Clark Atlanta University

Information Assurance Design

CIS 521: Introduction to Information Security

Overview:

  • Description
  • Objective(s)
  • Goals/Outcome
  • Outline
  • Suggested Assignments
  • References

Suggested Time: 2 class periods

Course Length: 3 Hours

Prerequisites: CIS 123, CIS 474

Target Audience

Levels          Disciplines
                CS    CIS
Undergraduate   x     x
Graduate

Description:

This course provides an overview of Information Security. It is designed to teach Computer Science students important issues in Information Security from both the computational and administrative viewpoints. While the primary emphasis of the course is technical (it examines the issues of providing security for information processing systems: secure operating systems and applications, network security, cryptography, security protocols, etc.), it also examines security from an administrative perspective: the importance of management and administration, and the place information security holds in overall business risk.

Objective(s):

The primary purposes of this course are to:

  • Understand the importance of information security and how it affects our changing world.
  • Understand the basic concepts of Information Security, especially the close relation between the objective of machine security and human factors.
  • Understand the basic concepts of Encryption, Program Threats, and Trusted Operating Systems.
  • Be capable of developing a Security Policy for an Organization.
  • Understand the relationship between software development and information security.
  • Identify the key areas of information security and how they work.
  • Learn how to critically analyze situations of computer use, identifying the issues, consequences, and viewpoints.

Goals/Outcome:

Upon completion of this course, students should be able to:

  • Identify and prioritize information assets.
  • Identify and prioritize threats to information assets.
  • Define an information security strategy and architecture.
  • Plan for and respond to intruders in an information system.
  • Describe legal and public relations implications of security and privacy issues.
  • Present a disaster recovery plan for recovery of information assets after an incident.

Outline:

  • Security Problems in Computing: What does “Secure” mean?
  • The risks involved in computing:
      - Risk assessment, acceptance, and management
      - Risk assessment: information states and valuation
      - Validation testing
      - Traffic analysis
      - Information processing and storage
  • The goals of secure computing: information characteristics, confidentiality, integrity, and availability
  • The threats to security in computing: interception, interruption, modification, fabrication
      - Security investigation procedures
  • Controls Available to Address these Threats:
      - Human threats
      - Encryption, programming controls, operating systems
      - Network controls, administrative controls
      - Law (enforcement interface) and ethics
      - International laws and legal bodies
  • The meaning of Computer Security
  • Plan security program for users and managers
  • Computer Criminals:
      - Career computer criminals and understanding the targets of computer crime
      - Accountability of employees for accessing information and protecting their organization (fraud, waste, and abuse)
  • Vulnerabilities management and analysis
      - Records management
      - Records retention
      - Hardware asset management
      - Software asset management
      - Mail retention
      - Other exposed assets
  • Program security and development controls against malicious code and vulnerabilities: software engineering principles and practices
  • Protection in General-purpose Operating Systems
      - User authentication
      - Controlled access to objects
      - Protecting memory, files and the execution environment
  • Methods of Defense
      - Concepts of Encryption (clearly address the need for confidentiality of data)
      - Asymmetric encryption and the RSA algorithm
      - Key exchange protocols and certifications
      - National policies and procedures (enforcing security through hardware or software means)
      - Controls (software, hardware, physical controls)
      - Handling media (complying with rules and regulations, etc.)
  • Designing Trusted Operating Systems
      - What makes operating systems “secure” or “trustworthy”?
      - How are trusted systems designed? (employee clearance)
      - How do we develop “assurance” of the correctness of a trusted operating system?
      - Evaluation of the “Trusted Computer Systems”
      - Security clearances
  • Management of Information Security: Review Policies and Procedures
      - Key management rules
      - Introduce users and managers to COMSEC/security profiles
      - COMSEC custodian process and its relevance to users and managers
      - Program budget and evaluation
      - Ethical procedures
      - Deliberate planting of apparent security weaknesses
  • Information Systems Security Policies
      - Incorporate technical security policies
      - Train users about policies (physical controls, transportation)
      - Evaluate security policies (control disgruntled employees)
      - Ensure adaptive security policies implementation
      - Define computer security principles
      - Risks involved in operation security
      - Auditing tools (policy and procedures)
  • Emerging Trends in Certification and Accreditation
  • Network security evaluation
      - Products
      - Third party
      - Cost and benefit analysis
  • Information Security Oversight Office (ISOO) rules
      - Marking of media
      - Labeling
      - Marking of sensitive information
      - Discuss the list of command security policies and safeguards

Suggested Assignments:

 

References: