A. Suggested Schedule:
The following sample module plan is based on the offering of six to nine hours of lectures with outside lab and homework time. To cover adequately each area in this module, integrate the material into other business and information systems courses.
||Organizational Policies and Procedures
||Ethics and Professionalism
||0.5 to 1 hour
||Threats and Vulnerability
||0.5 to 1 hour
||Data Security and Recovery
||0.5 to 1 hour
||Control and Audit
||Costs and Benefits
||0.5 to 1 hour
B. Homework and Lab Exercises:
Following are examples of exercises to enhance the lecture material for this module:
- Class/Paper exercises:
- Brainstorm and graph the flow of data in an organization then identify sensitive resources;
- List organizational security mechanisms that might be used to control the sensitive resources in (a).
- Take the position of the “bad guy” and justify the ethical standpoint of “why you went wrong.”
- Identify corporate policies and procedures for dealing with sensitive resources, and show how these policies and procedures might be communicated to the appropriate personnel.
- Lab exercise - Visit the microcomputer lab and identify:
- What is GOOD about security. Why?
- What is POOR about security. Why?
- Schou, C.D., Fites, P.E., & Burgess, J.D., “Corporate Security Management,” in Information Security Modules, Department of Defense, 1989.
- Consider this the capstone security module in this document. Emphasis is on the management of a corporate level data security program.
- Fites, Philip E., Martin P. J. Kratz, and Alan F. Brebner, Control and Security of Computer Information Systems, W. H. Freeman/Computer Science Press, September. 1988.
- A textbook intended to support college level courses in computer security for technicians and accountants, or to serve as a reference for computer law courses. Contains considerable detail on the material mentioned in this module. A useful reference as well.
- Computer Security Institute, Computer Security Handbook: Computer Security Institute, updated yearly.
- This publication is a compilation of timely sensitivity related articles and monographs. Chapter headings include Managing Security, Protecting the Data Center Communication Security, Disaster Recovery Planning, and Auditing. A good general reference of timely information.
- The Computer Security Institute publishes The Computer Security Journal and a computer security handbook. Computer Security Institute, 360 Church Street, North Borough, MA. 01532, (508) 393-2600.
- Johnson, Douglas W., Computer Ethics: A Guide for the New Age, The Brethren Press, 1984.
- This low-cost, readable paperback book introduces critical issues, including: personal data, decision-making and identifying, building and maintaining ethics in a computer society. This book addresses the question of ethics in the indiscriminate use of the personal computer. The concept of what ethics are is proposed and suggestions are made for establishing a code for personal computer use.
- Computer Professionals for Social Responsibility, Inc., P.O. Box 717, Palo Alto, CA 94301, 415/322-3778.
- CPSR is an organization for computer professionals concerned about social issues. There are active chapters around the world. They produce a newsletter.
- Mandell, Steven L., Computer Data Processing, and the Law, West Publishing Company, Minnesota, 1984.
- This book has been designed especially for the functional aspects of data processing management.
- Davis, G. G., Software Protection, Practical and Legal Steps to Protect and Market Computer Programs, Van Nostrand Reinhold, New York, 1985.
- An academic discussion of intellectual property rights, copyright, unresolved problems with copyright, software warranties, export controls, and infringement remedies.
- Richards, T., Schou, C.D. & Fites, P.E. “Information Systems Security Laws and Legislation,” in Information Security Modules, Department of Defense, 1989.
- Richards, et. al. review topics, timely laws and legislation about computer security as it relates to the individual and the organization.
- Institute For Certification of Computer Professionals, 2200 E. Devon Avenue, Suite 268, Des Plaines, IL 60018. 312/299-4227
- This organization administers professional certificate programs and is sponsored by thirteen other professional organizations.
- DATAPRO Research Corp., Data Pro Reports on Information Security, 1988
- This is a collection of reports dealing with all aspect of information security. Reports IS30-xxx-xxx are primarily concerned with the subject of microcomputer security.
- DATAPRO Research Corp.
- Delran, NJ 08075 (800) 328-2776
- Spiro, Bruce E. & Schou, Corey D., “System Security,” in Information Security Modules, Department of Defense, 1988.
- A detailed review of security issues and the integration of these details into an organizational security program.
- Walston, Claude, and Lisa Hinman, Communications Security IDA Memorandum security breach dealing with possible misappropriation of data, computer programs blueprints, plans, laboratory notes or similar material.
- Whiteside, T., Computer Capers, Mentor, 1978.
- Many vignettes of some early “tales of electronic thievery, embezzlement, and fraud” that brought the problem of data security to our attention. These stories can be used with reports of current problems, for example from The Wall Street Journal or Fortune magazine.
- Voydock, V. and Kent, S., “Security Mechanisms in High-Level Network Protocols,” ACM Computing Surveys, Vol. 15, No. 2, June 1983, pp. 135-171.
- Threats, cryptographic controls, and use of end-to-end encryption in networks.
- Denning, D.E., Cryptography and Data Security, Addison-Wesley, 1983.
- Presently this is one of the principal textbooks in computer security. Good as a background reference.
- Burgess, J.D. & Watts, R.T., “PC/Workstation Security,” in Information Security Modules, Department of Defense, 1989.
- This module gives an introduction to security problems that one may have when working with a stand-alone PC or workstation (networked PCs or workstations are NOT considered here). This material is useful, for a one-person business as well as individual user who is part of a larger organization.
- National Computer Security Center, “A Guide to Understanding AUDIT in Trusted Systems”, NCSC-TG-001-87, 1987. Department of Defense, 9800 Savage Road, Fort George G. Meade, MD 20755-6000
- The guidelines described in this document provide a set of good practices related to the use of auditing in automatic data processing systems used for processing classified and other sensitive information.