INFA 713 Managing Security Risks - Dakota State University
INFA 713
Managing Security Risks
Fall 2011

Instructor: Kevin F. Streff, Associate Professor and Director of the National Center for the Protection of the Financial Infrastructure and the Center for Information Assurance, College of Business and Information Systems, Dakota State University
Office: Heartland Technology Center Suite 104
Phone: (605) 256-5698
Email: kevin.streff@dsu.edu
Office Hours: By Appointment Only M, T, W, Th

Description: Provide students a management perspective to protect information infrastructure and assets utilizing a defense in depth model that emphasizes the role of people, process, and technology. This course is a study of the existing risk management frameworks, models, processes and tools to equip students with the theory, science and practical knowledge to operationalize risk management in an organization, government agency, or critical infrastructure. The course covers a wide range of business and technical issues and topics, including a discussion on vulnerabilities and risks, computer crime, law, disaster recovery, contingency planning, physical security, operational security, and information security. The course also defines the role of all personnel in promoting security awareness, and the role of law, policy, and standards as they relate to security, privacy, fraud, and identity theft. Several learning objectives include:
- Master the concepts associated with risk assessment, mitigation, and management.
- Stimulate advanced thought to extend the existing methodologies and models used to assess, mitigate, and manage risk.
- Master the concepts associated with security policy, procedures, standards, and guidelines.
- Master the concepts associated with Business Continuity Planning and Incident Response Planning.
- Master the concepts associated with Security Awareness Training Programs.
- Demonstrate mastery of the ability to apply the aforementioned security concepts in a real-world environment.
The course supports much of the CNSSI 4011 and 4016 topics, including playing a key role in the 4016 as it is a dedicated course to risk management. The course provides awareness-level information on security basics and NSTISS basics, while providing performance-level information on NSTISS planning and management and NSTISS policies and procedures. It also provides information on information system life cycle activities, countermeasures identification, implementation and assessments, certification and accreditation, synthesis of analysis, testing and evaluation, threat and adversary analysis, mission and asset assessments, vulnerabilities and attack avenues analysis, and training/awareness.

Credit Hours: 3
Prerequisites: N/A
Texts:
- Official (ISC)²® Guide to the CISSP® CBK®, 2nd ed., Harold Tipton, Auerbach Publications.
- Assessing and Managing Security Risk in IT Systems, John McCumber, Auerbach Publications, 2007, 2nd edition.
- Writing Information Security Policies, Scott Barman, New Riders Publishing, 2002. ISBN 1-57870-264-X.
- Information Security Policies, Procedures, and Standards, Thomas R. Peltier, Auerbach Publications, 2002. ISBN 0-8493-1137-3.
Other resources will be used, including FFIEC manuals, government documents, and other security resources from ISC2, FISSEA, NIST and SANS.
Attendance: Class meets on Tuesdays and Thursdays from 8:00 to 9:15. Regular class attendance and completion of assignments are required to successfully complete this course.

Dishonesty: All forms of academic dishonesty will result in an F for the course, notification of the Dean of Student Affairs and the University Disciplinary Board. Academic dishonesty includes (but is not limited to) plagiarism, copying answers or work done by others and use of notes or other aids during quizzes and exams.

Participation: You will be asked to participate in discussions both in the classroom and in Desire2Learn. For each question posted by the instructor in the virtual course room, you are asked to provide a substantive response of 200-300 words. Of course you can say more, and this is encouraged. Further, your participation in class is important as it contributes to your learning. Together, the postings and class participation make up the "participation" component of your grade. Responses to other student postings are encouraged and will be rewarded.

Projects/Papers: You will be asked to research, analyze, and write up several reports throughout the semester. You may also be asked to complete projects that reinforce risk management concepts.

Examinations: Two tests (a mid-term and final) covering assigned material are given during the semester and will be objective and/or essay in format. The final exam is comprehensive.

Make-Ups: Makeup exams will only be given when situations out of your control warrant. Failure to study for an examination is not sufficient grounds to schedule a makeup exam. Should you feel that a makeup is warranted, please contact me before the scheduled exam if at all possible.

Security Project: The semester project focuses on performing a risk assessment or other approved security project for a company that you select (and I approve). You will develop a detailed written report. Informal project status updates will be given orally by you to the class during specified class meetings or in D2L. The security project will complete a risk assessment (and all the phases in a risk assessment) so you gain real-world experience implementing class concepts.

Evaluation: Grades will be based on the following points.
Participation          100 points
Projects & Papers      250 points
Mid-Term Exam          200 points
Security Project       250 points
Final Exam             200 points
TOTAL                 1000 points

Grades will be assigned on the following scale, with reservation for judgment.
92%-100%   A
84%-91%    B
76%-83%    C
68%-75%    D
Below 68%  F
Final grades are due at 4:30 P.M. on December 22nd.
ADA Statement: If you have a documented disability and/or anticipate needing accommodations (e.g., nonstandard note taking, extended time on exams or a quiet space for taking exams) in this course, please contact the instructor. Also, please contact Dakota State University's ADA coordinator, Keith Bundy (located in the Student Development Office in the Trojan Center Underground or via email at Keith.Bundy@dsu.edu or via phone (605-256-5121)) as soon as possible. The DSU website containing additional information, along with the form to request accommodations, is available at http://www.dsu.edu/student-life/disabilityservices/index.aspx. You will need to provide documentation of your disability. The ADA coordinator must confirm the need for accommodations before officially authorizing them.

Syllabus: The following represents the tentative order of business for the course. However, I reserve the right to make any necessary changes to the syllabus throughout the semester. Guest speakers will also be brought in and will introduce changes to the syllabus.
Date: Sept., Oct., Nov., Dec.
Topics (in order):
Introduction to the course
Information Assurance Overview
Information Assurance and Defense in Depth
Security Strategy
Information Risk
Information Security Law, Regulation and Governance
McCumber Cube
Risk Management Lifecycle
Asset Inventory
Information Criticality Matrix
Protection Profiles
Threats and Vulnerabilities
Safeguards
Residual Risk
Octave
Asset
IAM
HIPAA Crosswalk
TRAC
Tools
Mid-Term Exam
Policy
Procedures
Standards
Guidelines
Incident Response Planning
Disaster Recovery Planning
Business Continuity Planning
Pandemic Planning
Security Awareness Programs
Final Exam
Security Project Due
12/12 Final Exam 8:00 to 10:00
Other Policies:
Dakota State University has published the Fall 2011 Semester Calendar:
http://www.dsu.edu/academics/academic-calendar.aspx
This calendar includes the important dates to remember, including last day to drop, last day to withdraw, etc.
Dakota State University has also published the Fall 2011 Final Exam Schedule:
http://www.dsu.edu/academics/documents/2011-fall-exam-schedule.pdf