Peter Siegel, CIO, UIUC
--“Enterprise Information Security Issues: The Case of Higher Education Institutions”
3/16
Mike Corn, Director, Security and Privacy Services, UIUC
3/30
Thomas Kleyle, Senior Manager, Systems and Process Assurance, PWC
Jason Weile, Manager, Systems and Process Assurance, PWC
--“Privacy Issues and Regulation”
4/6
Bill Boni, Chief Security Officer, Motorola
4/13
Richard Jaehne, Director, the Illinois Fire Service Institute
--“Emergency Response and Unified Command Systems”
4/20
Greg Hodges, Managing Director, Protiviti
--“Risk Management and Identity Theft”
Anthony Cutilletta, MD, Managing Director, Protiviti
--“HIPAA and the Healthcare Industry”
Readings List
Articles (copies of articles 1-6 are available at TIS Bookstore as a course package; the rest are available online at the Compass course site)
1. “The Myth of Secure Computing,” R. Austin and C. Darby, Harvard Business Review, 2003.
2. “The iPremier Company (A): Denial of Service Attack” (A. Austin), Harvard Business School Case 9-601-114, Oct 2005.
3. “Google Inc.: Launching Gmail” (D. Darren), Ivey School of Business, Case 904E19, 2004.
4. “Assessing Accounting Risk” (D. Hawkins), Harvard Business School Case 9-105054, Nov. 2005.
5. “Assessing Your Organization’s Crisis Response Plans” (M. Watkins), Harvard Business School Note 9-902-064, 2001.
6. “The Sarbanes-Oxley Act” (L. Paine), Harvard Business School Case 9-304-079, July 2004.
7. “From IT Security to Information Management” (M. Rasmussen), Forrester Report on Best Practices, June 2005.
8. “Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions,” Protiviti White Paper (32 pages).
9. “Combating Fraud in Financial Services” (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
10. “Phishing Concerns Impact Consumer Online Financial Behavior” (C. Graeber), Forrester Report on Best Practices, December 2004.
11. “The Trustworthy Computing Security Development Lifecycle,” S. Lipner and M. Howard, Microsoft Research, 2005.
12. “Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.
13. “A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage,” KPMG Whitepaper (36 pages), 2001.
14. “Trustworthy Computing,” Microsoft White Paper, Craig Mundie et al., 2003 (10 pages).
Reference Books (these books will be placed on reserve in the Library; they provide more substantial
discussions of the topics as referenced in the course schedule)

Framing the Domain of Information Technology Management, R. W. Zmud (Ed.), Pinnaflex
Educational Resources: Cincinnati OH, 2000.

Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T.
Blair, AIIM, 2004.

Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board,
National Research Council, National Academic Press, 1999.

Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.

Digital Defense, T. Parenty, Harvard Business School Press, Boston, MA 2003.

Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA
2004.
Project Description
Students are required to complete a report focused on a selected topic. There will be
flexibility in the focus in terms of the disciplinary coverage (e.g., technical vs. managerial)
and also the orientation (e.g., application vs. research). Since the underlying vision of the
course content is about integrating technical and managerial perspectives, there will be
room for diverse approaches for you to take in this project.
You can choose your project from the list of the topics to be discussed in this course:
1. Business Risk Management
2. Vulnerability Management and Assessment
3. Critical Infrastructure
4. Information Trust and Compliance Issues (SOX)
5. Dependable & Trustworthy Enterprises Systems
6. Enterprise Information Security Policy
7. Trustworthy Systems Development
8. Technology & Auditing Systems: Hardware and Software Defenses
9. Privacy Issues
10. Trustworthy supply chains in multinationals
11. Crisis Management and Emergency Response
12. HIPAA
Each report should cover both the technical and business perspectives although there can
be a greater emphasis on one of the perspectives. One component of the report is a
summary of the related guest lecture(s), which will require adding sufficient background
information either by literature research or by collecting additional information from the
speaker giving the presentation.
Students from various degree programs may choose different types of individual projects.
There are three basic types to choose from:
1. An academic research project.
2. An application project.
3. A survey of the state-of-the-art methodology, practices, and trends.
Students can focus on projects concerning a research topic, a real-world application, or
the state of development of a given area. Examples include developing a risk metric, a
model for assessing the vulnerability of an enterprise, the risk analysis of an e-commerce
site, enhancing the trustworthiness of the supply chain of a multinational company, or
evaluating the maturity of the security readiness of a business. Several students may
work on related problems with different but complementary focuses.