INSS 703 - Information Security Management

Professor Al Bento

office BC 473 v-mail 837-5272
e-mail abento@ubalt.edu URL http://home.ubalt.edu/abento


COURSE DESCRIPTION

Information systems and technology are an integral part of most products and services of the post-industrial society of the 21st century. Organizations have a strong operational dependency on information systems to process the mostly on-line transactions generated by their daily operations. Most organizations would shut down their operations in a matter of hours or days if information systems became unavailable, because information systems "run the business." The security and reliability of information systems are the key factors in keeping information available to support business operations. In addition, the volume of transactions on the Web is increasingly important to the success of many businesses. Securing these transactions is an even more pressing concern in modern organizations, where E-Commerce is a vital and strategic activity.

This course is a managerial view of information security. It provides brief hands-on experience with technical aspects of security, but it concentrates on planning, risk management, development, specification, and the informal, cultural and legal aspects of information security management. The prerequisite for this course is INSS640 - Information Systems in Business.

In the first part of the course (weeks one to five) we study the basic information security concepts and have a hands-on introduction to technical aspects of information security. The second part of the course (weeks six to eleven) covers managerial and informal aspects of information security. Finally, the last part of the course (weeks twelve to fifteen) introduces cultural, standards, legal and forensic aspects of information security.

You will work in a small group to do assignments and to discuss and report on selected security cases. All cases are included in the Textbook. You will also take a take-home mid-term and final exam. Assignments (5) differ from cases (8) in their nature. Assignments are hands-on exercises, while cases are short essay papers (between two and five pages). Both are to be done in groups of 2-3 students and posted as one file per group in the ASSIGNMENTS area of WebTycho. Both the mid-term and the final exams are to be done individually.

If you are also interested in a more technical emphasis, we offer other courses such as INSS753 - Internet and Network Security.



ASSIGNMENTS AND GRADING

Exercises (5)    25%
Cases (8)        40%
Mid-term exam    15%
Final exam       20%

Exercises

The exercises are hands-on uses of security tools that provide practical experience with information security software. The exercises are to be done in groups and posted on the corresponding ASSIGNMENTS tab in WebTycho, as follows:

  1. Google hacking exercise: finding security flaws using the Google search
  2. PGP e-mail exercise: using encryption to secure your e-mail communications
  3. Scanning exercises: looking for vulnerabilities with automated tools
  4. Firewall, IDS exercises: setting basic defense mechanisms
  5. Software for legal aspects of IT security: a Web exercise

Cases

The cases are actual situations that allow us to discuss specific information security management issues and topics. The cases are also to be done in groups, and a final report is to be submitted in the corresponding ASSIGNMENTS tab in WebTycho, as follows (the numbers in parentheses are the page numbers of the cases in the Textbook):

  1. Cases in Computer Crime (349)
  2. Developing a Security Policy at M&M (431)
  3. Security Management at the Tower (369)
  4. Case of a computer hack (325)
  5. IS security at Southam Council (356)
  6. Computer crime and the demise of Barings Bank (375)
  7. Taylor City Police Department security breach (426)
  8. Botnet: anatomy of a case (335)

Mid-term Exam

The mid-term exam is an individual exam comprised of modified multiple-choice questions, where you select an answer and explain why you did so, and a few hands-on exercises based on the exercises you did in your group.

Final Exam

The final exam is an individual exam comprised of multiple-choice questions, where you select an answer and explain why you did so, and a few essay questions based on your experiences with the cases discussed in class.


TEXTBOOK

Dhillon, Gurpreet. Principles of IS Security: Text and Cases. Wiley, 2007. ISBN 13-978-0-471-45056-6.
See also: the book's student resource Web site.

Web references:

To be added throughout the semester, in addition to the ones available on the book's Web site.



OUTLINE
Date   Topic                                                            Assignment
01/29  Information security and basic security requirements [1,2]       Google hacking exercise
02/05  Models for security specification [3]                            Cases in Computer Crime (349)
02/12  Cryptography in information security [4]                         PGP e-mail exercise
02/19  Network security - vulnerabilities [5]                           Scanning exercises
02/26  Network security - defense mechanisms [5]                        Firewall, IDS exercises
03/05  Formal Information Security and Planning [6,7]                   Developing a Security Policy at M&M (431)
03/12  Designing information systems security [8]                       Security Management at the Tower (369)
03/19  Spring Break
03/26  Mid-term exam
04/02  Risk management for information security [9]                     Case of a computer hack (325)
04/09  Informal aspects and governance of information security [10,11]  IS security at Southam Council (356)
04/16  Culture and information security [12]                            Computer crime and the demise of Barings Bank (375)
04/23  Information security standards [13]                              Taylor City Police Department security breach (426)
04/30  Legal aspects of information security: HIPAA, SOX, FISMA [14]    Software for legal aspects of IT security: a Web exercise
05/07  Computer Forensics [15]                                          Botnet: anatomy of a case (335)
05/14  Final Exam
Note: the numbers in brackets [ ] refer to chapters in the Textbook; the numbers in parentheses ( ) refer to page numbers in the Textbook.


This page is maintained by Al Bento, who can be reached at abento@ubalt.edu. This page was last updated on February 8, 2007. Although we will attempt to keep this information accurate, we cannot guarantee the accuracy of the information provided.