INFA 713 Managing Security Risks - Dakota State University

INFA713
Managing Security Risks
Fall 2011
Instructor:
Kevin F. Streff, Associate Professor and Director of the National Center for the Protection of
the Financial Infrastructure and the Center for Information Assurance, College of Business and
Information Systems, Dakota State University
Office: Heartland Technology Center Suite 104
Phone: (605) 256-5698
Email:
Office Hours:
Description:
kevin.streff@dsu.edu
By Appointment Only M, T, W, Th
Provide students a management perspective to protect information infrastructure and assets
utilizing a defense in depth model that emphasizes the role of people, process, and
technology. This course is a study of the existing risk management frameworks, models,
processes and tools to equip students with the theory, science and practical knowledge to
operationalize risk management in an organization, government agency, or critical
infrastructure. The course covers a wide range of business and technical issues and topics,
including a discussion on vulnerabilities and risks, computer crime, law, disaster recovery,
contingency planning, physical security, operational security, and information security. The
course also defines the role of all personnel in promoting security awareness, and the role of
law, policy, and standards it relates to security, privacy, fraud, and identity theft. Several
learning objectives include:
Credit Hours: 3
Prerequisites:
Texts:
Master the concepts associated with risk assessment, mitigation, and management.
Stimulate advanced thought to extend the existing methodologies and models used to
assess, mitigate, and manage risk.
Master the concepts associated with security policy, procedures, standards, and
guidelines.
Master the concepts associated with Business Continuity Planning and Incident
Response Planning.
Master the concepts associated with Security Awareness Training Programs.
Demonstrate mastery of ability to apply aforementioned security concepts in a realworld
environment.
The course supports much of the CNSSI 4011 and 4016 topics, including playing a key role in
the 4016 as it is a dedicated course to risk management. The course provides awareness-level
information on security basics and NSTISS basics, while providing performance-level
information on NSTISS planning and management and NSTISS policies and procedures. It also
provides information on information system life cycle activities, countermeasures
identification, implementation and assessments, certification and accreditation, synthesis of
analysis, testing and evaluation, threat and adversary analysis, mission and asset
assessments, vulnerabilities and attack avenues analysis, and training/awareness.
N/A
Official (ISC)²® Guide to the CISSP® CBK®, 2nd ed, Harold Tipton, Auerbach Publications.
Assessing and Managing Security Risk in IT Systems, John McCumber, Auerbach Publications,
2007, 2 nd edition.

Writing Information Security Policies, Scott Barman, New Riders Publishing, 2002. ISBN 1-
57870-264-X.
Information Security Policies, Procedures, and Standards, Thomas R. Peltier, Auerbach
Publications, 2002. ISBN 0-8493-1137-3.
Other resources will be used, including FFIEC manuals, government documents, and other
security resources from ISC2, FISSEA, NIST and SANS.
Attendance:
Dishonesty:
Participation:
Projects/Papers:
Examinations:
Make-Ups:
Security Project:
Evaluation:
Class meets on Tuesdays and Thursdays from 8:00 to 9:15. Regular class attendance and
completion of assignments are required to successfully complete this course.
All forms of academic dishonesty will result in an F for the course, notification of the Dean of
Student Affairs and the University Disciplinary Board. Academic dishonesty includes (but is
not limited to) plagiarism, copying answers or work done by others and use of notes or other
aids during quizzes and exams.
You will be asked to participate in discussions both in the classroom and in Desire2Learn. For
each question posted by the instructor in the virtual course room, you are asked to provide a
substantive response of 200-300 words. Of course you can say more and this is encouraged.
Further, your participation in class is important as it contributes to your learning. Together,
the postings and class participation make up the "participation" component of your grade.
Responses to other student postings are encouraged and will be rewarded.
You will be asked to research, analyze, and write-up several reports throughout the semester.
You may also be asked to complete projects that reinforce risk management concepts.
Two tests (a mid-term and final) covering assigned material are given during the semester and
will be objective and/or essay in format. The final exam is comprehensive.
Makeup exams will only be given when situations out of your control warrant. Failure to study
for an examination is not sufficient grounds to schedule a makeup exam. Should you feel that
a makeup is warranted, please contact me before the scheduled exam if at all possible.
The semester project focuses on performing a risk assessment or other approved security
project for a company that you select (and I approve). You will develop a detailed written
report. Informal project status updates will be given orally by you to the class during specified
class meetings or in D2L. The security project will complete a risk assessment (and all the
phases in a risk assessment) so you gain real-world experience implementing class concepts.
Grades will be based on the following points.
Participation
100 points
Projects & Papers
250 points
Mid-Term Exam
200 points
Security Project
250 points
Final Exam
200 points
TOTAL
1000 points
Grades will be assigned on the following scale, with reservation for judgment.
92%-100% A
84%-91% B
76%-83% C
68%-75% D
Below 68% F
Final grades are due at 4:30 P.M. on December 22 nd

ADA Statement:
Syllabus:
If you have a documented disability and/or anticipate needing accommodations (e.g., nonstandard
note taking, extended time on exams or a quiet space for taking exams) in this
course, please contact the instructor. Also, please contact Dakota State University’s ADA
coordinator, Keith Bundy (located in the Student Development Office in the Trojan Center
Underground or via email at Keith.Bundy@dsu.edu or via phone (605-256-5121) as soon as
possible. The DSU website containing additional information, along with the form to request
accommodations, is available at http://www.dsu.edu/student-life/disabilityservices/index.aspx.
You will need to provide documentation of your disability. The ADA
coordinator must confirm the need for accommodations before officially authorizing them.
The following represents the tentative order of business for the course. However, I reserve
the right to make any necessary changes to the syllabus throughout the semester. Guest
speakers will also be brought in and will introduce changes to the syllabus.
Date
Sept.
Oct.
Nov.
Dec.
Topic
Introduction to the course
Information Assurance Overview
Information Assurance and Defense in Depth
Security Strategy
Information Risk
Information Security Law, Regulation and Governance
McCumber Cube
Risk Management Lifecycle
Asset Inventory
Information Criticality Matrix
Protection Profiles
Threats and Vulnerabilities
Safeguards
Residual Risk
Octave
Asset
IAM
HIPAA Crosswalk
TRAC
Tools
Mid-Term Exam
Policy
Procedures
Standards
Guidelines
Incident Response Planning
Disaster Recovery Planning
Business Continuity Planning
Pandemic Planning
Security Awareness Programs
Final Exam
Security Project Due
12/12 Final Exam 8:00 to 10:00

Other Policies:
Dakota State University has published the Fall 2011 Semester Calendar:
http://www.dsu.edu/academics/academic-calendar.aspx
This calendar includes the important dates to remember, including last day to drop, last day
to withdraw, etc.
Dakota State University has also published the Fall 2011 Final Exam Schedule:
http://www.dsu.edu/academics/documents/2011-fall-exam-schedule.pdf