New Undergraduate Course Proposal Form

Transcription

1 View New Course Proposal New Undergraduate Course Proposal Form 1. Department and Contact Information Tracking Number Date & Time Submitted :49:08 Department Information Systems and Decision Sciences College Budget Account Number Business Contact Person Phone Dr. Kaushal Chari Course Information Prefix Number Full Title ISM 4XXX Information Security and IT Risk Management Is the course title variable? Is a permit required for registration? Are the credit hours variable? N N N Credit Hours Section Type Grading Option 3 Class Lecture (Primarily) Regular Total Clock Hours Abbreviated Title (30 characters maximum) 45 Info sec and risk mgt Prerequisites Interest in computers and information security Corequisites None Co-Prerequisites None Course Description Senior standing, all majors. Introduction to information security and IT risk management in organizations. Covers essential IT general controls and frameworks to assess IT risk in a business environment. 3. Justification A. Indicate how this course will strengthen the Undergraduate Program. Is this course necessary for accreditation or certification? With increasing amounts of organizational information stored in computers, there is increasing interest in information security and IT risk management. Organizations are also required to comply with various legal provisions such as Sarbanes-Oxley for information security. A substantial body of specialized knowledge and tool support has emerged to assist in supporting these functions. There is also considerable interest among local employers for information security knowledge. B. What specific area of knowledge is covered by this course which is not covered by courses currently listed? 1:56:26 PM]

2 View New Course Proposal The topics covered in this course that are not currently covered in other currently listed courses includes (1) an overview of information security and its business impacts; (2) the relationships between vulnerabilities, threats and controls; (3) legal provisions for auditing IT controls; (4) specialized information security tools; (5) control objectives for IT and their application in complying with federal rules and (6) IT risk management. C. What is the need or demand for this course? (Indicate if this course is part of a required sequence in the major.) What other programs would this course service? The skills covered in this course are highly sought by local employers. The course can also service students in the accounting program. D. Has this course been offered as Selected Topics/Experimental Topics course? If yes, what was the enrollment? Yes, offerings and enrolments are as follows: Fall 2008: 30 Fall 2009: 28 Fall 2010: 34 E. How frequently will the course be offered? What is the anticipated enrollment? The course is expected to be offered once a year. The anticipated enrolment is 30 students per offering. F. Do you plan to drop a course if this course is added? If so, what will be the effect on the program and on the students? (Please forward the nonsubstantive course change form regarding the course to be deleted to the Council secretary.) No, there is no plan to drop a course in order to accommodate this course. G. What qualifications for training and/or experience are necessary to teach this course? (List minimum qualifications for the instructor.) At least a masters degree in MIS or related field. 4. Other Course Information A. Objectives / Outcomes 1. To introduce the importance of information security and related business concer. 2. To make students aware of the major categories of information security threats. 3. To make students aware of the common information security controls. 4. To enable students to implement the basic information security controls. 5. To introduce students to the important legal provisions regarding information security. 6. To make students aware of the methodological implications for information security arising from these legal provisions. 7. To provide students with an understanding of the standard methodologies for complying with legal requirements for IT general controls. 8. To provide basic understanding of IT risk management in organizations.student Learning Outcomes: 1. Students will demonstrate an understanding of security concerns and issues in organizations. 2. Students will have the ability to identify major categories of information security threat. 3. Students will have the ability to apply various kinds of controls to counter common threats 4. Students will have the ability to apply best practices related to IT controls to comply with legal requirements. 5. Students will have the ability to provide solutions to mitigate IT risks. B. Major Topics The current topics are as follows: introduction - Why information security is important, common attacks, security perspectives Introduction to computer networking - OSI model, IP addresses, TCP ports, DNS Wireshark Introduction to computer system administration Introduction and use of security tools such as firewall, intrusion detection, vulnerability detection Encryption Software errors Introduction to COBIT and IT general controls for Sarbanes Oxley Introduction to IT risk management C. Textbooks 1:56:26 PM]

3 View New Course Proposal 5. Syllabus Currently, the course uses instructor s notes. Your college will forward an electronic copy of your syllabus to Undergraduate Studies when your course is approved for submission. 1:56:26 PM]

4 SYLLABUS ISM 4XXX: YYY INFORMATION SECURITY AND IT RISK MANAGEMENT Semester : Fall 2010 Room : BSN 111 Meetings : Tue/ Thu, 2:00 3:15 pm Instructor : Manish Agrawal Office : CIS 2071 Telephone : (813) Fax : (813) magrawal@usf.edu Office Hours : Hour before class and anytime my office door is open Textbook : Course material posted on Blackboard Site : http// Username: isecsite; password: isecsite Pre-requisites : Interest in computers and information security Course objectives The objective of the course is to introduce skills and knowledge on Information Security and IT Risk Management in businesses. The course is open to students in all majors. Course objectives will be accomplished through two categories of information (1) helping students develop technical skills to secure computer networks by implementing IT general controls and (2) introducing frameworks that comply with legal provisions for the assessment of IT risk in a business environment. The course will include class presentations and extensive hands-on projects on implementing the common IT controls such as access control lists (ACLs), firewalls, network scanning, STIG (Security Technical Implementation Guidelines), identifying software errors and documenting some key IT General Controls. Required project reports will help students improve their writing and documentation skills. To facilitate learning and to give students the opportunity to implement security controls on server-class technologies, each student will be assigned a UNIX server with root privileges. Specifically, the course objectives are: 1. To introduce the importance of information security and related business concern. 2. To make students aware of the major categories of information security threats. 3. To make students aware of the common information security controls. 4. To enable students to implement the basic information security controls. 5. To introduce students to the important legal provisions regarding information security. 6. To make students aware of the methodological implications for information security arising from these legal provisions. 7. To provide students with an understanding of the standard methodologies for complying with legal requirements for IT general controls. 8. To provide basic understanding of IT risk management in organizations.

5 The student learning outcomes: 1. Students will demonstrate an understanding of security concerns and issues in organizations. 2. Students will have the ability to identify major categories of information security threat. 3. Students will have the ability to apply various kinds of controls to counter common threats 4. Students will have the ability to apply best practices related to IT controls to comply with legal requirements. 5. Students will have the ability to provide solutions to mitigate IT risks. Attendance policy There is no formal attendance policy for this course. However, students who anticipate being absent from class due to religious observance should inform the instructor by the second class meeting Logistics 1. Students may form groups of two students each to complete projects. While forming groups, If you are not an IS major, you should find it useful to pair up with someone who is an IS major. 2. Use the phrase USF Class in the subject line of your for priority attention. I DO NOT provide quality of service guarantee to . Please see Making time to make for reasons. 3. In all deliverables and communication, please include the names of ALL students involved. 4. Readings and assignment deliverables are always scheduled for the last meeting of the week. 5. Deliverables are due by the end of day on the due date (usually this means 11:55pm). 6. Students may not sell notes or tapes of class lectures. 7. Make up opportunities will only be provided for job-related situations and for medical emergencies in the immediate family. Readings Class readings to broaden general awareness on information security and IT risk management are available at The username is isecsite and the password is isecsite. Students will be individually responsible to answer questions related to these readings, but may form study/ discussion groups of 2 3 students each to discuss readings prior to class. Students are encouraged to form such groups. Please, no laptops when readings are being discussed. Highly recommended resources on Information Security and IT Risk Management If you have anything more than a passing interest in information security and IT risk management, the following books cannot be recommended enough. Information from all these sources is used in the class. The Anderson book provides detailed managerial coverage of information security problems and solutions. The Mandia book has recipes for responding to intrusions. Perlman s book has an extra-

6 ordinarily great presentation of encryption algorithms. Westerman s book describes why IT risk management deserves top-management attention and how the major IT risks can be identified. 1. Anderson, Ross, Security Engineering: A Guide to Building Dependable Distributed Systems, Wiley, 2002, ISBN Incident Response and Computer Forensics, Second Edition, by Chris Prosise, Kevin Mandia and Matt Pepe, McGraw-Hill/Osborne; 2 edition (July 17, 2003), ISBN: X 3. Kaufman, Charlie, Radia Perlman, and Mike Speciner, Network Security: Private Communication in a Public World. 2 nd ed. 2002: Prentice-Hall 4. Westerman, George and Richard Hunter, IT Risk: Turning Business Threats into Competitive Advantage (Hardcover). 2007, Boston, MA: Harvard Business School press Acknowledgments Assistance from Sun Microsystems (now Oracle Corp) in the form of Academic Excellence Grant #EDUD US is gratefully acknowledged. The grant provides one T2000 and one T1000 server for classroom use. These machines will be used to provide each student a Solaris zone with root privileges and an externally addressable IP address for the duration of the class. I believe that this may be one of the few classes in the country which makes this resource available to students. The effort involved in making this resource available would be worthwhile if used by students to refine their IT skills. Business Continuity In the event of an emergency, USF may opt to continue delivery of instruction through methods that include but are not limited to: Blackboard, Elluminate, Skype, and messaging and/or an alternate schedule. It s the responsibility of the student to monitor Blackboard for each class for course specific communication, and the main USF, College, and department websites, s, and MoBull messages for important general information. Grading Item Weight Performance Item Weight Performance Exam 20% Individual Intrusion 02% Group detection Readings 10% Individual Scripting 05% Group Narrative report 05% Group UNIX STIG 10% Group Vimtutor 03% Individual Software error 05% Group What they know 05% Group Business plan 04% Group Vulnerability assessment 02% Group IT controls 04% Group STIG demo 05% Group Module questions 15% Firewall 05% Group * 10% of the grade on each deliverable will reflect attention to detail

7 Grading policy Total% Grade Total% Grade Total% Grade Total% Grade >= 93 A+ (max 10% of class) >= 83 B+ >= 73 C+ >= 60 D+ >= 90 A >= 80 B >= 67 C <= 57 D >= 87 A- >= 77 B- >= 63 C- < 57 F

8 Tentative course outline Week/ Dates Perspective Topic Readings Deadlines ** 1-2/ Aug 24, 26, 31, Sep 2 Syllabus, introduction - Why information security is important, common attacks, security perspectives 3/ Sep 7, 9 General Introduction to computer networking - OSI model, IP addresses, TCP ports, DNS Wireshark BG/1,2; Create groups, assign hosts/ IP addresses 4-5/ Sep 14, 16, 21, 23 Introduction to system administration UNIX and vi tutorial BI/ 1 Narrative report on T J Maxx/ Heartland case BI/ 2 6/ Sep 28, 30 Firewalls and ACLs ipfilter I/ 1, 2; Vimtutor, What they know 7/ Oct 5, 7 IT CVE database, vulnerability detection nessus, Samba GI/ 1-5; Vulnerability assessment administrator * nessus 8-9/ Oct 12, 14, 19, 21 Intrusion detection snort; Data collection in Windows/ UNIX, file system permissions, bash scripting, nmap, nc (possibly also buffer overflow) S/ 1, 2 STIG demo S/ 5 Firewall 10-11/ Oct 26, 28, Nov 2, 4 Internal auditor Software errors Encryption techniques Symmetric key, Public key, RSA Security protocols PKI, SSL, SET, VPN, NAT 12-13/ Nov 9, 16, 18 Legal requirements, COBIT, IT Control Objectives for Sarbanes Oxley, ISACA IS auditing standards F/ 1, 2 Intrusion detection snort F/ 3 Scripting exercise T/ 4, 2, 5; UNIX STIG 14-15/ Nov 23, 30, Dec 2 Top management IT Risk management ITRM/ 1, 2; Software errors assessment; business plan; IT controls * Lab activities Exam - (L1 - Introduction, L2 - OSI, L6 encryption etc, L7 - COBIT, L8 - IT risk management) ** Deliverables are due by end of day (usually means 11:55 pm) on the day of the last meeting of the week