section 701 syllabus page mis 5206 protecting information … · 2017-08-29 · mis5206 – section...
TRANSCRIPT
MIS5206 – Section 701 Syllabus Page 1
MIS 5206 – Protecting Information Assets Fall 2016
About the Instructor David Lanter
209C Speakman Hall Email: [email protected] Telephone: (215) 204-3077
e-profile: http://community.mis.temple.edu/dlanter/ Office hours: Most Wednesday’s 1-3pm, or by appointment
Class Location and Time Classroom: Alter 0A603 Time: Thursdays 5:30 – 8pm
Class blog: http://community.mis.temple.edu/itacs5206fall16-sec701/
Course Description In this course you will learn key concepts and components necessary for protecting the confidentiality, integrity and availability (CIA) of information assets. You will gain an understanding of the importance and key techniques for managing the security of information assets including logical, physical, and environmental security along with disaster recovery and business continuity. The first half of the course, leading up to the mid-term exam, will focus on Information Security Risk Identification and Management. The second half of the class will cover the details of security threats and the mitigation strategies that are used to manage risk.
Course Objectives 1. Gain an overview of the nature of information security vulnerabilities and
threats 2. Learn how information security risks are identified, classified and prioritized 3. Develop an understanding of how information security risks are managed,
mitigated and controlled 4. Gain experience working as part of team, developing and delivering a
professional presentation 5. Gain insight into certification exams and improve your test taking skills
MIS5206 – Section 701 Syllabus Page 2
Required Textbook and Readings Textbook Computer and Information Security Handbook second edition, 2013, John R. Vacca,
Morgan Kaufmann, ISBN: 978-0-12-394397-2
ISACA ISACA Risk IT Framework http://www.isaca.org/Knowledge-Center/Research/ResearchDeliverables/Pages/The-Risk-IT-Framework.aspx
ISACA Reading 1: “Disaster Recovery and Business Continuity Planning: Testing an Organization’s Plans”, http://community.mis.temple.edu/itacs5206fall16/files/2016/08/DisasterRecoveryAndBCP.pdf
ISACA Reading 2: “What Every IT Auditor Should Know About Backup and Recovery”, http://community.mis.temple.edu/itacs5206fall16/files/2016/08/What-Every-IT-Auditor-Should-Know-About-Backup-and-Recovery.pdf
SANS SANS Reading 1: “The Importance of Security Awareness Training” https://www.sans.org/reading_room/whitepapers/awareness/importance-security-awareness-training_33013/
SANS Reading 2: “Making Security Awareness Work for You” https://www.sans.org/reading_room/whitepapers/awareness/making-security-awareness-efforts-work_32763/
SANS Reading 3: “Implementing Robust Physical Security” http://www.sans.org/reading_room/whitepapers/physcial/implementing-robust-physical-security_1447/
SANS Reading 4: “Assessing Vendor Application Security A Practical Way to Begin” http://www.sans.org/reading_room/whitepapers/application/assessing-vendor-application-security-practical_1370/
SANS Reading 5: “Application Development Technology and Tools: Vulnerabilities and threat management with secure programming practices, a defense in-depth approach” http://www.sans.org/reading_room/whitepapers/application/application-development-technology-tools-vulnerabilities-threat-management-secure-pro_1283/
SANS Reading 6: “An Overview of Cryptographic Hash Functions and Their Uses” https://www.sans.org/reading_room/whitepapers/vpns/overview-cryptographic-hash-functions_879/
SANS Reading 7: “The Risks Involved With Open and Closed Public Key Infrastructure” https://www.sans.org/reading_room/whitepapers/vpns/risks-involved-open-closed-public-key-infrastructure_882/
FIPS FIPS Reading 1: “Standards for Security Categorization of Federal Information and Information Systems” http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
NIST NIST Reading 1: NIST Reading 1: “Framework for Improving Critical Infrastructure Cybersecurity”, https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf NIST Reading 2: “Information Security Handbook: A Guide for Managers”, http://csrc.nist.gov/publications/nistpubs/800-100/SP800-100-Mar07-2007.pdf
FGDC FGDC Reading 1: “Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns”, https://www.fgdc.gov/policyandplanning/Access%20Guidelines.pdf
ISO ISO Reading 1: ISO 27001 Data Security Classification Model Policy http://www.iso27001security.com/ISO27k_Model_policy_on_information_classification.pdf
Harvard Business Publishing (HBP)
The 2 case studies and 1 reading listed below are available in the course pack for purchase from HBP: http://cb.hbsp.harvard.edu/cbmp/access/52163838 HBR Reading 1: “The Myth of Secure Computing” Case Study 1: “HDFC: Securing Online Banking” Case Study 2: “Security Breach at TJX”
MIS5206 – Section 701 Syllabus Page 3
Assignments The readings, weekly discussion questions, News of the Week and case study assignments have been carefully chosen to bring the real world into class discussion while also illustrating fundamental concepts. Your participation in the online and class discussions is critical. Evaluation is based on you consistently demonstrating your engagement with the material. Assessment is based on what you contribute. The frequency and quality of your contributions are equally important. 1. Readings: Below is the reading schedule you are responsible for completing. You are
responsible for completing each of the readings (prior to answering the Weekly Reading Discussion Questions posted each Friday) before the Class Date:
Class # Readings Class Date
2 Vacca Ch.1 “Building a Secure Organization”
ISACA Risk IT Framework, pp. 1-42
NIST Reading 1: “Framework for Improving Critical Infrastructure Cybersecurity”
9/8
3 Vacca Ch.21 “Information Security Essentials for IT Managers: Protecting Mission-Critical Systems
FIPS Reading 1: “Standards for Security Categorization of Federal Information and Information Systems”
FGDC Reading 1: “Guidelines for Providing Appropriate Access to Geospatial Data in Response to Security Concerns
ISO 27001 Reading 1: ISO 27001 Data Security Classifications Model Policy
9/15
4 Vacca Ch.22 “Security Management Systems”
Vacca Ch.53 “Risk Management”
ISACA Risk IT Framework pp. 47-96
NIST Reading 2: “Information Security Handbook: A Guide for Managers”, Chapter 10 – “Risk Management”, pp. 84-95
9/22
5 Vacca Ch. 24 “Information Technology Security Management”
SANS Reading 1: “The Importance of Security Awareness Training”
SANS Reading 2: “Making Security Awareness Work for You”
NIST Reading 2: “Information Security Handbook: A Guide for Managers”, Chapter 4 – “Awareness and Training”, pp. 26-34
9/29
6 HBR Reading 1: “The Myth of Secure Computing” 10/6
7 Vacca Ch.54 “Physical Security Essentials”
SANS Reading 3: “Implementing Robust Physical Security” 10/13
8 Vacca Ch. 57 “Homeland Security”
ISACA Reading 1: “Disaster Recovery and Business Continuity
Planning: Testing an Organization’s Plans” ISACA Reading 2: “What Every IT Auditor Should Know About
Backup and Recovery”
10/20
MIS5206 – Section 701 Syllabus Page 4
9 Vacca Ch.5 “Guarding Against Network Intrusions”
Vacca Ch.11 “Internet Security”
Vacca Ch. 12 “The Botnet Problem”
Vacca Ch. 13 “Intranet Security”
Vacca Ch. 14 “Local Area Network Security” Optional:
o Vacca Ch.9 “Unix and Linux Security” o Vacca Ch.10 “Eliminating the Security Weakness of
Linux and Unix Operating Systems” o Vacca Ch. 15 “Wireless Network Security” o Vacca Ch. 17 “Cellular Network Security”
10/27
10 Vacca Ch. 25 “Online Identity and User Management Services”
Vacca Ch. 26 “Intrusion Prevention and Detection Systems”
Vacca Ch. 42 “Privacy on the Internet”
Vacca Ch. 43 “Privacy-Enhancing Technologies”
Vacca Ch. 49 “Identity Theft”
11/3
11 Vacca Ch. 51 “SAN Security”
Vacca Ch. 52 “Storage Area Networking Security Devices” SANS Reading 4: “Assessing Vendor Application Security A
Practical Way to Begin”
SANS Reading 5: “Application Development Technology and Tools:
Vulnerabilities and threat management with secure programming practices, a defense in-depth approach”
11/10
12 Vacca Ch. 37 “Data Encryption”
Vacca Ch. 38 “Satellite Encryption”
Vacca Ch. 39 “Public Key Infrastructure”
Vacca Ch. 40 “Password-based Authentication Key Establishment Protocols”
Vacca Ch. 41 “Instant-Messaging Security”
SANS Reading 6: “An Overview of Cryptographic Hash Functions
and Their Uses” SANS Reading 7: “The Risks Involved With Open and Closed Public
Key Infrastructure”
11/17
MIS5206 – Section 701 Syllabus Page 5
2. Answers to Weekly Reading Discussion Questions: Each Friday morning, you will find a post that includes several discussion questions about the coming week’s readings. You will be expected to post your answer to one of the discussion questions on the week’s readings by Monday @11:59 PM (except 9/5 which is Labor Day – so the answers can be posted on 9/4). A paragraph or two of thoughtful analysis is expected for your initial answer to the question. Post your answer to the weekly class assignment blog. You must come to class prepared to discuss all of these questions in detail when we meet.
Schedule for submitting answers to Weekly Reading Discussion Questions:
Class # Assignment/Discussion Topics
Due
2 Understanding an Organization’s Risk Environment 9/4
3 Data Classification Process and Models 9/12
4 Risk Evaluation 9/19
5 Creating a Security Aware Organization 9/26
7 Physical and Environmental Security 10/10
8 Business Continuity and Disaster Recovery Planning 10/17
9 Network Security 10/24
10 Identity Management and Access Control 10/31
11 Application Development Security 11/7
12 Cryptography, Public Key Encryption and Digital Signatures 11/14
3. Case Study Analysis Write-ups: You will prepare two case study analysis write-ups this semester. For each case study I will provide several discussion questions which will be posted to the class site. Pick one question and respond to it in depth. Your analysis should not exceed one single-spaced page using 11 point Times New Roman font with one-inch margins. Do not prepare a separate cover page, instead put your name, the class section number and the case name in the top-left corner of the header.
To submit your case study analysis, you must post it on the class blog no later than Tuesday at 9:00 AM of the week it is due. Please copy your analysis in clear text onto the blog.
Late submissions for this deadline will result in no credit earned for the case study analysis write-up assignment.
There is no one particular style for a good case study analysis. But, there are some common elements to excellent submissions (additional, grade-specific criteria are provided at the end of this syllabus): The opening of the analysis makes it immediately clear which case study and what
question is being addressed. You have cited specific details regarding key facts and issues of the case. Instead of
general observations about information technology or organizations that apply to any problem, draw details from the case study itself. Analyses, observations, and
MIS5206 – Section 701 Syllabus Page 6
suggestions should be tied directly to those key facts and issues. You can also draw on the other readings in the course to inform and support your arguments.
After analyzing the details of the case study, discuss how its specific issues have broader application. In other words, use your analysis to provide some advice to managerial decision-makers that can be applied to other situations beyond this case.
Provide a balanced perspective. For example, when making a recommendation explain the pros and cons, providing both the rationale (the why) as well as its feasibility (the how). Well-considered recommendations include discussion of potential issues with your solution and conditions that should be in place for your recommendation to be successful.
Below is the schedule for the Case Studies:
Class #
Case Studies Due
3 Read and be prepared to discuss Case 1: HDFC Bank
4 Prepare analysis for Case 1: HDFC Bank
5 Case Study 1 Analysis 9/27
11 Read and be prepared to discuss Case 2: TJX
12 Prepare analysis for Case 2: TJX
13 Case Study 2 Analysis 12/6
MIS5206 – Section 701 Syllabus Page 7
Participation Much of your learning will occur as you prepare for and participate in discussion about the course material. The assignments, cases, and readings have been carefully chosen to bring the real work into class discussion while also illustrating fundamental concepts. Your participation in the online and class discussions is critical. Evaluation is based on you consistently demonstrating your engagement with the material. Assessment is based on what you contribute. The frequency and quality of your contributions are equally important. Therefore, in addition to fulfilling your weekly assignment by actively participating in class and posting your answer to one of the reading discussion questions, each week you are also expected to participate in two other activities: 1) Comments on Weekly Reading Discussion Questions and Other Students Answers and 2) In the News articles:
1. Comments on Other student’s answers and comments to weekly reading discussion questions: Read the responses of others to the discussion questions and contribute at least four (4) substantive posts that include your thoughtful comments as you participate in the discussion of the questions. The posting of these additional four comments is due by Wednesday @ 11:59am.
Below is the schedule for your submittals of Comments on Weekly Reading Discussion Questions:
Class #
Weekly Discussion Topics
Due
2 Understanding an Organization’s Risk Environment 9/7
3 Data Classification Process and Models 9/14
4 Risk Evaluation 9/21
5 Creating a Security Aware Organization 9/28
7 Physical and Environmental Security 10/12
8 Business Continuity and Disaster Recovery Planning 10/19
9 Network Security 10/26
10 Identity Management and Access Control 11/2
11 Application Development Security 11/9
12 Cryptography, Public Key Encryption and Digital Signatures 11/16
MIS5206 – Section 701 Syllabus Page 8
2. “In the News” Article: Research, identify, write a summary, post a link to your summary, and be prepared to discuss in class an article you found about a current event in the Information Security arena. An ideal article would be tied thematically to the topic of the week. However, any article you find interesting and would like to
share is welcome. The deadline for posting is by Wednesday @ 11:59am. Below is the schedule for your “In the News” submittals:
Class # Topic of the Week Due
2 Understanding an Organization’s Risk Environment 9/7
3 Data Classification Process and Models 9/14
4 Risk Evaluation 9/21
5 Creating a Security Aware Organization 9/28
6 Review: Managing IT Security Risks 10/5
7 Physical and Environmental Security 10/12
8 Business Continuity and Disaster Recovery Planning 10/19
9 Network Security – Reading Question 10/26
10 Identity Management and Access Control 11/2
11 Application Development Security 11/9
12 Cryptography, Public Key Encryption and Digital Signatures 11/16
13 Review: Security Threat and Mitigations 11/30
Team Presentation During Class #6, the students will be organized into a series of presentation development and delivery teams. Each team will be assigned a topic. The team will develop a presentation covering the assigned topic, and the presentation will be designed/planned so that is completed in no less than 15 minutes and no more than 30 minutes. Each member of the team will present for no less than 5 minutes and no more than 10 minutes. For example, the team may cover all three of the following areas in its presentation with each presenter on the team focusing on one important area:
1) Business/organizational context 2) Technical environment 3) Risk management/mitigation focus
Below is the schedule for the Team Presentations:
Class # Team Presentation Schedule Due
6 Teams and topics assigned
7 Draft outlines submitted 10/20
8 Draft presentation submitted 11/3
10 Presentations 11/10
11 Presentations 11/17
12 Presentations 12/1
MIS5206 – Section 701 Syllabus Page 9
Exams There will be two exams during the semester. Each exam will be conducted online. Together these exams are weighted 30% of your final grade.
Below is the Exam schedule:
Class # Exam Date
6 Exam 1 10/6
14 Exam 2 12/8
All exams will consist of multiple-choice, fill in the blank and possible short answer questions. You will have a fixed time (e.g. 40 minutes) to complete the exam. Exam 1 will occur during week 6’s class, and Exam 2 will occur during class of week 14. In general, the exams will not be cumulative but focused on the course materials since the beginning of last exam. However, some concepts highlighted in class as important or a ‘Core Principle’ may appear on either or both exams. A missed exam can only be made up in the case of documented and verifiable extreme emergency situations. No make-up is possible for Exam 2.
Quizzes Beginning with Class #2 at the end of each class you will be provided with a test taking tip followed by a practice quiz consisting of multiple choice questions modeled after the content of the CISA and CISSP certification exams. You will not be given quizzes during classes where either of the two exams are scheduled. The quizzes are for practice only, and will not count towards your final grade. You will be given time to answer the exam, and then we will go over the answers to the exam. The goals for the quizzes are twofold: 1) help you become familiar with areas requiring additional study and attention, and 2) help you gain skills that improve your test taking abilities.
Weekly Cycle As outlined above in the Assignments and Participation sections, much of your learning will occur as you prepare for and participate in discussions about the course content. To facilitate learning the course material, we will discuss course material on the class blog in between classes. Each week this discussion will follow this cycle:
When Actor Task Type Friday Instructor (me) Post reading questions (Friday am)
Monday 11:59pm Student Post answers to reading questions Assignment
Tuesday 9:00am Student Post case study analysis (when due) Assignment
Wednesday 11:59am Student Post 4 comments to others’ answers Participation
Wednesday 11:59am Student Post “In The News” article Participation
Thursday 5:30pm-8pm Both of Us Class meeting Participation
Friday Instructor Post summary notes
MIS5206 – Section 701 Syllabus Page 10
Evaluation and Grading
Item Weight
Assignments 25%
Participation (in class and online) 20%
Team Presentation 25%
Exams 30%
100%
Grading Scale
94 – 100 A 73 – 76 C
90 – 93 A- 70 – 72 C-
87 – 89 B+ 67 – 69 D+
83 – 86 B 63 – 66 D
80 – 82 B- 60 – 62 D-
77 – 79 C+ Below 60 F
Grading Criteria
The following criteria are used for evaluating assignments. You can roughly translate a letter grade as the midpoint in the scale (for example, an A- equates to a 91.5).
Criteria Grade
The assignment consistently exceeds expectations. It demonstrates originality of thought and creativity throughout. Beyond completing all of the required elements, new concepts and ideas are detailed that transcend general discussions along similar topic areas. There are no mechanical, grammatical, or organization issues that detract from the ideas.
A- or A
The assignment consistently meets expectations. It contains all the information prescribed for the assignment and demonstrates a command of the subject matter. There is sufficient detail to cover the subject completely but not too much as to be distracting. There may be some procedural issues, such as grammar or organizational challenges, but these do not significantly detract from the intended assignment goals.
B-, B, B+
The assignment fails to consistently meet expectations. That is, the assignment is complete but contains problems that detract from the intended goals. These issues may be relating to content detail, be grammatical, or be a general lack of clarity. Other problems might include not fully following assignment directions.
C-, C, C+
The assignment constantly fails to meet expectations. It is incomplete or in some other way consistently fails to demonstrate a firm grasp of the assigned material.
Below C-
Late Assignment Policy An assignment is considered late if it is turned in after the assignment deadlines stated above. No late assignments will be accepted without penalty unless arrangements for validated unusual or unforeseen situations have been made.
● Class Blog contributions cannot be turned in late. If you miss contributing prior to class for that week’s discussion / questions you will receive no credit for it. ● The exercise assignments will be assessed a 20% penalty each day they are late. No credit is given for assignments turned in over five calendar days past the due date.
MIS5206 – Section 701 Syllabus Page 11
● You must submit all assignments, even if no credit is given. If you skip an assignment, an additional 10 points will be subtracted from your final grade in the course. ● Plan ahead and backup your work. Equipment failure is not an acceptable reason for turning in an assignment late.
Citation Guidelines If you use text, figures, and data in reports that were created by others you must identify the source and clearly differentiate your work from the material that you are referencing. If you fail to do so you are plagiarizing. There are many different acceptable formats that you can use to cite the work of others (see some of the resources below). The formats are not as important as the intent. You must clearly show the reader what is your work and what is a reference to someone else’s work.
Plagiarism and Academic Dishonesty All work done for this course: papers, examinations, homework exercises, blog posts, laboratory reports, oral presentations — is expected to be the individual effort of the student presenting the work. Plagiarism and academic dishonesty can take many forms. The most obvious is copying from another student’s exam, but the following are also forms of this: ● Copying material directly, word-for-word, from a source (including the Internet) ● Using material from a source without a proper citation ● Turning in an assignment from a previous semester as if it were your own ● Having someone else complete your homework or project and submitting it as if it were
your own ● Using material from another student’s assignment in your own assignment
Plagiarism and cheating are serious offenses, and behavior like this will not be tolerated in this class. In cases of cheating, both parties will be held equally responsible, i.e. both the student who shares the work and the student who copies the work. Penalties for such actions are given at my discretion, and can range from a failing grade for the individual assignment, to a failing grade for the entire course, to expulsion from the program.
Student and Faculty Academic Rights and Responsibilities The University has adopted a policy on Student and Faculty Academic Rights and Responsibilities (Policy # 03.70.02) which can be accessed through the following link: http://policies.temple.edu/getdoc.asp?policy_no=03.70.02
MIS5206 – Section 701 Syllabus Page 12
Additional Information Availability of Instructor
Please feel free to contact me via e-mail with any issues related to this class. I will also be available at the end of each session. Please note that these discussions are to address questions/concerns but are NOT for helping students catch up on content they missed because they were absent. Note: I will respond promptly when contacted during the week
I am available to meet personally with you: Immediately after class During office hours By appointment prior to class By appointment by phone
Attendance Policy Class discussion is intended to be an integral part of the course. Therefore, full attendance is expected by every student.
If you are absent from class, speak with your classmates to catch up on what you have missed.
Class Etiquette Please be respectful of the class environment. Class starts promptly at the start time. Arrive on time and stay until
the end of class. Turn off and put away cell phones, pagers and alarms during class. Limit the use of electronic devices (e.g., laptop, tablet computer) to
class-related usage such as taking notes. Restrict the use of an Internet connection (e.g., checking email, Internet browsing, sending instant messages) to before class, during class breaks, or after class.
Refrain from personal discussions during class. Please leave the room if you need to speak to another student for more than a few words. If a student cannot refrain from engaging in private conversation and this becomes a pattern, the students will be asked to leave the classroom to allow the remainder of the students to work.
During class time speak to the entire class (or breakout group) and let each person “take their turn.”
Be fully present and remain present for the entirety of each class meeting.