SANS Technology Institute
Program Proposal for a Substantial Modification
Master of Science in Information Security Engineering
May, 2014

A. Centrality to institutional mission statement and planning priorities:

1. Provide a description of the program, including each area of concentration (if applicable), and how it relates to the institution's approved mission.

The program leading to a Master of Science in Information Security Engineering (MSISE) is a 36 credit hour, graduate level program comprised of an integrated mix of technical and management courses which include faculty instruction, research, projects, assessments, and simulations that progressively develop the capabilities required by a technically proficient leader in information security engineering. It was initially established and approved by the Maryland Higher Education Commission in The program is designed to be completed in three years by full-time, working professionals who have at least a year or more of experience in information technology, information security, or audit. It is not meant as an introduction to the information security field, but as a program that will advance the capabilities and careers of individuals who are already employed in the field. Students are often supported in the program by their employer and most expect to stay employed by their current employer after graduation.

While the program cannot be completed entirely at-a-distance, most of the courses are offered in multiple formats, allowing an individual student the option to take more than 50% of the program at-a-distance using one or more of our online modalities, or, conversely, to take 50% or more of the program in-classroom at our residential institute events that are comprised of hours of intensive instruction by our faculty over five to six days.
While there are no formal areas of concentration, students may make elective choices that coincide with the award of the postbaccalaureate certificates in Penetration Testing & Ethical Hacking, or Incident Response.

The MSISE program is directly aligned with the formal Mission of the SANS Technology Institute:

The SANS Technology Institute develops leaders to strengthen enterprise and global information security. The SANS Technology Institute educates managers and engineers in information security practices and techniques, attracts top scholar-practitioners as faculty, and engages both students and faculty in real-world applied research.

The formal Vision of the SANS Technology Institute is:

The SANS Technology Institute aspires to be the preeminent graduate institution translating contemporary information security practice and scholarship into effective educational experiences. Our graduates will be highly valued because they design state-of-the-art, enterprise-level cyber defenses, champion the adoption of those defenses, and manage their implementation and ongoing operation. In so doing, STI will:

1. Enable private and public sector enterprises of the United States and its allies to preserve social order and protect their economic rights and military capabilities in the face of cyber attacks;
2. Provide the national defense establishment, critical industries, businesses and government agencies with information security engineers and managers who have the most current and critical knowledge and skills needed to respond effectively to the evolving cyber attack landscape; and,
3. Perform leading-edge research that continually identifies current best practice and enhances the state of the art in the practice of information security.

The MSISE program therefore fits directly within the focused mission of the SANS Technology Institute in developing both managers of information security groups and technical experts who lead information security technology programs.

The MSISE program seeks to develop security practitioners who excel as technical leaders in their organizations. The program is designed to ensure that each student achieves knowledge of the core, foundational domains of information security, and allows them elective choices either to develop concentrations in particular domains or to add to the breadth of their expertise by exploring a mixed set of topics beyond the core areas. The MSISE program prepares students to weave deep technical expertise into the design of effective cybersecurity. It also provides them with the communications skills and knowledge to gain proactive support for security enhancements from (1) higher-level management, (2) other peer organizational leaders and staff who must cooperate in adopting the enhancements, and (3) technical team members who must build and deploy those enhancements.
This proposal is the result of modifications we seek to make to the existing MSISE program that will enable us to manage students and the curriculum more effectively. We make these modifications to the program as a direct result of the outcomes of our accreditation self-study, part of which identified the issues we were having managing students given the fragmented nature of their program requirements. As a simple example, our prior curricula had awarded credits when a graduate student completed three separate course requirements, but each of these elements was paid for individually and not required to be completed in a set timeframe. Oftentimes, students would complete certain requirements swiftly while other requirements were left unaddressed for long periods of time. In order to address such fragmentation, we decided to reformulate how we present and manage our master's programs, the most significant artifact of which is an entirely new course numbering system that often just places these separate elements under a single course name, syllabus, and time requirement.

If evaluated from the perspective of work done by the students, these modifications do not exceed 33% of the program. However, because we have reanalyzed our intended program and course learning outcomes and adjusted all course names to accommodate a tight integration of related work into named and aggregated courses, the impact on our ability to manage student progress has been profound. The work itself has not changed by much, but how we now manage student progress has changed substantially.

The modifications made to the MSISE program have not changed the program intent, or the relationship with institutional mission. Rather, revisions made to the MSISE program have strengthened the program and further enabled STI to continue to meet our mission. To contextualize the nature of the curriculum changes we have included four examples below, with commentary.

Curriculum v1.8, July, 2010
Name: SEC 503: Intrusion Detection in Depth, GIAC GCIA Gold
Course elements:
- SEC 503 class instruction
- GCIA exam
- GCIA Gold Paper
4 credit hours

Curriculum v3.0, April, 2014
Name: ISE 5400: Advanced Network Intrusion Detection & Analysis
Course elements:
- SEC 503 class instruction
- GCIA exam
- GCIA Gold Paper
4 credit hours

Summary of changes: This is the most typical of the changes made to the course names under the newest curriculum, relative to the student work required. As shown, none of the work requirements for this group of activities changed. In the past, each course element could be engaged individually with no temporal relationship required between them. In the new curriculum, these activities are formally related under a course number and name, and must be completed within a fixed period of time (4 months). Of the 31 credit hours of work associated with curriculum v1.8, the majority involve only changes of naming or re-grouping.
Curriculum v1.8, July, 2010
Name: SEC 504: Hacker Techniques, Exploits, and Incident Handling, GIAC GCIH Gold
Course elements:
- SEC504 class instruction
- GCIH exam
- GCIH Gold Paper
4 credit hours

Curriculum v3.0, April, 2014
Name: ISE 5200: Hacking Techniques & Incident Response
Course elements:
- SEC504 class instruction
- GCIH exam
- NetWars simulation experience
4 credit hours

Summary of changes: In this example, the faculty changed one of the elements required to earn 4 credit hours for the SEC 504 course, from writing a page peer-reviewed research paper relative to the topic of the course and exam, to passing a hands-on simulation-based test experience. In this case, 2 credits were simply renamed and re-grouped, while 2 credits would be considered a change in work requirements.

Curriculum v1.8, July, 2010
Community Project Requirements
Required elements:
- Group discussion & written project
- 2 oral presentations
- Joint written project
- Security awareness talk
- GSE capstone exam
3 credit hours total

Curriculum v3.0, April, 2014
New course numbers and names:
- ISE 5700: Situational Response Practicum, 1 credit hour
- ISE 5500: Research Presentation 1, 1 credit hour
- ISE 5900: Research Presentation 2, 1 credit hour
- ISE 6100: Security Project Practicum, 1 credit hour
- ISE 6900: Information Security Fieldwork, .5 credit hour
- GSE Capstone Exam, 0 credit hours

Summary of changes: In the case of what the v1.8 curriculum referred to as a group of Community Project Requirements done in total for 3 credits, during our self-study these course activities were formalized into individual courses and evaluated for their work requirements and faculty interactions. Student course work remained the same; however, each requirement was given a new course code, name and an associated credit value. For example, the instruction and work leading to the oral presentations given on one's research paper at a public event to a knowledgeable audience did not change but was renamed ISE 5500: Research Presentation 1, and evaluated on its individual work activity. The result of this analysis was to increase the total credit hours assigned to the program due to this coursework, from 3 to 5.5 credit hours. The GSE capstone exam is still required for graduation; however, no credit hours were assigned for that experience and the name remained the same.
Curriculum v1.8, July, 2010
Name: MGT 438: How to establish a Security Awareness Program, Exam/Substitute, Written Assignment
Course elements:
- MGT 438 Class Instruction
- Exam/substitute
- Written Assignment
1 credit hour

Curriculum v3.0, April, 2014
Name: ISE 5300: Building Security Awareness
Course elements:
- MGT 433: Securing the Human: Building and Deploying an Effective Security Awareness Program
- Writing Exercise
1 credit hour

Summary of changes: The technical instruction component has been updated enough that the class was renamed over this time period (in the fast-changing world of information technology, substantial updates to the content of instruction are frequent), but it still focuses on the same topics. The former Exam/substitute and Written Assignment had typically been implemented as requiring the development of a written security awareness plan, so ISE 5300 now has a single assessment requirement to write a Security Awareness Plan. Assigned credit hours for this work remained unchanged.

An analysis of all changes, for each course, indicates that approximately 80% of the student work required remains unchanged since 2010, though 100% of the courses have been renamed for purposes of the new curriculum. We believe less than 15% of the remaining changes represent material changes to the work required of students, while the other 5% represent changes substantial enough to be included in the reason for submitting a Substantial Modification proposal.

2. Explain how the proposed program supports the institution's strategic goals and provide evidence that affirms it is an institutional priority.

The SANS Technology Institute is tightly focused on developing information security leaders who have a combination of deep technical skills, knowledge of effective practice and leadership competencies that will allow them to design, deploy, and manage effective enterprise information security environments. Every major element of the college, from admissions to courses, student advising, research, and public service, is closely aligned with that mission. Given the small number of programs offered at STI, the success of the MSISE program remains a key strategic goal for STI and is further outlined in our strategic plan. It is one of only two master's programs offered by our institution, and serves the majority of current students.
STI updated the institutional strategic plan in focusing on the next 4 years, which we believe are critical for the success of the institution. As a result the following strategic goals were established: 1) Enhance Academic Quality; 2) Increase Student Enrollment; 3) Enhance Quality and Quantity of Research; 4) Achieve and Maintain Accreditation. Sub-goals for enhancing academic quality include making quality improvements to the MSISE program that were addressed in the cover letter of this proposal and, subsequently, seeking endorsement for the changes. The MSISE curriculum is a driving factor in recruiting, educating and graduating information security professionals with a strong technical knowledge and skill set; therefore, the success of the program is critical to the success of the institute. Changes in how the MSISE program is managed have increased transparency in presenting course requirements and have provided faculty the freedom to use different pedagogical techniques to ensure students meet established learning outcomes.

B. Adequacy of curriculum design and delivery to related learning outcomes consistent with Regulation.10 of this chapter:

1. Provide a list of courses with title, semester credit hours and course descriptions, along with a description of program requirements.

Required Courses in the MSISE Program:

ISE 5000 Research & Communications Methods
SANS class: MGT 305 Research & Communications Methods
0.5 Credit Hours; Course length: 45 days.
ISE 5000 covers strategies for conducting research and the oral and written communication that follows. The class allows the student to refine their ability to research and write professional quality reports, and to create and deliver oral presentations. Topics such as developing a convincing argument, synthesizing research and writing technical reports for non-technical audiences, and managing the communication environment are covered. Students participate in an editing exercise as well as a hands-on report writing and presentation development workshop, with a required oral presentation assessment.

ISE 5100 Enterprise Information Security
SANS class: SEC 401 Security Essentials Boot-camp Style
4 Credit Hours; Course length: 120 days.
ISE 5100 is the introductory, technically-oriented survey course in the information security engineering master's program. It establishes the foundations for designing, building, maintaining and assessing security functions at the end-user, network and enterprise levels of an organization. The faculty instruction, readings, lab exercises, exam, and required student paper are coordinated to introduce and develop the core technical, management, and enterprise-level capabilities that will be developed throughout the information security engineering master's program.

ISE 5200 Hacking Techniques & Incident Response
SANS class: SEC504 Hacker Techniques, Exploits & Incident Handling
4 Credit Hours; Course length: 120 days.
By adopting the viewpoint of a hacker, ISE 5200 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system.
Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, exam, and NetWars simulation are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISE 5300 Building Security Awareness
SANS class: MGT 433 Securing the Human: Building and Deploying an Effective Security Awareness Program
1 Credit Hour; Course length: 45 days.
One of the most effective ways to secure the human factor in an enterprise is an active awareness and education program that goes beyond compliance and leads to actual changes in behaviors. In ISE 5300, students learn the key concepts and skills to plan, implement, and maintain effective security awareness programs that make organizations both more secure and compliant. In addition, metrics are introduced to measure the impact of the program and demonstrate value. Finally, through a series of labs and exercises, students develop their own project and execution plan, so they can immediately implement a customized awareness program for their organization.

ISE 5400 Advanced Network Intrusion Detection & Analysis
SANS class: SEC 503 Intrusion Detection In-Depth
4 Credit Hours; Course length: 120 days.
ISE 5400 arms you with the core knowledge, tools, and techniques to prepare you to defend your networks. Hands-on exercises supplement the course book material, allowing you to transfer the knowledge in your head to your keyboard using the Packetrix VMware distribution. As the Packetrix name implies, the distribution contains many of the tricks of the trade to perform packet and traffic analysis. All exercises have two different approaches: a basic one that assists you by giving hints for answering the questions, and a second that provides no hints, permitting you to have a more challenging experience.

ISE 5500 Research Presentation 1
1 Credit Hour; Course length: 45 days.
ISE 5500 gives students the ability to convert written material to a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written in a previous course in the curriculum to build and deliver a 30-minute presentation, typically given at a SANS training conference.

ISE 5600 IT Security Leadership Competencies
SANS class: MGT IT Security Strategic Planning, Policy, and Leadership
1 Credit Hour; Course length: 45 days.
ISE 5600 covers the critical processes to be employed by technical leaders to develop the skills and techniques to select, train, equip, and develop a team into a single cohesive unit with defined roles that operate together in harmony toward team-objective accomplishment.
Topics covered include: leadership development, coaching and training, employee involvement, conflict resolution, change management, vision development, motivation, communication skills, self-direction, brainstorming techniques, and the ten core leadership competencies.

ISE 5700 Situational Response Practicum
1 Credit Hour; Course length: 45 days.
In ISE 5700, a small group of students is given an information security scenario that is partly based on current events, and requires a broad knowledge of information security concepts. Their task is to evaluate the scenario and to recommend a course of action. This experience is a timed 24-hour event and culminates in a group written report and presentation at the end of the 24-hour preparation time.

ISE 5800 IT Security Project Management
SANS class: MGT 525 IT Project Management, Effective Communication, and PMP Exam Prep
3 Credit Hours; Course length: 120 days.
In ISE 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISE 5800 follows the basic project management structure from the PMBOK Guide 5th edition and also provides specific techniques for success with information assurance initiatives. All aspects of IT project management are covered, from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

ISE 5900 Research Presentation 2
1 Credit Hour; Course length: 45 days.
ISE 5900 gives students a chance to further develop their skills at converting written material into a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written from previous courses in the curriculum to build and deliver a 30-minute presentation, either at a SANS training conference, or in an online environment.

ISE 6000 Standards Based Implementation of Security
SANS class: SEC 566 Implementing and Auditing the Twenty Critical Security Controls
4 Credit Hours; Course length: 120 days.
Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. ISE 6000 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization's security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks.

ISE 6100 Security Project Practicum
2 Credit Hours; Course length: 45 days.
In ISE 6100, a small group of students is given an information security project that requires a broad knowledge of information security concepts. Their task is to evaluate the project assignment and to recommend a course of action. This experience is a timed 30-day event. Students receive the project assignment from faculty, and must respond with a project plan to address the assignment within 5 days. The group then uses their plan to address the assignment, and delivers a written report at the end of the 30-day period.

ISE 6900 Information Security Fieldwork
0.5 Credit Hours; Course length: 45 days.
In ISE 6900, students move into the field to prepare and present on a project that will help increase computer security awareness. Students devise their own project content, based upon a defined need. Students are also responsible for inviting an audience to review the results of their project work. It is expected that at least one representative from the student's own organization (place of employment) will be present to provide evidence of the presentation.

MSISE Capstone
0 Credit Hours
The GSE exam Capstone experience has two parts. The first is a multiple choice exam which may be taken at a proctored location just like any other GIAC exam. Passing this exam qualifies students to sit for the GSE hands-on lab. The first day of the two day GSE lab consists of an incident response scenario that requires the candidate to analyze data and report their results in a written report. The second day consists of a rigorous battery of hands-on exercises drawn from a variety of information security domains listed.

Elective Courses (MSISE Students Choose Three):

ISE 6215 Advanced Security Essentials
SANS class: SEC 501 Advanced Security Essentials - Enterprise Defender
3 Credit Hours; Course length: 120 days.
ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device. Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore students will also learn how to detect attacks in a timely fashion through an in-depth understanding of the traffic that flows on networks, scanning for indications of an attack.
The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

ISE 6220 Network Perimeter Protection
SANS class: SEC 502 Perimeter Protection In-Depth
3 Credit Hours; Course length: 120 days.
ISE 6220 provides a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the STI catalog, as mastery of multiple security techniques is required to defend networks from remote attacks. The course moves beyond a focus on single operating systems or security appliances. The course teaches that a strong security posture must be comprised of multiple layers. The course was developed to give students the knowledge and tools necessary at every layer to ensure their network is secure.

ISE 6230: Securing Windows and Resisting Malware
SANS class: SEC 505 Securing Windows and Resisting Malware
3 Credit Hours; Course length: 120 days.
ISE 6230 shows students how to secure Windows and how to minimize the impact of these changes on users. Through live demonstrations of the important steps, students follow along on their laptops. Where other courses focus on detection or remediation after the fact, the goal of this course is to prevent the infection in the first place. Students learn to write PowerShell scripts, but don't need any prior scripting experience.

ISE 6235: Securing Linux/Unix
SANS class: SEC 506 Securing Linux/Unix
3 Credit Hours; Course length: 120 days.
ISE 6235 provides students with in-depth coverage of Linux and Unix security issues, examining how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

ISE 6315: Web App Penetration Testing and Ethical Hacking
SANS class: SEC 542 Web App Penetration Testing and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally, students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen.

ISE 6320: Network Penetration Testing and Ethical Hacking
SANS class: SEC 560 Network Penetration Testing and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6320 prepares students to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively. Students will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

ISE 6325: Mobile Device Security
SANS class: SEC 575 Mobile Device Security and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6325 helps students resolve their organization's struggles with mobile device security by equipping them with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches students to build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in their organization.

ISE 6330: Wireless Penetration Testing
SANS class: SEC 617 Wireless Ethical Hacking, Penetration Testing, and Defenses
3 Credit Hours; Course length: 120 days.
ISE 6330 takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students will navigate through the techniques attackers use to exploit WiFi networks, Bluetooth devices, and a variety of other wireless technologies. Using assessment and analysis techniques, this course will show students how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

ISE 6360: Advanced Network Penetration Testing
SANS class: SEC 660 Advanced Penetration Testing, Exploits, and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6360 builds upon ISE 6320 Network Penetration Testing and Ethical Hacking. This advanced course introduces students to the most prominent and powerful attack vectors, allowing students to perform these attacks in a variety of hands-on scenarios. This course is an elective course in the Penetration Testing & Ethical Hacking certificate program, and an elective choice for the master's program in Information Security Engineering.

ISE 6420: Computer Forensic Investigations - Windows
SANS class: FOR 408 Computer Forensic Investigations - Windows In-Depth
3 Credit Hours; Course length: 120 days.
ISE 6105 Computer Forensic Investigations Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

ISE 6425: Advanced Computer Forensic Analysis and Incident Response
SANS class: FOR 508 Advanced Computer Forensic Analysis and Incident Response
3 Credit Hours; Course length: 120 days.
also covered so students can ensure their application is tested for the vulnerabilities discussed in class.

ISE 6715 Auditing Networks, Perimeters and Systems
SANS class: AUD 507 Auditing Networks, Perimeters, and Systems
3 Credit Hours; Course length: 120 days.
ISE 6715 is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, students have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real-world examples.

ISE 6720 Legal Issues in Data Security and Investigations
SANS class: LEG 523 Legal Issues in Information Technology and Security
3 Credit Hours; Course length: 120 days.
ISE 6720 introduces students to the new laws on privacy, e-discovery, and data security so students can bridge the gap between the legal department and the IT department. It also provides students with skills in the analysis and use of contracts, policies, and records management procedures.

MSISE Graduation Requirements

The MSISE program requires completion of 36 credit hours with a 3.0 G.P.A, within 5 years.
Students must complete the following requirements:

Required Course                                           Credits
ISE 5000 Research & Communications Methods                0.5
ISE 5100 Enterprise Information Security                  4
ISE 5200 Hacking Techniques & Incident Response           4
ISE 5300 Building Security Awareness                      1
ISE 5400 Advanced Network Intrusion Detection & Analysis  4
ISE 5500 Research Presentation 1                          1
ISE 5600 IT Security Leadership Competencies              1
ISE 5700 Situational Response Practicum                   1
ISE 5800 IT Security Project Management                   3
ISE 5900 Research Presentation 2                          1
ISE 6000 Standards Based Implementation of Security       4
ISE 6100 Security Project Practicum                       2
ISE 6900 Information Security Fieldwork                   0.5
Technical Electives (3 courses; 3 credits each)           9
Required Program Capstone - GIAC Security Expert exam     0
Total

Describe the educational objectives and intended student learning outcomes.

The Master of Science in Information Security Engineering (MSISE) degree program prepares students to be the architects, designers, and lead builders of information security for an enterprise, defined here as an organization of sufficient size and complexity to have a dedicated information security team. Graduates will take on enterprise security technical leadership roles with titles such as Technical Director for Information Security, Senior Security Analyst, Senior Security Administrator, Information Systems Security Manager, Information Systems Security Officer, Information Security Manager, and Chief Information Security Officer. Graduates may also work as consultants who carry out the responsibilities of those positions, or who advise organizations on information security engineering issues.

The MSISE program is designed to provide a sound theoretical framework delivered through a practitioner lens, but also to ensure that the graduate is capable of establishing adaptive security paradigms. By the end of this program, graduates will be able to:

- Formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology.
- Demonstrate a solid foundation in information security strategies and apply their knowledge by assessing an information security situation and prescribing an appropriate security approach.
- Construct an information security approach that balances organizational needs with those of confidentiality, integrity and availability. Solutions require a comprehensive approach that aligns with policy, technology, and organizational education, training and awareness programs.
Effectively communicate information security assessments, plans and actions for technical and nontechnical audiences/stakeholders. Identify emerging information security issues, utilize knowledge of information security theory to investigate causes and solutions, and delineate strategies guided by evolving information security research and theory. Analyze and design technical information security controls and safeguards, including system specific policies, network, and platform security countermeasures and access controls. Conduct threat assessments (offensive measures), appraise/prioritize vulnerabilities (defensive perspectives), and appraise technical risks for enterprise information assets/needs/requirements. Apply a standards-based approach to minimize risk through the implementation of the principles and applications of information security.
16 Evaluate the appropriate security solutions required to design/build a security architecture - this includes the integration of intrusion detection, defensive infrastructures, penetration testing, and vulnerability analysis. Formulate plans for adaptive detection of threats, including leading/oversight of intrusion/malware detection, incident response, forensics, reverse engineering, and e- discovery initiatives and actions. A curriculum map demonstrating how each course aligns with the program learning outcomes is included in this proposal as Attachment B Discuss how general education requirements will be met, if applicable. General education requirements are not applicable to SANS Technology Institute. Students are required to have completed a bachelor s degree before admittance. 4. Identify any specialized accreditation or graduate certification requirements for this program and its students. No specialized accreditations or certifications are required for this program or its students. 5. If contracting with another institution or non-collegiate organization, provide a copy of the written contract. The modifications made to the MSISE program precipitating this Program Proposal neither include nor impact any changes to any relationship the SANS Technology Institute has with another institution or non-collegiate organization. Courses are authored and taught by members of the faculty of the SANS Technology Institute, with limited exceptions. Commensurate with the approval of the SANS Technology Institute as a degree-granting institution in the State of Maryland in 2005, and as reviewed and accredited by the Middle States Commission on Higher Education, the SANS Technology Institute will continue to engage the support services of its parent, the Escal Institute for Advanced Technologies (d/b/a/ SANS Institute) and its sister subsidiary, GIAC. 
The agreements are not designed specifically for the MSISE program but, as supporting structures for STI, support the delivery and management of this program. The two Memoranda of Understanding between the SANS Technology Institute and the SANS Institute and GIAC are included as Attachments B-2 and B-3.

C. Critical and compelling regional or Statewide need as identified in the State Plan:

1. Demonstrate demand and need for the program in terms of meeting present and future needs of the region and the State in general based on one or more of the following:
- The need for the advancement and evolution of knowledge;
- Societal needs, including expanding educational opportunities and choices for minority and educationally disadvantaged students at institutions of higher education;
- The need to strengthen and expand the capacity of historically black institutions to provide high quality and unique educational programs.
2. Provide evidence that the perceived need is consistent with the Maryland State Plan for Postsecondary Education (pdf).

Technological progress is a primary demonstration of, and the direct result of, the advancement and evolution of knowledge. Together with the increased prevalence in the use and applicability of information technology, and the benefits of substantial increases in productivity and efficiency this provides, comes the need to protect information-based assets from new adversaries, criminals, foreign nation-states, and vectors of attack. The MSISE program is directly supportive of the development of professionals with the skills and capabilities to design, implement, and manage the protection of information assets that are central to the advancement and evolution of knowledge in the information age.

Despite the fact that the MSISE program is, by definition, focused exclusively on postbaccalaureate students and not all post-secondary students, it makes substantial contributions to Maryland's goals by seeking to increase the number and quality of Science, Technology, Engineering, and Mathematics (STEM) degrees in the State. From the 2013 Maryland State Plan for Postsecondary Education:

"Increasing the number of STEM degrees awarded to students is another key goal for Maryland postsecondary education. STEM-related occupations are critical because they are closely tied to technological innovation, economic growth, and increased productivity. Currently, workers with STEM competencies and degrees are in high demand. Data from the Georgetown University Center for Education and the Workforce (2011) rank STEM jobs as the second fastest-growing occupational category in the nation, behind health care."

The MSISE program focuses squarely on producing additional highly impactful Information Security professionals with proficiency in the STEM-related practice area of Information Security Engineering.

D. Quantifiable & reliable evidence and documentation of market supply & demand in the region and State:

1. Present data and analysis projecting market demand and the availability of openings in a job market to be served by the new program.
2. Discuss and provide evidence of market surveys that clearly provide quantifiable and reliable data on the educational and training needs and the anticipated number of vacancies expected over the next 5 years.
3. Data showing the current and projected supply of prospective graduates.

The need for technically educated information security professionals has been steadily increasing. In July 2010 the CSIS (Center for Strategic and International Studies) Commission on Cybersecurity for the 44th President [1] released a white paper titled "A Human Capital Crisis in Cybersecurity." The white paper presents compelling evidence of a shortage of highly technical information security professionals who can both design secure networks and systems and create the tools needed to detect, mitigate, and recover from compromises. The report cited the number of such professionals currently employed in government is estimated to be around 1,000 with a need for up to 30, In 2013 the US Defense Department released plans to increase the number of information security professionals employed from 900 to 4,900, with an anticipated workforce of 6,000 cyber professionals. [3] The new positions will have 3 distinct focuses: a defensive national mission force to protect systems that support electrical grids, power plants and other critical infrastructure; a combat mission force to help overseas military commanders plan and execute offensive operations; and a cyber protection force to bolster Defense Department networks. [4]

[1] Eric Cole, DPS, the Director of our Master of Science in Information Security Engineering program, was a member of this commission.

In 2012 the U.S. Department of Homeland Security Task Force on Cyber Skills called for DHS to hire 600 world-class cyber technologists. [5]

The Job Outlook for Information Security Analysts, Web Developers, and Computer Network Architects, published in the Bureau of Labor Statistics Occupational Outlook Handbook, anticipates that employment for that category will grow 22% from 2010 to 2020, faster than average for all occupations, with favorable job prospects for all three occupations. [6] This category is projected to grow by 24% in Maryland over a similar time period. [7]

Even if those organizations, and hundreds of others that are seeking talent, can find the tens of thousands of technical cybersecurity experts they jointly seek, they will still need people of sufficient expertise who can organize, manage, and lead the work of these experts. Teams of security professionals are most productive when led by people with substantial technical expertise and experience, just as successful air attack groups are led by active but senior pilots, or surgical departments are led by practicing but senior surgeons.
Under pressure, as information security people often find themselves, having a manager or team leader who is not qualified or lacks experience often leads to critical mistakes in a line of work that can ill afford them. In other words, if society hopes to protect itself against the increasing wave of attacks, a program is needed to develop technical information security leaders. STI was created to help government and industry develop that missing layer of technical cybersecurity managers. That goal is embodied in STI's mission.

STI used data available through IPEDS to obtain a general estimate of the number of graduates from Computer and Information Systems Security programs (specifically CIP Code ). In degrees were awarded, among 36 programs across the United States. In 2013 STI awarded 5 Master of Science Degrees in Information Security Engineering, bringing the total number of degrees awarded for the MSISE program to 24. The need for qualified information security professionals is outpacing the number of professionals with the appropriate credentials and experience. The MSISE program will continue to play an integral part in decreasing the gap.

Footnotes:
White paper can be found at
Homeland Security Advisory Council's Cyberskills Task Force Report, Fall, 2012 (Page 4, Objective 4)
[6] Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, Edition, Information Security Analysts, Web Developers, and Computer Network Architects, on the Internet at (visited September 24, 2013).
[7] d=2&soccode=151122&stfips=24&x=61&y=9

E. Reasonableness of program duplication:

1. Identify similar programs in the State and/or same geographical area. Discuss similarities and differences between the proposed program and others in the same degree to be awarded.

This proposal for a Substantial Modification to the SANS Technology Institute's MSISE program does not alter the number or nature of programs related to Information Security Engineering in Maryland, nor how our program relates to those programs. Using the MHEC program inventory database we identified the following institutions that offer master's programs with the same CIP code Computer and Information Systems Security:

- Johns Hopkins University - Master's Degrees in Cybersecurity and Security Informatics
- University of Maryland University College - Master's degrees in Cybersecurity and Cybersecurity Policy

The following Maryland institutions are advertising similar master's programs but are not listed in the MHEC program inventory database:

- Capitol College - Information Assurance Master's Degree
- University of Maryland Baltimore College - Master's In Professional Studies: Cybersecurity

It is our strong belief, after a review of the courses and course descriptions, that these programs and courses differ in-kind from the MSISE program offered by the SANS Technology Institute. Our technical courses are well known by governments and corporations to impart hands-on skills that enable our graduates to design, implement, and manage information security defenses.
Our programs are designed specifically because of the problems driven by having managers of information security systems who might have apparently relevant credentials but who don't have an adequate understanding of the underlying technologies and hence how to design relevant defenses in the event of a breach. The MSISE degree focuses on ensuring that our graduates understand, at the basic technical level, how operating systems and networks operate, how they can be broken, and therefore what one can do to protect them. On this grounding and with this level of understanding, effective information security professionals can develop and implement effective defenses. We expect that information security leaders need to be developed in similar fashion to a fighter pilot squadron leader: that individual doesn't necessarily need to be the best pilot in the group, but decidedly needs to know how to fly the planes under his command, precisely what is involved in flying them, how to lead and communicate both with those pilots and with upper management to describe and implement the mission, and corral appropriate resources.

Many of these other programs discuss teaching principles of cybersecurity; they discuss policy management or trends. Even those that seek to impart technical skills end their programs with sufficient preparation to sit for the broadly recognized Certified Information Systems Security Professional (CISSP) credential. By comparison, and relative to our MSISE program, this credential would provide a waiver for taking only the first required class (and not the required exam, which is considered more technical compared to the CISSP's broad "domains of knowledge"), while the remaining courses build beyond the capabilities of a typical CISSP holder. While some other programs might offer two or three different courses that have a fundamentally technical nature, our program requires the completion of at least seven such courses and the achievement of a similar number of industry recognized exam certifications. While some other programs offer the opportunity for a limited subset of students to compete in competitions that are often designed for undergraduates, each graduate student in our program must complete a series of firing range simulations (the same one used by the Army, Air Force and FBI) and incident response preparations to earn their degree and prove their capability.

2. Provide justification for the proposed program.

Since MHEC authorized STI to award master's programs, the MSISE program remains critical and importantly distinct from other programs in Maryland (and the nation):

a. The SANS Technology Institute builds on the technical training of the SANS Institute, which has trained more than 120,000 information security professionals and teachers since The SANS Institute is the largest cybersecurity training organization, serving the National Security Agency, the FBI, and the US military, as well as their counterparts in many U.S. allied nations.
Intelligence, military, and law enforcement organizations account for approximately 20% of SANS students. Others come from more than 5,000 enterprises of all types, ranging from hospitals to banks, utilities, state governments, and churches. Well over 1,500 faculty members and cybersecurity staff from U.S. and international colleges and universities have attended SANS courses.

b. The SANS Technology Institute takes the deep technical instruction of the SANS Institute to an entirely new level. The MSISE program focuses on integrating that technical material into an enterprise view that enables its students to judge, prioritize, and justify alternative approaches to reducing risk generally within the Critical Controls framework pioneered by STI and SANS and now adopted by the U.S. Department of Homeland Security and the British government's Centre for the Protection of Critical Infrastructure.

c. Further, STI focuses on developing technical communications skills as well as project management skills essential for gaining support for technical cybersecurity programs and meeting management commitments. Because time away from work is very limited and individuals tend to focus their training on technical skills, it is uncommon for security practitioners to enroll in professional development courses. But these courses are essential for leadership positions, as one of STI's students wrote in 2013: