Clark Atlanta University

Department of Computer and Information Science

Course Syllabus

 

CIS 519
Information Assurance Tools and DB Administration

T-Th 10:50-12:05

Sage Hall 113

 

Instructor: Dr. Roy George, Associate Professor

 

Office Hours: Office hours will be announced in class and posted on the office door.

Office Location: Room 1013, Cole Building

Office Telephone: 404-880-6945

Email: rgeorge@cau.edu

 

Course Information (must be same as listed in Catalog)

| Course Number/Section | Course Title | Credit Hours | Semester | Time | Level (U/G) |
|---|---|---|---|---|---|
| CIS | CIS 519 IA Tools and DB Administration | 3 | Spring | 10:50-12:05 | UG/G |

Brief Description

Broad overview of the field of computer organization and architecture. Topics to be covered include the tools required for protecting information resources.

Prerequisites (if applicable)

CIS 123: Data Structures

CIS 474: Intro to Operating Systems

HTTP Links

http://www.cis.cau.edu/course/cis519

http://www.cis.cau.edu/course/securitylinks

http://www.cis.cau.edu

http://acm.org

Course Length

3 credit hours over 16 weeks. The class meets twice a week for 1 hour and 15 minutes each session, a total of 48 hours.

 

Course Description:

Advanced study of the logical organization of the functional components of computers, including processors, control units and memory. Also includes interconnection networks, memory hierarchies, and array and pipeline machines.

 

 

Course Objectives and Learning Outcomes:

 

The purpose of the course is to provide the student with an overview of the field of Information Security and Assurance.  Students will be exposed to the spectrum of Security activities, methods, methodologies, and procedures.  Coverage will include inspection and protection of information assets, detection of and reaction to threats to information assets, and examination of pre- and post-incident procedures, technical and managerial responses and an overview of the Information Security Planning and Staffing functions.

 

This course provides the student with a background, foundation, and insight into the subject of Information Assurance and Database Administration. This knowledge will serve as a foundation for future study in selected aspects of this important field or as an important dimension of their effectiveness in the broader computer science field. The primary objectives of the course are to:

  • Gain knowledge of the importance of Database Security and how it affects our changing world.
  • Gain knowledge of the basic concepts of Security Requirements, especially the close relation between the objective of machine security and human factors.
  • Understand the basic concepts of database reliability and integrity.
  • Understand the basic concepts of Encryption, Program Threats, and Trusted Operating Systems.
  • Be capable of developing a Security Policy for an Organization.
  • Understand the relationship between software development and information security.
  • Identify the key areas of Security in Networks.
  • Learn how to critically analyze situations of Threats in Networks.

 

Learning Outcomes: Upon completion of this course, students will be able to:

  • Demonstrate knowledge of administering security (passwords, files, and data)
  • Demonstrate knowledge of protections against malicious logic
  • Identify and prioritize security planning
  • Identify and prioritize threats to information assets
  • Define an information security strategy and architecture
  • Plan for and respond to intruders in an information system
  • Describe legal and public relations implications of security and privacy issues
  • Present a disaster recovery plan for recovery of information assets after an incident
  • Be aware of legal, privacy, and ethical issues in computer security
  • Understand the rights of employees and employers
  • Understand the fundamental concepts of cryptographic systems

 

 

Course outline and Major Topics

 

  1. Introduction to Information Assurance, Databases, and their Security
     a. CONOP (Concept of Operation in IA)
     b. What is a CONOP (a detailed document that describes the method, act, process or effect of using an IS)
     c. Explain Information Warfare
  2. Multilevel secure databases: partitioned, cryptographically sealed, filtered
     - Define techniques of cryptanalysis
     - Digital signatures
     - Methods of encryption
  3. General procedures in facilities (standard operations)
  4. The threats to security in computing: interception, interruption, modification, fabrication
     - Define System Security Authorization Agreement (SSAA)
  5. Controls available to address these threats and their consequences:
     - Investigative analysis
     - Encryption, programming controls, operating systems
     - Network controls, administrative controls
     - Law and ethics (criminal prosecution and consequences)
     - Define appropriate interrogation procedures and policies
  6. Threats against networked applications, including denial of service, web site defacements, malicious mobile code, and protocol attacks
  7. Controls against network attacks:
     - Physical security
     - Control and modify policies and procedures
     - Control a range of technical issues
     - Discuss specific agency security policies and policy-making bodies
     - Countermeasures to reduce the impact of threats
     - IA countermeasure training and education for employees
  8. Security goals: confidentiality, integrity, and availability
  9. Vulnerability controls (hardware and its peripheral devices, software, data and other exposed assets)
  10. Program development controls against malicious code and vulnerabilities: software engineering principles and practices
     a. Define software licensing
     b. Define software piracy
  11. Administering Security: Security Plan, Risk Analysis, Audit and Assessments, System Life Cycle Security Management
     a. The nature of risk
     b. Risk management policy
     c. Steps of a risk analysis
     d. Identify assets
     e. Determine vulnerabilities
     f. Identify the structure of the database
     g. Survey and select the new controls
     h. Assuring commitment to a security plan (describe the Business Continuity Plan (BCP); this includes SA/Staff)
     i. Continuing attention and documentation (security planning policies and working with team members)
     j. Configuration management (dealing with SA/Staff legal configuration restrictions)
  12. Database Security (terms and concepts)
     a. Database management system (DBMS) and its vulnerabilities
     b. Database threats (data mining, data warehouses)
  13. Security Policy: high-level standards for users and managers
     - Identifies and organizes the security activities for users and managers
     - Access control authorization (unauthorized access, policies, law, and penalties for personnel)
     - Accountability (train users in computer security principles)
     - Monitoring users' (SA/Staff) computer systems
     - Due care rule (monitoring user activities)
     - Intrusion detection policy
     - Laws, regulations, and other public policy
  14. Physical Security and standards (protection outside the computer system)
     - Define contingency plans and their development
     - Contingency planning: adequate preparation for recovery based on the standards
     - Tempest: U.S. government program under which computer equipment is certified as emission-free
     - Natural threats (flood, fire, earthquake, etc.)
     - Disaster recovery planning (DRP)
     - Environmental control (flood, fire, safety issues, etc.)
     - Fire prevention procedures and grounding issues
     - Facilities management (disaster recovery plan testing)
     - Network storage
  15. System emergency (such as federal emergency management, Homeland Security)
     - Define the procedures for emergency/incident response team reports
  16. Legal, Privacy Act (1974, 1986, 2001), and Ethical Issues in Computer Security
     a. Federal ISM Act
     b. 21st Century Copyright Act
     c. Define the Federal IS Management Act
     d. Describe computer crime and its laws
     e. Define intellectual property laws
     f. Liability, licensing and security laws
  17. Protection of programs, information, and equipment by patents, copyrights, and trademarks
     - Implications of the Privacy Act
     - Define the Clinger-Cohen Act
     - Freedom of Information Act
     - Discuss the USA PATRIOT Act
  18. Ethical analysis of computer security situations
  19. Code of professional ethics, standards of conduct
     a. Keystroke monitoring
     b. Describe keystroke monitoring policy
     c. Policy on monitoring systems
     d. Policy on ethics and organizational culture
  20. Introduction to Operations Security
  21. Protection in general-purpose operating systems
     - User authentication
     - Controlled access to voice and data communications
     - Protecting memory, files and the execution environment
  22. Cryptography Concepts
     - Concepts of encryption (clearly address the need for confidentiality of data)
     - Asymmetric encryption and the RSA algorithm
     - National policies and procedures (enforcing security through hardware or software means)
     - System Security Authorization Agreement (SSAA)
     - Policy in depth regarding classified materials
     - Technology policy
  23. Security in Networks: concepts, traffic control, firewalls, IDS, secure e-mail/phone mail, and modems
     a. What firewalls can and cannot do (block, provide layers of protection such as Defense in Depth)
     b. Intrusion Detection Systems (types of IDSs)
  24. Modes of Communication, such as media, protocols, and the ISO OSI Reference Model

 

 

Teaching/Learning Methods: (lectures, videos, outside speakers, etc.)

This class is a lecture-focused course, supplemented by homework, assignments, lab and group project work, and presentations.

We will use electronic means of communication, including email and the class web site. Changes will be announced in class and posted on the class web site. Please check it frequently.

We will follow the posted course schedule as closely as possible, but it is subject to change based on speaker availability, etc. Changes will be announced in class.

 

Evaluation Methods

Grading and other policies and expectations:

 

| Assignment Type | Weight (%) |
|---|---|
| Homework | 25 |
| Article Critiques | 20 |
| Class Project | 30 |
| Class Participation/Attendance/Quizzes | 25 |

All assignments and projects are required for passing the course.

CLASS PARTICIPATION AND ATTENDANCE
Discovery does not arise from instruction but from personal engagement with the controversies and potentials of a computerized society.  You have to be in class to contribute to and benefit from that personal engagement. As you saw above, a quarter of your grade depends on class participation and attendance. In this class, engagement will take several forms:

  • You will be expected to read, summarize, and interpret the articles for yourself and others.
  • You will be expected to study problems, techniques, and approaches individually and in groups, and then present your findings both orally and in writing.
  • You will be expected to critique the perspectives/opinions of both authors and classmates in discussions and position papers.

At any class period, you may be asked to summarize and critique readings from the book or elsewhere in an “elevator speech” for the class. On such occasions, you are invited to refer to notes you've made in response to the readings. You may also be quizzed on the high points of the material.

If you are unable to attend class, notify the TA by email before the period begins for consideration of an excused absence.

 

CAU/CIS Policies and Expectations:

 

COURSE POLICIES:

1.  Student Conduct In Class Policy

Any acts of classroom disruption that go beyond the normal rights of students to question and discuss with instructors the educational process relative to subject content will not be tolerated, in accordance with the Academic Code of Conduct described in the Student Handbook.

 

2.  Electronic Devices In Class Policy

Cellular phones, pagers, CD players, radios, and similar devices are prohibited in the classroom and laboratory facilities. Calculators and computers are prohibited during examinations and quizzes, unless specified.

 

3.  Disabilities Policy

In compliance with the Americans with Disabilities Act (ADA), all qualified students enrolled in this course are entitled to “reasonable accommodations.” Please present proper documentation and notify the instructor within the first two weeks of class of any accommodations needed for the course.

4.  Academic honesty

Academic honesty is based on the principle that one’s work is one’s own.  Clark Atlanta University encourages all members of the University to accept responsibility for taking academic honesty seriously by being informed, by contributing to a climate in which honesty is valued, and by considering responsible ways to discourage dishonesty in the work of others.  Students, faculty, administrators and staff should not condone or tolerate cheating, plagiarism, or falsification, since such activity negatively affects members of the academic community.  Plagiarism is the presentation of all or a portion of someone else’s work, as one’s own, without properly citing/documenting the work.  Plagiarism is unacceptable and will result in a failing grade in the course. 

 

5.  Clark Atlanta University Campus Cultural Creed 

Clark Atlanta University is committed to academic excellence, building character, and service to others.  The University will achieve its mission by cultivating an environment of honesty, kindness, mutual respect, self-discipline, school loyalty, trust, academic integrity and communal pride.  As a member of this scholarly community, I make the following pledge:

 

·              I will work to promote academic honesty and integrity;

·              I will work to cultivate a learning environment which opposes violence, vulgarity, lewdness and selfishness;

·            I will embrace the concept of mutual respect by treating others the way I want them to treat me;

·          I will support a campus culture of diversity by respecting the rights of those whose views and experiences differ from my own;

·            I will honor and care for the sanctity of my body as the temple of God;

·            I will commit myself to service so that I can make a difference in the world and a difference for more than just myself;

·         I will celebrate and contribute to the “spirit of greatness” left by those who preceded me, and I will work to leave this a better place for those who follow me;

As a member of this community, I am committed to conducting myself in ways that contribute to a civil campus environment, which encourages positive behavior in others.  I accept the responsibility to uphold these noble ideals as a proud member of the Clark Atlanta University Family.

 

6.     Attendance

To confirm enrollment, a student must attend each scheduled class within the first two weeks following the official start of the semester.  After this period, a student will not be permitted to enter any class, and the professor will report the student’s nonattendance to the Registrar.  The student will be withdrawn from the class with a grade of “WU” assigned.

  

Students are expected to attend all classes and are responsible for all notes, class assignments and activities whether in class or not.  If a student has an excused absence, he or she must provide documentation and must makeup missed work within one week of absence.  Unexcused absences will result in a grade of zero for missed assignments.  There are a maximum of 3 unexcused absences for this course. 

 

A student who has stopped attending class is one who has not attended class for three consecutive weeks and has not contacted his/her professor.  This student does not qualify for an “I” grade and will be administratively withdrawn.  The student will receive a course grade as stipulated on the syllabus.  The instructor is expected to record the last date of attendance.

7. Incomplete Policy

An incomplete grade (“I”) is given when a student has been enrolled in a course for an entire semester but has not completed all the requirements.  The “I” is given only when the student has an acceptable excuse for not taking the final examination or for failing to complete other requirements, but is otherwise doing passing work as determined by the instructor.  An “I” should be removed by the end of the semester following the one in which the “I” grade was earned, but no later than one year from the end of the semester in which the “I” grade was earned.  Removal of an “I” does not assure a passing grade in the course.  (Undergraduate Academic Regulations and Procedures Handbook for Students)

 

 

Required Readings:

 

  • Security in Computing (3rd Edition), by Charles P. Pfleeger and Shari Lawrence Pfleeger, Prentice Hall, 2003, ISBN 0-13-035548-8

Recommended:

  • Computer Security: Art and Science, by Matt Bishop, Addison-Wesley, 2003, ISBN 0-201-44099-7

 

Supplemental Readings/Additional Bibliography:

 

  • Computer Related Risks, by Peter G. Neumann, Addison-Wesley, 1995, ISBN 0-201-558
  • Information Security: Protecting the Global Enterprise, by Donald L. Pipkin, Prentice Hall, 2000, ISBN 0-13-017323-1
  • Information Warfare and Security, by Dorothy E. Denning, Addison-Wesley, 1999, ISBN 0-201-43303-6
  • Internet Besieged: Countering Cyberspace Scofflaws, edited by Dorothy E. Denning and Peter J. Denning, 1998, ISBN 0-201-30820-7
  • Principles of Information Security, by M. Whitman and H. Mattord, Course Technology, 2003, ISBN 0-619-06318-1
  • Guide to Network Defense and Countermeasures, by Greg Holden, 2003, ISBN 0-619-13124-1
  • The Process of Network Security, by Thomas A. Wadlow, Addison Wesley Longman, 2000, ISBN 0-201-43317-6
  • Hands-On Information Security Lab Manual, by M. E. Whitman and D. Shackleford, Thompson Custom Publishing, 2003, ISBN 0-759-31283-4
  • Management of Information Security, by M. Whitman and H. Mattord, Course Technology, 2003, ISBN 0-619-21515-1

Government Reading

 

Executive Order 13010, Critical Infrastructure Protection (July 15, 1996)
http://www.fas.org/irp/offdocs/eo13010.htm

The President's Commission on Critical Infrastructure Protection (PCCIP) and its final report, "Critical Foundations" (Oct 1997). Read the article summary of the report.
http://www.marshall.org/article.php?id=65

PDD-63, Critical Infrastructure Protection (May 22, 1998)
http://www.fas.org/irp/offdocs/pdd/pdd-63.htm

U.S. Commission on National Security/21st Century (Hart-Rudman Commission, September 1999). Review just this web page.
http://www.disinfopedia.org/wiki.phtml?title=U.S._Commission_on_National_Security/21st_Century_/_Hart-Rudman_Commission

Executive Order 13228, Establishing the Office of Homeland Security and the Homeland Security Council (October 8, 2001)
http://www.fas.org/irp/offdocs/eo/eo-13228.htm

Executive Order 13231, Critical Infrastructure Protection in the Information Age (October 16, 2001)
http://www.fas.org/irp/offdocs/eo/eo-13231.htm

Homeland Security Act of 2002 (H.R. 5005). Review the contents and Title 1 on PDF pages 1-11.
http://www.dhs.gov/interweb/assetlibrary/hr_5005_enr.pdf

“The National Strategy For Homeland Security” (July 16, 2002). Read only the Letter from the President and the Executive Summary.
http://www.whitehouse.gov/homeland/book/index.html

“National Strategy to Secure Cyberspace” (February 2003). Read only the Letter from the President, the Executive Summary, and the Introduction.
http://www.whitehouse.gov/pcipb/

“National Strategy for the Physical Protection of Critical Infrastructures and Key Assets” (February 2003). Read only the Letter from the President and the Executive Summary.
http://www.dhs.gov/interweb/assetlibrary/Physical_Strategy.pdf

Executive Order 13231 of October 16, 2001 (as amended by E.O. 13286 of February 26, 2003), “Critical Infrastructure Protection in the Information Age”
http://www.dhs.gov/interweb/assetlibrary/EO_13231_Revised.pdf

Homeland Security Presidential Directive (HSPD)-7 (Dec. 17, 2003). Subject: Critical Infrastructure Identification, Prioritization, and Protection.
http://www.whitehouse.gov/news/releases/2003/12/print/text/20031217-5.html

“The DHS Strategic Plan: Securing Our Homeland” (February 24, 2004). Read just the contents and summary.
http://www.dhs.gov/interweb/assetlibrary/DHS_StratPlan_FINAL_spread.pdf

National Infrastructure Advisory Council (NIAC). Just the website information and members.
http://www.dhs.gov/dhspublic/display?theme=9&content=3445

Protected Critical Infrastructure Information (PCII) Program. Just the program overview.
http://www.dhs.gov/dhspublic/display?theme=92&content=3755

Information Sharing and Analysis Centers (ISACs)
http://www.dhs.gov/dhspublic/display?theme=73&content=1375&print=true

 

 

 

| Week | Topics | Reading |
|---|---|---|
| 01 | Intro Database Security; Literature Discussion | Chapter 6 |
| 02 | Security Requirements; Literature Discussion | Chapter 6.1 |
| 03 | Reliability and Integrity protection from the Operating System | Chapter 6.2-6.3 |
| 04 | Multilevel Databases and case for differentiated security | Chapter 6.3-6.7 |
| 05 | Security Networks; Literature Discussion | Chapter 7 |
| 06 | Introduction to Administering Security | Chapter 8 |
| 07 | Assuring Commitment to a Security Plan; Literature Discussion | Chapter 8.1 |
| 08 | Midterm Exam: 10/14 | Chapter 6 - Chapter 8 |
| 09 | Legal, Privacy, and Ethical Issues in Computer Security | Chapter 9 |
| 10 | Protecting Programs and Data; Copyrights, Patents and Trade Secrets | Chapter 9.1-9.4 |
| 11 | Rights of Employees and Employers; Class Discussion | Chapter 9.5-9.7 |
| 12 | Ethical Reasoning; Class Discussion | Chapter 9.8-9.10 |
| 13 | Cryptography Explained; Literature Discussion | Chapter 10 |
| 14 | Public Key Encryption Systems; Literature Discussion | Chapter 10.1-10.9 |
| 15 | Wrap-up, Review. Last day of this class: 11/30; Reading Period: 12/02 | |
| 16 | Final Exam Period: 12/06-12/10 | |