Course Syllabus
BADM 590-MS11 / BADM 395-MS12 (CN-44226, CN-45357)
Trustworthy Computing: Information Security and Management
Meet Time: 3-5:50 pm Thursdays, Spring Semester 2006
Instructor: Prof. Mike Shaw, Dept. Business Administration, College of Business
Classroom: 130 Wohlers Hall
4 Credit Hours or 3 Graduate Credit Units

Course Overview

This is a new course partly sponsored by a grant from Microsoft. As Information Technology (IT) has become the foundation that supports the infrastructure, transactions, processes, and customer service of any business, large or small, managing the trustworthiness of enterprise IT effectively has emerged as a high priority for business administration. This focus on trustworthy computing is analogous to the total quality management widely adopted in manufacturing and distribution a decade ago, except that the impact is potentially more pronounced because of the greater reliance on IT not only by businesses but also by the broader society.

The course will provide students with a core body of knowledge (for IT applications, management, and research) concerning:
- The state of research and business practice of trustworthy computing
- Managerial issues for the prevention of business frauds and threats
- The multiple perspectives of trustworthy computing and how to integrate them
- The key technology for trustworthy computing for users and for businesses
- Issues concerning integrity, privacy, ethics, risk management, and reliability
- Best practices concerning regulatory compliance requirements
- Enterprise information management issues, policies and practices

Who Should Take the Course

This course is designed for students who are interested in pursuing a professional career in research, applications, or management, in the business administration or information technology fields, and who want additional skills and knowledge to manage information security, risk assessment, privacy, and recent regulatory compliance requirements. Since no prior technical background is needed, this course is also suitable for students who are not on the IT career path but want to know more about the business issues concerning information security, privacy management, and compliance practices. The course format allows students to explore their professional interests by selecting their projects and interacting with executive speakers. Students from various programs will bring their differing disciplinary perspectives to the class. This diverse approach to course delivery can create valuable synergy by integrating the various perspectives to broaden the outlook of all of the students.

Course Content

The topics to be covered will follow this structure:

Introduction: Trustworthy Computing and Business Administration
1. Introduction: The Importance of Trustworthy Computing to Enterprise Management
2. Building Trust in Enterprise IT: Integration of IT and Business Perspectives

Business Integrity, Privacy Management, and Fraud Prevention
3. The Integrity Requirement for Enterprise Accounting and Financial Data
4. Prevention of Financial Frauds
5. Case Study: IT, Sarbanes-Oxley Compliance, and Trustworthy Computing; HIPAA and the Healthcare Industry
6. IT and Privacy Issues (Discussion: Managing Privacy for Competitive Advantage)

Management of Threats and Vulnerabilities
7. Sources of Enterprise IT Vulnerabilities
8. Trustworthy Computing and Electronic Commerce
9. Risk Assessment

Survey of Related Technology and Business Issues: A Multidisciplinary Approach
10. Survey of Enterprise IT Security: Issues, Technology, Infrastructure and Management
11. Developments in Electronic Evidence and Computer Forensics

Enhancing Reliability and Integrity in Enterprise IT
12. The Life-Cycle Methodology for Trustworthy Computing & Risk Management
13. Trustworthy Computing in the Development, Adoption, Deployment, and Diffusion of IT

Trust Management in the Globalization of IT
14. Managing Trust in the Diffusion of Enterprise IT
15. Case Study: Trustworthy Computing in the IT Infrastructure for Global Supply Chains
16. Trust Enhancing Information Policies and Practices

Guest Speakers

One of the features of the new course will be a group of guest speakers from industry and major companies who are thought leaders in the practice of trustworthy computing. Information presented and collected will be used as the basis for a series of industrial best-practices reports by the students as part of the course requirements. A number of IT managers from major organizations will visit and talk to the class as guest speakers.

Course Requirements

Students are required to complete a project on selected topics in lieu of the final examination.

Textbook: Principles and Practices of Information Security, Volonino, L., and Robinson, S., 2004, Pearson Prentice Hall: New Jersey.

Class Schedule, Spring 2006

1. 1/19 Introduction & Overview
   Chapter 1. Security in a Globally Connected Economy
   “Trustworthy Computing,” Microsoft White Paper, Craig Mundie et al., 2003.
   “Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.
   “The Myth of Secure Computing,” R. Austin and C. Darby, Harvard Business Review, June 2003.

2. 1/26 Business Risk Management
   Guest speaker: Jason Weile, Manager, Systems and Process Assurance, PWC: “Risk Management”
   Chapter 2. Sources of Digital Liability
   Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board, National Research Council, National Academy Press, 1999.
   “Assessing Accounting Risk” (D. Hawkins), Harvard Business School Case 9-105054, Nov. 2005.

3. 2/2 Vulnerability Management and Assessment
   Guest speaker: Andrew Petrum, Protiviti: “Vulnerability Management”
   Chapter 3. Threats, Vulnerabilities, and Risk Exposure
   “The iPremier Company (A): Denial of Service Attack” (A. Austin), Harvard Business School Case 9-601-114.
   Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.

4. 2/9 Critical Infrastructure
   Guest speaker: Roy H. Campbell, Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC: “Critical Infrastructure for the Power Grid”
   Chapter 4. An Affirmative Model of Defense
   Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA, 2004.

5. 2/16 Information Trust and Compliance Issues
   Guest speaker: Deron Grzetich, Protiviti: “IT and Sarbanes-Oxley Compliance Issues”
   “The Sarbanes-Oxley Act” (L. Paine), Harvard Business School Case 9-304-079, July 2004.
   “Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions,” Protiviti White Paper (32 pages).
   Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T. Blair, AIIM, 2004.
   Chapter 5. Models for Estimating Risks

6. 2/23 Dependable & Trustworthy Enterprise Systems
   Chapter 6. Acceptable-Use Policies: Human Defenses
   Framing the Domain of Information Technology Management, R. W. Zmud (Ed.)
   “Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.

7. 3/2 Enterprise Information Security Policy
   Guest speaker: Peter Siegel, CIO, UIUC: “Enterprise Information Security Issues: The Case of Higher Education Institutions”
   Chapter 7. Acceptable-Use Practices: Defense Best Practices
   “Colleges Protest Call to Upgrade Online Systems,” New York Times, October 23, 2005.

8. 3/9 Trustworthy Systems Development
   “The Trustworthy Computing Security Development Lifecycle,” S. Lipner and M. Howard, Microsoft Research, 2005.
   Chapter 8. Technology & Auditing Systems: Hardware and Software Defenses

9. 3/16 Technology & Auditing Systems: Hardware and Software Defenses
   Guest speaker: Mike Corn, Director, Security and Privacy Services, UIUC
   Chapter 9. Electronic Evidence and Electronic Record Management
   Case: University Security Infrastructure

10. 3/30 Privacy Issues
   Guest speakers: Thomas Kleyle, Senior Manager, Systems and Process Assurance, PWC, and Jason Weile, Manager, Systems and Process Assurance, PWC: “Privacy Issues and Regulation”
   Chapter 11. Privacy and Data Protection
   “A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage,” KPMG White Paper.
   “Google Inc.: Launching Gmail” (D. Darren), Ivey School of Business, Case 904E19, 2004.

11. 4/6 Managing Security in a Multinational Enterprise
   Guest speaker: Bill Boni, Chief Security Officer, Motorola
   “Talking Security with Motorola’s William Boni,” Network World, 2004.
   “From IT Security to Information Management” (M. Rasmussen), Forrester Report on Best Practices, June 2005.

12. 4/13 Crisis Management and Emergency Response
   Guest speaker: Richard Jaehne, Director, the Illinois Fire Service Institute: “Emergency Response and Unified Command Systems”
   “Assessing Your Organization’s Crisis Response Plans” (M. Watkins), Harvard Business School Note 9-902-064, 2001.
   Chapter 10. Computer Crime, Computer Fraud, and Cyber Terrorism

13. 4/20 Risk Metrics and Models; Healthcare-Industry Issues and Privacy Management Concerning HIPAA
   Guest speakers: Greg Hodges, Managing Director, Protiviti: “Risk Management and Identity Theft”; Anthony Cutilletta, MD, Managing Director, Protiviti: “HIPAA and the Healthcare Industry”
   “Combating Fraud in Financial Services” (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
   “Phishing Concerns Impact Consumer Online Financial Behavior” (C. Graeber), Forrester Report on Best Practices, December 2004.
   Chapter 11. Privacy and Data Protection; Appendix: HIPAA

14./15. 4/27 & 5/4 Project Presentations; Summary and Conclusions.

Guest Speakers Schedule

1/26 Jason Weile, Manager, Systems and Process Assurance, PWC: “Risk Management”
2/2 Andrew Petrum, Protiviti: “Vulnerability Management”
2/9 Roy H. Campbell, Sohaib and Sara Abbasi Professor, Siebel Center for Computer Science, UIUC: “Critical Infrastructure for the Power Grid”
2/16 Deron Grzetich, Protiviti: “IT and Sarbanes-Oxley Compliance Issues”
3/2 Peter Siegel, CIO, UIUC: “Enterprise Information Security Issues: The Case of Higher Education Institutions”
3/16 Mike Corn, Director, Security and Privacy Services, UIUC
3/30 Thomas Kleyle, Senior Manager, Systems and Process Assurance, PWC, and Jason Weile, Manager, Systems and Process Assurance, PWC: “Privacy Issues and Regulation”
4/6 Bill Boni, Chief Security Officer, Motorola
4/13 Richard Jaehne, Director, the Illinois Fire Service Institute: “Emergency Response and Unified Command Systems”
4/20 Greg Hodges, Managing Director, Protiviti: “Risk Management and Identity Theft”; Anthony Cutilletta, MD, Managing Director, Protiviti: “HIPAA and the Healthcare Industry”

Readings List

Articles (copies of articles 1-6 are available at TIS Bookstore as a course package; the rest are available online at the Compass course site)

1. “The Myth of Secure Computing,” R. Austin and C. Darby, Harvard Business Review, 2003.
2. “The iPremier Company (A): Denial of Service Attack” (A. Austin), Harvard Business School Case 9-601-114, Oct 2005.
3. “Google Inc.: Launching Gmail” (D. Darren), Ivey School of Business, Case 904E19, 2004.
4. “Assessing Accounting Risk” (D. Hawkins), Harvard Business School Case 9-105054, Nov. 2005.
5. “Assessing Your Organization’s Crisis Response Plans” (M. Watkins), Harvard Business School Note 9-902-064, 2001.
6. “The Sarbanes-Oxley Act” (L. Paine), Harvard Business School Case 9-304-079, July 2004.
7. “From IT Security to Information Management” (M. Rasmussen), Forrester Report on Best Practices, June 2005.
8. “Guide to the Sarbanes-Oxley Act: IT Risks and Controls: Frequently Asked Questions,” Protiviti White Paper (32 pages).
9. “Combating Fraud in Financial Services” (P. Gillespie and M. Rasmussen), Forrester Report on Best Practices, April 2004.
10. “Phishing Concerns Impact Consumer Online Financial Behavior” (C. Graeber), Forrester Report on Best Practices, December 2004.
11. “The Trustworthy Computing Security Development Lifecycle,” S. Lipner and M. Howard, Microsoft Research, 2005.
12. “Dependable Pervasive Systems,” C. Jones and B. Randell, Technical Report CSTR-839, University of Newcastle upon Tyne, April 2004.
13. “A New Covenant with Stakeholders: Managing Privacy as a Competitive Advantage,” KPMG White Paper (36 pages), 2001.
14. “Trustworthy Computing,” Microsoft White Paper, Craig Mundie et al., 2003 (10 pages).

Reference Books (these books will be on reserve in the Library; they provide more substantial discussion of the topics as referenced in the course schedule)

Framing the Domain of Information Technology Management, R. W. Zmud (Ed.), Pinnaflex Educational Resources: Cincinnati OH, 2000.
Information Nation: Seven Keys to Information Management Compliance, R. A. Kahn and B. T. Blair, AIIM, 2004.
Trust in Cyberspace, F. B. Schneider (Ed.), Computer Science and Telecommunications Board, National Research Council, National Academy Press, 1999.
Threat Modeling, F. Swiderski and W. Snyder, Microsoft Press, Redmond WA, 2004.
Digital Defense, T. Parenty, Harvard Business School Press, Boston, MA, 2003.
Predictable Surprises, M. Bazerman and M. Watkins, Harvard Business School Press, Boston, MA, 2004.

Project Description

Students are required to complete a report focused on a selected topic. There will be flexibility in focus in terms of disciplinary coverage (e.g., technical vs. managerial) and orientation (e.g., application vs. research). Since the underlying vision of the course content is the integration of technical and managerial perspectives, there is room for diverse approaches in this project. You can choose your project from the list of topics to be discussed in this course:

1. Business Risk Management
2. Vulnerability Management and Assessment
3. Critical Infrastructure
4. Information Trust and Compliance Issues (SOX)
5. Dependable & Trustworthy Enterprise Systems
6. Enterprise Information Security Policy
7. Trustworthy Systems Development
8. Technology & Auditing Systems: Hardware and Software Defenses
9. Privacy Issues
10. Trustworthy Supply Chains in Multinationals
11. Crisis Management and Emergency Response
12. HIPAA

Each report should cover both the technical and business perspectives, although there can be a greater emphasis on one of them. One component of the report is a summary of the related guest lecture(s), which will require adding sufficient background information either through literature research or by collecting additional information from the speaker giving the presentation.

Students from various degree programs may choose different types of individual projects. There are three basic types from which you can choose:
1. An academic research project.
2. An application project.
3. A survey of the state-of-the-art methodology, practices, and trends.

Students can focus on projects concerning a research topic, a real-world application, or the state of development of a given area. Examples include developing a risk metric, a model for assessing the vulnerability of an enterprise, the risk analysis of an e-commerce site, enhancing the trustworthiness of the supply chain of a multinational company, or evaluating the maturity of the security readiness of a business. It is possible for several students to work on related problems with different but complementary focuses.