A. Centrality to institutional mission statement and planning priorities:
- Dale Watson
- 10 years ago
SANS Technology Institute
Program Proposal for a Substantial Modification
Master of Science in Information Security Management
May, 2014

A. Centrality to institutional mission statement and planning priorities:

1. Provide a description of the program, including each area of concentration (if applicable), and how it relates to the institution's approved mission.

The program leading to a Master of Science in Information Security Management (MSISM) is a 36 credit hour, graduate level program comprised of an integrated mix of technical and management courses, research, projects, assessments, and simulations that progressively develop the capabilities required to lead and manage information security teams. It was initially established and approved by the Maryland Higher Education Commission in The program is designed to be completed in three years by full-time, working professionals who have at least a year or more of experience in information technology, information security, or audit. It is not meant as an introduction to the information security field, but as a program that will advance the capabilities and careers of individuals who are employed already in the field. Students are often supported in the program by their employer and most expect to stay employed by their current employer after graduation.

While the program cannot be completed entirely at-a-distance, most of the courses are offered in multiple formats, allowing an individual student the option to take more than 50% of the program at-a-distance using one or more of our online modalities, or, conversely, to take 50% or more of the program via instruction provided at our in-person residential institute events.

The formal Mission of the SANS Technology Institute is:

The SANS Technology Institute develops leaders to strengthen enterprise and global information security.
The SANS Technology Institute educates managers and engineers in information security practices and techniques, attracts top scholar-practitioners as faculty, and engages both students and faculty in real-world applied research.

The formal Vision of the SANS Technology Institute is:

The SANS Technology Institute aspires to be the preeminent graduate institution translating contemporary information security practice and scholarship into effective educational experiences. Our graduates will be highly valued because they design state-of-the-art, enterprise-level cyber defenses, champion the adoption of those defenses, and manage their implementation and ongoing operation. In so doing, STI will:
1. Enable private and public sector enterprises of the United States and its allies to preserve social order and protect their economic rights and military capabilities in the face of cyber attacks;
2. Provide the national defense establishment, critical industries, businesses and government agencies with information security engineers and managers who have the most current and critical knowledge and skills needed to respond effectively to the evolving cyber attack landscape; and,
3. Perform leading-edge research that continually identifies current best practice and enhances the state of the art in the practice of information security.

The MSISM program therefore fits directly within the focused mission of the SANS Technology Institute in developing managers of information security groups and technically knowledgeable professionals who can effectively lead information security technology programs.

The Master of Science in Information Security Management (MSISM) Program is designed to accelerate the development of information security managers by providing practical experience that can be applied immediately on the job. Students learn from the industry experts how to see the world from an attacker's view, audit information systems, assess legal implications of an incident, and develop risk-based secure enterprise-level solutions that enable an organization's business processes to function in spite of the increasing threat presence. In addition to developing hands-on technical skills, the program emphasizes the development of communication and leadership skills that will improve the student's ability to implement information security solutions within their organization.

This proposal is the result of modifications we seek to make to the existing MSISM program that will enable us to manage students and the curriculum more effectively.
We make these modifications to the program as a direct result of the outcomes of our accreditation self-study, part of which identified the issues we were having managing students given the fragmented nature of their program requirements. As a simple example, our prior curricula had awarded credits when a graduate student completed three separate course requirements, but each of these elements was paid for individually and not required to be completed in a set timeframe. Oftentimes, students would complete certain requirements swiftly while other requirements were left unaddressed for long periods of time. In order to address such fragmentation, we decided to reformulate how we present and manage our master's programs, the most significant artifact of which is an entirely new course numbering system that often just places these separate elements under a single course name, syllabus, and time requirement.

If evaluated from the perspective of work done by the students, these modifications do not appear to exceed 33% of the program. However, because we have reanalyzed our intended program and course learning outcomes and adjusted all course names to accommodate a tight integration of related work into named and aggregated courses, the impact on our ability to manage student progress has been profound. The work itself has not changed by much, but how we now manage student progress has changed substantially.

The modifications made to the MSISM program have not changed the program intent, or the relationship with institutional mission. Rather, revisions made to the MSISM program have strengthened the program and further enabled STI to continue to meet our mission.
To contextualize the nature of the curriculum changes we have included four examples below, with commentary.

Curriculum v2.0 (July, 2010)
Name: MGT 512: SANS Security Leadership Essentials For Managers with Knowledge Compression, GIAC GSLC Gold
Course elements:
- MGT 512 class instruction
- GSLC exam
- GSLC Gold Paper
4 credit hours

Curriculum v3.0 (April, 2014)
Name: ISM 5100: Enterprise Information Security
Course elements:
- MGT 512 class instruction
- GSLC exam
- GSLC Gold Paper
4 credit hours

Summary of changes: This is the most typical of the changes made to the course names under the newest curriculum, relative to the student work required in the curriculum from As shown, none of the work requirements for this group of activities changed. In the past, each course element could be engaged individually with no temporal relationship required between them. In the new curriculum, these activities are formally related under a course number and name, and must be completed within a fixed period of time (4 months). Of the 32 credit hours of work associated with curriculum v2.0, the majority involve only changes in naming or re-grouping.

Curriculum v2.0 (July, 2010)
Name: SEC 504: Hacker Techniques, Exploits, and Incident Handling, GIAC GCIH Gold
Course elements:
- SEC 504 class instruction
- GCI exam
- GCI Gold Paper
4 credit hours

Curriculum v3.0 (April, 2014)
Name: ISM 5200: Hacking Techniques & Incident Response
Course elements:
- SEC 504 class instruction
- GCI exam
- NetWars simulation experience
4 credit hours

Summary of changes: In this example, the faculty changed one of the elements required to earn 4 credit hours for the SEC 504 instructional component, from writing a page peer-reviewed research paper relative to the topic of the course and exam, to passing a hands-on simulation-based test experience. In this case, 2 credits were simply renamed and re-grouped, while 2 credits would be considered a change in work requirements.
Curriculum v2.0 (July, 2010)
Community Project Requirements:
Required elements:
- Group discussion & written project,
- 2 oral presentations
- Joint written project,
- Security awareness talk,
3 credit hours total

Curriculum v3.0 (April, 2014)
New course numbers and names:
- ISM 5700: Situational Response Practicum 1 credit hour;
- ISM 5500: Research Presentation credit hour;
- ISM 5900: Research Presentation 2 - 1 credit hour;
- ISM 6100: Security Project Practicum 1 credit hour;
- ISM 6900: Information Security Fieldwork - .5 credit hour

Summary of changes: In the case of what the v1.8 curriculum referred to as a group of Community Project Requirements done in total for 3 credits, during our self-study these course activities were formalized into individual courses and evaluated for their work requirements and faculty interactions. Student course work remained the same; however, each requirement was given a new course code, name and an associated credit value. For example, the instruction and work leading to the oral presentations given on one's research paper at a public event to a knowledgeable audience did not change but was renamed ISM 5500: Research Presentation 1, and evaluated on its individual work activity. The result of this analysis was to increase the total credit hours assigned to the program due to this coursework, from 3 to 5.5 credit hours.
Curriculum v2.0 (July, 2010)
Name: MGT 438: How to establish a Security Awareness Program, Exam/Substitute, Written Assignment
Course elements:
- MGT 438 Class Instruction
- Exam/substitute
- Written Assignment
1 credit hour

Curriculum v3.0 (April, 2014)
Name: ISM 5300: Building Security Awareness
Course elements:
- MGT 433: Securing the Human: Building and Deploying an Effective Security Awareness Program
- Writing Exercise
1 credit hour

Summary of changes: The technical instruction component has been updated by enough that the class had been renamed (in the fast-changing world of information technology, substantial updates to the content of instruction are frequent) over this time period, but still focuses on the same topics. The former Exam/substitute and Written Assignment had typically been implemented as requiring the development of a written Security awareness plan, so ISM 5300 now has a single assessment requirement to write a Security Awareness Plan. Assigned credit hours
for this work remained unchanged.

2. Explain how the proposed program supports the institution's strategic goals and provide evidence that affirms it is an institutional priority.

The SANS Technology Institute is tightly focused on developing information security leaders who have a combination of deep technical skills, knowledge of effective practice and leadership competencies that will allow them to design, deploy, and manage effective enterprise information security environments. Every major element of the college, from admissions to courses, student advising, research, and public service, is closely aligned with that mission. Given the small number of programs offered at STI, the success of the MSISM program remains a key strategic goal for STI and is further outlined in our strategic plan.

STI updated the institutional strategic plan in focusing on the next 4 years, which we believe are critical for the success of the institution. As a result, the following strategic goals were established: 1) Enhance Academic Quality; 2) Increase Student Enrollment; 3) Enhance Quality and Quantity of Research; 4) Achieve and Maintain Accreditation.

Sub-goals for enhancing academic quality include making quality improvements to the MSISM program that were addressed in the cover letter of this proposal and, subsequently, seeking endorsement for the changes. Changes in how the MSISM program is managed have increased transparency in presenting program and course requirements and have provided faculty the freedom to use different pedagogical techniques to ensure students meet established learning outcomes.

B. Adequacy of curriculum design and delivery to related learning outcomes consistent with Regulation.10 of this chapter:

1. Provide a list of courses with title, semester credit hours and course descriptions, along with a description of program requirements.
Required Courses in the MSISM Program:

ISM 5000 Research & Communications Methods
SANS class: MGT 305 Research & Communications Methods
0.5 Credit Hours; Course length: 45 days
ISM 5000 covers strategies for conducting research and the oral and written communication that follows. The class allows the student to refine their ability to research and write professional quality reports, and to create and deliver oral presentations. Topics such as developing a convincing argument, synthesizing research and writing technical reports for non-technical audiences, and managing the communication environment are covered. Students participate in an editing exercise as well as a hands-on report writing and presentation development workshop, with a required oral presentation assessment.

ISM 5100 Enterprise Information Security
SANS class: MGT 512 Security Leadership Essentials
4 Credit Hours; Course length: 120 days
ISM 5100 is the introductory, survey course in the information security management master's program. It establishes the foundations for developing, assessing and managing security functions at the end-user, network and enterprise levels of an organization. The faculty instruction, readings, exam, and required student paper are coordinated to introduce and develop the core technical, management, and enterprise-level capabilities that will be developed throughout the master's program.

ISM 5200 Hacking Techniques & Incident Response
SANS class: SEC504 Hacker Techniques, Exploits & Incident Handling
4 Credit Hours; Course length: 120 days
By adopting the viewpoint of a hacker, ISM 5200 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, exam, and NetWars simulation are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISM 5300 Building Security Awareness
SANS class: MGT 433 Securing the Human: Building and Deploying an Effective Security Awareness Program
1 Credit Hour; Course length: 45 days
One of the most effective ways to secure the human factor in an enterprise is an active awareness and education program that goes beyond compliance and leads to actual changes in behaviors. In ISM 5300, students learn the key concepts and skills to plan, implement, and maintain effective security awareness programs that make organizations both more secure and compliant. In addition, metrics are introduced to measure the impact of the program and demonstrate value.
Finally, through a series of labs and exercises, students develop their own project and execution plan, so they can immediately implement a customized awareness program for their organization.

ISM 5400 IT Security Planning, Policy & Leadership
SANS class: MGT 514 IT Security Strategic Planning, Policy, and Leadership
4 Credit Hours; Course length: 120 days
ISM 5400 covers the entire strategic planning process: how to plan the plan, horizon analysis, visioning, environmental scans (SWOT, PEST, Porter's etc.), historical analysis, mission, vision, and value statements. The course also reviews the planning process core, candidate initiatives, the prioritization process, resource and IT change management in planning, how to build a roadmap, setting up assessments, and revising the plan.

ISM 5500 Research Presentation 1
1 Credit Hour; Course length: 45 days
ISM 5500 gives students the ability to convert written material to a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written in a previous course in the curriculum to build and deliver a 30-minute presentation, typically given at a SANS training conference.

ISM 5600 Legal Issues in Data Security and Investigations
SANS class: LEG 523 Legal Issues in Information Technology and Security
4 Credit Hours; Course length: 120 days
ISM 5600 introduces students to the new laws on privacy, e-discovery, and data security so students can bridge the gap between the legal department and the IT department. It also provides students with skills in the analysis and use of contracts, policies, and records management procedures.

ISM 5700 Situational Response Practicum
1 Credit Hour; Course length: 45 days
In ISM 5700, a small group of students is given an information security scenario that is partly based on current events, and requires a broad knowledge of information security concepts. Their task is to evaluate the scenario and to recommend a course of action. This experience is a timed 24-hour event and culminates in a group written report and presentation at the end of the 24-hour preparation time.

ISM 5800 IT Security Project Management
SANS class: MGT 525 IT Project Management, Effective Communication, and PMP Exam Prep
3 Credit Hours; Course length: 120 days
In ISM 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISM 5800 follows the basic project management structure from the PMBOK Guide 5th edition and also provides specific techniques for success with information assurance initiatives.
All aspects of IT project management are covered, from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

ISM 5900 Research Presentation 2
1 Credit Hour; Course length: 45 days
ISE 5900 gives students a chance to further develop their skills at converting written material into a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written from previous courses in the curriculum to build and deliver a 30-minute presentation, either at a SANS training conference, or in an online environment.

ISM 6000 Standards Based Implementation of Security
SANS class: SEC 566 Implementing and Auditing the Twenty Critical Security Controls
4 Credit Hours; Course length: 120 days
Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. ISM 6000 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization's security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks.

ISM 6100 Security Project Practicum
2 Credit Hours; Course length: 45 days
In ISM 6100, a small group of students is given an information security project that requires a broad knowledge of information security concepts. Their task is to evaluate the project assignment and to recommend a course of action. This experience is a timed 30-day event. Students receive the project assignment from faculty, and must respond with a project plan to address the assignment within 5 days. The group then uses their plan to address the assignment, and delivers a written report at the end of the 30-day period.

ISM 6200 Auditing Networks, Perimeters and Systems
SANS class: AUD 507 Auditing Networks, Perimeters, and Systems
4 Credit Hours; Course length: 120 days
ISM 6200 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, students have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.
ISM 6900 Information Security Fieldwork
0.5 Credit Hours; Course length: 45 days
In ISM 6900, students move into the field to prepare and present on a project that will help increase computer security awareness. Students devise their own project content, based upon a defined need. Students are also responsible for inviting an audience to review the results of their project work. It is expected that at least one representative from the student's own organization (place of employment) will be present to provide evidence of the presentation.

MSISM Capstone Assessment: GSM
0 Credit Hours
The GSM exam Capstone experience is a two-day hands-on lab exercise where students demonstrate their ability to formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology. Students work through scenarios which require them to: construct information
security approaches that balance organizational needs, apply standards-based approaches to information security risk management, and devise incident response strategies.

Technical Elective Courses (MSISM Students Choose One):

ISE 6215 Advanced Security Essentials
SANS class: SEC 501 Advanced Security Essentials - Enterprise Defender
3 Credit Hours; Course length: 120 days.
ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device. Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore students will also learn how to detect attacks in a timely fashion through an in-depth understanding of the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

ISE 6220 Network Perimeter Protection
SANS class: SEC 502 Perimeter Protection In-Depth
3 Credit Hours; Course length: 120 days.
ISE 6220 provides a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the STI catalog, as mastery of multiple security techniques is required to defend networks from remote attacks. The course moves beyond a focus on single operating systems or security appliances. The course teaches that a strong security posture must be comprised of multiple layers. The course was developed to give students the knowledge and tools necessary at every layer to ensure their network is secure.
ISE 6230: Securing Windows and Resisting Malware
SANS class: SEC 505 Securing Windows and Resisting Malware
3 Credit Hours; Course length: 120 days.
ISE 6230 shows students how to secure Windows and how to minimize the impact of these changes on users. Through live demonstrations of the important steps, students follow along on their laptops. Where other courses focus on detection or remediation after the fact, the goal of this course is to prevent the infection in the first place. Students learn to write PowerShell scripts, but don't need any prior scripting experience.

ISE 6235: Securing Linux/Unix
SANS class: SEC 506 Securing Linux/Unix
3 Credit Hours; Course length: 120 days.
ISE 6235 provides students with in-depth coverage of Linux and Unix security issues, examining how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

ISE 6315: Web App Penetration Testing and Ethical Hacking
SANS class: SEC 542 Web App Penetration Testing and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen.

ISE 6320: Network Penetration Testing and Ethical Hacking
SANS class: SEC 560 Network Penetration Testing and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6320 prepares students to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively.
Students will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

ISE 6325: Mobile Device Security
SANS class: SEC 575 Mobile Device Security and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6325 helps students resolve their organization's struggles with mobile device security by equipping them with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches students to build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in their organization.

ISE 6330: Wireless Penetration Testing
SANS class: SEC 617 Wireless Ethical Hacking, Penetration Testing, and Defenses
3 Credit Hours; Course length: 120 days.
ISE 6330 takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students will navigate through the techniques attackers use to exploit WiFi networks, Bluetooth devices, and a variety of other wireless technologies. Using assessment and analysis techniques, this course will show students how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

ISE 6360: Advanced Network Penetration Testing
SANS class: SEC 660 Advanced Penetration Testing, Exploits, and Ethical Hacking
3 Credit Hours; Course length: 120 days.
ISE 6360 builds upon ISE 6320 Network Penetration Testing and Ethical Hacking. This advanced course introduces students to the most prominent and powerful attack vectors, allowing students to perform these attacks in a variety of hands-on scenarios. This course is an elective course in the Penetration Testing & Ethical Hacking certificate program, and an elective choice for the master's program in Information Security Engineering.

ISE 6420: Computer Forensic Investigations - Windows
SANS class: FOR 408 Computer Forensic Investigations - Windows In-Depth
3 Credit Hours; Course length: 120 days.
ISE 6105 Computer Forensic Investigations Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation.
The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

ISE 6425: Advanced Computer Forensic Analysis and Incident Response
SANS class: FOR 508 Advanced Computer Forensic Analysis and Incident Response
3 Credit Hours; Course length: 120 days.
ISE 6420 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats, including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Advanced Network Forensic Analysis
SANS class: FOR 572 Advanced Network Forensics and Analysis
3 Credit Hours; Course length: 120 days.
ISE 6440 focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Students will employ a wide range of open source and commercial tools, exploring real-world scenarios to help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6460: Malware Analysis and Reverse Engineering
SANS class: FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
3 Credit Hours; Course length: 120 days.
ISE 6425 teaches students how to examine and reverse engineer malicious programs (spyware, bots, Trojans, etc.) that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

ISE 6615: Defending Web Applications Security Essentials
SANS class: DEV 522 Defending Web Applications Security Essentials
3 Credit Hours; Course length: 120 days.
ISE 6615 covers the OWASP Top 10 and provides students with a better understanding of web application vulnerabilities, enabling them to properly defend organizational web assets. Mitigation strategies from an infrastructure, architecture, and coding perspective are discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities is also covered so students can ensure their application is tested for the vulnerabilities discussed in class.

MSISM Graduation Requirements

The MSISM program requires completion of 36 credit hours with a 3.0 G.P.A, within 5 years. Students must complete the following requirements:

Required Course | Credits
ISM 5000 Research & Communications Methods | 0.5
ISM 5100 Enterprise Information Security | 4
ISM 5200 Hacking Techniques & Incident Response | 4
ISM 5300 Building Security Awareness | 1
ISM 5400 IT Security Planning, Policy and Leadership | 3
ISM 5500 Research Presentation 1 | 1
ISM 5600 Legal Issues in Data Security and Investigations | 4
ISM 5700 Incident Response Practicum | 1
ISM 5800 IT Security Project Management | 3
ISM 5900 Research Presentation 2 | 1
ISM 6000 Standards Based Implementation of Security | 4
ISM 6100 Security Project Practicum | 2
ISM 6200 Auditing Networks, Perimeters and Systems | 4
ISM 6900 Information Security Fieldwork | 0.5
Technical Elective (1 course)* | 3
Required Program Capstone | 0
Total |

Describe the educational objectives and intended student learning outcomes.

The Master of Science in Information Security Management (MSISM) degree program is designed to help a candidate prepare for responsibilities at the highest-ranking management level with IT security responsibilities in an organization. In the government, this is often called the Designated Approving Authority, Information Assurance Manager, or Chief Information Security Officer. In the private sector, titles such as Chief Security Officer or Chief Information Security Officer are often used. Graduates of this program will be able to assess the effectiveness of information security programs, see their strengths and weaknesses, and analyze the design of specific security enhancements. They will also have strong oral presentation and writing skills, knowledge of legal issues in security, and project management skills. Graduates will be able to develop and manage an enterprise-level information security program, including the ability to sponsor adaptive security paradigms that foster rapid detection and mitigation of new and existing attacks, and to measure response strategies to threats as they emerge.
The MSISM program approaches the development of information security leaders from a different vector than its sister MSISE program, focusing more on communications, policy, and standards-based management and less on bolstering hands-on skills and capabilities, while still ensuring a facility with the latter. The introductory survey course has no technical labs and has materially increased (relative) management and policy content. The MSISM program has two three additional required four credit courses with papers, focused on the leadership, legal and auditing aspects of information security management, while it offers only one choice of a technical elective course. The MSISM capstone practical exam is specific to the program and entirely different from the GIAC Security Expert exam requirement.

The MSISM program shares the following General Learning Outcomes with the MSISE program:

o Formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology.
o Demonstrate a solid foundation in information security strategies and apply their knowledge by assessing an information security situation and prescribing an appropriate security approach.
o Construct an information security approach that balances organizational needs with those of confidentiality, integrity and availability. Solutions require a comprehensive approach that aligns with policy, technology, and organizational education, training and awareness programs.
o Effectively communicate information security assessments, plans and actions for technical and nontechnical audiences/stakeholders.
o Identify emerging information security issues, utilize knowledge of information security theory to investigate causes and solutions, and delineate strategies guided by evolving information security research and theory.

The following Learning Outcomes are specific to the MSISM program:

o Assess and balance the relationship and inter-responsibilities between all three communities of interest in Information Security: General Business, Information Technology, and Information Security.
o Apply a standards based approach to implement the principles and applications of risk management, including business impact analyses, cost-benefit analyses, and implementation methods that map to business needs/requirements.
o Integrate the elements of information security management (Policy, Strategic and Continuity Planning, Programs and Personnel) into a coordinated operation.
o Articulate positive and socially responsible positions on ethical and legal issues associated with the protection of information and privacy.
o Devise incident response strategies, including business continuity planning/disaster recovery planning (BCP/DRP) initiatives, while focusing on cost effectiveness from both a proactive and reactive perspective.

3. Discuss how general education requirements will be met, if applicable.
General education requirements are not applicable to SANS Technology Institute or the MSISM program, because both are entirely focused on post-baccalaureate studies. Students are required to have completed a bachelor's degree before admittance.

4. Identify any specialized accreditation or graduate certification requirements for this program and its students.

Currently no specialized accreditations are required for the MSISM program and its students.

5. If contracting with another institution or non-collegiate organization, provide a copy of the written contract.

The modifications made to the MSISM program precipitating this Program Proposal neither include nor impact any changes to any relationship the SANS Technology Institute has with another institution or non-collegiate organization. All courses are authored and taught by
members of the faculty of the SANS Technology Institute. Commensurate with the approval of the SANS Technology Institute as a degree-granting institution in the State of Maryland in 2005, and as reviewed and accredited by the Middle States Commission on Higher Education, the SANS Technology Institute will continue to engage the support services of its parent, the Escal Institute for Advanced Technologies (d/b/a/ SANS Institute) and its sister subsidiary, GIAC. The agreements are not designed specifically for the MSISM program, but as supporting structures for STI, support the delivery and management of this program. The two Memoranda of Understanding between the SANS Technology Institute and the SANS Institute and GIAC are included as Attachments B-2 and B-3.

C. Critical and compelling regional or Statewide need as identified in the State Plan:

1. Demonstrate demand and need for the program in terms of meeting present and future needs of the region and the State in general based on one or more of the following:
o The need for the advancement and evolution of knowledge;
o Societal needs, including expanding educational opportunities and choices for minority and educationally disadvantaged students at institutions of higher education;
o The need to strengthen and expand the capacity of historically black institutions to provide high quality and unique educational programs.

2. Provide evidence that the perceived need is consistent with the Maryland State Plan for Postsecondary Education (pdf).

Technological progress is related to, and the direct result of, the advancement and evolution of knowledge. Together with the increased prevalence in the use and applicability of information technology, and the benefits of substantial increases in productivity and efficiency, comes the need to protect information-based assets from new adversaries, criminals, foreign nation-states, and vectors of attack.
The MSISM program is directly supportive of the development of professionals with the skills and capabilities to manage the protection of information assets that are central to the advancement and evolution of knowledge in the information age. Despite the fact that the MSISM program is, by definition, focused exclusively on post-baccalaureate students and not all post-secondary students, it makes substantial contributions to Maryland's goals by seeking to increase the number and quality of Science, Technology, Engineering, and Mathematics (STEM) degrees in the State. From the 2013 Maryland State Plan for Postsecondary Education:

"Increasing the number of STEM degrees awarded to students is another key goal for Maryland postsecondary education. STEM-related occupations are critical because they are closely tied to technological innovation, economic growth, and increased productivity. Currently, workers with STEM competencies and degrees are in high demand. Data from the Georgetown University 10 Center for Education and the Workforce (2011) rank STEM jobs as the second fastest-growing occupational category in the nation, behind health care."

The MSISM program focuses on producing additional highly impactful Information Security leaders with proficiency in STEM-related areas of practice.
D. Quantifiable & reliable evidence and documentation of market supply & demand in the region and State:

1. Present data and analysis projecting market demand and the availability of openings in a job market to be served by the new program.
2. Discuss and provide evidence of market surveys that clearly provide quantifiable and reliable data on the educational and training needs and the anticipated number of vacancies expected over the next 5 years.
3. Data showing the current and projected supply of prospective graduates.

The need for technically educated information security professionals has been steadily increasing. In July 2010 the CSIS (Center for Strategic and International Studies) Commission on Cybersecurity for the 44th President [1] released a white paper titled A Human Capital Crisis in Cybersecurity. The white paper presents compelling evidence of a shortage of highly technical information security professionals who can both design secure networks and systems and create the tools needed to detect, mitigate, and recover from compromises. The report cited the number of such professionals currently employed in government is estimated to be around 1,000 with a need for up to 30, In 2013 the US Defense Department released plans to increase the number of information security professionals employed from 900 to 4,900, with an anticipated workforce of 6,000 cyber professionals. [3] The new positions will have 3 distinct focuses: a defensive national mission force to protect systems that support electrical grids, power plants and other critical infrastructure; a combat mission force to help overseas military commanders plan and execute offensive operations; and a cyber protection force to bolster Defense Department networks. [4] In 2012 the U.S. Department of Homeland Security Task Force on Cyber Skills called for DHS to hire 600 world-class cyber technologists. [5]

The Job Outlook for Information Security Analysts, Web Developers, and Computer Network Architects published in the Bureau of Labor Statistics Occupational Outlook Handbook anticipates that employment for that category will grow 22% from 2010 to 2020, faster than average for all occupations, with favorable job prospects for all three occupations. [6] This category is projected to grow by 24% in Maryland over a similar time period.

[1] Eric Cole, DPS, the Director of our Master of Science in Information Security Engineering program, was a member of this commission.
[2] White paper can be found at
[5] Homeland Security Advisory Council's Cyberskills Task Force Report, Fall, 2012 (Page 4, Objective 4)
[6] Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, Edition, Information Security Analysts, Web Developers, and Computer Network Architects, on the Internet at (visited September 24, 2013).
[7] d=2&soccode=151122&stfips=24&x=61&y=9
Even if those organizations, and hundreds of others that are seeking talent, can find the tens of thousands of technical cybersecurity experts they jointly seek, they will still need people of sufficient expertise who can organize, manage, and lead the work of these experts. Teams of security professionals are most productive when led by people with substantial technical expertise and experience, just as successful air attack groups are led by active but senior pilots, or surgical departments are led by practicing but senior surgeons. Under pressure, as information security people often find themselves, having a manager or team leader who is not qualified or lacks experience often leads to critical mistakes in a line of work that can ill afford them. In other words, if society hopes to protect itself against the increasing wave of attacks, a program needs to be created to develop technical information security leaders. STI was created to help government and industry develop that missing layer of technical cybersecurity managers. That goal is embodied in STI's mission.

STI used data available through IPEDS to obtain a general estimate of the number of graduates from Computer and Information Systems Security programs (specifically CIP Code ). In degrees were awarded, among 36 programs. To date STI has awarded 2 Master of Science in Information Security Management degrees. The need for qualified information security professionals is outpacing the number of professionals with the appropriate credentials and experience. The MSISM program will continue to play an integral part in decreasing the gap.

E. Reasonableness of program duplication:

1. Identify similar programs in the State and/or same geographical area. Discuss similarities and differences between the proposed program and others in the same degree to be awarded.
This proposal for a Substantial Modification to the SANS Technology Institute's MSISM program does not alter the number or nature of programs related to Information Security in Maryland, nor how our program relates to those programs. The learning outcomes sought have been reformulated but remain substantially the same.

Using the MHEC program inventory database we identified the following institutions that offer master's programs with the same CIP code Computer and Information Systems Security:

o Johns Hopkins University: Master's Degrees in Cybersecurity and Security Informatics
o University of Maryland University College: Master's degrees in Cybersecurity and Cybersecurity Policy

The following Maryland institutions are advertising similar master's programs, but are not listed in the MHEC program inventory database:

o Capitol College: Information Assurance Master's Degree
o University of Maryland Baltimore College: Master's In Professional Studies: Cybersecurity
It is our strong belief, after a review of the courses and course descriptions offered by these programs and courses, combined with our own understanding of the content of our courses, that the MSISM program continues to be distinguished in focus from those offered by these other institutions. Our technical courses are well known by governments and corporations to impart hands-on skills that enable our graduates to design, implement, and manage information security defenses. Our programs are designed specifically because of the problems driven by having managers of information security systems who might have apparently relevant credentials but who don't have an adequate understanding of the underlying technologies and hence how to design relevant defenses in the event of a breach.

Our management, policy, audit, and legal courses central to the MSISM program have been authored and are taught by practitioners in the field, and seek to establish clear connections between the more commonly taught high-level policy and audit standards with specific case studies of implementation mechanisms. It is this persistent connection of higher-level architecture and policy review and detailed implementation requirements in the real world that sets our program apart from existing, alternative offerings from other institutions in the State.

For example, the MSISM program requires a course entitled ISM 6200: Auditing Networks, Perimeters, and Systems. ISM 6200 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, students have the opportunity to dive deep into the technical "how to" for determining the key controls that can be used to provide a level of assurance to an organization.
Tips on how to repeatedly verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.

ISM 5600: Law of Data Security and Investigations similarly connects higher level legal issues with specific skills in the analysis and use of contracts and records management procedures. From a broad foundation, the course delves into specifics of (for example) preparing credible, defensible reports, whether for cyber, forensics incident response, human resources, or other investigations.

The MSISM degree ensures that our graduates understand, at the basic technical level, how operating systems and networks operate, how they can be broken, and therefore what one can do to protect them. On this grounding and with this level of understanding, effective information security professionals can develop and implement effective defenses.

Lastly, the MSISM program provides for multiple courses that integrate a student's understanding of the technical and management aspects of information security and develop their capabilities through real-world simulations. Two one-credit courses (ISM 5500 and ISM 5900) assist the student in the development of presentations of their research that they then need to present to faculty at a residential institute in the presence of their information security peers and professionals, many of whom are well versed in the topic(s) being presented and come prepared with challenging questions. Like their real-world responsibilities, graduate students must develop and prove their proficiency at distilling complex topics into an understandable oral presentation. MSISM students also fulfill the requirements of ISM 5700: Incident Response Practicum, in which a small group of students is given an information security incident scenario
based partly on real-world events, and they must recommend a course of action to a CIO board within a fixed 24-hour preparation timeframe, preparing an official written report thereafter. Through ISM 6100: Security Project Practicum, students must work in virtual groups over a 30-day period to evaluate a custom-tailored information security implementation project and also integrate their work into a unified, written project presentation. Practically driven, integrative coursework like this, combined with formal instruction courses, exams, and research that span high-level information security management concepts with real-world, practical implementation topics are the hallmark of the MSISM program experience and a key differentiator from other programs in the State.

2. Provide justification for the proposed program.

Since MHEC authorized STI to award master's programs, the MSISM program remains critical and importantly distinct from other programs in Maryland (and the nation):

1. The SANS Technology Institute builds on the technical training of the SANS Institute, which has trained more than 120,000 information security professionals and teachers since The SANS Institute is the largest cybersecurity training organization, serving the National Security Agency, the FBI, and the US military, as well as their counterparts in many U.S. allied nations. Intelligence, military, and law enforcement organizations account for approximately 20% of SANS students. Others come from more than 5,000 enterprises of all types, ranging from hospitals to banks, utilities, state governments, and churches. Well over 1,500 faculty members and cybersecurity staff from U.S. and international colleges and universities have attended SANS courses.

2. The SANS Technology Institute takes the deep technical instruction of the SANS Institute to an entirely new level.
The MSISM program focuses on building a foundation of technical knowledge that students can utilize in managing enterprise level security strategy. The enterprise level view is reinforced through the Critical Controls framework pioneered by STI and SANS and now adopted by the U.S. Department of Homeland Security and the British government's Centre for the Protection of Critical Infrastructure.

3. Further, STI focuses on developing technical communications skills as well as project management skills essential for gaining support for technical cybersecurity programs and succeeding as a leader. Because time away from work is very limited and individuals tend to focus their training on technical skills, it is uncommon for security practitioners to enroll in professional development courses. But these courses are essential for leadership positions, as one of STI's students wrote in 2013:

"I have to admit that I would not have chosen the project management course if it were not in the STI curriculum, but I am quick to admit that it has helped me greatly at work. I apply a lot of the content at work each day, leading a multi-year, multi-million dollar program. I believe the stakeholder management and guarding against (future) stakeholder scope creep are my biggest takeaways from your course. You did a great job delivering the content and keeping the class engaged."
4. The integration of enterprise-level analysis, project management, writing, and presentation courses is only part of what makes the SANS Technology Institute and the MSISM program a fundamentally different experience. SANS is a training institution that imparts a focused set of skills and capabilities to students who rarely take more than one course every couple of years. In contrast, MSISM students participate in a clearly defined, integrated program of study and curricula over a multi-year period. The individual courses are powerful, but it is the integrated curricular experience provided by the SANS Technology Institute that produces enterprise-ready security leaders and practitioners. Through its thoughtful construction of core courses, its focus not just on competency but on proficiency, and its progressive emphasis on applied research and written and verbal presentation skills, the SANS Technology Institute and the MSISM program integrate and augment SANS classes with its own courses and requirements into a whole greater than its constituent parts.

5. The MSISM program is a very serious endeavor to reduce a critical national shortage in technical cybersecurity leadership and management. It builds on the resources and programs of SANS to create a high-level program of academic and professional education that prepares students for the responsibilities of technical leadership in government and critical infrastructure.

F. Relevance to Historically Black Institutions (HBIs)

1. Discuss the program's potential impact on the implementation or maintenance of high-demand programs at HBIs.
2. Discuss the program's potential impact on the uniqueness and institutional identities and missions of HBIs.

A review of Maryland's HBIs indicates that only Bowie State University offers a similar graduate degree: Master of Science in Management Information Systems with concentration in Information Assurance.
This program proposal will have no impact on the uniqueness and institutional identity and mission of HBIs including Bowie State, as it does not represent a net change in the number or kind of offerings in graduate cybersecurity education, nor is Bowie State University's M.S. in Management Information Systems with concentration in Information Assurance a unique offering in the State of Maryland. For example, UMUC offers an online Master of Science in Information Technology: Information Assurance Specialization.

G. If proposing a distance education program, please provide evidence of the Principles of Good Practice (as outlined in COMAR 13B C).

We do not propose that the MSISM program may be taken 100% as a distance education program; indeed, it cannot, and we would not offer it as such, given our focus on management and leadership development, including the importance of the presentation of technical material to
technical and non-technical audiences in live settings. However, given the nature of our technologically advanced student body and their full-time work commitments, together with our historically-proven ability to offer our instructional programs via multiple distance-enabled modalities, some students do now choose to engage in greater than 50% of the program content at-a-distance.

Exhibit G-1 displays the current availability of courses in the MSISM program by the available delivery modality. The availability of courses that students can engage in at-a-distance has not changed substantially since prior to 2010, though we have measured an increase in the proclivity of students to engage in the programs utilizing these modalities. As shown, a substantial majority of the credit hours in the program are, and have been for many years, available to be taken at-a-distance via our OnDemand, vlive, or Simulcast modalities, as well as 2.5 credit hours in ISE 6100 and ISE 6900 for which the requirements have always specified that they be completed only at-a-distance. Therefore, this section addresses the Principles of Good Practice in order to ensure and highlight that we engage in these Principles in the normal course of our activities, and are formally able to allow students to take more than a majority of their course work at-a-distance if they so choose, in order to fit their graduate studies into their work and personal lives.

Curriculum and Instruction

The MSISM program was established and is overseen by qualified faculty, vetted through a rigorous process that uses educational credentials, practitioner experience and teaching ability to qualify candidates. STI uses a distributed education model that recognizes the needs of an adult student population with substantial work commitments who are dispersed throughout the United States and some international locations.
Therefore, it is necessary and mission critical to utilize distance learning modalities that support students in completing their program of study.

STI courses are designed using different pedagogical components to ensure students meet established learning outcomes. Four and three credit hour courses typically consist of formal technical instruction, an exam, and in the case of 4 credit hour courses, a research paper or simulation performance requirement. Because we do not operate a traditional academic calendar we have established course terms which vary by when a student registers and begins a course, in addition to how many credit hours a course awards; for example, 4 and 3 credit hour courses last no longer than 120 days. This type of course design is standard among all STI courses, regardless of delivery modality. When a student registers for a course, for example ISM 5100, they decide how they would like to take the technical instruction, at-a-distance or in-person, according to their learning needs and schedule.

The following distance learning modalities are available to students to complete the SANS technical course component: OnDemand, vlive and Simulcast.

Students who utilize the OnDemand platform are given access to a learning management system with modules pre-loaded into the system in addition to printed course books containing written lectures and labs. Each module is a recording from an in-person course session. The learning management system allows students to revisit lectures and also complete quizzes to check understanding. A
recommended viewing schedule is included in course syllabi. Each STI course has a faculty member, who in most cases is the same person recorded for the OnDemand course system. A teaching assistant referred to as a virtual mentor is available for all OnDemand courses to help answer student questions or assist with lab issues.

The vlive learning modality is conducted online with established course meeting times led by an instructor typically twice per week for up to 8 weeks, through a learning management system that allows for direct interaction with the instructor and other course participants. Each course session is recorded for students to review previously covered material, or to view if they miss a session meeting.

The simulcast delivery modality allows a student to participate in a course being offered through the in-person modality, however, from their location of choice, enabled through a digital learning management system. Students meet during the same time the in-person course meets. They can participate in classroom lectures by seeing and hearing the instructor, in addition to asking questions and participating in classroom discussion.

If a student chooses a distance learning modality, that experience is comprised of the very same coherent, cohesive, academically rigorous curriculum as when taken via our traditional residential institute-based, in-person instructional format. The faculty member assigned to the STI course reviews student performance on exams and papers and assigns a grade at the end of the course.

A review of STI's at-a-distance capabilities was a core part of our accreditation self-study and review. Exhibit G-2 is the excerpt from our self-study related to our distributed learning modalities.
As discussed in that excerpt, a 2013 study of all certification exam results proved that the exam scores achieved on these standardized exams were not statistically different when comparing delivery modalities, such as whether the course instruction was taken via our traditional, live instructional format or via either our OnDemand or vlive instructional modalities (Attachment G-2, pages 2-4). At the same time, student ratings of the course content, labs, and teaching skill for our at-a-distance modalities are comparably high to those for our in-classroom instruction experiences. When taken OnDemand or vlive, students have appropriate real-time and delayed interactions with our faculty and teaching assistants, and students often prefer the ability to essentially rewind and replay the OnDemand format, often registering for it in addition to the standard, in person method. The courses, when implemented online, are converted in consultation with and under the direction of the faculty, and the faculty engages in online-specific training to best enable their teaching effectiveness in that format.

Role & Mission

Distance education is consistent with our mission, and is a critical component allowing a full-time working professional to engage in our master's program during their available nights and weekends.

Faculty Support
Faculty who participate in our OnDemand, vlive and simulcast modalities undergo specific training to help modify their style to this format. We engage a team of individuals to assist in online-specific methods to enable virtual student-faculty interactions, including (when a class is Simulcast to students) employing an assistant in the room who participates in the class on behalf of distance students by flagging the instructor's attention when questions or issues are addressed by virtual students. Members of the faculty have developed guidelines for best practice when teaching in our distance education formats (Attachment G-3).

Learning Resources

Students who engage in our distance formats receive access to the same learning resources as those that take the instructional portion of any class live at a residential institute. Labs have been specifically formatted for use at a distance, and we utilize multiple online technologies to assist in student/faculty interaction, including but not limited to real-time interactive two-way video communications.

Students and Student Services

STI disseminates information regarding the curriculum, degree requirements, availability of academic support services, financial aid resources, and costs and payment policies to students through our website and catalog/student handbook. These policies and procedures do not differ when students engage in courses in person or via one of our at-a-distance modalities. All students have the same reasonable and adequate access to student services.

STI's admissions requirements ensure that all accepted students have the background, knowledge, and technical skills to engage in any of our courses either in person at a residential institute or via one of our at-a-distance modalities. All advertising, recruiting, and admissions materials clearly and accurately represent the program and the degree to which one can, and cannot, engage in it entirely in-person or online.
STI's website is the primary source for information about the institution and our programs; therefore, it is updated regularly. When students register for a course they are given a detailed course syllabus which details course requirements, nature of faculty/student interaction, assumptions about technology competence and skills, and technical equipment requirements. An OnDemand platform instructional video 8 has been created to orient students to the delivery modality. The video is available on the SANS webpage and on the home page of the learning management system. Students taking a course through the vLive modality have access to a detailed FAQ 9 to orient them in how to log in to the platform and additional user information, including troubleshooting. Students having issues with the OnDemand player, or with accessing the vLive platform, have access to the SANS helpdesk for technical support to resolve any issues.

Commitment to Support

As displayed in Attachment G-2 (page 5), faculty members are evaluated specifically relative to their effectiveness in a distance format. The SANS Technology Institute is committed to the
continuance of its program to offer much of our course instruction at-a-distance, as we have done so since Because our programs are designed for working professionals, engaging in our course instruction at a distance is a critical enabler for full-time working professionals to fit the program within their work and personal lives, saving both travel time and expense, and the requirement to engage in classroom instruction during the workday.

Evaluation and Assessment

STI utilizes a mix of direct and indirect assessments to inform teaching and learning effectiveness. The majority of STI courses require students to take the same, specific GIAC certification exam, regardless of which modality students choose to engage in the faculty instruction. Results from the exams, such as overall score and specific exam objective performance, are analyzed quarterly as part of our institutional assessment cycle. A summary report of this analysis is created and distributed to STI faculty for follow-up. Results are used to update courses and for supporting students. As part of the summary report, results from scoring rubrics from written assignments are distributed to faculty. These results are used to assess how well students are meeting specific learning outcomes addressing writing and research ability. At the end of each major unit of faculty instruction, a satisfaction survey is distributed to students. The survey includes questions on target areas such as course content, instructor performance and lab performance. These results are reviewed immediately to address critical issues and then aggregated for a summary report of each learning event. Similar satisfaction surveys are distributed to students taking instruction through an on-line modality. The on-line survey includes the same categories as in-person courses, except it has additional categories that are specific to the on-line experience such as platform performance and technical issues.
Results received from on-line surveys are reviewed regularly to remedy immediate issues, such as technical problems. Data is aggregated on a monthly basis to determine overall satisfaction trends and inform changes to the course or overall experience. Because SANS continuously runs courses through in-person residential institutes, on-site, or through on-line modalities, the feedback loop associated with the satisfaction surveys provides a robust and rich data set to make informed decisions regarding the quality of instruction and course content. Attachment G-4 contains an example of the summary report for on-line courses.

Our at-a-distance offerings are inherently cost-effective for students because they mitigate the need for students to travel to various locations to engage in the course instruction live in-classroom. Because there is no distinction between online and in-person programs, we do not assess the impact on student retention, and fundamentally believe that our at-a-distance courses enable the participation of students given the otherwise burdensome time (and cost) requirements for them to travel to our instructional sites. As shown throughout Attachments G-2 and G-4, we take an evidence-based approach to evaluating the effectiveness of our online teaching practices, and we assess and document student achievement of learning outcomes regarding courses taken at-a-distance.
H. Adequacy of faculty resources (as outlined in COMAR 13B ).

Provide a brief narrative demonstrating the quality of program faculty. Include a summary list of faculty with appointment type, terminal degree title and field, academic title/rank, status (full-time, part-time, adjunct) and the course(s) each faculty member will teach.

SANS Technology Institute's faculty is led by a group of program faculty who have direct oversight of the design and quality of the program and courses in addition to teaching responsibilities, and all program faculty teach courses within the MSISE program. The core group of program faculty has been serving in this capacity since the institute was established in In addition, STI utilizes a larger group of appointed teaching faculty, especially for elective courses, who have teaching responsibilities and are overseen by program faculty, but are not typically involved with the design and maintenance of the program. Program and Teaching faculty are selected and appointed from the three highest ranks of SANS Institute instructors, almost all of whom spend a significant portion of their time as information security practitioners, thus maintaining their currency and expertise. Individuals may attain these SANS designations only after completing a rigorous, multi-year program designed to identify expert practitioners of information security who are also highly effective teachers and researchers. An analysis of student ratings of the teaching effectiveness of SANS Technology Institute faculty over the past three years determined that the average rating was 9.44 on a 10-point scale, with nearly 95% of individual faculty rated over 9.0, confirming the success of this development process. Despite its size, the SANS Technology Institute's faculty appointments receive the full benefit of, and access to, this entire SANS instructor recruitment and development process, a capability otherwise unattainable for similarly sized institutions.
Faculty are specifically designated and approved to teach courses in the MSISE curriculum by the Curriculum, Academic, Faculty, and Student Affairs Committee. The faculty body of SANS Technology Institute contains well-respected information security professionals who include authors of widely read books in the information security community, researchers for leading national and international information security research programs, keynote and session speakers at major information security conferences, and trusted information security advisors for U.S. government agencies and private sector organizations. Some faculty members, along with STI's President, are also the principal investigators for major STI research and public service initiatives, such as the SANS Internet Storm Center. A list of faculty is included in this proposal as Attachment H-1.

I. Adequacy of library resources (as outlined in COMAR 13B ).

Describe the library resources available and/or the measures to be taken to ensure resources are adequate to support the proposed program. If the program is to be implemented within existing institutional resources, include a supportive statement by the President for library resources to meet the program's needs.
The modifications to the MSISM program described herein have no net impact on the needs or requirements on the library resources of the SANS Technology Institute. The challenges of information security are constantly evolving, and excellence in performance demands continuous monitoring of changes in threats, technology, and practices. SANS conducts an extensive research program that helps STI students complete assignments related to their program of study, as well as keeping current with the latest information security trends. The SANS Resource Center is a compilation of thousands of original research papers, security policies, and security notes, along with a wealth of unique network security data. The following list outlines some of the primary resources available:

- The SANS Information Security Reading Room 10 contains nearly 2,000 original research studies, not available from any other source, in 76 knowledge domains relevant to the study of information security.
- The SANS Security Policy Collection 11 contains model security policies developed by major corporations and government agencies. The collection contains about 35 policies and grows as new security issues arise and policy templates are needed.
- The SANS 20 Critical Controls 12 is a consensus list of vulnerabilities that require immediate remediation. It is the result of a process that brought together dozens of leading security experts.
- The SANS Newsletter Collection 13 helps keep students up to date with the high-level perspective of the latest security news.
- The Security Glossary 14 is among the largest glossaries of security terms available on the Internet. It was developed jointly by SANS and the National Security Agency and provides authoritative definitions of many of the specialized terms students will encounter.
- The SANS Collection of Frequently Asked Questions about Intrusion Detection 15 contains 118 authoritative discussions of the primary topics that arise when planning and implementing intrusion detection technologies.
- The SANS Internet Storm Center Archives 16 contain contemporaneous analyses of new attacks that are discovered on the Internet. The archives constitute an extraordinary research asset because of the depth of the analysis and the currency of the topics covered. They also provide SANS students with access to raw data, summaries, and query facilities to analyze malicious Internet traffic records. This is a rich data source for advanced security research projects that analyze attack patterns and how fast worms spread through the Internet.
- S.C.O.R.E. 17 is a community of security professionals working to develop consensus regarding minimum standards and best-practice information.
- SANS Web Briefings 18 held several times a month feature SANS faculty and other security experts providing up-to-date web briefings for SANS alumni on new threats seen at the Internet Storm Center, new technologies that are emerging, and analysis of security trends.

J. Adequacy of physical facilities, infrastructure and instructional equipment (as outlined in COMAR 13B )

Provide an assurance that physical facilities, infrastructure and instruction equipment are adequate to initiate the program, particularly as related to spaces for classrooms, staff and faculty offices, and laboratories for studies in the technologies and sciences. If the program is to be implemented within existing institutional resources, include a supportive statement by the President for adequate equipment and facilities to meet the program's needs.

As a Proposal for Substantial Modification, there is no change in the physical facilities, infrastructure and instructional equipment required by the program.

K. Adequacy of financial resources with documentation (as outlined in COMAR 13B )

1. Complete Table 1: Resources (pdf) and Table 2: Expenditure (pdf). Finance data (pdf) for the first five years of program implementation are to be entered. Figures should be presented for five years and then totaled by category for each year.
2. Provide a narrative rationale for each of the resource categories. If resources have been or will be reallocated to support the proposed program, briefly discuss the sources of those funds.

Attachment K-1: Table 1: Resources
Attachment K-2: Table 2: Expenditures
Attachment K-3: Resources and Expenditures Narrative

L. Adequacy of provisions for evaluation of program (as outlined in COMAR 13B ).

Discuss procedures for evaluating courses, faculty and student learning outcomes.
Faculty at STI oversee a learning outcomes assessment process that occurs throughout a student's collegiate experience. STI's Curriculum Committee provides oversight of the assessment process to ensure that students are mastering the appropriate program learning outcomes by reviewing performances on certification exams (quarterly), research papers, alternative written assignments, projects and presentations (Attachment L-1). In addition to
helping to ensure that students master their program learning outcomes, results from learning assessments are also used to ensure (1) the curriculum is aligned with the community of practice and meets the needs and expectations of our students, and (2) learner satisfaction. Six direct and indirect assessment measures are used to assess student learning: GIAC exam scores, GIAC Gold Paper scores, written assignment scores, graduate exit surveys, graduate position surveys, and project and presentation reflection essays. Results from learning assessments are used in program and curriculum assessment. STI relies on course evaluations to determine curriculum alignment with communities of practice as well as the quality of instruction. Because students are mid-level professionals, most classes include some students with advanced knowledge of relevant areas of security practice. Courses are evaluated by thousands of SANS students as well as STI students, and their combined daily feedback on course currency, accuracy, and utility provides a continuous flow of assessment data directly useful to course authors in ensuring their courses reflect current best practices. The course evaluation process is an integral component of institutional effectiveness. At the conclusion of each day of instruction, students are asked to evaluate their instructor, the learning environment, and the overall learning experience. Evaluations are preliminarily reviewed during the learning event to allow for immediate changes in the learning environment. After each learning event, evaluations are analyzed by SANS assessment analysts. An event report is generated and provided to all stakeholders, including the course author, instructor, and STI's President. STI faculty use results from learning events along with data from GIAC exam assessments to make updates to the curriculum as needed.
STI Curriculum Committee members are assigned specific courses to review throughout the year to ensure quality and currency of courses. Course update reports are generated typically three times per year and distributed to the Curriculum Committee.

M. Consistency with the State's minority student achievement goals (as outlined in COMAR 13B and in the State Plan for Postsecondary Education).

Discuss how the proposed program addresses minority student access & success, and the institution's cultural diversity goals and initiatives.

STI is committed to maintaining an environment of appropriate conduct among all persons and respect for individual values. The Institute is committed to enforcing non-discrimination and anti-harassment in order to create an environment free from discrimination, harassment, retaliation and/or sexual assault. Discrimination or harassment based on race, gender and/or gender identity or expression, color, creed, religion, age, national origin, ethnicity, disability, veteran or military status, sex, sexual orientation, pregnancy, genetic information, marital status, citizenship status, or on any other legally prohibited basis is unlawful and undermines the character and purpose of STI. Such discrimination or harassment will not be tolerated.

N. Relationship to low productivity programs identified by the Commission:
If the proposed program is directly related to an identified low productivity program, discuss how the fiscal resources (including faculty, administration, library resources and general operating expenses) may be redistributed to this program.

This program is not related to an identified low productivity program.
Attachment B-1: MSISM Curriculum Map

Course Number: ISM 5000; ISM 5100; ISM 5200; ISM 5300; ISM 5400; ISM 5500; ISM 5700; ISM 5700; ISM 5800; ISM 6xxx; ISM 5900; ISM 6000; ISM 6100; ISM 6200; ISM 6900

MSISM Course Title: Research & Communications Methods; Enterprise Information Security; Hacking Techniques and Incident Response; Building Security Awareness; IT Security Planning, Policy & Leadership; Research Presentation 1; Law of Data Security and Investigations; Incident Response Practicum; IT Security Project Management; Elective; Research Presentation 2; Standards Based Implementation of Security; Security Project Practicum; Auditing Networks, Perimeters and Systems; Information Security Fieldwork; ISM Capstone

Credit Hours

GSM not GIAC Certification: Requires 6 GIAC Technical Certifications & 5 Published (Gold) Papers

- GSM Oral Presentation AUD 507 GSNA GIAC Gold - JWP - Group Written Paper; individual submission Written Assignment on Standards MGT 566 Instructor Provided Exam GIAC Gold - Oral Presentation of Research Paper Select Technical Course GIAC Exam GIAC Gold MGT 525 GCPM Case Analyses & Portfolio - Rapid Incident Response (GDWP) GDWP - Group Paper & Oral Presentation LEG 523 GLEG GIAC Gold - Oral Presentation of Research Paper MGT 514 Instructor Assigned Written Assignment MGT 433 Written Assignment Instructor Assigned Reading SEC 504 GCIH NetWars Critical Controls Reading & Paper MGT 512 GSLC GIAC Gold MGT 305 Oral & Written Presentation

STI Course Components (5/6/14):
1. Enterprise Introduction
2. Technical Instruction (338.5 Hours)
3. Exam (Certification)
4. Simulation
5. Professional Communication

I=Introduced, D=Developed, M=Masters Level

M M M M M M M M D M M D D D D D D D D D D D D D M D D D D D D D D D D D I I I D I I I I I I I

Learning Outcomes Map:
- GPLO1 Formulate Policies and Solutions
- GPLO2 Assess situation and prescribe an approach
- GPLO3 Balance Business and Security
- GPLO4 Communication to Technical and Non-Technical Personnel
- GPLO5 Identify Issues and Delineate Strategies
- SPLO1 Manage & Balance Communities of Interest
- SPLO2 Standards Based Approach to Minimize Risk
- SPLO3 Integrate Enterprise Security Operations
- SPLO4 Articulate Legal Positions to Meet Ethical and Business Needs
- SPLO5 Devise and Implement Strategies for Incident Detection & Response, BCP and DRP
Attachment B-2: SANS-STI MOU

Memorandum of Understanding between The SANS Technology Institute ("STI") and The Escal Institute of Advanced Technologies ("SANS")

Agreement Updated: January 1, 2014
Agreement Period of Performance: 2014 Calendar year
Contents

GENERAL INFORMATION
- Purpose
- Vision
- Mission
- Scope
- Hours of Operations
- Service Expectations
- Service Constraints
- Terms of Agreement
- Periodic Quality Reviews
- Service Level Agreement Maintenance
- Issue Resolution
- Payment Terms and Conditions
General Information

Purpose

The purpose of this Memorandum of Understanding ("MOU") is to establish a cooperative partnership between the SANS Technology Institute (STI) and the ESCAL Institute of Advanced Technologies, Inc/dba/SANS Institute (SANS). This MOU will:

- outline services to be offered by SANS to STI;
- quantify and measure service level expectations, where appropriate;
- outline the potential methods used to measure the quality of service provided;
- define mutual requirements and expectations for critical processes and overall performance;
- strengthen communication between the provider of administrative services (SANS) and its enterprise customer (STI);
- provide a vehicle for resolving conflicts.

Vision

SANS will provide a shared business environment for the STI enterprise. The business environment will continuously enhance service, compliance and productivity to STI's employees, students and core administrative practices. The primary goals for the MOU include:

- Integrate people, processes, and technology to provide a balanced service level to all customers.
- Create a collaborative environment where trusted relationships and teamwork are encouraged between administrative services, departmental staff, faculty, students and suppliers to further the enterprise's goals.
- Leverage human resources, institutional knowledge, developing skill sets, and technology in an effort to continuously improve service and productivity for all services provided.
- Create an organizational structure that balances STI's strategic and tactical efforts to promote efficiencies.
- Mitigate risk to the STI enterprise by focusing on compliance requirements and understanding the impact these requirements have on productivity and student services.
- Develop an integrated organizational structure that will promote the consistent interpretation and enforcement of policies, procedures, local, state and Federal laws and regulations throughout the enterprise.
Mission

Through various SANS educational and administrative service units, provide business activities dedicated to operational and student service excellence to the STI enterprise so that core STI
staff can focus on the academic components of their mission to educate managers of information security groups and the technical leaders who direct security technology programs.

Scope

The SANS Institute will also provide access for STI students, in all delivery modalities, to the Technical courses offered by the SANS Institute that are a part of STI's course curricula, including Course Maintenance, Presentation of this course material, and Educational Residency services for the SANS Technology Institute. The SANS Institute shall provide policy-compliant management of Accounting & Finance, Bursar & Registration, Human Resource, Marketing, and Information Technology infrastructures for STI.

Hours of Operations

Typical staffed hours of operation for the SANS activities are 9:00-5:00 Monday-Friday, with the exception of approved holidays. Working hours may be adjusted due to system/power outages, emergency situations, or disaster. Through the use of technology, it is expected that many of the services provided will be available to STI students and employees on a 24-hour basis.

Service Expectations

SANS and STI agree to the service expectations and working assumptions listed below. These service expectations are meant to monitor the more critical elements of the services provided and are not meant to reflect the comprehensive services offered by SANS. The productivity indicators reflected below are not listed in any order of priority.

Accounting and Finance

Process / Service Expectation / Service Metric

Accounts Receivable Payment accuracy Remittances produced in the form of check, EFT, or wire. All payments made will be for approved and legitimate services/products Payment schedule is set up for a daily cycle and reporting available daily. Audits of vendor transactions will show evidence of 100% three-way match.

Employee travel and expenses are reimbursed. Protect financial outlays made by employees. Reimbursements are made within a 30 day timeframe.
Financial reporting Financial reporting is done on time and in accordance with the same audited accounting principles used by SANS. All MSCHE, federal and internal reporting deadlines will be met on time.
Audit of records Annual audits will be performed Annual audit performed on the Financial Statements by an independent external auditor.

Bursar & Registration

| Process | Service Expectation | Service Metric |
|---|---|---|
| Cashier Function | Process payments and distribute revenue to appropriate departments | Payments will be processed within 24 hours of receipt, and revenue distributed on a monthly basis. Through the quarterly STI roundtable meetings survey, students will find that Bursar services are deemed satisfactory. |

Human Resources

| Process | Service Expectation | Service Metric |
|---|---|---|
| Benefits | Provide benefits which are in the best interest of the employees and employer. | Annual survey of employees will show that major benefits of interest are being adequately provided. |
| Payroll | Assure timely payroll and employee reviews. | All bimonthly payrolls will be made on the 15th and final days of the month. |
| HR services | Manage HR service to ensure receipt by employees. | HR services are provided for in a timely manner as measured in the annual survey, and changes are communicated and enforced. |
Marketing

| Process | Service Expectation | Service Metric |
|---|---|---|
| Brand Awareness | Create awareness of STI programs within the Information Security Community. | STI will be listed among the top 3 search results on major search engines like Google for the term "Information Security Masters Degree" |
| Lead Generation | Conduct prospecting activities within defined prospect demographics to produce leads. | At least 1,000 leads will be generated per year. |

Information Technology

| Process | Service Expectation | Service Metric |
|---|---|---|
| Digital learning environment | Create and maintain a leading edge digital environment for learners. | Standards based accessible content supporting all curricula for all learners that consistently scores above 4 on a scale from 1 to 5 on student surveys. |
| Technology infrastructure | Provide transaction platforms to support student course scheduling and learning and other services. | Annual surveys of students to reflect adequacy of transaction processes. |
Technical Course Maintenance & Presentation

| Process | Service Expectation | Service Metric |
|---|---|---|
| Currency of content | Make available for use by STI Faculty any and all technical content developed by the SANS Institute. | Content is reviewed at least semi-annually for currency with existing malicious capabilities and mitigation theory and strategy. |
| Quality of content and presentations | Assist through all means necessary and available the delivery of STI faculty and lab instruction in a high quality fashion. | SANS Institute will make available all performance ratings derived from students on STI courses or faculty. |

Educational Residency

| Process | Service Expectation | Service Metric |
|---|---|---|
| Conference services | Provide hotel, classroom technology, refreshment and other services that promote an unencumbered learning environment for students. | Conference services provided will maintain an average rating of at least 4 out of 5 on daily student surveys. |

Service Constraints

- Workload - Increases in workload, such as back log due to power outages or fiscal year end closing, may result in temporary reduction of service level delivery.
- Conformance Requirements - Finance policy changes and Internal Revenue regulations may alter procedures and service delivery timeframes.
- Dependencies - Achievement of the service level commitment is dependent upon student and employee compliance with the policies and procedures of the STI enterprise.

Terms of Agreement

The term of this agreement is January 1, December 31, 2022 with the mutual understanding that modifications may be required over time. Any and all modifications will be made in the spirit of the original Agreement through the mutual agreement of both parties to the MOU. A formal review of this Agreement and published modifications will occur on a semiannual basis.
Periodic Quality Reviews

STI and SANS will jointly conduct periodic reviews of individual SANS administrative support unit performance against agreed-upon service level expectations. The agenda for these reviews should include, but is not limited to:

- service delivery since the last review
- major deviations from service levels
- conflicts or concerns about service delivery
- planned changes to improve service effectiveness
- provide feedback from student and employees
- annual customer satisfaction surveys

STI and SANS will also regularly assess customer satisfaction and will use the results as a basis for changes to this Agreement. STI's Chief Operating Officer and the SANS administrative service unit lead will meet annually.

Service Level Maintenance

This Agreement will be reviewed on an ongoing basis and updated as needed. Revisions may become necessary due to changing service needs, modifications to existing services, addition of services, significant variations from agreed-upon service levels, or unanticipated events.

Issue Resolution

If either party identifies a substantive breach of responsibility, or other problem that requires resolution prior to the next periodic review, the operating level managers of both parties will engage in a joint effort of understanding and rectification of the issue. In the event this remedial effort fails, either party can raise the issue to the executive levels of both parties.

Payment Terms and Conditions

For services provided, STI will pay SANS according to the following schedule:

- STI will pay SANS $400 for each instance when an STI student registers for a SANS class as part of an STI course, regardless of the chosen delivery modality (live event or online).
- STI will pay amounts to SANS, monthly in arrears, to reflect any directly allocated expenses by SANS personnel in support of STI business according to this services agreement (specifically including the result of any time allocation procedures as determined by SANS accounting department)
- STI will pay an amount to SANS, monthly in arrears, to reflect its pro-rata share of SANS otherwise unallocated costs for Accounting & Finance, Bursar, Human Resource, Marketing and Information Technology, and related administrative services, in
SANS Technology Institute-GIAC Memorandum of Understanding Agreement

Published Date: February [illegible]
Agreement Period of Performance: 2013 Calendar year
Contents

GENERAL INFORMATION
- Purpose
- Vision
- Mission
- Scope
- Hours of Operations
- Service Expectations
- Service Constraints
- Terms of Agreement
- Periodic Quality Reviews
- Service Level Maintenance
- Issue Resolution
- Payment Terms and Conditions
General Information

Purpose

The purpose of this Memorandum of Understanding ("MOU") is to establish a cooperative partnership between the SANS Technology Institute (STI) and Global Information Assurance Certification (GIAC). This MOU will:

- outline services to be offered and working assumptions between STI and GIAC;
- quantify and measure service level expectations;
- outline the potential methods used to measure the quality of service provided;
- define mutual requirements and expectations for critical processes and overall performance;
- strengthen communication between the provider of assessment services (GIAC) and its enterprise customer (STI);
- provide a vehicle for resolving conflicts.

Vision

GIAC will provide student assessment services for the STI enterprise. The primary goals for the MOU include:

- Provide access to high quality services for students, community and faculty, while ensuring identity and examination integrity in a secure and test-friendly environment.
- Provide meaningful certification services to students while promoting their academic, career and personal goals.
- Demonstrate that STI students can contribute to the knowledge base in information security and can communicate that knowledge to key communities of interest in information security.

Mission

Through various GIAC service units, provide assessment activities dedicated to operational and student service excellence to the STI enterprise so that core STI staff can focus on the academic components of their mission to educate managers of information security groups and the technical leaders who direct security technology programs.

Scope

GIAC shall provide job task analysis-based assessments in the form of proctored certification exams. GIAC will also provide and manage a process (GIAC gold process) whereby students are adequately advised in their program of study to create a series of monographs.
Hours of Operations

Through the use of technology and GIAC directed service providers, it is expected that assessment services provided will be available to STI students on a 24-hour basis.

Service Expectations

STI and GIAC agree to the service expectations and working assumptions listed below. These service expectations are meant to monitor the more critical elements of the services provided and are not meant to reflect the comprehensive services offered by GIAC. The productivity indicators reflected below are not listed in any order of priority.

| Process | Service Expectation | Service Metric |
|---|---|---|
| Certification Examinations | | |
| Exam preparation | Provide access to two practice exams | Practice exams will be available to students within 10 days of exam registration |
| Test center experience | Students will be provided a professional environment free of distractions for taking exams | Test center experiences will receive an average rating of at least 4 out of 5 on an annual student survey |
| Quality management of examination | Exams will maintain their relevance to the job field for which they are certifying | All GIAC exams given will receive a rating of acceptable in their validation reports. |
| Supply of data for STI program assessment | GIAC will supply STI with exam results for further evaluation | GIAC will supply STI with STAR reports on a quarterly basis. |
| Gold Paper Process | | |
| Assignment of Advisors | Appropriate advisors will be assigned in a timely manner | Upon approval of paper topic, assigned advisor will send confirmation to student. |
| Advising Services | Advisors will provide guidance for students through all monograph writing phases | Monograph advising services will maintain an average rating of at least 4 out of 5 on running quarterly average of student surveys |
| Posting of Monographs | Monographs will be posted to the SANS reading room in a timely manner | Monographs will be posted within 30 days of approval and acceptance by STI faculty |

Service Constraints

- Workload - Increases in workload, such as [illegible] submissions, may result in temporary reduction of service level delivery.
- Conformance Requirements - ANSI policy changes may alter procedures and service delivery timeframes.
- Dependencies - Achievement of the service level commitment is dependent upon student and faculty compliance with the policies and procedures of GIAC.

Terms of Agreement

This agreement commences on January with the mutual understanding that modifications may be required over time. Any and all modifications will be made in the spirit of the original Agreement through the mutual agreement of both parties to the MOU. A formal review of this Agreement and published modifications will occur on a semi-annual basis.

Periodic Quality Reviews

performance against agreed-upon service level expectations. The agenda for these reviews should include, but is not limited to:

- service delivery since the last review
- major deviations from service levels
- conflicts or concerns about service delivery
- planned changes to improve service effectiveness
- provide feedback from student and employees
- annual customer satisfaction surveys

STI and GIAC will also regularly assess customer satisfaction and will use the results as a basis for changes to this Agreement. STI's Chief Operating Officer and the Director of GIAC will meet annually.
Service Level Maintenance
This Agreement will be reviewed on an ongoing basis and updated as needed. Revisions may become necessary due to changing service needs, modifications to existing services, addition of services, significant variations from agreed-upon service levels, or unanticipated events.

Issue Resolution
If either party [illegible] substantive breach of responsibility, or other problem that requires resolution prior to the next periodic review, the operating level managers of both parties will engage in a joint effort of understanding and rectification of the issue. In the event this remedial effort fails, either party can raise the issue to the executive levels of both parties.

Payment Terms and Conditions
For services provided, STI will pay GIAC according to the following schedule:
- STI will pay GIAC 25% of the list price for a GIAC certification exam each time a student pays for the GIAC exam as part of their program of studies, or when they purchase and allocate payment for purchased credit hours towards a GIAC certification exam.
- STI will pay GIAC Gold paper advisors $100 for each advisory assignment completed.

STI GIAC
Attachment G-1: Availability of Distance Courses

Availability of MSISE Courses - At-a-distance Options
Columns: Required Courses | Credits | Enabled At-a-distance? | In-Person Classroom? | At-a-distance Instruction Modality: OnDemand | vlive | Simulcast | Correspondence/Project Work

Required Courses:
ISE Yes Yes Yes
ISE Yes Yes Yes Yes Yes -
ISE Yes Yes Yes Yes Yes -
ISE Yes Yes - - Yes -
ISE Yes Yes Yes Yes Yes -
ISE No Yes
ISE Yes Yes Yes - Yes -
ISE No Yes
ISE No Yes
ISE No Yes
ISE Yes Yes - Yes Yes -
ISE Yes No Yes
ISE Yes No Yes

Elective Options:
ISE Yes Yes Yes - Yes -
ISE Yes Yes Yes Yes Yes -
ISE Yes Yes Yes - Yes -
ISE Yes Yes Yes
ISE Yes Yes - Yes Yes -
ISE Yes Yes Yes Yes Yes -
ISE Yes Yes Yes Yes - -
ISE Yes Yes Yes
ISE Yes Yes Yes
ISE Yes Yes - Yes - -
ISE Yes Yes - Yes - -
ISE Yes Yes - Yes Yes -
ISE Yes Yes Yes Yes - -
ISE Yes Yes Yes
ISE Yes Yes Yes Yes - -
ISE Yes Yes Yes - - -
Attachment G2: Excerpt from SANS Technology Institute's Self-Study: Chapter 13.1 on Distance Learning

STI develops and maintains a portfolio of distributed learning environments directed toward maintaining an equivalent learning experience across all modalities. STI students are adult learners and most are already employed in high-pressure careers.[1] Many are key technical information security professionals for their employers and therefore are first responders when cyber intrusions are discovered, new systems must be assessed for security flaws before being deployed, or partnerships or acquisitions are being considered and a rapid security assessment is required. In other words, STI students are not in complete control of their time and they may not have the flexibility to be away from their offices for a full week to attend a Residential Institute for face-to-face live learning.

Through SANS, STI is able to offer multiple distance learning options that enable our students to progress toward achieving their program learning outcomes even when they cannot attend the Residential Institutes.[2] The multiple distance learning options are designed to provide learning and assessment experiences equivalent to what students get in the Residential Institutes. In some cases, as the evidence below suggests, the distance learning options offer academic benefits that may be superior to those of the live classroom experience.

STI Offers Two Distributed Learning Modalities

Synchronous Live at a Distance: vlive & Simulcast

vlive is a synchronous delivery environment with an asynchronous component designed to serve adult learners who prefer a classroom-style approach to learning, but cannot afford or do not have the time to travel.[3] With the assistance of virtual moderators, faculty members lecture and respond to questions, assist students in exercises, and otherwise engage them during lectures at scheduled times on a regular basis over an extended period of time (e.g., Tuesday/Thursday evenings from 7-10 p.m.). Each lecture is also recorded, including student interaction and discussions. Students who miss a particular lecture can view the material at a later time. Additionally, recording allows any student to refer back to the archived lecture for as long as six months after the course is completed to facilitate review for preparing for the associated GIAC examinations. The lecture material is supplemented in almost all cases by a digital laboratory environment.

[1] Appendix 12: Student Enrollment Profile
Example of vlive course available in on-site Resource Room.
Demonstrations of the vlive experience may be freely accessed at

Simulcast is the simultaneous multicasting over SANS vlive delivery system of a course while it is being taught at a Residential Institute. In addition to cameras and audio equipment in the room, a live moderator sits in class and represents Simulcast students, literally raising her/his hand when those Simulcast participants have a question, delivering the question as part of the live class, and ensuring the Simulcast participant is satisfied with the answer. This is particularly useful in the case of certain courses, like MGT 433, which rely on a higher degree of interactivity between the student and faculty member, and for which a delayed view might be suboptimal.

OnDemand

OnDemand is an asynchronous digital learning environment that allows students to engage whenever and wherever they wish.[4] A top-ranked instructor presents the material live and is recorded, slide-by-slide. That material is delivered in modules, corresponding to the segments of a day at a Residential Institute. OnDemand students thus have the opportunity to listen to the highly-rated teacher and watch the same slides they would have in a Residential Institute, but they have the added benefit of being able to stop the lecture and go back within a single slide, to a former slide, or even to a former chapter in order to hear something that might have gone by too quickly. Further, at the completion of each module, OnDemand delivers self-assessment questions to reinforce learning objectives. The student consumes the course modules in order, and the lectures are supplemented in almost all cases by a digital laboratory environment containing exercises unique to each course. OnDemand courses are also supported by a virtual mentor who responds to questions within 24 hours. When necessary, the virtual mentor accesses STI faculty for additional support.
The educational delivery software for OnDemand was developed and is maintained by SANS.

Students Are Assessed Using Identical Testing and Exercises, Regardless of Delivery Modality, and GIAC Scores Indicate the Learning Outcomes are the Same Across Modalities.

The learning objectives, content, and student testing are identical for all STI students regardless of whether the student attends a Residential Institute or uses OnDemand or vlive training. To help students earn the high scores STI requires on the globally-standardized GIAC exams, the course coverage must be equally comprehensive across all modalities. Each instructor employs his or her own examples and experiences to make the material memorable and to give the students confidence that what they are learning is, in fact, effective in improving information security. But regardless of modality or instructor, GIAC test scores and student evaluations provide substantial evidence that the three modalities are providing equivalent value.

As discussed in Section 7, and further in subsections 11.4, 14.3 and 14.4, GIAC exam scores are reviewed quarterly for each STI student, and no particular patterns have been noted regarding the relative impact of each course delivery modality. This judgment was due, however, to a series of individual quarterly judgments, and was not the result of an assessment over time. As part of our self-study process, we endeavored to evaluate exam performance data longitudinally in order to answer the question, "Does the choice of course delivery modality have an impact on measures of students' learning outcomes?" In other words, can we be confident that our distance learning options offer students an educational experience as effective as the in-person, residential institute experience? To answer this question, during self-study we analyzed 450+ GIAC exam scores received by STI students, relative to the course modality they had taken prior to the exam. The results of this analysis, shown in Figure 13.1, indicate that the modality of the course has no significant relative impact, on average, on the grades STI students achieve on subsequent GIAC exams.

Figure 13.1: GIAC Exam Results for STI Students, By Modality of Course Delivery

As shown, the average GIAC exam scores achieved by students who took their courses in-person at a Residential Institute, through OnDemand, and through vlive were 88.4, 89.4, and 87.7, respectively.[5] The students who took their courses through our OnDemand system actually achieved slightly higher average scores, although these results are not statistically significant. We believe this is a result of both the quality of the delivery technology and process, as well as the fact that we typically employ our highest-rated faculty in the OnDemand versions of our courses. These data represent a mix of all the certification exams and courses taken by STI students, but the absence of any significant impact of course modality on exam scores is also seen when analyzing individual exam results, albeit with fewer data points available for analysis, as shown in Figure 13.2:

Figure 13.2: Individual GIAC Exam Scores, by Delivery Modality Taken by Student
GIAC Exam | Associated Course | Delivery Modality: Res Inst | OnDemand | vlive
GSEC SEC 401 Average Grade: Count:
GCIA SEC 503 Average Grade: n/a Count: n/a
GCIH SEC 504 Average Grade: Count:

Quality of the Distance Learning Environment Is Continuously Assessed

STI maintains high standards for distance learning environments and holds its partner SANS to those same high standards. SANS has set up a quality-control and remediation program to ensure that distance learning is an equivalent experience to Residential Institute learning for its students. The quality of the distributed learning courses is assessed based on student feedback from their course evaluations posted (as a link) at the end of each section of the course. This information allows STI and SANS to assess and compare distance learning effectiveness module-by-module and target recommended improvements where they are most needed. In order to learn more about what could be improved, the SANS Quality Assurance Manager views every student evaluation and contacts each student who rates a course module below an established threshold or expresses a resolvable concern.[6]

[4] A demonstration of an OnDemand course will be available in on-site Resource Room.
[5] Figure 13.1 is based on 455 GIAC exams, of which 327, 104, and 24 of the exams are associated with students who took the associated course through a Live/Residential Institute, OnDemand, or vlive experience, respectively. An analysis of these data confirmed that there are no statistically significant differences in the exam scores of students who took the relevant courses through OnDemand or vlive, relative to the scores of those who took them in-person at a Residential Institute.
[6] S.E. 7.6: OnDemand and vlive Distributed Learning Executive Analysis Presentation
Table 13.1 shows the average of all ratings given year-to-date to our OnDemand and vlive offerings by all SANS students, based on a 1-5 scale.

Table 13.1: Student Ratings by Category for vlive and OnDemand
Student Ratings by Category, Jan - May, 2013
Category | vlive 2013 Avg | OnDemand 2013 Avg
Course Content | 4.70 | 4.41
Labs Ease of Use | 4.61 | 4.24
Labs Value | 4.73 | 4.38
Teaching Skill | 4.75 | 4.52

As shown, the average ratings for all course components are very satisfactory on an absolute scale. As importantly, these numbers compare favorably to the ratings received at live conferences. For example, the average rating for Teaching Skill given to all Certified SANS Instructors at Network Security 2012, one of SANS' largest Residential Institutes, was 4.67, slightly lower than the rating given for the vlive experiences (4.73) and only a little higher than the ratings given from the OnDemand experience (4.52). During 2013, vlive students have been asked to rate the overall value of their courses, and their average response of 4.70 was higher than the average response (4.52) for the mix of courses given at Network Security Lastly, 99.95% of vlive students asked during this period "Would you recommend this course?" answered affirmatively.

All student contacts and requests for new features or changes are logged, and this information is shared with course authors, instructors, and STI staff. Additionally, the SANS Quality Assurance Manager oversees quality-control checking of all courses prior to publication/posting for registration to ensure that they meet the standards that have been set before the course goes live for enrollment.

[7] OnDemand students were not asked this question during the period, because another question on player quality had been substituted in its place.
This constant assessment process has led to many opportunities to improve the distance learning environments. Examples of some of the interventions and improvements in 2012 were shown in Table 7.9, repeated below:

Table 7.9. Actions Taken to Improve Distance Learning, 2012
Trigger | Analysis | Hypothesis | Implementation | Post-analysis
Browser technology update | Browser add-ins were examined | JAVA program caused issues | V4 of OnDemand interface implemented | Student experience scores have increased
Discovered textbook versions out of sync | Worked with web team to examine order process | Multiple versions in inventory caused selection issue | Linked text version to course audio on ordering | Five months of registration monitoring showed no repeat of issue
Students dissatisfied with course Q&A | Review of course audio Q&A revealed faculty not consistently repeating questions | Proposing that multidirectional microphones may solve problem | Pending | Pending
Lab scores lower in distributed than in traditional classes | Interview with students to understand interaction with labs | Downloading to student's variety of computers leads to variable operational issues | Supplemental lab installation documentation being developed | Pending
Speakers too fast for vlive environment | Reviewed lectures of fast speakers in distance environment for confirmation | Some faculty unaware of needs for different pacing in streaming environment | Tips and tricks document prepared for vlive faculty training before first course | Under way

Understanding the Current Availability of Distance Learning Options and Potential Expansion Following Accreditation

As mentioned in several other sections of our self-study, distance learning options represent an important medium by which our students take courses, and use of this medium has been associated with enabling a faster pace of study untethered to the time or cost requirements associated with the attendance at a Residential Institute.
If we desire to increase the average pace of student progress, it follows that we must assess the availability of these options for our students. Table 13.3 represents the availability of courses in the MSISE program through SANS's vlive or OnDemand mechanisms.
Table 13.3: Distance Learning Options for MSISE Courses, Second Half of 2013
Course | OnDemand? | vlive Course Scheduled (June, July, Aug, Sep, Oct, Nov, Dec, Jan 2014)
Core/Required
MGT 305 | No | (Unavailable)
SEC 401 | Yes | Aug 5 - Sep 11
MGT 433 | No | (Unavailable)
SEC 503 | Yes | Nov 5 - Dec 12
SEC 504 | Yes | Nov 4 - Dec 11
MGT 525 | No | (Unavailable)
MGT 421 | Yes | (Unavailable)
MGT 566 | Yes | Jul 8 - Aug 7; Dec 2 - Jan 15
Electives
Aud 507 | Yes | Sep 2 - Oct 16
DEV 544 |  | Jul 15 - Aug 7
DEV 544 |  | Nov 4-27
FOR 408 | Yes | Oct 7 - Nov 13
FOR 526 |  | Dec 3 - Jan 16
FOR 610 | Yes | Oct 14 - Nov 20
SEC 542 | Yes | Dec 3 - Jan 23
SEC 560 | Yes | Sep 24 - Oct 31
SEC 575 |  | Nov 11 - Dec 18
SEC 617 | Yes | Jun 24 - Jul 24
SEC 642 |  | Jul 23 - Sep 3

Analysis of Table 13.3 indicates that (1) all of the larger, 5-6 day core SEC (Security) courses are available at any time through the OnDemand service, or at least once over a period of six months through a vlive offering in the evenings, and (2) many other electives are available during the next six-month period, either via OnDemand or through a scheduled vlive course. However, the table also shows that SANS does not currently offer MGT 305, MGT 433, MGT 525, or MGT 421 in the vlive format, and of these, only MGT 421 is available OnDemand. This latter group of four courses represents six of the 34 credits required in the MSISE curriculum, half of which are solely MGT 525 (a three-credit course). While these courses represent only about a sixth of the total credits required, STI will work with SANS to increase the ease with which STI students can take these courses outside of Residential Institutes. (Not shown in the table is the fact that MGT 433 is offered via Simulcast at each of the largest five Residential Institutes, which eliminates a student's need to travel but would still require the person to take a day off from work to sit in live at a distance.)
Options include presenting these four courses through the OnDemand format or enrolling students after accreditation in cohorts of sufficient size to justify a dedicated vlive class or series of classes.
Attachment G-3: Instructor Tips for Distance Courses

Instructor Guidelines for SANS Simulcast Classes

Simulcast Support Team
Sales: Project Manager: Accounting: Marketing: Brian Correia Daryl Gilbertson Eva Hoopii Steve Peterson Scott Hazen Debbie Mueller Steve Peterson Cara Mueller Steve Peterson Scott Hazen
vlive! Support: Steve Peterson (630) Scott Hazen (773) Rich Fifarek (303) Alex Bass (518)
vlive Support NOC On Call: ext. 7

What to Expect
During a SANS Simulcast you will be teaching to live students in the same room as you AND to students at remote locations. To accomplish this, your on-site moderator will log into GoToTraining and our system will capture everything that is projected in the classroom. You will also wear a wireless microphone to transmit your voice to remote students. The moderator will also set up a webcam and broadcast video from the classroom. We highly encourage the use of video but if you do not want video to run in your class, please contact the Simulcast staff.

SANS Simulcasts are supported by the OnSite and vlive! teams. The OnSite team will take the lead with most sales issues, while the vlive! team will provide most of the support during class. While you are teaching you will have one or more vlive! moderators in the vlive! virtual classroom to provide assistance with labs and logistics.

All day classes will be broken into two sessions: morning and afternoon. When you break for lunch please remind all students to log out of GoToTraining and to log into the afternoon session when they return. You will also need to do the same thing, so please return from your lunch break a few minutes early.

The key to teaching a successful vlive! Simulcast is to always remember that you are teaching remote students; keep them engaged by promptly responding to their questions and periodically addressing them directly ("Before we move on, are there any questions from our remote students?").
Advance Planning
The vlive! and OnSite teams will schedule a planning call with the customer points of contact two weeks before the course; please plan on attending this call. The AV kit, which contains all necessary equipment for the Simulcast, will be shipped to the Simulcast location prior to class. The vlive! support team will set up the audio equipment and test the setup with you. This test is critical to the success of the simulcast session and must be completed prior to starting class.
o If it is possible, plan to do the audio testing the day before class starts. If this is not possible please make sure you arrive 2 hours early on the first day of class to complete the audio setup.
The vlive! team will introduce you to the virtual moderator that will be working the classroom. This moderator is a SANS employee who is there to assist with the running of the Elluminate platform, running labs and assisting with student questions. Many instructors prefer that the moderator relays questions from the virtual students by raising their hands and reading the question.

Audio Tips
Do not wear your cell phone on your belt next to the transmitter or lay it next to the receiver by the laptop. Your cell phone and student cell phones can create interference. You may need to disable Bluetooth functionality on your phone if it is causing buzzing. Leave your wireless microphone on at all times, but turn off your GoToTraining audio during breaks. To do this, simply ask your on-site moderator to mute you on the Simulcast laptop. ALWAYS repeat comments and questions from students at your location; remote students can hear you, but all other sound will be muffled or inaudible.

Starting Class
When it is time to start class, your moderator will start the recording and give you a signal that everything is ready on the remote side. After the moderator has turned the class over to you, introduce yourself and briefly explain to students how the Simulcast class will work.
It is important to make the remote and on site students aware of each other. Identify and welcome each remote site by name. A roster with the remote sites and student counts will be provided to you. Please encourage remote students to participate by typing their questions and comments into the Chat window. Directing questions about class material to the virtual students can also help to keep them engaged throughout the class. The moderator will relay any questions from the online students to you. Discuss any other housekeeping items as needed (timing of breaks, confirming that VMWare is installed, etc.).

The SANS Promise is That You Will Be Able To Apply Our Training the Day You Get Back to the Office.

Teaching Tips
ALWAYS repeat comments and questions from students at your location; remote students can hear you, but all other sound will be muffled or inaudible. If you need to discuss issues that students should not see, please use the Organizers Only or private message chat option as your means of communication. Address remote students often to ensure they feel like they are part of the class; remote students become passive listeners if they are not actively engaged. All scripts, videos, demos, etc. that you wish to show to students must be shared with GoToTraining's application sharing feature. Remote students' systems (and your host's network) can be slowed down if you send very large files. If a file is necessary for class try to send it before class or during a break. If it is not course-related (e.g. music while on break), consider not sending it. Use the GoToTraining timer when breaking from lecture so remote students know when class will be resuming; tell the moderator how many minutes you would like and they will set up the timer for you. When breaking for lunch, please explain to students that they will need to log out of the morning session and log into the afternoon session upon their return. Allow plenty of time to log into GoToTraining when arriving in the morning or returning from lunch. Depending on the location, you may have to extend the lunch break. Conduct a quick audio check after each break and lunch to confirm that your microphone is on and that your remote students can hear you.

Suggested Best Practices
Jason Fossen:
o Each day I used a second laptop to log onto vlive as an attendee so that I could see how fast my application sharing window was updating its screen. It was also useful for checking the sound, video and file sharing features. I granted my other account moderator status so that, in case my primary laptop had an issue, I could switch over to the secondary and continue teaching.
o New vlive instructors (or new laptops for prior instructors) should go through the setup and test process before flying on-site; there won't be enough time to fix any problems like these the morning of.
o Return early after lunch to log back into GoToTraining
o Make sure your internet connection is wired and not shared by the students.
o Make sure to have the vlive emergency contact info on hand.
o The instructor should have the slides to teach the course on his/her laptop in case the slides in the vlive system are missing, wrong or have any problems.
Jason Lam:
o Make sure that the OnSite students are aware of the virtual students.
o Be available for remote students before or after class in the Elluminate Office session.
o Depending on the class size and your teaching style you might need longer than usual to prepare for class (questions, demos, labs).
o Have the moderator type names of products, vendors or URLs etc. in the chat for the virtual students.
Attachment G-4: OnDemand QA Executive Summary

1. OnDemand YTD Scores (non-weighted and weighted averages)

Month # Resp Course Eval Teaching Skill Course Content Player Labs Overall Value of Labs Ease of Use Labs Virtual Mentor # VM Resp Total Pts. % Total Pts.
Jan % Feb % Mar % Apr % May % Jun % Jul % Aug % Sep % Oct (True Avg) % Nov (True Avg) %

Non-weighted scores are an average of the averages of all the category scores (i.e. sum the column for all courses/number of evals). The True Avg scores here take into account that some course averages are more meaningful (i.e. the average score in any category for SEC504 is more statistically relevant than the same score in MGT442). True Avg is calculated: course's avg category score X # responses for course/total responses.

New data point this month: % Total Pts. This last column, % Total Points, gives a school-style score to a month and is calculated based on this formula: total points scored (via average) divided by total points possible (80 10's in categories). It's not actionable on its own but does a good job of establishing an historical performance range (low of 83% and high of 91%) as well as helping to set realistic goals for increasingly improved performance with the reality of the historical range in mind.

2. Responses to issues raised in October Summary
ReQC of SEC504 assigned results/decision pending.

3. Discoveries/resolutions from November
We made two discoveries this month with regard to external supports that could have a positive impact on OnDemand quality:
a. Dedicated Web Team support: It can take up to two days for a course to be posted (by the Web Team) once we have it ready to publish. Additionally, other maintenance and triage tasks seem to take longer than they might if there were a dedicated OnDemand point person on the Web Team.
b. At least one student this month was negatively affected by a slow response time by the Virtual Lab Team.
Given all the investment we are putting into improving the lab experience for OnDemand students, additional support here would also be beneficial.

Save of the Month [name withheld] [name withheld] is enrolled in SEC401 and scored Sections 4-6 at 7.57 with both complaints and suggestions about the labs. His comments seemed mostly positive but scores were low. KC had been in touch with him in August (Wrote that he is pleased with course but that he scored low on labs because he thinks they can be better) and followed up via e-mail and he responded: apologize for the (very) delayed response. I am extremely impressed with the response to feedback. All of my issues have been resolved (the skipping of the evaluation, and my issues with what slide I am on being saved). I also really like the new lab videos, it is a much more helpful introduction.
4. Action items for December and forward

Per the ReQC protocol:
No Red Card courses
Yellow Card (ReQC): FOR508 (course eval score = 7.33 with responses)
o FOR508: This is FOR508's performance in 2012: The break in the line represents the month of July when this course was pulled for updating. November's score is only informed by 3 evals. Student issues are limited to one student who submitted multiple low-score evals with no qualitative feedback and one student who wrote, "The instructor kept referencing portions of the slides as he was talking to the class. However, the ondemand student cannot see which areas he was referring to." Due to the complexity of this course, it will be necessary to engage the Virtual Mentor team (Matt Austin and Brandon Greenwood) to solicit their expertise/recommendations regarding opportunities for improvement in addition to the standard reqc process.
Cross BU Compare: SEC566 (8.33), FOR610 (8.69)
o SEC566 (course eval score = 8.33 with 9 evals): There was a problem with the LO Map for this course that negatively affected how quiz questions were served up and it created major frustration for a few students. The problem was corrected (and in one case, a student's money was refunded). Overall performance for the year (2102 Course Eval avg is 9.08) is excellent. Because this course requires exact mapping to the 20 Critical Controls, one takeaway is that this course requires extra-special vigilance to make sure Sections and Modules are structured correctly prior to release and that any functions that bridge off the LO Map are flagged if a structure-related problem surfaces (i.e. outlines, outcome statements, quiz questions)
o FOR610 (course eval score = 8.69 with 1 evals): The OnDemand course score is in line with conference. Lenny does a bit better in person than in OnDemand (expected, he has great live energy) but the OnDemand course actually beats a non-author instructor.
The 201 YTD average score for Course Eval is 9.36 and FOR610 has some of the highest lab scores across all OnDemand courses
Attachment H-1: Faculty List

Core program faculty involved in designing and maintaining the program, in addition to having major teaching responsibilities.

Name: Dr. Johannes Ullrich
Most Advanced Degree: Ph.D. Physics, SUNY Albany
Field of Experience: Information Security Research Expert. See details below.
Courses Taught: ISE 5400 Advanced Network Intrusion Detection & Analysis; ISE 6615: Defending Web Applications Security Essentials

Dr. Johannes Ullrich is Dean of Research and a program faculty member of SANS Technology Institute. Johannes also serves on the following SANS Technology Institute committees: Long Range Planning; Curriculum, Academic and Student Affairs. As Chief Research Officer for SANS, Dr. Ullrich is responsible for the SANS Internet Storm Center (ISC) and the GIAC Gold program. He founded DShield.org in 2000, which is now the data collection engine behind the ISC. His work with the ISC has been widely recognized, and in 2005, SC Magazine named him one of the 5 most influential IT security thinkers in the networking industry.

Name: Toby Gouker
Most Advanced Degree: Ph.D. Information Systems Management.
Field of Experience: Technology Services; Higher Education Management. IT Enabled Change Management
Courses Taught: ISE/M 5000 Research & Communications Methods; ISE/M 5500 & 5900: Research Presentation 1&2; ISE/M 5700: Situational Response Practicum; ISE/M 6100 Security Project Practicum; ISE/M 6900 Information Security Fieldwork.

Dr. Toby Gouker is the Chief Academic Officer of the SANS Technology Institute, and a member of the Program Faculty. Toby has extensive experience in building and operating graduate school programs for working adults.
He served as the Executive Director for National Technological University, where he led the transition from a satellite-based delivery modality to a web-based program, and coordinated contract courseware development with the best and brightest faculty from across the country in engineering and technology fields. Toby led the turnaround of American Graduate University's programs in federal contracting by developing infrastructure for recruiting and student information, and developing process and procedure for content delivery and student retention. Toby also started the Lyman Spaulding Institute for the US Pharmacopeia, establishing education and training centers in China, India and Brazil as well as online and US-based teaching facilities. Before beginning his career in higher education, Toby held a variety of leadership positions in technology-focused firms including agricultural biotechnology, synthetic fuels, pharmaceuticals, and pollution control.

Name: Dr. Eric Cole
Most Advanced Degree: DPS, Information Technology, Pace University
Field of Experience: Information Security Expert. See details below.
Courses Taught: ISE/M 5100 Enterprise Information Security; ISE/M 6000 Standards Based Implementation of Security; ISE 6215 Advanced Security Essentials.

Dr. Eric Cole is the Program Director for the MSISE program, program faculty member, general faculty advisor, and he teaches, maintains and develops courseware. Dr. Cole is an industry-recognized security expert with over 20 years of hands-on experience. Dr. Cole has experience in information technology with a focus on helping customers focus on the right areas of security by building out a dynamic defense. Dr. Cole has a master's degree in computer science from NYIT and a doctorate from Pace University with a concentration in information security. He served as CTO of McAfee and Chief Scientist for Lockheed Martin. Dr. Cole is the author of several books, including Advanced Persistent Threat, Hackers Beware, Hiding in Plain Sight, Network Security Bible 2nd Edition, and Insider Threat. He is the inventor of over 20 patents and is a researcher, writer, and speaker. He is also a member of the Commission on Cyber Security for the 44th President and several executive advisory boards. Dr. Cole is the founder and an executive leader at Secure Anchor Consulting where he provides leading-edge cyber security consulting services, expert witness work, and leads research and development initiatives to advance the state-of-the-art in information systems security.

Name: Stephen Northcutt
Most Advanced Degree: Bachelor of Science, Mary Washington College
Courses Taught: ISE/M 5000 Research & Communications Methods; ISM 5100 Enterprise Information Security; ISM 5400: IT Security Planning, Policy, and Leadership; ISE 5500/5900: Research Presentations 1 & 2; ISE/M 5700 Situational Response Practicum; ISE 5600 IT Security Leadership Competencies; ISE 6100 Security Project Practicum; ISE 6900 Information Security Fieldwork.

Stephen Northcutt founded the GIAC certification and served as president of the SANS Technology Institute. Stephen is author/coauthor of Incident Handling Step-by-Step, Intrusion Signatures and Analysis, Inside Network Perimeter Security 2nd Edition, IT Ethics Handbook, SANS Security Essentials, SANS Security Leadership Essentials and Network Intrusion Detection 3rd Edition. He was the original author of the Shadow Intrusion Detection system before accepting the position of chief for information warfare at the Ballistic Missile Defense Organization. Stephen is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a Navy helicopter search and rescue crewman, white water raft guide, chef, martial arts instructor, cartographer, and network designer.
Since 2007 Stephen has conducted over 40 in-depth interviews with leaders in the security industry, from CEOs of security product companies to the most well-known practitioners, in order to research the competencies required to be a successful leader in the security field. He maintains the SANS Leadership Laboratory, where research on these competencies is posted, as well as SANS Security Musings. He leads the Management 512 Alumni Forum, where hundreds of security managers post questions. He is the lead author/instructor for Management 512: SANS Security Leadership Essentials for Managers, a prep course for the GSLC certification that meets all levels of requirements for DoD Security Managers per DoD

Name: Ed Skoudis
Most Advanced Degree: M.S., Information Networking, Carnegie Mellon University; and B.S. Electrical Engineering, University of Michigan, Summa Cum Laude.
Field of Experience: Incident Handling, Expertise in Hacker Attacks and Defenses, Information Security Industry, and Computer Privacy Issues. See details below.
Courses Taught: ISE 5200 Hacking Techniques & Incident Response; and also ISE 6320: Network Penetration Testing and Ethical Hacking

Ed Skoudis is the founder of Counter Hack, an innovative organization that designs, builds, and operates popular infosec challenges and simulations including CyberCity, NetWars, Cyber Quests, and Cyber Foundations. As director of the CyberCity project, Ed oversees the development of missions which help train cyber warriors in how to defend the kinetic assets of a physical, miniaturized city. Ed's expertise includes hacker attacks and defenses, incident response, and malware analysis, with over fifteen years of experience in information security. Ed authored and regularly teaches the SANS courses on network penetration testing (Security 560) and incident response (Security 504), helping over three thousand information security professionals each year improve their skills and abilities to defend their networks.
He has performed numerous security assessments; conducted exhaustive anti-virus, anti-spyware, Virtual Machine, and IPS research; and responded to computer attacks for clients in government, military, financial, high technology, healthcare, and other industries. Previously, Ed served as a security consultant with InGuardians, International Network Services (INS), Global Integrity, Predictive Systems, SAIC, and Bell Communications Research (Bellcore). Ed also blogs about command line tips and penetration testing. Ed also serves on the Board of Directors of SANS Technology Institute.

Name: Lenny Zeltser
Most Advanced Degree: M.B.A. from M.I.T.
Field of Experience: Security. See details below.
Courses Taught: Lenny teaches ISE 6460: Malware Analysis and Reverse Engineering

Lenny Zeltser is a seasoned business leader with extensive experience in information technology and security. As a product management director at NCR Corporation, he focuses on safeguarding IT infrastructure of small and mid-size businesses world-wide. Before NCR, Lenny led the enterprise security consulting practice at a major IT hosting provider. He also teaches digital forensics and malware courses for the SANS Institute, where he is a senior faculty member. In addition, Lenny is a Board of Directors member at SANS Technology Institute and a volunteer incident handler at the Internet Storm Center. Lenny's expertise is strongest at the intersection of business, technology, and information security practices and includes incident response, cloud services, and product management. He frequently speaks at conferences, writes articles, and has co-authored books on network security and malicious software defenses. Lenny is one of the few individuals in the world who've earned the prestigious GIAC Security Expert designation. He has an MBA degree from MIT Sloan and a Computer Science degree from the University of Pennsylvania.

Name: Benjamin Wright
Most Advanced Degree: JD, Law, Georgetown University Law Center
Field of Experience: Legal Issues. See details below.
Courses Taught: ISM 5600 Law of Data Security and Investigations

Benjamin Wright is the author of several technology law books, including Business Law and Computer Security, published by the SANS Institute. With 26 years in private law practice, he has advised many organizations, large and small, on privacy, e-commerce, computer security, and discovery and has been quoted in publications around the globe, from the Wall Street Journal to the Sydney Morning Herald. Mr. Wright is known for spotting and evaluating trends, such as the rise of whistleblowers wielding small video cameras.
In 2010, Russian banking authorities tapped him for experience and advice on the law of cyber investigations and electronic payments. Wright maintains a popular blog at

Name: Rob Lee
Most Advanced Degree: M.B.A. Georgetown University, Washington D.C.; B.S. Space Operations Engineering, U.S. Air Force Academy
Field of Experience: Forensics. See details below.
Courses Taught: ISE 6425: Advanced Computer Forensic Analysis and Incident Response and ISE 6420: Computer Forensic Investigations Windows.

Rob Lee is an information security entrepreneur and consultant in the Washington, DC area, specializing in information security, incident response, and digital forensics. Rob is currently the curriculum lead and author for digital forensic and incident response
training at the SANS Institute in addition to owning his own firm. Rob has more than 15 years of experience in computer forensics, vulnerability and exploit discovery, intrusion detection/prevention, and incident response. Rob is currently the program lead for STI's post-baccalaureate program in Incident Response. Prior to starting his own firm, he directly worked with a variety of government agencies in the law enforcement, U.S. Department of Defense, and intelligence communities as the technical lead for a vulnerability discovery and an exploit development team, lead for a cyber forensics branch, and lead for a computer forensic and security software development team. Rob co-authored the book Know Your Enemy, 2nd Edition. Rob earned his MBA from Georgetown University in Washington DC. He was awarded the Digital Forensic Examiner of the Year from the Forensic 4Cast Awards. Rob is an ardent blogger about computer forensics and incident response topics at the SANS Computer Forensic Blog. Rob is also a co-author of the MANDIANT threat intelligence report M-Trends: The Advanced Persistent Threat.

Name: Jeff Frisk
Most Advanced Degree: BS, Engineering, Rochester Institute of Technology
Field of Experience: Engineering, Project Management.
Courses Taught: ISM 5800 IT Security Project Management

Jeff Frisk currently serves as the director of the GIAC certification program and is a member of the STI Curriculum, Academic, and Student Affairs Committee. Jeff holds the PMP certification from the Project Management Institute and GIAC GSEC credentials. He also is a certified SANS instructor and course author and instructor for ISM 5800 IT Security Project Management. He has worked on many projects for SANS and GIAC including courseware, certification and exam development.
Jeff has an engineering degree from The Rochester Institute of Technology and more than 15 years of IT project management experience with computer systems, high tech consumer products, and business development initiatives. Jeff has held various positions including managing operations, product development, electronic systems/computer engineering. He has many years of international and high-tech business experience working with both big and small companies to develop computer hardware/software products and services.

Name: David Hoelzer
Most Advanced Degree: B.S. in Information Technology, Summa Cum Laude.
Field of Experience: Intrusion Detection and Auditing. See details below.
Courses Taught: ISE 5000 Research & Communications Methods; ISM 6200 Auditing Networks, Perimeters and Systems

David Hoelzer is a high-scoring SANS Fellow instructor and author of more than twenty sections of SANS courseware. He is an expert in a variety of information security fields, having served in most major roles in the IT and security industries over the past twenty-five years. Recently, David was called upon to serve as an expert witness for the Federal Trade Commission for ground-breaking GLBA Privacy Rule litigation. David has been highly involved in governance at SANS Technology Institute, serving as a member of the Curriculum Committee as well as Audit Curriculum Lead. As a SANS instructor, David has trained security professionals from organizations including NSA, DHHS, Fortune 500 security engineers and managers, various Department of Defense sites, national laboratories, and many colleges and universities. David is a research fellow in the Center for Cybermedia Research and also a research fellow for the Identity Theft and Financial Fraud Research Operations Center (ITFF/ROC). He also is an adjunct research associate of the UNLV Cybermedia Research Lab and a research fellow with the Internet Forensics Lab. David has written and contributed to more than 15 peer reviewed books, publications, and journal articles. Currently, David serves as the principal examiner and director of research for Enclave Forensics, a New York/Las Vegas based incident response and forensics company. He also serves as the chief information security officer for Cyber-Defense, an open source security software solution provider. In the past, David served as the director of the GIAC Certification program, bringing the GIAC Security Expert certification to life. David holds a BS in IT, Summa Cum Laude, having spent time either attending or consulting for Stony Brook University, Binghamton University, and American Intercontinental University.

Name: Jim Voorhees
Most Advanced Degree: Ph.D., Advanced International Studies, Johns Hopkins University
Field of Experience: IT Security
Courses Taught: ISE/M 5700: Situational Response Practicum; ISE/M 6100 Security Project Practicum

Jim Voorhees was named MSISM Program Director of SANS Technology Institute (STI) in November A graduate of STI, Dr. Voorhees has had a varied career in government and private industry. He earned his Ph.D. from the Johns Hopkins School for Advanced International Studies after earning degrees in International Affairs from the George Washington University and working on the editorial staff of the International Food Policy Research Institute. After writing a book for the Kettering Foundation (Dialogue Sustained) and experience with Kettering, the Congressional Research Service, and IREX, Dr. Voorhees entered the IT industry as a technical writer; he quickly moved on to systems administration, then IT security and SANS. He has worked on security at several government agencies, including the FBI and the IRS, and currently works for Sage Management as a Network Security Engineer on a DOD contract.

A list of all current teaching faculty can be found at

TABLE 1: RESOURCES:
Resource Categories    Year 1    Year 2    Year 3    Year 4    Year 5
1. Reallocated Funds
2. Tuition/Fee Revenue (c + g below)
   a. Number of F/T Students
   b. Annual Tuition/Fee Rate
   c. Total F/T Revenue (a x b)
   d. Number of P/T Students
   e. Credit Hour Rate
   f. Annual Credit Hour Rate
   g. Total P/T Revenue (d x e x f)
3. Grants, Contracts & Other External Sources
4. Other Sources
TOTAL (Add 1-4)

TABLE 2: EXPENDITURES:
Expenditure Categories    Year 1    Year 2    Year 3    Year 4    Year 5
1. Faculty (b + c below)
   a. # FTE
   b. Total Salary
   c. Total Benefits
2. Admin. Staff (b + c below)
   a. # FTE
   b. Total Salary
   c. Total Benefits
3. Support Staff (b + c below)
   a. # FTE
   b. Total Salary
   c. Total Benefits
4. Equipment
5. Library
6. New or Renovated Space
7. Other Expenses
TOTAL (Add 1-7)

Attachment K-3: Resources and Expenditures Narrative

Maryland Higher Education Commission Academic Program Proposal

FINANCE DATA: PROPOSALS

Finance data for the first five years of program implementation are to be entered in Table 1 Resources and Table 2 Expenditures. Figures should be presented for five years and then totaled by category for each year. As an attachment, narrative explanation must accompany each table. Below is the format for both tables as well as directions for entering the data and writing the accompanying narrative.

TABLE 1: RESOURCES

1. Reallocated Funds
Data: Enter the amount of funds for the first five years of implementation that will be reallocated from existing campus resources to support the proposed program. This would include funds reallocated from the discontinuance or downsizing of academic programs.
Narrative: STI does not anticipate reallocating funds to the MSISM program.

2. Tuition and Fee Revenue
Data: Enter the estimated tuition and fee revenue that will be directly attributable to students new to the institution enrolled in this program each year. The revenue should be calculated by multiplying the tuition rate by the projected annual FTE enrollment.
Narrative: Because the program is currently being offered, we are starting with a base student enrollment of 15 students for the MSISE program. Enrollment projections are year-end estimates. STI anticipates admitting 20 new students to the MSISM program per year starting by year 2 (our current rate of new student enrollment). We have accounted for an 80% graduation rate in total headcount numbers, anticipating 10% of students to withdraw each year in the 3-year program. This results in a steady-state number of MSISM students of 54 in years 4 and 5, for purposes of these projections. Tuition rate is set at the current average annual total cost, with an assumption included for students who progress at a slower pace than target, and rises at 3% per year.
Because students are expected to enroll in the program full-time (meaning, earning twelve credit hours in each of the three years they are in the program), we included all student tuition and fee revenue on the Full-time rows, and none on the Part-time rows, even though we charge tuition per credit hour.

3. Grants and Contracts
Data: Enter the amount of grants, contracts or other external funding which will become available each of the five years as a direct result of this program.
Narrative: Currently the MSISM program does not anticipate any grants or contracts that will bring in resources.

Conditional approval may be granted to a proposal that is dependent on grant funds that have not been officially awarded at the time of proposal submission, but in which substantial evidence has been provided to indicate a favorable review and an impending grant award is imminent. Under these conditions, program approval may be granted for a twelve-month period. During this period, the program may not be implemented. Full program approval is granted only after funding documentation is accepted. Under extraordinary circumstances, a one-time extension to conditional approval may be granted to an institution that provides compelling information to warrant an extension.

4. Other Sources
Data: Enter any additional funds from sources other than in 1, 2, and 3 that have been specifically designated for the program.
Narrative: Currently we do not anticipate any other sources of additional funds for the MSISM program.

5. Total Year
Data: Total the financial resources that will be available for each year of program implementation. Include cumulative as well as one-time resources.
Narrative: Expected student enrollments and engagement, together with tuition price increases in-line with inflation, result in annual revenues from the MSISM program expanding from $199,750 in year 1 to $812,350 in year 5.

Maryland Higher Education Commission Academic Program Proposal Guidelines

TABLE 2: EXPENDITURES

1. Faculty (# FTE, Salary, and Benefits): Enter (a) the cumulative number of new full-time equivalent faculty needed to implement the program each year, (2) the related salary expenditures, and (3) the related fringe benefit expenditures. (For example, if two new faculty members are needed, one in the first year and one in the second, the full-time equivalency, salary, and benefits for one member should be reported in Year 1, and the same information for both members should be reported in Year 2 and each successive year.)
Narrative: No changes are required to the current number or utilization of our current faculty in order to support this proposed program modification. STI program and teaching faculty teach in multiple programs at once, in addition to engaging in research and other activities. In order to create the appropriate allocations for the projections, we first evaluated the number of instructional hours required by the faculty to support the projected students, and then allocated both FTE time and expense to these projections. The SANS Technology Institute is able to manage the cost of expert faculty because they typically teach a class simultaneously to both graduate students and non-enrolled students, which allows the graduate school to benefit from the economies of scale gained by having faculty teach larger numbers of students alongside students in the MSISM program.

2. Administrative Staff (# FTE, Salary, and Benefits): Enter the cumulative number of new full-time equivalent administrative staff needed to implement the program each year, (2) the related salary expenditures, and (3) the related fringe benefit expenditures.
Narrative: No change in current or anticipated administrative staff costs is anticipated as a result of this program modification proposal.
The costs of administrative staff allocated for purposes of these projections cover executive leadership, enrollment management, student advising, and institutional effectiveness. Estimates were made for the proportion of full-time employees as allocated to the MSISM program, because the activities of all personnel are allocated to multiple programs and other activities.

3. Support Staff (# FTE, Salary, and Benefits): Enter the cumulative number of new full-time equivalent support staff needed to implement the program each year, (2) the related salary expenditures, and (3) the related fringe benefits expenditures.
Narrative: No change in current or anticipated support activities and staff is anticipated as a result of this program modification proposal. Expenses associated with support staff to administer the programs are considered either administrative staff and covered above, or are incorporated into the costs of our shared services agreement with the parent of the SANS Technology Institute, and included in other expenses.

4. Equipment: Enter the anticipated expenditures for equipment necessary for the implementation and continuing operation of the program each year.
Narrative: No change in equipment costs is anticipated as a result of this program modification proposal. Equipment necessary for administrative purposes is contracted through our parent company as part of our shared services agreement. Expenses related to this are accounted for in other expenses. Likewise, equipment for educational related activities (i.e., NetWars, virtual labs and exam management) is also covered under our shared services agreement and is accounted for in other expenses.

5. Library: Enter the anticipated expenditures for library materials directly attributable to the new program each year.
Narrative: No expenditures for library services are anticipated for the modifications made to existing programs.

6. New and/or Renovated Space: Enter anticipated expenditures for any special facilities (general classroom, laboratory, office, etc.) that will be required for the new program. As a footnote to the table or in attached narrative, indicate whether the renovation of existing facilities will be sufficient or new facilities will be necessary.
Narrative: No new and/or renovated space is required as part of this Proposal or for the implementation of the program over the projected time horizon.

7. Other Expenses: Enter other expenditures required for the new program. Attach descriptive narrative or provide footnotes on the table. Included in this category should be allowances for faculty development, travel, memberships, office supplies, communications, data processing, equipment maintenance, rentals, etc.
Narrative: No changes to or additional expenses are anticipated as a result of this proposed program modification.
Other expenses account for the approximately 15% of revenues that are paid to our parent company SANS Institute for services provided according to our memorandum of understanding/shared services agreement, including accounting, server maintenance, website maintenance and costs associated with running residential institutes. Other expenses also include direct costs for marketing, regulatory and miscellaneous expenses when those are not specifically done by the SANS Technology Institute.

8. Total Year: Add each expenditure (continuing and one-time) to indicate total expenditures for each year of operation.

Attachment L-1: Quarterly Learning Assessment Report

Q GIAC Exam Assessment Report (Summary)
Prepared by Matthew Scott
Director of Institutional Effectiveness
December 16,

Number of exams taken during the quarter and scores achieved by STI students individually.

12 exams taken. Performance information below.

ID Program Cert/Course Date Avg Event Instructor 1 MSISE GCIA/ SEC 503 9/17/13 80 SANS vlive Oct 12 U 2 MSISE GCIA/ SEC 503 9/20/13 93 OnDemand May SANSFIRE MSISE GCIH/ SEC 504 9/3/13 92 Washington, DC Jun 13 S 4 MSISE GCFE/ FOR 408 7/10/13 73 SANS Security West 2013 San Diego May 13 L GXPN/ SEC 5 MSISE 660 7/30/13 76 OnDemand Apr GWAPT/ SEC SANS Rocky Mountain 6 MSISE 542 9/10/ Denver, Co Jul 13 J 7 MSISE GCFA/ FOR 508 9/13/13 75 SANS Security West 2013 San Diego, Ca May 13 Challenge Sep 13 T 8 MSISE GSE 9/6/13 86 Challenge -- 1 MSISM GCIH/ SEC 504 8/5/13 87 SANS 2013 Orlando, FL Mar 13 Strand GSLC/ MGT 2 MSISM 512 7/8/13 93 SANS vlive May 13 D,H,N 3 MSISM G2700/ MGT 411 7/8/13 96 OnDemand Mar GLEG/ LEG SANS 2012 Orlando, FL 4 MSISM 523 7/9/13 91 Mar 12 W

2. Distribution of scores reflecting STI's 80% pass criterion and performance on items aligned with STI learning outcomes.

Please see table above. Three scores out of 12 exams taken received below 80 (range was between 73-76).

3. Analysis of possible achievement gaps across delivery methods and instructors

Out of 3 students who took an OnDemand course 67% scored above 80. Average score of exams for students who took the course through OnDemand is Two students took a course through the vlive platform and both scored above 80. Out of 12 exams taken, 41.6% of students took the SANS course through a distributed learning modality during Q3. Reviewers should respond if they notice any additional achievement gaps.

4. Analysis and reflection on content areas, including those aligned with program outcomes, for which two or more students receive 3 stars or less. If you are a reviewer with stars noted below, please reply to all with your thoughts.

n = Number of students who received 3 stars or less on an exam objective
% = Number of students who received 3 stars or less divided by total exams taken for that quarter

GCIH (SEC 504: Hacker Techniques, Exploits & Incident Handling) 2 Exam Scores Reviewed - Reviewer E
Incident Handling Phase 2 Identification    2 (100%)
Virtual Machine Attacks    2 (100%)

GCIA (SEC 503: Intrusion Detection In-Depth) 2 Exam Scores Reviewed - Reviewer J
Network Traffic Analysis    2 (100%)
Snort GUIs & Sensor Management    2 (100%)

Q GIAC Gold Rubric Score (Summary)
Prepared by Matthew Scott
Director of Institutional Effectiveness
December 16, 2013

The purpose of this report is to document the progress students are making towards achieving program learning outcomes and provide early indicators of outcomes trends that do not align with expectations.

1. Number of Gold papers completed by students and overall scores achieved

13 Gold papers published during Q3. Performance information below.

ID Program Cert/Course Date Score 1 MSISE GSEC/ SEC 401 9/17/ MSISE GSEC/ SEC 401 9/17/ MSISE GCIA/ SEC 503 9/17/ MSISE GCIH/ SEC 504 9/9/ MSISE GCIA/ SEC 503 9/6/ MSISE GCIA/ SEC 503 8/20/ MSISE GCIA/ SEC 503 8/19/ MSISE GSEC/ SEC 401 8/19/ MSISE GSEC/ SEC 401 8/8/ MSISE GSEC/ SEC 401 7/17/
ID Program Cert/Course Date Score 1 MSISM GSLC/ MGT 512 9/23/ MSISM GLEG/ LEG 523 8/6/ MSISM GCIA/ SEC 503 9/19/

Analysis and reflection on distribution of scores on rubric categories related to writing ability

For management focused papers 2 scores analyzed
Rubric category    Average
Content and Structure    9
Language    9
Referencing    9.5
Knowledge and Wisdom    8.5

For technical focused papers 11 scores analyzed
Rubric category    Average
Content and Structure    8.73
Language    8.73
Referencing    8.91
Knowledge and Wisdom    8.82

A score of 8-9 on the rubric categories analyzed has the following significance:

Content and Structure: Paper has good content and/or structure.
Language: Spelling is clean and good use of language.
Referencing: References are used where necessary and refer to original work.
Knowledge and Wisdom: Domain knowledge could only be found by hours of Internet searching as well as using books, periodicals and other sources, and represents an increase in the body of searchable knowledge available on the Internet after it is posted.

3. Analysis and reflection on distribution of rubric score categories related to general program learning outcome 5: Identify emerging information security issues, utilize knowledge of information security theory to investigate causes and solutions, and delineate strategies guided by evolving information security research and theory.

For management focused papers 2 scores analyzed
Rubric category    Average
Actionable Items    9.5
Framework-driven approach    9

For technical focused papers 11 scores analyzed
Rubric category    Average
Application of Technology    8.36
State of the art    8.27

A score of 8-9 on the rubric categories analyzed has the following significance:

Actionable Items: Paper provides a comprehensive set of actionable tips for planning, organizing, staffing, leading or directing, and controlling a group or organization.
Framework-driven Approach: A framework is a tiered approach that shows how individual actions fit together when you raise the level of abstraction. In conceptual modeling, we called that going from a model to a meta-model, or from a meta-model to a meta-meta-model. Consider a scenario where you may review log files, check IDS alerts, speak to users, look at help desk records, review netflows, check SIEMs, etc. All of these actions are separate operations, but
when you take a step back and adopt a higher level of abstraction, it becomes clear that they are all part of the identification phase. Making such relationships clear and having them logically interact with each other and apply some prescriptive guidelines is what I consider to be a framework. A score of 8-9 indicates the paper provides a framework that is well-aligned with the subject matter.
Application of technology: Paper provides guidance on how to apply technology and discusses benefits from using the chosen technology in specific terms.
State of the art: The technology discussed in the paper is state-of-the-art.

4. Note to committee regarding further assessment of general program learning outcome 4: Effectively communicate information security assessments, plans and actions for technical and nontechnical audiences/stakeholders.

In November STI established a work agreement with xx, a third party independent organization that provides writing assistance to students pursuing technical degrees. STI contracted the organization to conduct a review of published GIAC gold papers from STI students during The sample chosen was the first paper of a student's program of study typically related to the GSEC or GSLC certification exams, in addition to their leadership admissions essay. xx compared writing samples to identify whether a student's writing improved, remained static or regressed. J and T are currently reviewing the analysis completed and will make recommendations based on the results.
