This syllabus is here for historical reasons only.
Webster University
COMP 5200 G1 Information Security Management
Summer 2005
Wednesdays 5:30-9:30 p.m.
1 June—27 July
WingHaven Campus, Rm. 312
Instructor: Scott Granneman
- Background
- Instructor, Washington University in St. Louis & Webster University
- Author, Don't Click on the Blue E!: Switching to Firefox (O'Reilly: 2005) & Hacking Knoppix (Wiley & Sons: 2005)
- Columnist for SecurityFocus & Linux Magazine
- Professional Blogger for The Open Source Weblog
- Senior Consultant in Internet Services, Bryan Consulting
- Contact Info
- scott at granneman dot com
Course Objectives
After completing the course, students will be able to:
- Identify and prioritize information assets
- Identify and prioritize threats to information assets
- Define an information security strategy and architecture
- Plan for and respond to intruders in an information system
- Describe legal and public relations implications of security and privacy issues
- Present a disaster recovery plan for recovery of information assets after an incident
Learning Outcomes
As a result of completing this course, students will be able to:
- Describe threats to information security
- Identify methods, tools and techniques for combating these threats
- Identify types of attacks and problems that occur when systems are not properly protected
- Explain integral parts of overall good information security practices
- Identify and discuss issues related to access control
- Describe the need for and development of information security policies, and identify guidelines and models for writing policies
- Define risk management and explain why it is an important component of an information security strategy and practice
- Describe the types of contingency plan and the steps involved in developing each
- Identify security issues related to personnel decisions, and qualifications of security personnel
Prerequisites
Effective & well-honed verbal & written skills at the graduate level.
Required Texts & Resources
- Required
- Whitman & Mattord. Management of Information Security. Thomson Course Technology (2004). ISBN: 0-619-21515-1
- Recommended NIST publications
- SP 800-12: An Introduction to Computer Security: The NIST Handbook (HTML or 1.7 MB PDF)
- SP 800-26: Security Self-Assessment Guide for Information Technology Systems (1.5 MB PDF or 922 kb Word Doc)
- SP 800-30: Risk Management Guide for Information Technology Systems (480 kb PDF)
- SP 800-34: Contingency Planning Guide for Information Technology Systems (1.9 MB PDF)
Grading
Your grade will be based on the following factors:
- Class attendance and participation (20%): You are expected to attend class prepared to learn and discuss the topics with your fellow classmates. We may also work on in-class exercises, and you are expected to take an active part.
- Midterm (40%): A midterm exam covering chapters 1-6 of our textbook will be held on Wednesday, 29 June 2005.
- Final (40%): A final exam covering chapters 7-12 of our textbook will be held on Wednesday, 27 July 2005.
Grades will be based on an average of the above as follows:
94-100 A
89-93 A-
86-88 B+
83-85 B
79-82 B-
76-78 C+
73-75 C
69-72 C-
66-68 D+
63-65 D
59-62 D-
0-58 F
Projects and papers will be graded for correctness and completeness. All assignments turned in to me must be neatly typed and printed with letter-quality type. Students failing to present the information completely, neatly, and in the prescribed format will receive minimal credit for their work. Students should double-check assignments for spelling and grammar before submitting them.
Accommodation of disabilities: If you have a disability that might affect your ability to complete the required assignments, please contact me during the first week of class to discuss an accommodation.
Academic Integrity
The University is committed to high standards of academic conduct and integrity. Students will be held responsible for violations of academic honesty. Academic dishonesty includes the following and any other forms of academic dishonesty:
- Cheating: Using or attempting to use crib sheets, electronic sources, stolen exams, unauthorized study aids in an academic assignment, or copying or colluding with a fellow student in an effort to improve one's grade.
- Fabrication: Falsifying, inventing, or misstating any data, information, or citation in an academic assignment, field experience, academic credentials, job application or placement file.
- Plagiarism: Using the works (i.e. words, images, other materials) of another person as one's own words without proper citation in any academic assignment. This includes submission (in whole or in part) of any work purchased or downloaded from a Web site or an Internet paper clearinghouse.
- Facilitating Academic Dishonesty: Assisting or attempting to assist any person to commit any act of academic misconduct, such as allowing someone to copy a paper or test answers.
In most cases, the instructor will address issues of academic dishonesty within the confines of the student's course. The instructor may decide an appropriate consequence, including the following options: a written warning; the assignment of a written research project about the nature of plagiarism and academic honesty; a reduced grade or partial credit on the assignment; requiring the student to repeat the assignment; or issuing the student a failing grade for the course.
If a student receives an unsatisfactory grade in a course as a result of academic dishonesty, existing academic policies may lead to probation or dismissal. In extreme cases, a dishonesty violation may warrant consideration for dismissal, suspension, or other disciplinary action. These disciplinary actions require a formal judicial process as outlined in the Student Handbook.
Netiquette
It is paramount that we respect each other online in our email listserv. Follow this simple rule: disagree with the idea, but not the person. In other words, it's OK to say "That's a bad idea, because …", and it's not OK to say "You're a bad/stupid/inconsiderate person, because …". If you have an issue with a classmate's behavior online, please bring it to me privately by emailing me at scott at granneman dot com. If you'd like to find out more, please feel free to read The Core Rules of Netiquette, by Virginia Shea.
Schedule
Week 1
Topic: Introductions
Date: Wednesday, 1 June 2005
- Slides
- InfoSec Management 0: Overview (150 kb PDF, 64 kb PowerPoint)
Week 2
Topics: InfoSec Management & Planning
Date: Wednesday, 8 June 2005
- Slides
- InfoSec Management 1: Introduction (585 kb PDF, 573 kb PowerPoint)
- InfoSec Management 2: Planning (1.1 MB PDF, 1.1 MB PowerPoint)
Readings for this class:
- Chapter 1: Introduction to the Management of Information Security
- Chapter 2: Planning for Security
Week 3
Topics: Planning for Contingencies & InfoSec Policy
Date: Wednesday, 15 June 2005
- Slides
- InfoSec Management 3: Contingencies (1.1 MB PDF, 1.2 MB PowerPoint)
- InfoSec Management 4: Policy (1.5 MB PDF, 1.7 MB PowerPoint)
Readings for this class:
- Chapter 3: Planning for Contingencies
- Chapter 4: Information Security Policy
Week 4
Topics: Security Programs, Models, & Practices
Date: Wednesday, 22 June 2005
- Slides
- InfoSec Management 5: Program (2.4 MB PDF, 2.7 MB PowerPoint)
- InfoSec Management 6: Models (945 kb PDF, 886 kb PowerPoint)
Readings for this class:
- Chapter 5: Developing the Security Program
- Chapter 6: Security Management Models and Practices
Week 5
Topics: Midterm Exam (chapters 1-6)
Date: Wednesday, 29 June 2005
Week 6
Topics: Identifying, Assessing, & Controlling Risk
Date: Wednesday, 6 July 2005
- Slides
- InfoSec Management 7: Risk Management ID (2.5 MB PDF, 1.9 MB PowerPoint)
- InfoSec Management 8: Risk Management Control (950 kb PDF, 849 kb PowerPoint)
Readings for this class:
- Chapter 7: Risk Management: Identifying and Assessing Risk
- Chapter 8: Risk Management: Assessing and Controlling Risk
Week 7
Topics: Protection Mechanisms & Personnel and Security
Date: Wednesday, 13 July 2005
- Slides
- InfoSec Management 9: Protection (2.8 MB PDF, 2.4 MB PowerPoint)
- InfoSec Management 10: Personnel (302 kb PDF, 387 kb PowerPoint)
Readings for this class:
- Chapter 9: Protection Mechanisms
- Chapter 10: Personnel and Security
Week 8
Topics: Law and Ethics & InfoSec Project Management
Date: Wednesday, 20 July 2005
Readings for this class:
- Chapter 11: Law and Ethics
- Chapter 12: Information Security Project Management
Week 9
Topic: Final Exam (chapters 7-12) & Goodbyes
Date: Wednesday, 27 July 2005