Security and Risk Management

Course Composition and Objectives

• Understand the issues, techniques, and technologies for security and risk management
  • Explain how Risk Management and Information Security are interrelated
  • Define security operations concepts and how security policy addresses these concepts. (includes least-privilege, need-to-know, separation of duties, etc.)
  • Describe the primary security models (Bell-LaPadulla, Biba, MAC, DAC, etc.)
  • Explain the importance of change and patch management to security management
  • Explain the purpose and usage of network security management technologies (firewall, IDS, network telescope, honeypot, server and application logs, etc.)
• Discuss various system vulnerabilities and mitigation strategies
  • Describe major application vulnerabilities (XSS, SQL injection, etc.) and mitigation methods.
  • Explain how access controls relate to system and network security.
  • Explain how an systems architecture lends itself to potential vulnerabilities. (processor, storage, network)
  • Describe various tools for evaluating the threat landscape.
• Discuss the importance of policies, plans and programs in security management
  • Explain the role of security policy in security management at enterprise, issue and technical levels
  • Describe the need for and structure of various security-related plans including contingency plans, incent response plans, disaster-recovery plans and business continuity plans
  • Describe the various security program approaches for organizations ranging from very large to very small
  • Describe components and approaches to security training and awareness programs
  • Describe the varies human security positions, along with possible security certifications
• Understand the role of security inspections, security certification and accreditation, and system certification
  • Describe the major laws that result in system compliance regulations and audits (FERPA, HIPPA, SOX, etc.)
  • Describe Information Systems Evaluation Models, certification and accreditation (Common Criteria, ITSEC, etc.)
  • List major documents from DoD, NIST, and other major security organizations that influence systems evaluation or security specifications. (rainbow series, etc.)
  • Explain how vulnerability testing is done and the role of vulnerability scanning and alerting services (CERT, Secundia Inspector, etc.)
  • Explain and demonstrate the process for conducting a qualitative or quantitative security audit of an organization
  • Describe the ISO-27000 standards for security assessment and accreditation
  • Explain how ISO-27000 standards may be applied in various organizations
• Understand the interactions between systems design, systems management, social factors and the socio-political environment as pertain to security and risk management
  • Describe basic social engineering methodologies and approaches for mitigation
  • List major agencies and professional organizations that support security management professionals
  • Identify a number of current issues – technical, social or legal – in security management
  • Describe the history of security management and possible technologies and issues that will impact its future.
• Instructors Choice: Instructors may choose topics and learning objectives that meet the spirit of the course as defined here. Instructors may choose to devote more time to the learning objectives listed above or to add additional, complimentary objectives. Supplementary material and objectives should not overlap with the defined content of other courses in the curriculum

Course Description

Communication technologies have become a key component to support critical infrastructure services in various sectors of our society. In an effort to share information and streamline operations, organizations are creating complex networked systems and opening their networks to customers, suppliers, and other business partners. Increasing network complexity, greater access, and a growing emphasis on the Internet have made information systems and network security a major concern for organizations.

IST 456 focuses on risk management. Students will learn contemporary security issues; security management processes, architecture and models; risk analysis and management; security planning, analysis and safeguards; security policies development and administration; contingency planning, incidence handling and response; and security standards and certification processes. IST 456 will also address security certification and accreditation, security inspections, security processing mode, and system certification.

A major component of the course will be several case studies and a final team-based project. This course will incorporate collaborative and action-learning experiences wherever appropriate. Emphasis will be placed on developing and practicing writing and speaking skills through application of the concepts, theories and technologies that define the course.