Course Development

Revised 16 April 2014

Description:

This section shows the instructor how to use these materials to create a custom course from the contents of the Information Security Modules. The same approach can be used for both university and industrial courses.

Creating Information Security Courses

Since Information Security is a developing discipline in the academic community, there are few academicians who have experience teaching courses in the area. As stated earlier, these modules have been designed to supplement other courses in the curriculum; an additional use of these modules is to guide the instructor in the creation of a custom course at the undergraduate level.

By using the components of the modules separately, the instructor can tailor the course to his or her particular expertise. Among the authors of these modules there are individuals with backgrounds in Computer Science, Information Science, Mathematics, Management, Accounting, and even International Law. Each of us teaches our Information Security course with an individual focus.

There is a total of up to 87.5 hours of instructional material contained in these modules (where a module's outline gives a range of hours, the upper bound is used here). The breakdown is:

Introduction to Information Protection                    5 hours
PC/Workstation Security                                 4.5 hours
Security Fundamentals                                    12 hours
Laws and Legislation                                      9 hours
System Security                                          15 hours
Communications Security                                   7 hours
Corporate Security Management                            17 hours
Introduction to Accounting Controls and EDP Auditing     18 hours

Since the materials were designed with redundancy, many components of the modules overlap. Frequently the overlap is a difference in level of detail rather than a difference in content.

Course 1 for Accountants

For example, an Information Security course for accounting students might be composed of:

Module and Content                                                     Time

Part 1 of Module One      Information as a corporate resource        2 hours
Part 1 of Module Two      Ethics                                     1 hour
Part 2 of Module Three    Organizational Policies and Procedures     1 hour
Part 10 of Module Three   Costs and Benefits                         1 hour
Part 2 of Module Four     Laws as tools for computer security        3 hours
Part 3 of Module Four     Laws as legal options for control          4 hours
Part 6 of Module Five     Protection Planning                        5 hours
Part 2 of Module Six      Threats                                    2 hours
Part 8 of Module Seven    Computer Security Checklist                5 hours
Module Eight              All of Module Eight                       18 hours

This represents as much as 42 hours of classroom instructional time and forms the core material for the course. The instructor is expected to introduce other material specific to his or her own area of expertise.

Course 2 Legal Focus

Module and Content                                                     Time

Part 1 of Module One      Information as a corporate resource        2 hours
Part 1 of Module Two      Ethics                                     1 hour
Part 2 of Module Three    Organizational Policies and Procedures     1 hour
Part 4 of Module Three    Personnel Security                         1 hour
Part 1 of Module Four     The Underlying Problem                     3 hours
Part 2 of Module Four     Laws as tools for computer security        3 hours
Part 3 of Module Four     Laws as legal options for control          4 hours
Part 6 of Module Five     Protection Planning                        5 hours
Part 2 of Module Five     Security Requirements                      3 hours
Part 5 of Module Five     Data Life Cycle                            2 hours
Part 8 of Module Seven    Computer Security Checklist                5 hours
Part 2 of Module Eight    Roles                                      1 hour
Part 4 of Module Eight    General Internal Controls                  2 hours
Part 11 of Module Eight   Evidence                                   3 hours

This represents approximately 36 hours of classroom instructional time and forms the core material for the course. The instructor is expected to introduce other material specific to his or her own area of expertise.

If you have suggestions for improvement, or if you choose to use this approach, please send your suggestions or a copy of your course syllabus to:

Corey D. Schou
Associate Dean, College of Business
Professor, Computer Information Systems
P.O. Box 4043
Pocatello, Idaho 83204

Each summer we will compile these teaching materials and distribute them to interested parties.

Topic Outline: Introduction to Information Protection

  1. Information As A Corporate Resource 2 Hours
    1. Security As Part Of The Total Organization
    2. Understanding The Organization
    3. Identifying Sensitive Data
    4. Controlled Sharing Of Information And Resources
  2. Basic Security Problems 1 Hour
    1. Natural Disasters
    2. Accidental Problems
    3. Malicious Threats
  3. Ethical Issues 1 Hour
    1. Ethics And Responsible Decision-Making
    2. Confidentiality & Privacy
    3. Piracy
    4. Fraud & Misuse
    5. Liability
    6. Patent And Copyright Law
    7. Trade Secrets
    8. Sabotage
  4. Major Areas Of Information Systems Study 1 Hour
    1. PC/Workstation Security
    2. Security Fundamentals
    3. Information Security Laws And Legislation
    4. System Security
    5. Communications Security
    6. Corporate Security Management

Topic Outline: PC/Workstation Security

  1. Ethical Use Of The Computer 1 Hour
  2. Computer Room Environment 1 Hour
    1. Temperature
    2. Foreign Materials
    3. Radio Frequency Interference (RFI)
    4. Power Surges And Brownouts
  3. Physical Security 1 Hour
    1. Location And Construction
    2. Computer Room Access
    3. Physical Control
  4. Data Security 1 Hour
    1. Software Control
    2. Backup Procedures
    3. Recovery Techniques
    4. Data Encryption And Access Control
  5. Security Training 0.5 Hour

Topic Outline: Security Fundamentals

  1. Planning 2 Hours
    1. Security As Part Of The Total Organization
    2. Understanding The Organization
    3. Identifying Sensitive Data
    4. Controlled Sharing Of Information And Resources
    5. Specific Needs
    6. Analysis And Design
  2. Organizational Policies And Procedures 1 Hour
    1. Scope Of Security Mechanisms
    2. Basic Goals
      1. Prevention
      2. Deterrence
      3. Containment
      4. Detection
      5. Recovery
    3. Written Management Policies & Procedures
  3. Ethics And Professionalism 2 Hours
    1. Ethics
      1. Ethics And Responsible Decision-Making
      2. Confidentiality & Privacy
      3. Piracy
      4. Fraud & Misuse
      5. Liability
      6. Patent And Copyright Law
      7. Trade Secrets
      8. Sabotage
    2. Laws And Legislation
    3. Professionalism
      1. The Computer Security Institute
      2. Computer Professionals For Social Responsibility
      3. Data Processing Management Association
      4. Security Management Magazine
      5. Licensing And Certification
        1. Institute For Certification Of Computer Professionals
        2. International Information Systems Security Certification Consortium, (ISC)²
  4. Personnel Security 1 Hour
    1. Hiring Practices
    2. Training
    3. Access Rights And Privileges
    4. Rules For Granting And Revoking Privileges
    5. Separation Of Privileges And Roles
    6. Adverse Actions
    7. Termination Practices
  5. Physical Security 1 Hour
    1. Location
      1. Access Versus Security
      2. Rooms, Doors, Windows, Keys
    2. Environment
      1. Radio Frequency Interference [RFI]
      2. Cooling
      3. Cabling
      4. Power
  6. System Security 1 Hour
    1. PC & Workstations
    2. Database
    3. Networks And Communications
    4. Operating Systems
    5. Application Software
    6. Systems Security
    7. Systems Architecture
    8. Audit And Control
    9. Corporate Security Management
  7. Threats And Vulnerability 1 Hour
    1. Natural Disasters
      1. Fire
      2. Flood
      3. Brown-Outs
      4. Lightning
    2. Accidental Acts (Threats)
      1. Disclosure Of Data
      2. Modification/Destruction Of Data
      3. Faulty Software
      4. Residual Data
      5. Wrong Parameters
    3. Malicious Acts (Threats)
      1. Trap Doors
      2. Trojan Horse
      3. Tampering
      4. Snooping Or Browsing
      5. Intentional Disclosure Of Data
      6. Viruses
    4. Locus Of Attack
      1. Terminals
      2. Hosts
      3. Front-Ends
      4. Gateways
      5. Links
      6. Packet-Switches
      7. PC/Workstations
  8. Data Security And Recovery 1 Hour
  9. Control And Audit 1 Hour
  10. Costs And Benefits 1 Hour
    1. Accessibility Versus Secrecy
    2. Costs
      1. Money And Time For Development, Installation, Procurement, And Maintenance Of Security Measures
      2. Special Skills
      3. Performance
      4. Productivity
      5. Training Time
      6. Compatibility - Of Equipment, Procedures,
    3. Benefits
      1. Precise Definition Of Requirements
      2. Value Of Information
      3. Peace Of Mind
      4. Productivity
      5. Protection From Legal Liability
      6. Protection From Loss Of Control Of Assets/Company
      7. Good-Will
      8. Privacy

Topic Outline: Laws And Legislation

  1. The Underlying Problem 1 - 2 Hours
    1. Theft Of Hardware And Data
    2. Fraud
    3. Physical Abuse
    4. Misuse Of Information And Privacy Issues
    5. Issues Of Adjudication And Regulation
  2. Laws As Tools For Computer Security 1 - 3 Hours
    1. Privacy Laws And Legislation
    2. Intellectual Property Laws
      1. Trade Secrets Law
      2. Patent Law
      3. Copyright Law
      4. Trademark Law
    3. Federal Laws
    4. State Statutes
    5. DPMA Model Computer Crime Bill
  3. Laws As Legal Options For Control 1 - 4 Hours
    1. License Agreements
    2. Intellectual Property Laws, (Trade Secrets, Patents, Copyright And Trademarks)
    3. Employee Non-Disclosure Considerations
    4. Contracts
    5. Warranties For Software And Hardware

Topic Outline: System Security

  1. Overview 1 Hour
    1. Definitions
    2. Background
      1. Identifying Sensitive Systems
      2. Developing A Security Program And Plan, And
      3. Training Appropriate People Concerned With Both Development And Operation Of Systems
    3. Management Responsibility
  2. System Sensitivity 2 Hours
    1. Criticality
    2. Sensitivity
    3. Source Of Sensitivity Information
    4. Level Of Sensitivity
  3. Security Requirements 3 Hours
    1. Security Policy
    2. Accountability
    3. Assurance
      1. Architecture
      2. Integrity
      3. Testing
      4. Specification/Verification
      5. Facility Management
      6. Configuration Control
      7. Disaster Recovery Or Contingency Planning
      8. Compliance
  4. Levels Of Security 2 Hours
  5. Data Life Cycle 2 Hours
    1. Retention Policy
    2. Destruction Policy
  6. Protection Planning 2 - 5 Hours
    1. System Description
      1. The Physical Location Of The Equipment
      2. Types Of Data And Information
      3. Classification Level
      4. Duration And Importance Of MIS Activity
      5. Equipment Location
      6. Equipment Description By Name And Model Number
      7. Security Officers
      8. Data Processing Terms
      9. System Integrity Study
    2. MIS Security
    3. Communications Security
    4. Information Security
    5. Personnel Security
    6. Physical Security
    7. Contingency Plans

Topic Outline: Communications Security

  1. Overview 1 Hour
    1. Brief Review Of The Concepts Of Protection In Data Communication Systems And Networks From A Management Perspective
      1. Systems Objectives: Controlled Sharing Of Information And Resources.
      2. Specific Needs: Privacy, Secrecy, Integrity And Availability.
      3. Policies And Mechanisms.
      4. Assets: Identification Of Valuable/ Sensitive Data And Information.
      5. Threats And Vulnerability.
    2. The Interrelationship Of Communications Security And Network Security For Interconnected Elements:
      1. Systems Connectivity
      2. Public/Private Carriers
      3. Relationship To Reliability And Dependability
  2. Threats 2 Hours
    1. Types Of Attacks/Failures
      1. Passive Intrusion
        1. Disclosure Of Message Contents
        2. Traffic Analysis
        3. Disclosure Of Data On Network Users
      2. Active Intrusion
        1. Modification Or Deletion Of Message Contents
        2. Insertion Of Bogus Messages
        3. Replay Or Reordering Of Messages
        4. Viruses
      3. Natural Disasters/Catastrophes/Sabotage
        1. Human Errors
        2. Fires, Floods, Brown-Outs.
    2. Locus Of Attack/Failure
      1. Terminals
      2. Hosts
      3. Front-Ends
      4. Gateways
      5. Links
      6. Switches (Includes Multiplexer, Intermediate Nodes)
      7. Interconnected PC/Workstations (Includes LAN, Host-PC Etc.)
  3. Countermeasures 2 Hours
    1. Encryption
      1. Private-Key And Public-Key Systems - DES And RSA As Examples
      2. Key Distribution
      3. Link Level And End-To-End
    2. Authentication
      1. Node And User Authentication
      2. Passwords
      3. Message Authentication
      4. Encryption-Based
      5. Added Protection For PC Authentication Data
    3. Access Control
      1. Access Control Mechanisms-Control Lists And Passwords
      2. Administration
    4. Contingency Planning
  4. Tradeoffs - Costs And Benefits 2 Hours
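The active intrusions listed under Threats above (modification or deletion of message contents, insertion of bogus messages, replay or reordering) and the message-authentication countermeasure listed under Countermeasures can be demonstrated in a few dozen lines. The following is an added example for instructors and is not part of the original course materials: a sender and a receiver share a key and each message carries a sequence number and an HMAC over the sequence number and the body, and the receiver classifies each incoming frame as accepted, tampered or bogus, replayed or reordered, or missing. The shared key, the wire format, the sender and receiver names and the sample payment messages are constructed for illustration; the key itself would come from the key-distribution mechanism the outline lists. An HMAC provides authenticity and integrity only, so the passive threats (disclosure of contents, traffic analysis) still require encryption.

```python
"""Message authentication with replay and reordering detection (added example)."""
import hashlib
import hmac
import struct

SHARED_KEY = b"constructed-demo-key-not-for-real-use"  # constructed; use key distribution
TAG_LEN = 32             # HMAC-SHA256 output length
HDR_LEN = 8 + TAG_LEN    # 8-byte big-endian sequence number followed by the tag


def _tag(key, seq, body):
    # Cover the sequence number and the body together, so a replayed body
    # carrying a new sequence number is rejected as a forgery.
    return hmac.new(key, struct.pack(">Q", seq) + body, hashlib.sha256).digest()


class Sender:
    def __init__(self, key):
        self.key, self.seq = key, 0

    def send(self, body):
        self.seq += 1
        return struct.pack(">Q", self.seq) + _tag(self.key, self.seq, body) + body


class Receiver:
    """Accepts frames strictly in order; anything else is rejected with a reason."""

    def __init__(self, key):
        self.key, self.last_seq = key, 0

    def receive(self, frame):
        if len(frame) < HDR_LEN:
            return ("malformed", None)
        seq = struct.unpack(">Q", frame[:8])[0]
        tag, body = frame[8:HDR_LEN], frame[HDR_LEN:]
        # Verify the tag first, in constant time, so that a forged or modified
        # frame can never influence the receiver's sequence state.
        if not hmac.compare_digest(tag, _tag(self.key, seq, body)):
            return ("tampered_or_bogus", None)
        if seq <= self.last_seq:
            return ("replay_or_reorder", None)    # already seen, or arrived late
        if seq != self.last_seq + 1:
            return ("deletion_or_reorder", None)  # a frame is missing or early
        self.last_seq = seq
        return ("ok", body)


def run_scenarios():
    """Drive one sender/receiver pair through each attack and return the verdicts."""
    alice, bob = Sender(SHARED_KEY), Receiver(SHARED_KEY)
    verdicts = {}
    f1 = alice.send(b"PAY 100.00 TO ACCT 000042")
    verdicts["legit"] = bob.receive(f1)[0]
    verdicts["replay"] = bob.receive(f1)[0]          # the same frame delivered again
    f2 = alice.send(b"PAY 5.00 TO ACCT 000007")
    modified = f2[:HDR_LEN] + b"PAY 5000.00 TO ACCT 000007"
    verdicts["modified"] = bob.receive(modified)[0]  # body changed in transit
    bogus = struct.pack(">Q", 2) + bytes(TAG_LEN) + b"PAY 9.00 TO ACCT 000001"
    verdicts["bogus"] = bob.receive(bogus)[0]        # attacker has no key
    verdicts["legit2"] = bob.receive(f2)[0]
    f3, f4 = alice.send(b"msg 3"), alice.send(b"msg 4")
    verdicts["early"] = bob.receive(f4)[0]           # f4 delivered before f3
    verdicts["in_order"] = bob.receive(f3)[0]
    verdicts["retransmit"] = bob.receive(f4)[0]      # f4 accepted once f3 is in
    return verdicts


if __name__ == "__main__":
    for name, verdict in run_scenarios().items():
        print(f"{name:12s} {verdict}")
```

The strict in-order policy is deliberate for a teaching example: an early frame is refused and the sender retransmits after the gap is filled. A production protocol over an unreliable link would keep a sliding window of accepted sequence numbers instead, which is a worthwhile classroom extension.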

Topic Outline: Corporate Security Management

  1. Overview 1 Hour
  2. Development Of Security Program. 3 Hours
    1. Objectives
    2. Policies
    3. Connectivity, Corporate Structure, And Security
      1. Connectivity Defined
      2. Effect On Corporate Structure
      3. Security Considerations
    4. Plans
    5. Responsibilities
  3. Risk Analysis 2 Hours
  4. Contingency Planning 3 Hours
  5. Legal Issues For Managers 1 Hour
    1. Licenses
    2. Fraud/Misuse
    3. Privacy
    4. Copyright
    5. Trade Secrets
    6. Employee Agreements
  6. System Validation & Verification (Accreditation) 1 Hour
  7. Information Systems Audit 1 Hour
  8. Computer Security Checklist 5 Hours
    1. General Information
    2. General Security
    3. Fire Risk And Water Damage Analysis
    4. Air Conditioning Systems
    5. Electrical System
    6. Natural Disasters
    7. Backup Systems
    8. Access Control
    9. System Utilization
    10. System Operation
    11. Software
    12. Hardware
    13. File Security
    14. Data File Standards
    15. Shared Resource Systems Security

Topic Outline: Introduction To Accounting Controls And EDP Auditing

  1. Goals 1 Hour
    1. Role Of The Accountant
    2. Asset Safety
      1. Organizational Asset
      2. Computer Resource Abuses
      3. Value Of Systems
        1. Hardware
        2. Software
        3. Personnel
        4. Operating Systems
        5. Application Systems
        6. Data
        7. Facilities
        8. Supplies
      4. Proprietary And Private Data
    3. Data Integrity
      1. Pervasiveness Of Errors
      2. Individual Decisions
    4. System Effectiveness
      1. Decision Making Value
      2. Timeliness
      3. Support For Competitive Advantage
    5. System Efficiency
      1. Proper Uses Of Systems And Components
      2. Misallocation Of Resources
        1. Theft
        2. Destruction
          1. Physical Acts Of Nature
          2. Physical Acts Of Persons
        3. Disruption Of Service
          1. Hardware
          2. Software
          3. Personnel
        4. Unauthorized Changes
  2. Roles 1 Hour
    1. Management
      1. Top Management
      2. Middle Management
      3. Entry-Level Management
    2. Information Systems Professionals
      1. MIS Orientation
      2. Data Processing Orientation
    3. Internal Auditors
    4. External Auditors
    5. Management Controls
  3. Systems Cycle 1 Hour
    1. Auditor's Involvement
      1. Concurrent Participation
      2. Ex Post Review
      3. Phases And Concerns
    2. Alternative Models
      1. Traditional
      2. Prototype
      3. Socio-technical
    3. Differences In Internal And External Auditors'
    4. End-User Developed Systems
  4. General Internal Controls 2 Hours
    1. Segregation Of Duties
    2. Proper Delegation Of Authority
    3. Competent Personnel
    4. Authorization System
    5. Documentation
    6. Physical Controls
    7. Supervision
    8. Accountability
  5. Access Controls 1 Hour
    1. Strengths And Weaknesses
    2. Encryption
    3. Personalized Access
      1. Cards And PINs
      2. Physical Identifiers
    4. Audit Trails
      1. Accounting
        1. User Identities
        2. Validation Routines Used
        3. Access And Usage Desired
        4. Physical Location Of Originating Site
        5. Session Times And Dates
        6. Access Methods And Number Of Tries
        7. Results Of Access: Authorized Or Rejected
      2. Operations
  6. Input Controls 2 Hours
    1. Data
      1. Preparation
        1. Conversion To Machine-Readable
        2. Prepare Totals
        3. Human Scanning As Quality Control
        4. Verification
      2. Gathering
        1. Paper-Based
        2. Machine-Based
        3. Mixture
      3. Review
        1. Components
        2. Design
          1. What Data To Gather,
          2. How To Gather Data,
          3. Who Will Gather The Data,
          4. When Will The Data Be Gathered, And
          5. How The Data Will Be Handled, Retained, And Used
      4. Controls
        1. Hash Totals
        2. Financial
        3. Document Counts
    2. Validation
      1. Online
      2. Batch
      3. Lexical
      4. Semantic
      5. Syntactic
      6. Corrections
    3. Error Controls
      1. Error Report
      2. Field Checks
      3. Record Checks
      4. Batch Checks
      5. File Checks
  7. Communications Controls 1 Hour
    1. Risks
      1. Reliability
      2. Unauthorized Uses And Abuses
      3. Errors
    2. Technical Failure
      1. Communications
      2. Hardware
      3. Software
      4. Personnel
    3. Terrorism And Other Overt Threats
      1. Aggressive
        1. Insertion
        2. Deletion
        3. Modification
        4. Intervention
      2. Non-Intrusive
        1. Note Or File Sending
        2. Monitoring Activities
      3. Controls
        1. Audit Trail
        2. Operations Audit Trail
  8. Processing Controls 1 Hour
    1. CPU Controls
      1. Instruction Set Check
      2. Status Check
        1. Kernel
        2. Supervisor
        3. Problem
    2. Memory Controls
      1. Physical
      2. Access
      3. Virtual
    3. Systems
      1. Operating
        1. Protected From Users
        2. Insulated From Its Environment
        3. Users Isolated From Each Other
        4. Examples
      2. Application
        1. Validation Reviews
        2. Programming Reviews
        3. Interfaces Among Programs/Routines
      3. Audit Controls
  9. Database Controls 2 Hours
    1. Access To Levels
      1. Name
      2. Content
      3. Context
      4. History
    2. Application Oversight
      1. Update Policy
      2. Reporting Procedures
    3. Concurrency
      1. Replication
      2. Partitioning
      3. Priorities
    4. Encryption
      1. Transportability
      2. Personalized
      3. Multiple Levels Of Access
    5. Physical Security
      1. Access
      2. File Protection
      3. Data Base Administrator (DBA)
      4. Backup
    6. Audit Controls
  10. Output Controls 1 Hour
    1. Production
      1. Online
      2. Off-line
      3. Ad Hoc
    2. Distribution
      1. Physical Requirements
      2. Control
    3. Presentation
      1. Content
      2. Physical Form
      3. Format
      4. Layout
      5. Time Aspects
    4. Interpretation
      1. Availability
      2. Warning System For Further Information
  11. Evidence 3 Hours
    1. Needs
      1. Assess Quality Of Data
      2. Evaluate Processes
      3. Review Existence Of Processes And Data
      4. Initial Review
        1. Analytical Review
        2. Statistical Analysis
        3. Spreadsheet
        4. Expert Systems Or Decision Support Systems
    2. Limitations
      1. Often After The Fact
      2. Constrained To Extent Of Generalized Audit Software (GAS)
    3. Generalized Audit Software
      1. Parallel Simulation
      2. Integrated Test Facility
      3. File And Record Extraction
    4. Specialized Audit Software
      1. Industry Specific
      2. Configuration Specific
      3. Potential To Be More Efficient
      4. Less Flexible Than GAS
    5. Concurrent Techniques
      1. Concurrent Integrated Test Facility
      2. Simulations
        1. Continuous
        2. Intermittent
      3. System Control Audit Review File (SCARF)
    6. Human Techniques
      1. Interviews
        1. Preparation
        2. Observation
        3. Evaluation
      2. Questionnaires
        1. Determine Objectives
        2. Plan Questions
        3. Test
        4. Deliver
        5. Analyze
      3. Observation
        1. Work As Participant
        2. Unobtrusive
    7. Flowcharts
      1. Document
      2. Data Flow
      3. Systems
      4. Programs
    8. Machine Techniques
      1. Hardware Monitors
        1. Tracks Activity
        2. Analyzes Activity
      2. Software Monitors
        1. Internal To System
        2. Particular Transaction Versus Sampling
        3. Analyzes Activity
  12. Integration 2 Hours
    1. Asset Safety
      1. Measurement
        1. Qualitative
          1. Questionnaires
          2. Risk Matrix
        2. Quantitative
          1. Expected Dollar Loss Versus Cost Of Controls
          2. Expected Time Loss
      2. Cost-Benefit
    2. Data Integrity
      1. Measurement
        1. Qualitative
        2. Quantitative
      2. Cost-Benefit
    3. System Effectiveness
      1. Objectives
        1. Goals Of Firm
        2. Usage
        3. Types Of Usage
        4. User Satisfaction
        5. Technical
          1. Hardware
          2. Software
          3. Degree Of Independence Of Components Of System
      2. Judgment
      3. Overall Evaluation
    4. System Efficiency
      1. Objectives
      2. Indicators
        1. Workload Monitors
        2. Systems Checks
      3. Overall Evaluation
    5. Summary
      1. Qualitative
        1. Collect All Items
        2. Think
      2. Quantitative
        1. Financial Or Business Terms
        2. Sensitivity To Assumptions
      3. Judgment Group Decision Making and Experience Transfer
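The input controls in item 6 of the outline above (hash totals, financial totals, document counts; field, record and batch checks feeding an error report) are easiest to teach against a concrete batch. The following is an added example for instructors and is not part of the original course materials: a preparer computes control totals from the source documents, the keyed records are run through field checks, record checks and batch checks, and the batch is accepted only when the error report is empty. The record layout, the batch header, the approval threshold, the approver field and the two sample batches are constructed for illustration; the approval rule is an assumed policy, not one the outline states.

```python
"""Batch input controls: control totals plus field, record and batch checks (added example)."""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, InvalidOperation

APPROVAL_THRESHOLD = Decimal("5000")  # assumed policy: larger items need an approver


@dataclass
class BatchHeader:
    """Control totals the preparer computes from the source documents before
    keying, so that transcription errors show up as mismatches."""
    document_count: int
    financial_total: Decimal   # sum of the amount field
    hash_total: int            # sum of account numbers; no business meaning


# Record layout (constructed): doc_id, account, amount, posting_date, tx_type, approver
def field_checks(rec):
    """Per-field validation: format and domain of each value."""
    doc_id, account, amount, posting_date, tx_type, _approver = rec
    errors = []
    if not (account.isdigit() and len(account) == 6):
        errors.append((doc_id, "field", "account must be exactly 6 digits"))
    try:
        amt = Decimal(amount)
        if amt <= 0 or amt.as_tuple().exponent < -2:
            errors.append((doc_id, "field", "amount must be positive with at most 2 decimals"))
    except InvalidOperation:
        errors.append((doc_id, "field", "amount is not numeric"))
    try:
        date.fromisoformat(posting_date)
    except ValueError:
        errors.append((doc_id, "field", "posting_date is not a valid ISO date"))
    if tx_type not in ("DR", "CR"):
        errors.append((doc_id, "field", "tx_type must be DR or CR"))
    return errors


def record_checks(rec):
    """Cross-field rules on one record (assumed policy: approval above the threshold)."""
    doc_id, _account, amount, _posting_date, _tx_type, approver = rec
    try:
        if Decimal(amount) > APPROVAL_THRESHOLD and not approver:
            return [(doc_id, "record", "amount above threshold needs an approver")]
    except InvalidOperation:
        pass  # already reported by field_checks
    return []


def batch_checks(header, records):
    """Recompute the control totals from the keyed records and compare with the header."""
    errors = []
    financial, hash_total = Decimal("0"), 0
    for rec in records:
        try:
            financial += Decimal(rec[2])
        except InvalidOperation:
            pass
        if rec[1].isdigit():
            hash_total += int(rec[1])
    if len(records) != header.document_count:
        errors.append(("BATCH", "batch", f"document count {len(records)} != header {header.document_count}"))
    if financial != header.financial_total:
        errors.append(("BATCH", "batch", f"financial total {financial} != header {header.financial_total}"))
    if hash_total != header.hash_total:
        errors.append(("BATCH", "batch", f"hash total {hash_total} != header {header.hash_total}"))
    return errors


def validate_batch(header, records):
    """Return (accepted, error_report); a batch is accepted only if every check passes."""
    report = []
    for rec in records:
        report += field_checks(rec)
        report += record_checks(rec)
    report += batch_checks(header, records)
    return (len(report) == 0, report)


# Constructed control totals taken from four source documents.
HEADER = BatchHeader(document_count=4, financial_total=Decimal("7861.84"), hash_total=1112344)

# Keyed batch with two transcription errors (D002 dropped a digit of the account,
# D004 keyed an extra digit of the amount) and one policy breach (D003 unapproved).
KEYED_BATCH = [
    ["D001", "123456", "250.00",  "2014-04-01", "DR", ""],
    ["D002", "23456",  "99.50",   "2014-04-01", "CR", ""],
    ["D003", "654321", "7500.00", "2014-04-02", "DR", ""],
    ["D004", "111111", "12.345",  "2014-04-02", "CR", ""],
]

# The same batch keyed correctly, with D003 approved.
CLEAN_BATCH = [
    ["D001", "123456", "250.00",  "2014-04-01", "DR", ""],
    ["D002", "223456", "99.50",   "2014-04-01", "CR", ""],
    ["D003", "654321", "7500.00", "2014-04-02", "DR", "A17"],
    ["D004", "111111", "12.34",   "2014-04-02", "CR", ""],
]

if __name__ == "__main__":
    for name, batch in (("keyed", KEYED_BATCH), ("clean", CLEAN_BATCH)):
        accepted, report = validate_batch(HEADER, batch)
        print(name, "accepted" if accepted else "rejected")
        for line in report:
            print("  ", *line)
```

The point to draw out in class is that the hash total catches the dropped account digit even though the account "23456" is syntactically plausible, and the financial total catches the extra amount digit independently of the field check; the control totals and the field checks are redundant by design, which is what makes the error report trustworthy.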
NIATEC, National Science Foundation, Information Assurance Directorate, Department of Homeland Security, CISSE, Scholarship For Service