[DRAFT] A Model Curriculum for Programs of Study in Information Security and Assurance
v. 6.0, February 2013 [DRAFT]

Michael E. Whitman, Ph.D., CISM, CISSP
Herbert J. Mattord, Ph.D., CISM, CISSP
KSU Center for Information Security, the Coles College of Business, Kennesaw State University
1000 Chastain Rd. MS 1101, Kennesaw, GA
(770) [email protected]

*A limited use license is granted to adopt parts of this curriculum for use in your institution. Specific permission is required to reproduce or republish this content. Contact the authors for additional details.

Note: Kennesaw State University was designated a National Center of Academic Excellence in Information Assurance Education by the National Security Agency and the Department of Homeland Security in 2004, 2007 and

Contents

- Introduction ... 6
- Statement of the Problem ... 6
- Goals and Objectives ... 8
- Approaches to Implementing Information Security Curricula ... 8
- Preliminary Work Completed
- Information Security Positions and Roles
  - CISO
  - Security Managers
  - Security Administrators and Analysts
  - Security Technicians
  - Security Staffer or Watchstander
- Update: The NICE Definitions of Security Roles and Responsibilities
  - Component 1: National Cybersecurity Awareness (Lead: Department of Homeland Security (DHS))
  - Component 2: Formal Cybersecurity Education (Co-Leads: Department of Education (DoED) and National Science Foundation (NSF))
  - Component 3: Cybersecurity Workforce Structure (Lead: DHS)
  - Component 4: Cybersecurity Workforce Training and Professional Development (Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS))
  - I. Securely Provision
  - II. Operate and Maintain
  - III. Protect and Defend
  - IV. Investigate
  - V. Operate and Collect
  - VI. Analyze
  - VII. Support
- Update: The Next Generation CAEIAE: National Centers of Academic Excellence in Information Assurance/Cyber Defense
- Information Security Professional Certifications
  - Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)
  - Global Information Assurance Certification (GIAC) Security
  - Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
  - Certified Forensics Investigator Certifications
- Established Standards, Models and Practices
  - ISO/IEC 27002/17799/BS
- Mapping Positions and Roles to Knowledge Areas
  - Mapping the CISSP Common Body of Knowledge
  - NSTISSC Training Standards
  - Mapping the CISSP Common Body of Knowledge to NICE
  - {Additional material to be added here as the NICE framework continues to evolve and disseminate}
- Defining the Focus of the Program
  - Managerial InfoSec Program
  - Technical InfoSec Program
  - Balanced InfoSec Program
- Levels of Mastery
- Determining Numbers of Courses Needed
- Mapping Mastery Depth to Courses
- Pilot Study
  - Principles of Information Security & Assurance
  - Technical Applications in Information Security & Assurance
- The Draft Curriculum Model
- Implementation of the Draft Curriculum Model
  - Number of Courses the Institution can Implement in InfoSec
- Certificate in Information Security and Assurance (ISA)
  - ISA 3100 Principles of Information Security and Assurance
  - ISA 3200 Technical Applications in Information Security and Assurance
  - ISA 3300 Policy and Administration in Information Security and Assurance
  - Project Presentations
- Bachelor of Science in Information Security and Assurance
  - Program Objectives
  - General Program Learning Objectives
  - Specific Program Learning Objectives
  - Major Electives
    - Business Electives
    - Criminal Justice Electives
    - CSIS Electives
    - Information Security Electives
    - Information Technology Electives
  - Sample Programs of Study
  - Development of the Degree Program
  - Textbooks used in the program:
    - ISA 3100: Principles of Information Security and Assurance (Intro to InfoSec). Chapters: Introduction to Information Security; The Need for Security; Legal, Ethical, and Professional Issues in Information Security; Risk Management; Planning for Security; Security Technology: Firewalls, VPNs, and Wireless; Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools; Cryptography; Physical Security; Implementing Information Security; Security and Personnel; Information Security Maintenance and eDiscovery
    - ISA 3200: Network Security (Technical InfoSec)
    - ISA 3300: Management of Information Security in a Global Environment
    - ISA 4330: Incident Response and Disaster Recovery, 2nd ed.
    - ISA 4350: Computer Forensics
    - Lab Manual used for a variety of ISA courses

    If you would like additional information on these books (i.e. how well they worked in the class, or what support materials are included), please contact us. All Course Technology texts include instructor's ancillaries, including PowerPoint slide shows, test banks, and instructor's guides.

- Bachelor of Business Administration in Information Security and Assurance
  - Program Description
  - Program Curriculum
  - Program Goals and Objectives (Note: Goals 1-4 are common to all BBA programs)
- Minor in Information Security and Assurance
  - Minor Curriculum
- Revision of Pilot Model
- Broader Impacts of This Proposal
- Evaluation Plan
  - Academic Information Security Peer Review
  - External Practitioner Review
- Dissemination
  1) Proceedings of the upcoming academic conferences
  2) Inclusion in PIs' texts
  3) Course University and Working Connections Series
  4) Publication through Educational Portals
  5) Posting on Regional Security Web Sites
  6) Recognition through NSA
  7) Publication in regional and national venues
- How you can help
- Appendix: Information Security Curriculum Development Procedures and Forms for use at your institution ... 126
  - I. Determine interest, scope and intent of the program
  - II. Determine stakeholder interest and guidance
  - III. Form the curriculum development committee
  - IV. Map desired positions to knowledge areas
  - V. Discuss the following constraints on the program
  - VI. Define program objectives
  - VII. Determine the level of mastery desired in the program
  - VIII. Determine the number of courses to offer
  - IX. Determine the prerequisite knowledge areas necessary to support the desired classes
  - X. Develop specific course learning objectives
  - XI. Define laboratory components and required resources
  - XII. Pilot test key courses
  - XIII. Refine and revise as needed

Kennesaw State University Center for Information Security Education ( / [email protected])

Introduction

Greetings! We would like to take this opportunity to thank you for allowing us to share our lessons learned in the development of information security curriculum. As part of our ongoing commitment to information security education, we have decided to formally compile our information into a single packet and provide it to any who seek it, without any requirements, associated costs or restrictions. As a courtesy, we ask that if you like what you see and would like to adopt the contents in whole or in part, you send us a letter indicating your intent. This allows us to maintain a contact within institutions that are adopting our curriculum and to gather feedback on its feasibility and use.

This document begins with pieces of the overall curriculum model as defined in an NSF proposal. We then continue through a discussion of the specific courses and programs implemented at Kennesaw State University, along with accompanying course materials. We conclude with the intended next steps in the development of this curriculum. We invite you to participate in this process by forwarding suggestions, constructive criticisms, and ideas to us at the address above or by e-mail to [email protected].

The following sections overview our experiences and findings in developing security curriculum. At the end of this discussion an abbreviated copy of our methodology is repeated with blank worksheets so that you may duplicate our process yourself.

Statement of the Problem

One of the continuing challenges facing society is the security and protection of information assets. Advances in information security (InfoSec) have been unable to keep pace with advances in computing in general [1]. Daily, press accounts report dramatic computer theft, fraud and abuse leading to extensive economic loss. Continuous attacks on the American IT infrastructure have highlighted the need for information security [2]. The annual CSI/FBI Computer Security survey highlights the high percentage of respondents who detected computer security breaches (usually in the 80-90% range), with the majority reporting significant financial losses due to these breaches. According to Dr. Joseph Bordogna, Deputy Director, National Science Foundation, in remarks at a June 2002 NSF Workshop: "The events of September 11 only accelerated longstanding concerns about the threat of cyberterrorism and the vulnerability of the nation's information systems and communications networks [...] Questions about the adequacy of the U.S. science, engineering, and technology workforce are also rising to a chorus. Reported shortages of skilled workers in the IT sector are only one example. The need we all recognize, for a cadre of professionals in computer security and information assurance, is right at the top of the list" [4].

Education in information security prepares IT students to recognize and combat information system threats and vulnerabilities [5]. The article "Integrating Security into the Curriculum" argues that an educational system that cultivates an appropriate knowledge of computer security will increase the likelihood that the next generation of IT workers will have the background needed to design and develop systems that are engineered to be reliable and secure [6]. The need is so great that the President of the US issued Presidential Decision Directive 63, the Policy on Critical Infrastructure Protection, in May 1998, which prompted the National Security Agency to establish outreach programs like the Centers of Academic Excellence in Information Assurance Education (CAEIAE). This program's goal is to reduce vulnerabilities in our National Information Infrastructure by promoting higher education in information assurance, and producing a growing number of professionals with IA expertise [7]. According to the US Government document The National Strategy to Secure Cyberspace, "Education and outreach play an important role in making users and operators of cyberspace sensitive to security needs. These activities are an important part of the solution for almost all of the issues discussed in the National Strategy to Secure Cyberspace" [8]. Even in the more recent national strategies, the U.S. International Strategy for Cyberspace (May 2011) and the Comprehensive National Cybersecurity Initiative (May 2009), there is a recognized national goal "To strengthen the future cybersecurity environment by expanding cyber education; coordinating and redirecting research and development efforts across the Federal Government; and working to define and develop strategies to deter hostile or malicious activity in cyberspace" [39].

There are two dominant technology curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards. The IS version of the standard specifies the need for an "IS Environment: 15 semester hours which must be a cohesive body of knowledge to prepare the student to function effectively as an IS professional in the IS environment", as well as 12 semester hours of advanced IS coursework [20]. The CS standard similarly provides for 16 hours of advanced CS course work. These courses could be used for InfoSec courses or programs. The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest professional technology organizations: the Association for Computing Machinery (ACM), the Association for Information Systems (AIS) and the Association for Information Technology Professionals (AITP).
IS 2002 "is a model curriculum for undergraduate degree programs in Information Systems and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an academic field, encompasses two broad areas: (1) acquisition, deployment, and management of information technology resources and services (the IS function); and (2) development and evolution of technology infrastructures and systems for use in organizational processes (systems development)." It also includes a detailed set of course descriptions and advice to "[those] who have a stake in the achievement of quality IS degree programs" [21]. The IS 2002 (and IS ...) guiding principles have been adopted and revised for this curriculum model development:

1) The model curriculum should represent a consensus from the InfoSec community.
2) The model curriculum should be designed to help InfoSec faculty produce competent and confident entry-level graduates well suited to workplace responsibilities.
3) The model curriculum should guide but not prescribe. Using the model curriculum guidelines, faculty can design their own courses.
4) The model curriculum should be based on sound educational methodologies and make appropriate recommendations for consideration by InfoSec faculty.
5) The model curriculum should be flexible and adaptable to most IS/CS programs [21].

Existing courses have been predominantly designed for graduate-level coursework [9,10], for computer science and engineering specific programs [5,11,24], or as pure practitioner-level training programs [12,13,14]. Even established curriculum bodies, like the Association for Computing Machinery (ACM) and the Accreditation Board for Engineering and Technology Computing Accreditation Council (ABET-CAC), do not have formal models established for curriculum in information security at the four-year level. The only recommendation that does exist resulted from a workshop sponsored by the NSF and the American Association of Community Colleges, resulting in the draft recommendation Protecting Information: the Role of Community Colleges in Cybersecurity Education [15]. This report serves as both a starting point for two-year institutions and as a reference for this project. The report provides details for community colleges to design curriculum focused on providing technical skills through training for the security technician, and hinges on the role of certification as an assessment tool. While supportive of the two-year institution's mission, this level of approach is inadequate for the mission of the four-year institution. The proposed model is designed to allow undergraduate Information Systems (IS) and Computer Science (CS) majors to move toward career fields that include and evolve through technical knowledge areas and into the management of information security, an area not usually addressed at the two-year level.

Goals and Objectives

This project is designed to increase the quality of baccalaureate-level information security education by creating a curriculum model in information security that provides students with the technical and managerial skills needed for the IT workforce. The curriculum can be adopted by other institutions with undergraduate technology degree programs as individual courses, minors or concentrations in information security. It is intended to provide adopters of the curriculum with the means to deliver a quality education with breadth and depth in the information security common body of knowledge. The curriculum will adapt current national standards for security training. Standards for training programs do presently exist, but there are no baccalaureate education models. The closest work available to support a standardized baccalaureate curriculum is The Role of Community Colleges described earlier. There is a clear lack of managerial and administrative education that this project will identify and develop.
Approaches to Implementing Information Security Curricula

There are five approaches to implementing information security curricula:

1. Elements added to existing courses. In this option, a number of existing courses can have an information security module added to reinforce the need to address information security at all junctures of organizational effort. This is a preferred technique and can be used in conjunction with other approaches. It is important to thread information security through a course, rather than adding it as a single module at the end. The following table provides examples of how information security could be integrated in existing courses.

Existing Course: Information Security Topics
Programming Principles: Software assurance (see ...); Applied cryptography
Networking / Data Communications: Network security principles; Use of security tools (firewalls, IDS systems)
Systems Analysis & Design: Security in the SDLC
Database Principles: Developing secure database structures; Security tools for data management; Privacy topics
Operating Systems: OS hardening; Configuration management

2. Elements added to a capstone course or courses. In this second approach to adding security content, specific modules are added to specific capstone experiences or courses. In our program, for example, students have two classes that represent their capstone experience. In the first, they are exposed to strategic policy and planning in IT, and presented with a number of guest speakers on various topics. In the second, they are required to develop a system to solve a business problem, incorporating all aspects of learning to that point, including database, data communications, programming, project management, etc. By addressing strategic information security planning in the first course and having at least one speaker on an InfoSec topic, we integrate security into this course. By requiring the student teams to demonstrate how they used secure development techniques in the second, we reinforce the concepts there.

3. Independent information security courses. The third approach to implementing information security is to create single security courses. This is the approach most commonly used today. Many programs develop one or two classes in security. Unfortunately, many of the classes labeled as security classes fail to address the overall comprehensive breadth and scope of what information security is. A class in theoretical cryptography, while interesting, does not provide much value to an information security professional-to-be.
This requires faculty to develop courses in the manner described in detail in the subsequent sections, rather than implementing classes that would be fun to teach. Also indicated in subsequent sections are suggestions for topics and components of individual security classes.

4. Information security certificates / minors. Continually increasing in frequency, the fourth option is to implement a cohesive set of classes under the title of minor, concentration, specialization, or certificate. This requires detailed planning based on the desired focus and outcome of the program. In our case, we made a conscious decision to focus more on managerial information security, and less on technical information security. While we have courses in the technical arena, the bulk of the foundational courses are on the roles and responsibilities of an information security professional manager, rather than technical. This is purely a choice based on our strengths. There are many institutions out there that could, and should, consider implementing technical programs, if they have the resources and support to do so.

5. Information security degree programs. In our mind, the ultimate goal for enhanced information security curriculum is the baccalaureate-level information security program. As indicated in the statement of the problem, there are several programs in the field that list a bachelor's degree in information security. When you take a close look, however, it is more of a concentration or minor. There is nothing wrong with that, but it tends to be misleading to the students. It takes a great deal of effort and support to create enough courses to populate a program of this magnitude, and even more resources to offer it. It does represent the pinnacle of InfoSec education at the baccalaureate level.

Which of these approaches should you consider? First one must examine the available resources: time, faculty, money, technology and student demand. It may help to begin with the first two approaches and then slowly roll out additional approaches as demand presents itself. Or just jump in. No pain, no gain.

Preliminary Work Completed

Education is recognized as a critical component to improve information security throughout the nation [5]. The development of a curriculum model would provide direct benefit to the various academic, business, and governmental agencies, to support formal education efforts. During the initial analysis phase, we, the authors, examined existing literature and reviewed other programs of interest and their implementations. We also examined current and emerging national and international standards and guidelines for the training of InfoSec professionals [15,17,18], instructional methods and materials from programs recognized as NSA centers of excellence across the country [7,19], and general recommendations and constraints from curriculum supporting organizations such as ACM and ABET.
In developing the curriculum for our pilot project, we used the Backward Curriculum Design Process [22], a well-known approach to curriculum design that begins with the desired outcomes and goals and works backward to learning objectives grouped into courses. The curriculum model seeks to answer the following question: What should an information security person who graduates from a particular program be qualified to do, and what positions should they expect to be able to hold?

Information Security Positions and Roles

As position descriptions are not sufficiently descriptive of the roles the individuals play in the information security function, the next step was to identify the roles information security professionals assume and then map them to the positions an individual should hold. The following sections are from the text Management of Information Security, 3rd ed., 2010, Course Technology.

A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that positions can be classified into one of three types: those that define, those that build and those that administer.

"Definers provide the policies, guidelines and standards... They're the people who do the consulting and the risk assessment, who develop the product and technical architectures. These are senior people with a lot of broad knowledge, but often not a lot of depth. Then you have the builders. They're the real techies, who create and install security solutions... Finally, you have the people who operate and administrate the security tools, the security monitoring function, and the people who continuously improve the processes. [...] What I find is we often try to use the same people for all of these roles. We use builders all the time... If you break your InfoSec professionals into these three groups, you can recruit them more efficiently, with the policy people being the more senior people, the builders being more technical and the operating people being those you can train to do a specific task" [30].

A typical organization has a number of individuals with information security responsibilities. While the titles used within any specific organization may be different from one organization to the next, most of the job functions fit one of the following categories:

- Chief information security officer (CISO)
- Security managers
- Security administrators and analysts
- Security technicians
- Security staffer

CISO

The CISO is primarily responsible for the assessment, management, and implementation of the program that secures the organization's information. The CISO may also be called the Manager for Security, the Security Administrator, or a similar title. The CISO usually reports directly to the CIO, although in larger organizations one or more layers of management may exist between the two officers.

Security Managers

Security managers are accountable for the day-to-day operation of the information security program. They accomplish objectives identified by the CISO, to whom they report as shown in Figure 5-11, and resolve issues identified by technicians, administrators, analysts, or staffers whom they supervise. Managing technology requires an understanding of it, but not necessarily a technical mastery in its configuration, operation, and fault resolution.
Within the information security community, there may be team leaders or project managers responsible for management-like functions, such as scheduling, setting priorities, or administering any number of procedural tasks, but who are not necessarily held accountable for making a particular technology function. The accountability for the actions of others is the hallmark of a true manager. The accountability found in true management roles can be used to differentiate between actual managers and other roles that may include the word manager in their job titles but in fact do not have such accountability.

Security Administrators and Analysts

The security administrator is a hybrid between a security technician (see below) and the security manager, described in the previous section. These individuals have both technical knowledge and managerial skill. They are frequently called upon to manage the day-to-day operations of security technology, as well as to assist in the development and conduct of training programs, policy and the like. The security analyst is a specialized security administrator. In traditional IT, the security administrator corresponds to a systems administrator or database administrator, and the security analyst to a systems analyst. The security analyst, in addition to security administration duties, also must analyze and design security solutions within a specific domain (firewall, IDS, antivirus). Security analysts must be able to identify the users' needs, as well as understand the technological complexities and capabilities of the security systems they design.

Security Technicians

Security technicians are the technically qualified individuals who configure firewalls and IDSs, implement security software, diagnose and troubleshoot problems, and coordinate with systems and network administrators to ensure that security technology is properly implemented. A security technician is usually an entry-level position; however, some technical skills are required, which can make it difficult for those new to the field. It is difficult to get a job without experience, and experience comes with a job. Just as in networking, security technicians tend to be specialized, focusing on one major security technology group (firewalls, IDS, servers, routers, or software), and further specializing in one particular software or hardware package within the group, like Checkpoint firewalls, Nokia firewalls, or Tripwire IDS. These technologies are sufficiently complex to warrant a high level of specialization. Security technicians who want to move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining an understanding of the general, organizational issues of information security, as well as all technical areas.

Security Staffer or Watchstander

This is a catchall title that applies to the individuals who perform routine watch standing activities. It encompasses the people who watch intrusion consoles, monitor accounts, and perform other routine-yet-critical roles that support the mission of the information security department.

Why is it important to understand these roles? In order to design curriculum, one must understand what it is you want the student to be able to accomplish upon graduation.
In our curriculum development, these roles were used as surrogates for positions and mapped to knowledge areas. Knowledge areas represent the specific knowledge needed for each role, and when paired with a multi-level mastery model like Bloom's taxonomy [21], can be used to identify the level of depth of knowledge for each role. For example, a CISO may need great breadth of knowledge, but not as much depth of knowledge in an area as a technician would. The challenge is to completely map and verify the roles, knowledge areas, and levels of mastery needed. Knowledge areas can be obtained from key indices like certifications [27], and from training standards and models [28]. Knowledge areas in InfoSec are many and can be very technical, but there is an agreed-upon way to discuss them. Many programs take the shortcut and jump straight to the certifications an information security professional could earn, like CISSP, SSCP, GIAC, SCP, TruSecure CSA/CSE, Security+, or CISA/CISM. However, programs are hesitant to implement coursework that is focused on a specific applied output. Universities in general prefer to focus more on the true knowledge areas that these certificates test, rather than the specifics of these exams. However, if we examine the content of some of the key certifications, we can begin to glimpse some of the knowledge areas we would need to integrate with our coursework. The following excerpt from Management of Information Security provides additional detail on the leading certifications in information security.

13 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance 2011 Update: The NICE Definitions of Security Roles and Responsibilities In 2011, a new major initiative has been promoted by a joint group of Federal agencies: NIST, NSA & DHS to name a few. The National Initiative for Cybersecurity Education will have far-reaching implications for information security education in the very near future. What was once referred to as Information Assurance in the federal sector is now referred to as Cybersecurity. According the NIST web site ( [The following section is directly copied from the referred Web site]: The National Initiative for Cybersecurity Education (NICE) has evolved from the Comprehensive National Cybersecurity Initiative, and extends its scope beyond the federal workplace to include civilians and students in kindergarten through post-graduate school. The goal of NICE is to establish an operational, sustainable and continually improving cybersecurity education program for the nation to use sound cyber practices that will enhance the nation s security. The National Institute of Standards and Technology (NIST) is leading the NICE initiative, comprised of over 20 federal departments and agencies, to ensure coordination, cooperation, focus, public engagement, technology transfer and sustainability. Many NICE activities are already underway and NIST will highlight these activities, engage various stakeholder groups and create forums for sharing information and leveraging best practices. NIST will also be looking for gaps in the initiative -- areas of the overarching mission that are not addressed by ongoing activities. The National Initiative for Cybersecurity Education (NICE) will be represented by four Components: Component 1: National Cybersecurity Awareness Lead: Department of Homeland Security (DHS) The National Cybersecurity Awareness Component is being led by the Department of Homeland Security. 
To boost national cybersecurity awareness, DHS will use public service campaigns to promote cybersecurity and responsible use of the Internet, and make cybersecurity a popular educational and career pursuit for older students.

Component 2: Formal Cybersecurity Education
Co-Leads: Department of Education (DoED) and National Science Foundation (NSF)

The Department of Education and the National Science Foundation (NSF) are leading the Formal Cybersecurity Education Component. Their mission is to bolster formal cybersecurity education programs encompassing kindergarten through 12th grade, higher education and vocational programs, with a focus on the science, technology, engineering and math disciplines to provide a pipeline of skilled workers for the private sector and government.

Component 3: Cybersecurity Workforce Structure
Lead: DHS

The Cybersecurity Workforce Structure Component's goal is to define cybersecurity jobs, attraction, recruitment, retention, and career path strategies. This component is being led by DHS and supported by the Office of Personnel Management (OPM). This component contains the following Sub-Component Areas (SCAs):

SCA1 Federal Workforce: led by OPM
SCA2 Government Workforce (non-federal): led by DHS

SCA3 Private Sector Workforce: led by Small Business Administration, Department of Labor, and NIST.

Component 4: Cybersecurity Workforce Training and Professional Development
Tri-Leads: Department of Defense (DoD), Office of the Director of National Intelligence (ODNI), Department of Homeland Security (DHS)

The Cybersecurity Workforce Training and Professional Development Component is led by the Department of Defense, the Office of the Director of National Intelligence and the Department of Homeland Security. Its mission is to intensify training and professional development programs for the existing federal cybersecurity workforce. This Component is divided into four functional areas that cover:

Functional Area 1: General IT Use (Co-Leads: DHS, Federal CIO Council)
Functional Area 2: IT Infrastructure, Operations, Maintenance, and Information Assurance (Co-Leads: DoD, DHS)
Functional Area 3: Domestic Law Enforcement and Counterintelligence (Lead: NCIX, DOD/DC3, DOJ, DHS/USSS)
Functional Area 4: Specialized Cybersecurity Operations (Lead: NSA)

[End Direct Quote]

The NICE framework defines seven distinct functional areas (or domains), with corresponding jobs identified within each [40]. The following material, taken from that same document, describes these functional areas and their workforce specialty areas:

I. Securely Provision

Securely Provision consists of those specialty areas concerned with conceptualizing, designing, and building secure IT systems. In other words, each of the roles within the Securely Provision category is responsible for some aspect of the systems development process.

Information Assurance Compliance
Oversees, evaluates, and supports the documentation, validation, and accreditation processes necessary to assure that new IT systems meet the organization's IA requirements. Ensures compliance from internal and external perspectives.
Sample Job Titles: Accreditor; Auditor; Authorizing Official Designated Representative; Certification Agent; Certifying Official; Compliance Manager; Designated Accrediting Authority; IA Compliance Analyst/Manager; IA Manager; IA Officer; Portfolio Manager; Risk/Vulnerability Analyst; Security Control Assessor; Validator

Software Engineering
Develops, creates, and writes/codes new (or modifies existing) computer applications, software, or specialized utility programs.
Sample Job Titles: Analyst Programmer, Computer Programmer, Configuration Manager, IA Engineer, IA Software Developer, IA Software Engineer, R&D Engineer, Secure Software Engineer, Security Engineer, Software Developer, Systems Analyst, Web Application Developer

Enterprise Architecture
Develops the systems concepts and works on the capabilities phases of the systems development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into system and security designs and processes.
Sample Job Titles: IA Architect; Information Security Architect; Information Systems Security Engineer; Network Security Analyst; R&D Engineer; Security Architect; Security Engineer; Security Solutions Architect; Systems Engineer; Systems Security Analyst

Technology Demonstration
Conducts technology assessment and integration processes; provides and supports a prototype capability and evaluates its utility.
Sample Job Titles: Capabilities and Development Specialist, R&D Engineer

Systems Requirements Planning
Consults with customers to gather and evaluate functional requirements and translates these requirements into technical solutions. Provides guidance to customers about applicability of information systems to meet business needs.
Sample Job Titles: Business Analyst, Business Process Analyst, Computer Systems Analyst, Contracting Officer, Contracting Officer's Technical Representative (COTR), Human Factors Engineer, Requirements Analyst, Solutions Architect, Systems Consultant, Systems Engineer

Test and Evaluation
Develops and conducts tests of systems to evaluate compliance with specifications and requirements by applying principles and methods for cost-effective planning, evaluating, verifying, and validating of technical, functional, and performance characteristics (including interoperability) of systems or elements of systems incorporating IT.
Sample Job Titles: Application Security Tester; Information Systems Security Engineer; Quality Assurance Tester; R&D Engineer; Systems Engineer; Testing and Evaluation Specialist

Systems Development
Works on the development phases of the systems development lifecycle.
Sample Job Titles: IA Developer; IA Engineer; Information Systems Security Engineer; Program Developer; Security Engineer; Systems Engineer

II. Operate and Maintain

Operate and Maintain includes those specialty areas responsible for providing the support, administration, and maintenance necessary to ensure effective and efficient IT system performance and security.

Data Administration
Develops and administers databases and/or data management systems that allow for the storage, query, and utilization of data.
Sample Job Titles: Content Staging Specialist, Data Architect, Data Manager, Data Warehouse Specialist, Database Administrator, Database Developer, Information Dissemination Manager, Systems Operations Personnel

Information Systems Security Management
Oversees the information assurance program of an information system in or outside the network environment; may include procurement duties (e.g., ISSO).
Sample Job Titles: Information Assurance Manager, Information Assurance Program Manager, Information Assurance Security Officer, Information Security Program Manager, Information Systems Security Manager, Information Systems Security Officer (ISSO)

Knowledge Management
Manages and administers processes and tools that enable the organization to identify, document, and access intellectual capital and information content.
Sample Job Titles: Business Analyst, Business Intelligence Manager, Content Administrator, Document Steward, Freedom of Information Act Official, Information Manager, Information Owner, Information Resources Manager

Customer Service and Technical Support
Addresses problems, installs, configures, troubleshoots, and provides maintenance and training in response to customer requirements or inquiries (e.g., tiered-level customer support).
Sample Job Titles: Computer Support Specialist, Customer Support, Help Desk Representative, Service Desk Operator, Systems Administrator, Technical Support Specialist

Network Services
Installs, configures, tests, operates, maintains, and manages networks and their firewalls, including hardware (hubs, bridges, switches, multiplexers, routers, cables, proxy servers, and protective distributor systems) and software that permit the sharing and transmission of all spectrum transmissions of information to support the security of information and information systems.
Sample Job Titles: Cabling Technician, Converged Network Engineer, Network Administrator, Network Analyst, Network Designer, Network Engineer, Network Systems and Data Communications Analyst, Telecommunications Engineer/Personnel/Specialist

System Administration
Installs, configures, troubleshoots, and maintains server configurations (hardware and software) to ensure their confidentiality, integrity, and availability. Also manages accounts, firewalls, and patches. Responsible for access control, passwords, and account creation and administration.
Sample Job Titles: LAN Administrator, Platform Specialist, Security Administrator, Server Administrator, System Operations Personnel, Systems Administrator, Website Administrator

Systems Security Analysis
Conducts the integration/testing, operations, and maintenance of systems security.
Sample Job Titles: IA Operational Engineer, Information Assurance Security Officer, Information Security Analyst/Administrator, Information Systems Security Engineer, Information Systems Security Manager, Platform Specialist, Security Administrator, Security Analyst, Security Control Assessor, Security Engineer

III. Protect and Defend

Protect and Defend includes specialty areas primarily responsible for the identification, analysis, and mitigation of threats to IT systems and networks. Specialty areas in the Protect and Defend category are closely aligned to computer network defense service provider organizations and responsibilities.

Computer Network Defense
Uses defensive measures and information collected from a variety of sources to identify, analyze, and report events that occur or might occur within the network in order to protect information, information systems, and networks from threats.
Sample Job Titles: CND Analyst (Cryptologic), Cyber Security Intelligence Analyst, Focused Operations Analyst, Incident Analyst, Network Defense Technician, Security Analyst, Security Operator, Sensor Analyst

Incident Response
Responds to crisis or urgent situations within the pertinent domain to mitigate immediate and potential threats. Uses mitigation, preparedness, and response and recovery approaches, as needed, to maximize survival of life, preservation of property, and information security. Investigates and analyzes all relevant response activities.
Sample Job Titles: Computer Crime Investigator, Incident Handler, Incident Responder, Intrusion Analyst

Computer Network Defense Infrastructure Support
Tests, implements, deploys, maintains, and administers the infrastructure hardware and software that are required to effectively manage the computer network defense service provider network and resources. Monitors the network to actively remediate unauthorized activities.
Sample Job Titles: IDS Administrator, IDS Engineer, IDS Technician, Information Systems Security Engineer, Network Administrator, Network Analyst, Network Security Engineer, Network Security Specialist, Security Analyst, Security Engineer, Security Specialist, Systems Security

Security Program Management
Manages relevant security (e.g., information security) implications within the organization, specific program, or other area of responsibility, to include strategic, personnel, infrastructure, policy enforcement, emergency planning, security awareness, and other resources (e.g., CISO).
Sample Job Titles: Chief Information Security Officer (CISO), Common Control Provider, Cyber Security Officer, Enterprise Security Officer, Facility Security Officer, IT Director, Principal Security Architect, Risk Executive, Security Domain Specialist, Senior Agency Information Security Officer (SAIS)

Vulnerability Assessment and Management
Conducts assessments of threats and vulnerabilities, determines deviations from acceptable configurations, enterprise or local policy, assesses the level of risk, and develops and/or recommends appropriate mitigation countermeasures in operational and non-operational situations.
Sample Job Titles: Blue Team Technician, Close Access Technician, CND Auditor, Compliance Manager, Ethical Hacker, Governance Manager, Internal Enterprise Auditor, Penetration Tester, Red Team Technician, Reverse Engineer, Risk/Vulnerability Analyst, Vulnerability Manager

IV. Investigate

Investigate specialty areas are responsible for the investigation of cyber events or crimes which occur within IT systems or networks, as well as the processing and use of digital evidence.

Digital Forensics
Collects, processes, preserves, analyzes, and presents computer-related evidence in support of network vulnerability mitigation, and/or criminal, fraud, counterintelligence or law enforcement investigations.
Sample Job Titles: Computer Network Defense Forensic Analyst; Digital Forensic Examiner; Digital Media Collector; Forensic Analyst; Forensic Analyst (Cryptologic); Forensic Technician; Network Forensic Examiner

Investigation
Applies tactics, techniques, and procedures for a full range of investigative tools and processes to include, but not limited to, interview and interrogation techniques, surveillance, countersurveillance, and surveillance detection, and appropriately balances the benefits of prosecution versus intelligence gathering.
Sample Job Titles: Computer Crime Investigator, Special Agent

V. Operate and Collect

Operate and Collect includes specialty areas that have responsibility for the highly specialized collection of cybersecurity information that may be used to develop intelligence.

Collection Operations
Executes collection using appropriate collection strategies and within the priorities established through the collection management process.

Cyber Operations Planning
Gathers information and develops detailed Operational Plans and Orders supporting requirements. Conducts strategic and operational-level planning across the full range of operations for integrated information and cyberspace operations.

Cyber Operations
Uses automated tools to manage, monitor, and/or execute large-scale cyber operations in response to national and tactical requirements.

VI. Analyze

Analyze consists of specialty areas responsible for highly specialized review and evaluation of incoming cybersecurity information to determine its usefulness for intelligence. Although not part of the core set of specialty areas, there is also a category of specialty areas that have been determined critical to the support of the primary cybersecurity categories.

Cyber Threat Analysis
Identifies and assesses the capabilities and activities of cyber criminals or foreign intelligence entities; produces findings to help initialize or support law enforcement and counterintelligence investigations or activities.

Exploitation Analysis
Analyzes collected information to identify vulnerabilities and potential for exploitation.

Targets
Applies current knowledge of one or more regions, countries, non-state entities, and/or technologies.

All Source Intelligence
Analyzes threat information from multiple sources, disciplines, and agencies across the Intelligence Community. Synthesizes and places intelligence information in context; draws insights about the possible implications.

VII. Support

The Support category includes specialty areas that provide critical support so that others may effectively conduct their cybersecurity work.

Legal Advice and Advocacy
Provides legally sound advice and recommendations to leadership and staff on a variety of relevant topics within the pertinent subject domain. Advocates legal and policy changes, and makes a case on behalf of the client via a wide range of written and oral work products, including legal briefs and proceedings.
Sample Job Titles: Legal Advisor/SJA

Strategic Planning and Policy Development
Applies knowledge of priorities to define an entity's direction, determine how to allocate resources, and identify programs or infrastructure that are required to achieve desired goals within the domain of interest. Develops policy or advocates for changes in policy that will support new initiatives or required changes/enhancements.
Sample Job Titles: Chief Information Officer (CIO), Command IO, Information Security Policy Analyst, Information Security Policy Manager, Policy Writer and Strategist

Education and Training
Conducts training of personnel within the pertinent subject domain. Develops, plans, coordinates, and evaluates training courses, methods, and techniques as appropriate.
Sample Job Titles: Cyber Trainer, Information Security Trainer, Security Training Coordinator

(The preceding material was taken directly from [40].)
Each of these areas already has a draft Committee on National Security Systems training standard under development. As such, the bulk of our curriculum design from 2011 forward will focus on this material. Throughout this document we will first refer to our historical experience in developing curricula, then transition to our perspective going forward.

2013 Update: The Next Generation CAEIAE: National Centers of Academic Excellence in Information Assurance/Cyber Defense

In 2013, the CAEIAE office at NSA announced that the program was being completely overhauled, most likely in response to the release of the new NICE standards. The overhaul will require all CAEs to re-designate under new criteria in order to earn the new NSA/DHS National Center of Academic Excellence in Information Assurance and Cyber Defense designation. Little is known about the details of the new program, most likely because it's still under development. The NSA is hosting workshops where participants discuss what the new program will entail. According to the NSA web site: "Coming soon: information on NSA/DHS National Center of Academic Excellence in Information Assurance and Cyber Defense." The published CAEIAE/CD FAQ for CAEs transitioning to the new designation reads as follows:

Transition to the NSA/DHS Center of Academic Excellence in Information Assurance/Cyber Defense (IA/CD) Designations: Frequently Asked Questions

1. My current CAE in IA designation expires in June 2013; will this designation be extended?
Yes, your current CAE in IA designation will be extended to October. The expected launch date for the new program is May 1. (2013 re-designation submissions will be accepted between 1 June 2013 and 31 July 2013.)

2. My current CAE in IA designation expires after June 2013; will it still be honored until its expiration date?
All current CAE in IA designations will need to transition to the new CAE in IA/CD designation by December. Current designations will be honored until then. We are developing a schedule based on current expiration dates and school locations to reduce travel costs, as a site visit is now part of the designation process.

3. How long will we have to achieve the new CAE in IA/CD designation?
The transition of current CAE in IA designees to the new CAE in IA/CD designation will be completed by December. We will work on a schedule based on current expiration dates and the dates of nearby schools to reduce travel costs.

4. Why should we apply for the new designation?
After December 2014 the current NSA/DHS CAE in IA designation will no longer be recognized. In order to continue to be designated as an NSA/DHS CAE in IA/CD you must meet the requirements for the new program.

5. We are not a current CAE in IA; when can we apply for the CAE in IA/CD designation?
New applications will be accepted beginning June 1, 2013 and will be evaluated based on NIETP resources.

6. How long will we have to complete the CAE in IA/CD application?
For CAEs scheduled to re-designate in 2013, the submission window will be June 1 - July 31. For CAEs scheduled to re-designate after this cycle, we will work on a schedule based on current expiration dates.

7. So what does this mean in terms of our CNSS mapping? Did we do all of that work for nothing?
Although mapping to the CNSS standards is no longer a prerequisite for applying to the National Centers of Academic Excellence in IA Education Program, your CNSS certificate validates that your curriculum still meets these national standards. Your CNSS certificate will remain valid until it expires or the CNSS standards are updated, replaced, or canceled, whichever comes first. The work done in mapping your course material to the CNSS standards should make it easier to map that same material to those basic information assurance principles that are also in the knowledge units.

8. Our mapping to the CNSS standards was just approved/not yet submitted; will we still receive recognition for our efforts? Can we submit mapping after 15 January 2013?
All new mapping submitted by this year's 15 January 2013 deadline will be considered for review. After validation that all the specific standard elements are met, CNSS certificates will be provided to successful applicants at the annual Colloquium for Information Systems Security Education. Those who wish to renew CNSS certificates expiring in June 2013 must also recertify their mapping by 15 January. If approved, your certificates will be mailed to you. All others: your CNSS certificate will remain valid until it expires or the CNSS standards are updated, replaced, or canceled, whichever comes first.

9. Will the Colloquium be cancelled too? If not, will there still be a CNSS or CAE recognition ceremony?
No, the Colloquium is still scheduled to occur in June 2013 in Mobile Bay, Alabama. There will be both a CNSS and a CAE recognition ceremony at the Colloquium.

10. How does this affect DoD IASP participation?
If you are scheduled to re-designate in 2013, you are eligible to apply for the 2013 DoD IASP cycle. You must designate under the new CAE IA/CD program for 2014 and beyond. By December 2014 all current institutions must designate under the new CAE IA/CD or the established CAE CO programs to be eligible for the DoD IASP.

11. Will our institution still be displayed on the NSA.gov website?
Your institution name and link will remain on the nsa.gov website as a CAE in IA until December.

(Transition_to_CAEIACD.pdf ed January 17, 2013.)

The CAE CO program is the new Centers of Academic Excellence in Cyber Operations program, which is "a deeply technical, inter-disciplinary, higher education program firmly grounded in the computer science (CS), computer engineering (CE), and/or electrical engineering (EE) disciplines, with extensive opportunities for hands-on applications via labs/exercises." This program was announced in January.

Information Security Professional Certifications

Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)

Considered the most prestigious certifications for security managers and CISOs, the CISSP is one of two certifications offered by the International Information Systems Security Certification Consortium, (ISC)2. The SSCP is the other. CISSP certification was designed to recognize mastery of an international standard for information security and understanding of a common body of knowledge (CBK). In order to sit for the CISSP exam, the candidate must possess at least three years of direct full-time security professional work experience in one or more of the ten domains. The CISSP covers ten domains of the information security body of knowledge:

- Access control systems and methodology
- Applications and systems development
- Business continuity planning
- Cryptography
- Law, investigation and ethics
- Operations security
- Physical security
- Security architecture and models
- Security management practices
- Telecommunications, network and internet security

Given the difficulty of mastering all ten domains, many security professionals seek other, less rigorous certifications. (ISC)2 developed the SSCP certification to be more focused. Like the CISSP, the SSCP certification is more applicable to the security manager than the technician, since the bulk of its questions focus on the operational nature of information security. The SSCP focuses on practices, roles and responsibilities as defined by experts from major IS industries [31]. However, the information security technician seeking advancement can benefit from this certification.
Instead of the ten domains of the CISSP, the SSCP covers seven domains:

- Access controls
- Administration
- Audit and monitoring
- Risk, response, and recovery
- Cryptography
- Data communications
- Malicious code/malware

The SSCP is considered by many to be the little brother of the CISSP. It is a valid certification and is easier to obtain than the CISSP. The seven domains are not a subset of the CISSP domains, but contain slightly more technical content.

(ISC)2 has another program, the Associate of (ISC)2, designed to give individuals who want to earn the CISSP or SSCP but lack the required amount of professional experience the ability to take the exam before earning that experience. "The Associate of (ISC)2 program is a mechanism for information security professionals, who are still in the process of acquiring the necessary experience to become CISSPs or SSCPs, to become associated with (ISC)2 and obtain career-related support during this early period in his or her information security career" [32].

(ISC)2 also implemented a concentration component to the CISSP certification, allowing standing CISSPs to earn additional recognition [37]:

ISSAP: Information Systems Security Architecture Professional. The major domains of the CBK covered by ISSAP certification are:
- Access Control Systems and Methodology
- Telecommunications and Network Security
- Cryptography
- Requirements Analysis and Security Standards, Guidelines, Criteria
- Technology Related Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP)

ISSEP: Information Systems Security Engineering Professional. The major domains of the CBK covered by ISSEP certification are:
- Systems Security Engineering
- Certification and Accreditation
- Technical Management
- U.S. Government Information Assurance Regulations

ISSMP: Information Systems Security Management Professional. The major domains of the CBK covered by ISSMP certification are:
- Enterprise Security Management Practices
- Enterprise-Wide System Development Security
- Overseeing Compliance of Operations Security
- Understanding Business Continuity Planning (BCP), Disaster Recovery Planning (DRP) and Continuity of Operations Planning (COOP)
- Law, Investigations, Forensics and Ethics

Each of these concentrations requires an additional exam.
Global Information Assurance Certification (GIAC)

SANS (formerly known as the System Administration, Networking and Security organization) developed a series of technical security certifications in 1999, known as the GIAC. At the time, there were no technical security certifications. Anyone who wished to work in the technical security field could only obtain networking or computing certifications like the MCSE (Microsoft Certified Systems Engineer) or CNE (Certified Novell Engineer). The GIAC family of certifications can be pursued independently or combined to earn the comprehensive certification, GIAC Security Engineer (GSE). The GIAC Information Security Officer (GISO) is an overview certification that combines basic technical knowledge with an understanding of threats, risks, and best practices, similar to the SSCP. Since the initial offering of the GISO, SANS has added a number of managerial certifications and certificates. The GIAC Management Certificates and Certifications include:

- GIAC Information Security Professional (GISP)
- GIAC Security Leadership Certification (GSLC)
- GIAC Certified ISO Specialist (G2700)
- GIAC Certified Project Manager Certification (GCPM)

Most GIAC certifications are offered in conjunction with SANS training. For more information on the GIAC security-related certification requirements, visit the GIAC web site.

Security+

From CompTIA, the company that brought the first vendor-neutral professional IT certifications, the A+ series, comes another certification program, the Security+ certification. The CompTIA Security+ certification tests for security knowledge mastery of an individual with two years of on-the-job networking experience, with emphasis on security. The exam covers industry-wide topics including communication security, infrastructure security, cryptography, access control, authentication, external attack and operational and organizational security. CompTIA Security+ curricula are being taught at colleges, universities and commercial training centers around the globe. CompTIA Security+ is being used as an elective or prerequisite to advanced vendor-specific and vendor-neutral security certifications [35]. The exam covers the following five domains:

1.0 General Security Concepts
2.0 Communication Security
3.0 Infrastructure Security
4.0 Basics of Cryptography
5.0 Operational/Organizational Security

Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)

The CISA certification, while not specifically a security certification, does contain many information security components.
The CISM is focused on practitioners in the information security field. The sponsoring organization for the CISA, the Information Systems Audit and Control Association & Foundation (ISACA) promotes the certification for auditing, networking and security professionals. The CISA certifications requirements cover the following areas of information systems auditing: The Process of Auditing Information Systems (14 percent) Provide audit services in accordance with IT audit standards to assist the organization with protecting and controlling information systems. Governance and Management of IT (14 percent) Provide assurance that the necessary leadership and organizational structures and processes are in place to achieve objectives and to support the organization s strategy Kennesaw State University Center for Information Security Education ( / [email protected]) 24

25 A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance Information Systems Acquisition, Development and Implementation (19 percent) Provide assurance that the practices for the acquisition, development, testing, and implementation of information systems meet the organization s strategies and objectives. Information Systems Operations, Maintenance and Support (23 percent) Provide assurance that the processes for information systems operations, maintenance and support meet the organization s strategies and objectives. Protection of Information Assets (30 percent) Provide assurance that the organization s security policies, standards, procedures and controls ensure the confidentiality, integrity and availability of information assets. ( Information-Systems-Auditor/Register-for-the-Exam/Documents/CISA-BOI-June EN.pdf). CISM, the Certified Information Security Manager is another certification program offered by ISACA. This credential is geared toward experienced information security managers and others who may have information security management responsibilities. The CISM can provide executive management with an assurance that those earning the designation have the required background knowledge needed for effective security management and consulting. It is oriented toward information risk management and addresses management, design and technical security issues at a conceptual level. CISM will encompass the following areas: Information Security Governance (24%) establish and maintain an information security governance framework and supporting processes to ensure that the information security strategy is aligned with organizational goals and objectives, information risk is managed appropriately and program resources are managed responsibly. Information Risk Management and Compliance (33%) Manage information risk to an acceptable level to meet the business and compliance requirements of the organization. 
Information Security Program Development and Management (25%): Establish and manage the information security program in alignment with the information security strategy.

Information Security Incident Management (18%): Plan, establish and manage the capability to detect, investigate, respond to and recover from information security incidents to minimize business impact. (Manager/Register-for-the-Exam/Documents/CISM-BOI-June-2013-EN.pdf)

Certified Forensics Investigator Certifications

Vendor-neutral forensics certifications are difficult to locate; they tend not to last long before disappearing into obscurity. GIAC now has a forensics module, and there are a number of private certifications. There is a new certification from the International Society of Forensic Computer Examiners. This group has developed the Certified Computer Examiner (CCE) certification, which focuses on the following competencies:

Ethics - Understand ethics in practice (particularly privacy) and the CCE ethical approach.

Law - Awareness of the existence of key pieces of legislation related to digital forensics, and understanding that this legislation has a direct impact on the practice of digital forensics. Also ensure students are aware of what is expected of professional examiners in court. This content is not intended to interpret or teach specific law, but only to ensure students become familiar with the existence of such legislation and understand that legal counsel may be necessary to ensure work is done in compliance with legislation.

Software - Understand software licensing and validation.

General Personal Computer Hardware Identification - Understand hardware, specifically hardware involved in imaging and data collection activities. Minimum requirements include visual aids and examples of hardware used, and hands-on demonstrations using hardware.

Overview of Networks - Understand networking and its impact on both forensic evidence and site seizures.

Review of Commonly Encountered Operating Systems - Familiarity with commonly encountered operating systems, with focus on the most common.

Seizure Process - Understand the standard procedures involved in conducting a complete forensic case.

Forensic Examination Procedures - Understand the process of casework and be able to develop meaningful reporting suitable for submission.

File Systems - Understand the following common file systems in use and be able to explain key concepts. Include instruction on the file system(s) that comprise Windows operating systems: FAT 12, 16, and 32 file systems, with discussion of the File Allocation Table.

Commonly Encountered Media - Familiarity with all types of commonly encountered evidence and how to handle that evidence properly.

Media Geometry - Understand how drives and storage work physically and logically.

Preparation of Sterile Examination Media and Imaging - Proper procedure for preparing forensic media and imaging techniques.

Creation and Use of Controlled or Forensic Boot Disks - Understand safe boot procedures and forensic boot disks.

Low Level Analysis - Understand the manual file recovery process in FAT.

Specific Processing Issues - Additional topics which may prove critical to forensic examinations.

Practical Examination Skills - Practical experience in a controlled environment dealing with real-world scenarios and examination techniques. [41]
Established Standards, Models and Practices

Another major area of information that could be used to derive the skills needed to become a security professional lies in established standards, models and practices. There are three primary documents which guide the implementation and management of security programs. These are discussed in turn here, in an extract from Management of Information Security:

Among the most accessible places to find a quality security management model are U.S. federal agencies and international organizations. One of the most popular security management models has been ratified into an international standard. British Standard 7799 provides two components, each addressing a different area of security management practice. BS 7799:1, once known as ISO/IEC 17799 and now ISO/IEC 27002, is called Information Technology Code of Practice for Information Security Management. BS 7799:2, now also adopted as an ISO/IEC standard, is called Information security management: Specification with guidance for use. These documents are discussed in detail in the following sections. They are proprietary, and organizations wishing to adopt this model must purchase the rights to do so. There are a number of alternatives. The first and foremost of these are the free documents provided by the National Institute of Standards and Technology's Computer Security Resource Center. This site contains a number of publications, including ones containing models and practices.

ISO/IEC 27002/17799/BS 7799

One of the most widely referenced and often discussed security models is Information Technology Code of Practice for Information Security Management, which was originally published as the British Standard BS 7799. This Code of Practice was adopted as an international standard framework for information security by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC 17799 in 2000 and in 2005 as ISO/IEC 27002, as part of the new series of Information Security Management Systems (ISMS) standards. While the details of ISO/IEC 27002 are available only to buyers of the standard, the structure and general organization are well known: [36]

1. Organizational Security Policy is needed to provide management direction and support for information security.
2. Organizational Security Infrastructure objectives include:
   o Manage information security within the company
   o Maintain the security of organizational information processing facilities and information assets accessed by third parties
   o Maintain the security of information when the responsibility for information processing has been outsourced to another organization
3. Asset Classification and Control is needed to maintain appropriate protection of corporate assets and to ensure that information assets receive an appropriate level of protection.
4. Personnel Security objectives are to:
   o Reduce risks of human error, theft, fraud or misuse of facilities
   o Ensure that users are aware of information security threats and concerns, and are equipped to support the corporate security policy in the course of their normal work
   o Minimize the damage from security incidents and malfunctions and learn from such incidents
5. Physical and Environmental Security objectives include:
   o Prevent unauthorized access, damage and interference to business premises and information
   o Prevent loss, damage or compromise of assets and interruption to business activities
   o Prevent compromise or theft of information and information processing facilities
6. Communications and Operations Management objectives are:
   o Ensure the correct and secure operation of information processing facilities
   o Minimize the risk of systems failures
   o Protect the integrity of software and information
   o Maintain the integrity and availability of information processing and communication
   o Ensure the safeguarding of information in networks and the protection of the supporting infrastructure
   o Prevent damage to assets and interruptions to business activities
   o Prevent loss, modification or misuse of information exchanged between organizations
7. System Access Control objectives in this area include:
   o Control access to information
   o Prevent unauthorized access to information systems
   o Ensure the protection of networked services

   o Prevent unauthorized computer access
   o Detect unauthorized activities
   o Ensure information security when using mobile computing and telecommunication networks
8. System Development and Maintenance objectives here include:
   o Ensure security is built into operational systems
   o Prevent loss, modification or misuse of user data in application systems
   o Protect the confidentiality, authenticity and integrity of information
   o Ensure IT projects and support activities are conducted in a secure manner
   o Maintain the security of application system software and data
9. Business Continuity Planning to counteract interruptions to business activities and to critical business processes from the effects of major failures or disasters.
10. Compliance objectives include:
   o Avoid breaches of any criminal or civil law, statutory, regulatory or contractual obligations and of any security requirements
   o Ensure compliance of systems with organizational security policies and standards
   o Maximize the effectiveness of and minimize interference to/from the system audit process

NIST Documents

The NIST documents use a common philosophy based on the implementation of 17 areas of controls, divided into three categories: Managerial, Operational and Technical. For example, the NIST SP Security Self-Assessment Guide for Information Technology Systems provides an overview of the three areas of controls and detailed instruction on assessing an organization's systems to determine the levels of security present.

Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan

Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability

Technical Controls
15. Identification and Authentication
16. Logical Access Controls

17. Audit Trails

NIST SP

NIST SP Generally Accepted Principles and Practices for Securing Information Technology Systems provides a number of common IT security practices in the following areas:

Policy
   o Program Policy
   o Issue-Specific Policy
   o System-Specific Policy
   o All Policies
Program Management
   o Central Security Program
   o System-Level Program
Risk Management
   o Risk Assessment
   o Risk Mitigation
   o Uncertainty Analysis
Life Cycle Planning
   o Security Plan
   o Initiation Phase
   o Development/Acquisition Phase
   o Implementation Phase
   o Operation/Maintenance Phase
   o Disposal Phase
Personnel/User Issues
   o Staffing
   o User Administration
Preparing for Contingencies and Disasters
   o Business Plan
   o Identify Resources
   o Develop Scenarios
   o Develop Strategies
   o Test and Revise Plan
Computer Security Incident Handling
   o Uses of a Capability
   o Characteristics
Awareness and Training
Security Considerations in Computer Support and Operations
Physical and Environmental Security
Identification and Authentication
   o Identification
   o Authentication
   o Passwords
   o Advanced Authentication
Logical Access Control
   o Access Criteria

   o Access Control Mechanisms
Audit Trails
   o Contents of Audit Trail Records
   o Audit Trail Security
   o Audit Trail Reviews
   o Keystroke Monitoring
Cryptography

Mapping Positions and Roles to Knowledge Areas

With this information the curriculum designers can gain a better feel for what a graduate should know upon seeking a specific job category. The following figure illustrates this mapping.

[Figure: mapping of Positions (Net Admin, Firewall Analyst, IDS Eng, SysAdmin, ISO, Forensics, InfoSec Mgr, IRP Handler, DR/BCP Mgr, InfoSec Cons.) to Roles (CISO, InfoSec Mgr, InfoSec Analyst, InfoSec Tech, InfoSec W.S.) to Knowledge Areas (ACS, SA & D, BCP, Crypto, Law & Ethics, OpSec, PhySec, Architecture, Sec Mgt, NetSec), at varying levels of mastery.]

In our case, we decided, based on conversations with our local curriculum advisory board, that KSU's information security coursework should be focused on preparing security administrators so that immediately upon graduation they would be prepared for career progression through security manager to CISO. As a result, selected learning objectives were tied to providing the appropriate level of mastery within each knowledge area felt to be critical to an individual's success in that program. We began with two sets of information: the CISSP Common Body of Knowledge and the NSTISSC training standards. From each of these we examined introductory and advanced knowledge areas we felt were essential to this career progression.

Mapping the CISSP Common Body of Knowledge

In mapping the CISSP CBK we began with the general categories indicated in the diagram above, and looked for areas in which our graduates should have varying levels of mastery. As the 10 domains of the CBK were too broad to be of much use, we identified major subordinate areas in each as follows:

I. Access Controls
   o Access control fundamentals
   o Access control types
   o Access control attacks
   o Penetration testing methods
II. Telecommunications
   o Network types (LAN/WAN)
   o OSI reference model

   o TCP/IP protocol suite
   o Telecomm security management
   o Telecommunications threats and attacks
   o Remote access protocols
III. Security Management
   o Security planning
   o Security policies
   o Personnel security
   o Security personnel
   o Data classification and storage
   o Risk Management
   o Security education, training and awareness program
   o Change/configuration management
   o Assessment strategies
IV. Applications Security
   o Systems development life cycles
   o Database development and management
   o Systems controls
   o Distributed applications
   o Object oriented concepts
   o Knowledge based systems
   o Application and systems attacks and vulnerabilities
   o Malicious code
V. Cryptography
   o Cryptosystems
   o Ciphers and encryption algorithms
   o Asymmetric key systems
   o Symmetric key systems
   o Hybrid key systems
   o Message authentication/message digests
   o Public key infrastructure
   o Key management
   o Digital signatures
   o Alternative cryptosystems
   o Security protocols
VI. Security Architecture
   o Security models
   o Information systems evaluation criteria
   o System certification and accreditation
   o Security architectures

VII. Operations Security
   o Operations concepts
   o Threats and countermeasures
   o Incident response
   o Auditing
   o Monitoring
VIII. Business Continuity Planning
   o Contingency planning
   o Business continuity planning
   o Disaster recovery planning
   o Data backup and recovery methods
   o Crisis management
IX. Law and Ethics
   o Law categories and types
   o Computer crimes
   o Computer crime investigations
   o Computer ethics
   o Computer forensics procedures
X. Physical Security
   o Site selection and security
   o Guards
   o Keys and locks
   o Doors, walls and gates
   o Intrusion detection systems
   o Fire detection and suppression systems
   o Biometrics
   o CCTV

NSTISSC Training Standards

We also looked at the National Security Telecommunications and Information Systems Security Committee (NSTISSC), now known as the Committee on National Security Systems (CNSS), documents on training information security professionals. While we are not preparing training per se, we felt it was useful in two areas: 1) to provide information not found elsewhere, and 2) to lay the foundation for eventual certification in the NSA's Information Assurance Courseware Evaluation program. These standards include:

NSTISSI No. National Training Standard for Information Systems Security (INFOSEC) Professionals, dated 20 June 1994
CNSSI No. National Training Standard for Designated Approving Authority (DAA), dated June 2004
CNSSI No. National Training Standard for System Administration in Information Systems Security, dated March 2004
CNSSI No. National Training Standard for Information Systems Security Officers (ISSO), dated April 2004
NSTISSI No. National Training Standard for Systems Certifiers, dated December 2000

As stated earlier, an entirely new set of National Training Standards that conform to the new NICE initiative are forthcoming and at this time are in draft:

CNSSI 4021 Securely Provision Specialties
CNSSI 4022 Operate and Maintain Specialties
CNSSI 4023 Protect and Defend Specialties
CNSSI 4024 Investigate Specialties
CNSSI 4025 Operate and Collect Specialties
CNSSI 4026 Analyze Specialties
CNSSI 4027 Support Specialties

Even though they are in draft, the foreword of these documents clearly states that these CNSS Instructions replace the earlier CNSS/NSTISS Instructions. These issuances should be available from the CNSS web site shortly.

Mapping the CISSP Common Body of Knowledge to NICE

Using the modified CISSP CBK domains from earlier, we are able to associate the tasks and subjects needed to focus on the positions we desire our students to fill:

{Additional Material to be added here as the NICE framework continues to evolve and disseminate}

Defining the Focus of the Program

At this point it is important to define the general thrust of the program and develop overall program objectives. Again, what is it we want our students to learn from the entire program? In order to do this we must define the focus of the program. In information security, there are three general types of programs:

Managerial InfoSec Program

The managerial program seeks to emphasize what we call the 5 Ps of Information Security: People, Planning, Policy, Programs and Projects. As is evident in the sample syllabus for the Management of Information Security and Assurance course later in this document, these areas focus more on the administration and management of information security than on the technological aspects. The managerial student should have an understanding of the types and purposes of various technical security controls, but may not be able to configure, implement or maintain them. Managerial InfoSec programs are frequently found in Colleges of Business, Information Systems programs or other related areas.

Technical InfoSec Program

At the other end of the security spectrum, the technical program focuses more on the technologies of information security. Students in these programs are expected to design, install, configure, test, and maintain various technical security controls and equipment in a very hands-on fashion. This could include firewalls, intrusion detection systems, operating system hardening, etc. The technical student should understand the role and purpose of the managerial aspects, as the technical implementations are guided by the managers in InfoSec, but may not be able to develop these areas. Technical InfoSec programs are frequently found in Colleges of Science, Computer Science programs, technical colleges and schools, or other related areas.
Balanced InfoSec Program

The balanced InfoSec program is a combination of the managerial and technical programs, seeking a balance between the two. Programs in this category generally will not have the level of depth in either the management or the technology aspect of InfoSec, but will seek to provide an approach that prepares the student well for further education or experience in subsequent institutions or organizations. Balanced InfoSec programs will become the most prevalent programs, eventually replacing the technical programs in popularity.

Levels of Mastery

Using the detailed list of domains and knowledge areas from the CISSP and other sources, we then began to identify what level of mastery was desired for each knowledge area. The taxonomy we used was derived in part from Bloom's taxonomy, but simplified to a great extent. We chose four levels of desired mastery, defined as follows:

1. Understanding: At the understanding level, the student can identify key concepts when presented with a list of alternatives. The student has become familiar with the selected knowledge area and can discuss key concepts.

2. Accomplishment: At the accomplishment level, the student can demonstrate the process necessary to use the knowledge area in a given scenario. The student has a deeper grasp of both theoretical and practical applications of the knowledge area.

3. Proficiency: At the proficiency level, the student can generate new examples of the application of the knowledge area. The student has demonstrated the ability to critically discuss knowledge area concepts and can easily relate their learning to others.

4. Mastery: At the mastery level, the student can not only freely create new knowledge in the area, but can also evaluate and critique new knowledge created by others. This level is typically obtained through graduate-level coursework or extensive depth of curriculum.

An example in the area of information security policy could be: Upon completion of the identified material, the student should be able to:

Understanding: Know and discuss the importance of policy in the organization
Accomplishment: Demonstrate the procedures needed to design and implement policy
Proficiency: Develop and implement a variety of security policies
Mastery: Review and critique all types of security policy at all levels of the organization

Determining Numbers of Courses Needed

The next step was to determine how many courses would be needed, at a minimum, to provide the student with the desired level of mastery in the target knowledge. This step was accomplished by organizing similar content with corresponding learning objectives into class areas. This information then allowed us to identify minimal prerequisite areas for each class. We used the following template to facilitate this process:

Mapping Mastery Depth to Courses

We determined that three courses would provide this depth as indicated for a specialization. This table shows not only the total level of depth, but also the courses in which the depth would be obtained.

Level of Mastery Desired: U = Understanding, A = Accomplishment, P = Proficiency, M = Mastery. Courses Implemented: Introduction, Technical, Management. Each row gives the knowledge area followed by the mastery codes recorded across the course columns; domains and knowledge areas marked * indicate that some knowledge areas are prerequisite material.

Domain: Access Controls
   Access control fundamentals: U A P A
   Access control types: U A P A
   Access control attacks: U A P A
   Penetration testing methods: U A

Domain: Telecommunications* (some knowledge areas are prerequisite)
   Network types (LAN/WAN)
   OSI reference model
   TCP/IP protocol suite
   Telecomm security management: U A
   Telecommunications threats and attacks: U A
   Remote access protocols: U A

Domain: Security Management
   Security planning: U A A P
   Security policies: U A A P
   Personnel security: U A A P
   Security personnel: U A A P
   Data classification and storage: U A A P
   Risk Management: U A A P
   Security education, training and awareness program: U A A P
   Change/configuration management: U A A A P
   Assessment strategies: U A A P A

Domain: Applications Security* (some knowledge areas are prerequisite)
   Systems development life cycles
   Database development and management: A
   Systems controls: U A A A
   Distributed applications
   Object oriented concepts*
   Knowledge based systems*
   Application and systems attacks and vulnerabilities: U A P A A U
   Malicious code: U A A P A

Domain: Cryptography
   Cryptosystems: U A A
   Ciphers and encryption algorithms: U A A
   Asymmetric key systems: U A A
   Symmetric key systems: U A A
   Hybrid key systems: U A A
   Message authentication/message digests: U A A
   Public key infrastructure: U A A
   Key management: U A A P
   Digital signatures: U A A
   Alternative cryptosystems: U A A
   Security protocols: U A

Domain: Security Architecture
   Security models: U A A
   Information systems evaluation criteria: U A A
   System certification and accreditation: U A A
   Security architectures: U A A

Domain: Operations Security
   Operations concepts: U A A A P
   Threats and countermeasures: U A A A P
   Incident response: U A A A P
   Auditing: U A A A P
   Monitoring: U A A A P

Domain: Business Continuity Planning
   Contingency planning: U A A P
   Business continuity planning: U A A P
   Disaster recovery planning: U A A P
   Data backup and recovery methods: U A A P
   Crisis management: U A A P

Domain: Law and Ethics
   Law categories and types: U A A P
   Computer crimes: U A A P
   Computer crime investigations: U A A P
   Computer ethics: U A A P
   Computer forensics procedures: U A A

Domain: Physical Security
   Site selection and security: U A A
   Guards: U U
   Keys and locks: U U
   Doors, walls and gates: U U
   Intrusion detection systems: U U
   Fire detection and suppression systems: U U
   Biometrics: U A A
   CCTV: U

As is obvious, there is substantial overlap both within and between courses with regard to the level of mastery. In some cases, since our sequence of courses would permit a student to take the introduction course and then either the technical or the managerial course, we found that to obtain the desired level of mastery, duplication of certain levels would be necessary. Duplication between courses also serves to reinforce the desired level of depth. Also evident is the need to obtain both the understanding and accomplishment levels within the same course in order to reach the overall desired level of mastery. It was then a simple matter to re-organize learning objectives in each of the target courses and begin searching for learning materials that would support each of these courses. Since the initial development, our learning objectives have evolved to represent more robustly what the students should be learning in each course. Learning objectives for each of the core courses implemented are presented with the course descriptions in the next section.

As a final note to this phase of the model curriculum, we would like to make the following recommendations. Courses and programs should be created in ways that:

Involve all critical stakeholders. Just as in systems development, the use of representative groups from all interested parties (faculty, students, industry advisors) will serve to improve the final product.

Create employable students or students who can advance academically. The bottom line is to create a resource that will be in demand. Unless students can expect employability upon completion, they may lose interest in the program after an initial surge of interest due to the novelty of the program.

Capitalize on available resources (faculty, classrooms, labs). We have found that existing labs can be easily modified to support the information security laboratory's unique requirements and exercises. We have also found a wealth of freeware and hackerware tools that provide realistic and valuable experiences to the students. Cultivating several key industry contacts has also resulted in several multi-thousand dollar donations in software and hardware.

Support local / state / national program objectives like the National Strategy to Secure Cyberspace. Contributing to these types of programs not only provides visible and demonstrable credibility to the program, but also serves as a basis for increasing the validity of your program should you decide to apply for national grants and industry support.

Pilot study

Based on previous analysis of the literature and curriculum development and accreditation efforts, as indicated in previous sections, seven new information security courses were implemented at KSU. These classes were designed to meet existing national security standards, as described previously, and to provide a foundation for the curriculum model. In the pilot project students could select individual courses of interest or a five-course sequence culminating in a Certificate, as major electives in a Bachelor of Science in Information Systems degree. The Certificate in Information Security and Assurance (ISA) offers students both theoretical foundations and applied hands-on experiences with the tools and technologies used to protect information assets.
Upon examination of the textbooks and other learning support materials available at the time of the design of our curriculum, we initially pilot tested the courses with trade press texts, modified to meet the needs of an academic environment. In almost every instance, the trade press texts proved severely lacking in depth and breadth for the classroom. In a stroke of luck, we were approached by the senior editor of a major text publisher and convinced to write a text of our own. We took the opportunity to use the mappings that we were using for our courses and designed a text to provide a strong foundation for the first course in our sequence. The curriculum is designed to encompass both technical details and managerial functions. The certificate begins with three core courses:

Principles of Information Security & Assurance. An introduction to the various technical and administrative aspects of Information Security and Assurance, this course provides the foundation for understanding key issues associated with protecting information assets, developing protection and response to security incidents, and designing a consistent, reasonable information security system with appropriate intrusion detection and reporting features. Learning objectives: After successful completion of the course students should be able to: identify and prioritize information assets; identify and prioritize threats to information assets; define an information security strategy and architecture; discuss the components of an incident response plan; describe legal and public relations implications of security and privacy issues; and outline a disaster recovery plan.

Technical Applications in Information Security & Assurance. A detailed examination of the tools, techniques and technologies used in the securing of information assets, this course provides in-depth information on the software and hardware components of Information Security and Assurance. Topics covered include: firewall configurations, hardening Unix and NT servers, and specific implementation of security models and architectures.

Learning objectives: After successful completion of the course students should be able to: identify the components of Information Security Architectures; specify appropriate security models used in the architecture; identify specific weaknesses and strengths of the security of various networking operating systems; locate and recommend corrections to known vulnerabilities in network infrastructures; specify recommendations for the physical hardening of popular network components; and identify and specify the components of a technology-based security solution.

Policy and Administration in Information Security & Assurance. A detailed examination of a systems-wide perspective of information security, beginning with a strategic planning process for security. Includes an examination of the policies, procedures and staffing functions necessary to organize and administrate ongoing security functions in the organization. Subjects include security practices, security programs, and continuity planning and disaster recovery planning.

Learning objectives: After successful completion of the course students should be able to: write enterprise and issue-specific security policies; design a security infrastructure; build a security team; select necessary security personnel; specify recommendations for the auditing of an information system for security; and design a disaster recovery/business continuity plan.
Students then select two courses to complete the certificate. They may select these from: 1) Computer Forensics and either Criminal Investigations or Criminal Law; 2) Unix Administration and Security and Data Communications Protocols; 3) Computer Law and Computer Ethics; 4) Accounting Information Systems and either EDP Auditing & Control or Accounting Auditing & Assurance; or 5) Internship or Cooperative Study and one course from the above.

The Draft Curriculum Model

Outcomes from the pilot program have been incorporated into the proposed curriculum model. These outcomes included the adjustment of specific learning objectives across all core courses, adjusted use of laboratory exercises within each course, and the movement of some core material to more advanced classes (like forensics material from the technical course to the computer forensics course). Additional outcomes strengthened existing course relationships, and validated instructional approaches. One specific outcome was the identification of a clear lack of academic texts to support the curriculum. As a result, we authored our own for two of the courses. These texts are now part of a suite of academic Information Security texts offered by Course Technology. Table 1 provides an overview of our draft curriculum model.

Table 1: DRAFT CURRICULUM MODEL

Subject                                                Bloom's Levels of Knowledge (from [21])

Prerequisite Knowledge
  General: Computing Foundations, Data Communications
  Managerial: Also need Management, Accounting
  Technical: Also need Operating Systems, Computer Org & Arch, Programming, Protocols

Foundation
  1.0 Introduction to Information Security             L1 Knowledge: Recognition & Differentiation in Context
  1.1 Computer Law & Ethics                            L2 Comprehension: Translation/Extrapolation, Use of Knowledge

Technical Aspects of Information Security
  2.0 Technical Applications in InfoSec                L2 Comprehension: Translation/Extrapolation, Use of Knowledge
  2.1 Operating Systems Security                       L3 Application Knowledge
        Windows NT/2000 Security                       L4 Analysis & L5 Synthesis
        Linux/Unix Security                            L4 Analysis & L5 Synthesis
  2.2 Network Security                                 L3 Application Knowledge
  2.3 Applied Cryptography                             L3 Application Knowledge
  2.4 Computer Forensics                               L3 Application Knowledge
  2.5 Firewalls & Intrusion Detection Sys              L3 Application Knowledge
  2.6 ?????

Managerial Aspects of Information Security
  3.0 Management of Information Security               L2 Comprehension: Translation/Extrapolation, Use of Knowledge
      (Policy & Administration)
  3.1 Disaster Recovery/Business Continuity Planning   L3 Application Knowledge
  3.2 Risk Management                                  L3 Application Knowledge
  3.3 Incident Response                                L3 Application Knowledge
  3.4 Physical Security                                L3 Application Knowledge
  3.5 Security Training & Awareness Pgms               L3 Application Knowledge
  3.6 ?????

Outside Emphases
  O1 Criminal Justice                                  Varies
  O2 Auditing                                          Varies

Implementation of the Draft Curriculum Model

Our preliminary findings suggest that if an institution has the ability to only implement two courses, they will be best served implementing an introductory course, and then either a technical or managerial course depending on their preferences.
If the institution can implement more, an analysis of the intent of the program as described in previous sections will provide additional course recommendations, as illustrated in the table below.

Table 2: Implementation of the Proposed Curriculum Model

Based on the number of courses an institution can implement, it is recommended that they should select the courses indicated. Question marks (?) are used to indicate alternatives.

                                       Number of Courses the Institution can Implement in InfoSec
Courses:                               1     2       3     4     5     6     7
Introduction to InfoSec                *     *       *     *     *     *     *
Technical Applications in InfoSec            * or    *     *     *     *     *
Management of InfoSec                        *       *     *     *     *     *
Additional Courses Selected from:                          ?     ?     ?     ?
                                                                 ?     ?     ?
                                                                 ?     ?     ?
  Network Security (Win2K/Unix), Adv. Network Security, Operating Systems Security, Auditing for Security, Computer Forensics, Criminal Justice, Criminal Law, Computer Ethics, Computer Law, Cryptography/Cryptology, Secure Programming, Internship/Coops

Some suggestions based on institutional intent could be as follows:

Scenario 1: The institution can only implement one course:
  For a general or technical program: Introduction to InfoSec
  For a managerial or business program: Management of InfoSec (with heavy emphasis on foundation material).

Scenario 2: The institution can implement two courses:
  For a general or technical program: Introduction to InfoSec; Technical InfoSec
  For a managerial or business program: Introduction to InfoSec; Management of InfoSec

Scenario 3: The institution can implement three courses:
  For all programs: Introduction to InfoSec; Management of InfoSec; Technical InfoSec

Scenario 4: The institution can implement four courses:
  For a general or technical program:
    Introduction to InfoSec
    Management of InfoSec
    Technical InfoSec
    Advanced Technical topic such as:
      o Firewalls, IDS & VPNs
      o OS Security (Unix/Windows)
      o Computer Forensics
  For a managerial or business program:
    Introduction to InfoSec
    Management of InfoSec
    Technical InfoSec
    Advanced Managerial topic such as:
      o Contingency Planning
      o Computer Law & Ethics
      o Security Policy

As additional courses are added, additional technical or managerial topics can be added. Institutions can then begin drafting specific programs to include electives, existing courses, etc. to support their desired outcomes.

As a detailed example of our efforts, the Certificate in Information Security and Assurance is presented here with sample course syllabi. Following the Certificate is our newest degree program, the Bachelor of Science in Information Security and Assurance, with the course syllabi for the new classes associated with this degree.

Certificate in Information Security and Assurance (ISA)

The Certificate in Information Security and Assurance consists of 5 new courses, plus a number of courses in the current catalog from CS, IS, Accounting, Criminal Justice and Political Science degree programs. The Certificate is built on the presumption that students will be sufficiently prepared to enter the program. This includes Preparatory Knowledge Clusters in the areas of Principles of Computing, Programming Principles and Data Communications. Students who do not meet this assumption can either take the undergraduate equivalents (CSIS 2300, 2301 and 2520) or submit a portfolio of work to exempt one or more preparatory courses.

The Committee on National Security Systems and the National Security Agency have certified that Kennesaw State University offers a set of courseware that has been reviewed by National Level Information Assurance Subject Matter Experts and determined to meet the National Training Standard for Information Systems Security Professionals (NSTISSI 4011, 4012, 4013, 4014) for academic years.

Each student will be required to complete the 9-hour core (3 courses) and then select and complete one track (6 hours, 2 courses). All coursework within the certificate program must be completed with a C or better in order to count towards the certificate.

CORE:
  ISA 3100 Principles of Information Security and Assurance
  ISA 3200 Technical Applications in Information Security and Assurance
  ISA 3300 Policy and Administration in Information Security and Assurance

Plus One Track (6 hours from the following):

Track 1. Computer Forensics and Investigation
  ISA 3350 Computer Forensics
  and either CJ 3320 Criminal Investigations or POLS 4411 Criminal Law

Track 2. Technical Security
  CSIS 3550 Unix Administration & Security
  and CSIS 4500 Data Communications Protocols

Track 3. Computer Law and Ethics
  CSIS 4510 Computer Law
  and CSIS 4515 Computer Ethics

Track 4. Security Audit
  ACCT 3300 Accounting Information Systems
  and either CSIS 4210 EDP Audit & Control or ACCT 4150 Audit & Assurance

Track 5. Applied Security
  One elective from the above tracks or:
    CSIS 4420 Local Area Networks
    IT 4525 Electronic Commerce
    MGT 3100 Management and Behavioral Sciences
  and either ISA 3398 Internships in Information Security and Assurance or ISA 3396 Coop in Information Security and Assurance


Sample Syllabi

Kennesaw State University
DEPARTMENT OF COMPUTER SCIENCE AND INFORMATION SYSTEMS
ISA 3100 Principles of Information Security and Assurance
Date/Time of Class
Dr. Michael E. Whitman, CISSP

Course Description: Examination of current standards of due care and best business practices in Information Security. Includes examination of security technologies, methodologies and practices. Focus is on evaluation and selection of optimal security posture. Topics include evaluation of security models, risk assessment, threat analysis, organizational technology evaluation, security implementation, disaster recovery planning and security policy formulation and implementation.

Prerequisites: CIS 2520: Data Communications

Textbooks: Principles of Information Security, Whitman & Mattord, 2003, Course Technology. ISBN:

Resources:
  SP An Introduction to Computer Security: The NIST Handbook
  SP Security Self-Assessment Guide for Information Technology Systems
  SP Risk Management Guide for Information Technology Systems
  SP Contingency Planning Guide for Information Technology Systems

Instructor: Michael E. Whitman, Ph.D., CISSP
Office: CL
E-mail Address:
Phone:
Note: I seldom check phone messages; the best method of communication is via e-mail.
Office Hours: TBD by e-mail and by appointment.
Fax Number:
Website Address:

Learning Outcomes: As a result of completing this course, students will be able to:
  Describe threats to information security.
  Identify methods, tools and techniques for combating these threats.
  Identify types of attacks and problems that occur when systems are not properly protected.
  Explain integral parts of overall good information security practices.
  Identify and discuss issues related to access control.
  Describe the need for and development of information security policies, and identify guidelines and models for writing policies.
  Define risk management and explain why it is an important component of an information security strategy and practice.
  Describe the types of contingency plans and the steps involved in developing each.
  Identify security issues related to personnel decisions, and qualifications of security personnel.

Final Grading: A standard 100% evaluation scheme will be used (i.e. = A, = B, = C, = D, else = F). Project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double check for spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Withdrawal Policy: The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral notice thereof DOES NOT constitute official withdrawal from the course. Students who simply stop attending classes without officially withdrawing usually are assigned failing grades. Students wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a withdrawal form from the Academic Services Department in the Registrar's Office.

Enrollment Policy: Only those students who are enrolled in the class may attend lectures, receive assignments, take quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn from this course, they will not be permitted to attend class nor will they receive any grade for the class.

Electronic Devices: In order to minimize the level of distraction, all beepers and cellular phones must be on quiet mode during class meeting times. Students who wish to use a computer/PDA for note taking need prior approval of the instructor, since key clicks and other noises can distract other students. Recording of lectures by any method requires prior approval of the instructor. Students using a laptop in class should not check their e-mail, browse the web, or in any other way detract from the focus of the class.

Classroom Behavior: Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for upholding the provision. For more details, visit the catalog. Students who are in violation of this policy will be asked to leave the classroom and may be subject to disciplinary action by the University.

Tentative Course Schedule (Subject to change):

Week  Date  Topic & Chapter
  1         Introduction & Chapter 1: Introduction
  2         Chapter 2: The Need for Security
  3         Chapter 3: Legal & Ethical Issues in Security
  4         Chapter 4: Risk Management: Identifying and Assessing Risk
  5         Chapter 5: Risk Management: Assessing and Controlling Risk
  6         Chapter 6: Blueprint For Security
  7         Exam 1
  8         Labs (Last Day to Drop without Academic Penalty)
  9         Group Meetings
 10         Chapter 7: Planning for Continuity and the Systems Development Life Cycle
 11         Chapter 8: Security Technology
 12         Chapter 9: Physical Security
 13         Chapter 10: Implementing Security
 14         Chapter 11: Personnel and Security
 15         Chapter 12: Maintaining a Security Posture
 16         Exam 2
 Final Exam Project Presentations

Special Dates:
  Holidays/No Class
  Last day to withdraw without penalty
  Last day of class
  Final Exam Period
  Graduation

Class Format: Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn or meet in the SC 363 computer lab for hands-on exercises.

Lecture Notes: Class notes can be downloaded from: TBD

Assignments: The student will be assigned a number of written projects and reports throughout the course of the semester. These will include:
  Contribution to a class security links and security readings web pages
  Sample risk assessment
  Control spreadsheet
  Outline of a disaster recovery plan
  Organizational fair and responsible use policy
Additional details will be provided in class.

Project Requirements: During the course of the semester, students will be exposed to a fictitious organization, CGT, Inc., a computer gaming company. Students will be expected to analyze and design a complete computer security profile for this organization and its systems. This analysis will be organized and presented at the end of the semester. Students will submit a binder containing all necessary security policies, documents and recommendations. Additional details will be provided in class.

Instructor Absence: In the event of an instructor absence, the class will find a notice posted. If the instructor does not arrive within 20 minutes of the start of class, the class should move to the lab and work on their laboratory exercises.

Computer Labs: Additional information on lab hours and availability will be provided in class.

Assessment:
  Exam 1                 25%
  Exam 2                 25%
  Assignments and Labs   20%
  Project                30%
  Total                 100%

Grade Evaluation:
  A  90% - 100%
  B  89% - 80%
  C  79% - 70%
  D  69% - 60%
  F  59% or below

Project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double check for spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Student Course Evaluation: A standard questionnaire (described below) will be administered during the last two weeks of the semester in all classes. Additional questions developed by the college or instructor(s) may be included as well. It is important that each student provide meaningful feedback to the instructor(s) so that changes can be made in the course to continually improve its effectiveness. We value student feedback about the course, our teaching styles, and course materials, so as to improve our teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify the aspects of the course that most contributed to your learning (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2) Identify the aspects of the course, if any, that might be improved (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring).

Acquiring Final Grades: The final grades for this course will be posted to the student's permanent record using the KSU Banner system. Students may acquire their final grades by accessing their Banner account online. Grades are no longer mailed to students. Students needing verification of grades or enrollment should request either an official transcript or an enrollment verification through the Office of the Registrar.

Academic Integrity Statement: Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one semester suspension requirement.

Students are encouraged to study together and to work together on class assignments and lab exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic Honesty, KSC Undergraduate Catalog will be strictly enforced in this class. Frequently students will be provided with take-home exams or exercises. It is the student's responsibility to ensure they fully understand to what extent they may collaborate or discuss content with other students. No exam work may be performed with the assistance of others or outside material unless specifically instructed as permissible. If an exam or assignment is designated "no outside assistance", this includes, but is not limited to, peers, books, publications, the Internet and the WWW. If a student is instructed to provide citations for sources, proper use of citation support is expected.

Additional information can be found at the following locations:

Acknowledgment and Acceptance of Academic Integrity Statement:

In any academic community, certain standards and ethical behavior are required to ensure the unhindered pursuit of knowledge and the free exchange of ideas. Academic honesty means that you respect the right of other individuals to express their views and opinions, and that you, as a student, not engage in plagiarism, cheating, illegal access, misuse or destruction of college property, or falsification of college records or academic work. As a member of the Kennesaw State University academic community you are expected to adhere to these ethical standards. You are expected to read, understand and follow the code of conduct as outlined in the KSU graduate and undergraduate catalogs. You need to be aware that if you are found guilty of violating these standards you will be subject to certain penalties as outlined in the college judiciary procedures. These penalties include permanent expulsion from KSU.

Read the Academic Integrity Statement and then sign and date in the space below. You are required to abide by these ethical standards while you are a student at KSU. Your signature indicates that you understand the ethical standards expected of you in this academic community, and that you understand the consequences of violating these standards.

Course Name:
Instructor Name:
Print Name:
Student ID Number:
Signature:
Date:

White Hat Agreement and Code of Ethics

This is a working document that provides further guidelines for the course exercise. If you have questions about any of these guidelines, please contact one of the course instructors. When in doubt, the default action should be to ask the instructors.

1) The goal of the project is to search for technical means of discovering information about others with whom you share a computer system. As such, non-technical means of discovering information are disallowed (e.g., following someone home at night to find out where they live).
2) ANY data that is stored outside of the course accounts can be used only if it has been explicitly and intentionally published (e.g. on a web page), or if it is in a publicly available directory (e.g. /etc, /usr).
3) Gleaning information about individuals from anyone outside of the course is disallowed.
4) Impersonation, e.g. forgery of electronic mail, is disallowed.
5) If you discover a way to gain access to any account other than your own (including root), do NOT access that account, but immediately inform the course instructors of the vulnerability. If you have inadvertently already gained access to the account, IMMEDIATELY exit the account and inform the course instructors.
6) All explorations should be targeted specifically to the assigned course accounts. ANY tool that indiscriminately explores non-course accounts for vulnerabilities is specifically disallowed.
7) Using the web to find exploration tools and methods is allowed. In your reports, provide full attribution to the source of the tool or method.
8) If in doubt at all about whether a given activity falls within the letter or spirit of the course exercise, discuss the activity with the instructors BEFORE exploring the approach further.
9) You can participate in the course exercise only if you are registered for a grade in the class. ANY violation of the course guidelines may result in disciplinary or legal action.
10) Any academic misconduct or action during the course of the class can result in that course not being eligible to count toward the security certificate.

White Hat Agreement
Kennesaw State University
Code of Ethics

Preamble: (Source: Code of Ethics)

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior. Therefore, strict adherence to this code is a condition of laboratory admission.

Code of Ethics Canons:
  Protect society, the commonwealth, and the infrastructure.
  Act honorably, honestly, justly, responsibly, and legally.
  Provide diligent and competent service to principals.
  Advance and protect the profession.

The following additional guidance is given in furtherance of these goals.

Objectives for Guidance

Protect society, the commonwealth, and the infrastructure
  Promote and preserve public trust and confidence in information and systems.
  Promote the understanding and acceptance of prudent information security measures.
  Preserve and strengthen the integrity of the public infrastructure.
  Discourage unsafe practice.

Act honorably, honestly, justly, responsibly, and legally
  Tell the truth; make all stakeholders aware of your actions on a timely basis.
  Observe all contracts and agreements, express or implied.
  Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals, individuals, and the profession in that order.
  Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be truthful, objective, cautious, and within your competence.
  When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in which you render your service.

Provide diligent and competent service to principals
  Preserve the value of their systems, applications, and information.
  Respect their trust and the privileges that they grant you.
  Avoid conflicts of interest or the appearance thereof.
  Render only those services for which you are fully competent and qualified.

Advance and protect the profession
  Sponsor for professional advancement those best qualified. All other things equal, prefer those who are certified and who adhere to these canons. Avoid professional association with those whose practices or reputation might diminish the profession.
  Take care not to injure the reputation of other professionals through malice or indifference.
  Maintain your competence; keep your skills and knowledge current. Give generously of your time and knowledge in training others.

As part of this course, you may be exposed to systems, tools and techniques related to Information Security. With proper use, these components allow a security or network administrator to better understand the vulnerabilities and security precautions in effect. Misused, intentionally or accidentally, these components can result in breaches of security, damage to data or other undesirable results. Since these lab experiments will be carried out in part in a public network that is used by people for real work, you must agree to the following before you can participate. If you are unwilling to sign this form, then you cannot participate in the lab exercises.

Student agreement form:

I agree to:
- only examine the special course accounts for privacy vulnerabilities (if applicable)
- report any security vulnerabilities discovered to the course instructors immediately, and not disclose them to anyone else
- maintain the confidentiality of any private information I learn through the course exercise
- actively use my course account with the understanding that its contents and actions may be discovered by others
- hold harmless the course instructors and Kennesaw State University for any consequences of this course
- abide by the computing policies of Kennesaw State University and by all laws governing use of computer resources on campus

I agree to NOT:
- attempt to gain root access or any other increase in privilege on any KSU workstation
- disclose any private information that I discover as a direct or indirect result of this course exercise
- take actions that will modify or deny access to any data or service not owned by me
- attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of the labs
- utilize any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course exercise
- pursue any legal action against the course instructors or Kennesaw State University for consequences related to this course

Moreover, I consent for my course accounts and systems to be examined for security and privacy vulnerabilities by other students in the course, with the understanding that this may result in information about me being disclosed (if applicable).

This agreement has been explained to me to my satisfaction. I agree to abide by the conditions of the Code of Ethics and of the White Hat Agreement.

Signed:
Date:
Printed name:
E-mail address:

Kennesaw State University
DEPARTMENT OF INFORMATION SYSTEMS
Fall 201x

ISA 3200 Technical Applications in Information Security and Assurance
Date/Time of Class
Dr. Michael E. Whitman, CISSP

Course Description: Detailed examination of the tools, techniques and technologies used in the technical securing of information assets. This course is designed to provide in-depth information on the software and hardware components of Information Security and Assurance. Topics covered include: firewall configurations, hardening Unix and NT servers, Web and distributed systems security, and specific implementation of security models and architectures.

Prerequisites: ISA 3100: Principles of Information Security and Assurance

Textbooks: Guide to Network Security, 2012, Course Technology. ISBN:

Resources:
SP Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability Naming Scheme, September 2002
SP Wireless Network Security: , Bluetooth, and Handheld Devices, November 2002
SP Guidelines on Firewalls and Firewall Policy, January 2002
SP Procedures for Handling Security Patches, September 2002
SP Underlying Technical Models for Information Technology Security, December 2001
SP Introduction to Public Key Technology and the Federal PKI Infrastructure, February 2001
SP Intrusion Detection Systems (IDS), November 2001
SP Guidelines on Active Content and Mobile Code, October 2001
Plus additional resources as assigned in class.

Instructor: Michael E. Whitman, Ph.D., CISSP
Office: CL
E-mail Address:
Phone:
Note: I seldom check phone messages; the best method of communication is via e-mail.
Office Hours: TBD, by e-mail and by appointment.
Fax Number:

Website Address:

Learning Outcomes: With the increasing exposure of information systems to attacks from natural and man-made disasters, there is an increasing demand on information systems technical staff to use technical information security tools to defend systems from attacks on information systems security. The purpose of this course is to examine technical preventative, detective and responsive measures. As a result of completing this course, students will be able to:
- Understand the technical details of common information security technical countermeasures.
- Evaluate each of the included technical countermeasures as to when its use is appropriate and how it can be used to provide increased control or reduced risk.
- Create deployment plans for included technical countermeasures that include impact and risk assessments for IT systems as well as impact and risk to general system users.
- Apply technical knowledge to simulated deployment planning issues using a case study in a team-based project.

Final Grading: A standard 100% evaluation scheme will be used (i.e., = A, = B, = C, = D, else = F). The project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double-check spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Withdrawal Policy: The last day to withdraw without academic penalty is TBD. Ceasing to attend class, or oral notice thereof, DOES NOT constitute official withdrawal from the course. Students who simply stop attending classes without officially withdrawing are usually assigned failing grades. Students wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a withdrawal form from the Academic Services Department in the Registrar's Office.

Enrollment Policy: Only those students who are enrolled in the class may attend lectures, receive assignments, take quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn from this course, they will not be permitted to attend class, nor will they receive any grade for the class.

Electronic Devices: In order to minimize the level of distraction, all beepers and cellular phones must be on quiet mode during class meeting times. Students who wish to use a computer/PDA for note taking need prior approval of the instructor, since key clicks and other noises can distract other students. Recording of lectures by any method requires prior approval of the instructor. Students using a laptop in class should not check their e-mail, browse the web, or in any other way detract from the focus of the class.

Classroom Behavior: Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for upholding the provision. For more details, visit:
Students who are in violation of this policy will be asked to leave the classroom and may be subject to disciplinary action by the University.

Tentative Course Schedule (subject to change):

Week  Date  Topic & Chapter
 1          Introduction & Chapter 1: Foundations of Network Security
 2          Chapter 2: Designing a Network Defense
 3          Chapter 3: Risk Analysis and Security Policy Design
 4          Lab 1
 5          Chapter 4: Choosing and Designing Firewalls
 6          Chapter 5: Configuring Firewalls
 7          Chapter 6: Strengthening and Managing Firewalls
 8          Exam 1
 9          Lab 2
10          Chapter 7: Setting up a Virtual Private Network
11          Chapter 8: Intrusion Detection: An Overview
12          Chapter 9: Intrusion Detection: Preventive Measures
13          Lab 3
14          Chapter 10: Intrusion Detection: Incident Response
15          Chapter 11: Strengthening Defense Through Ongoing Management
16          Exam 2
Final Exam  Project Presentations

Special Dates:
Holidays/No Class
Last day to withdraw without penalty
Last day of class
Final Exam Period
Graduation

Class Format: Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn to or meet in the SC 363 computer lab for hands-on exercises.

Lecture Notes: Class notes can be downloaded from: TBD

Assignments: Students will be issued an assignment schedule during the semester, consisting of requirements from the Information Security Lab Manual and other relevant requirements.

Project Requirements: During the course of the semester, students will be presented with a fictitious organization, CGT, Inc., a computer gaming software company. Students will be expected to assess the vulnerabilities present in CGT's three primary servers. Students will be provided with an assessment toolkit and asked to produce a written report identifying all vulnerabilities in these systems. In addition, the student will be required to research the vulnerabilities, including the CVE for each, and collect information on the resolution of the vulnerabilities. Students will submit a binder containing all necessary documents and recommendations. Additional details will be provided in class and via WebCT.

Instructor Absence: In the event of an instructor absence, the class will find a notice posted. If the instructor does not arrive within 20 minutes of the start of class, the class should move to the lab and work on their laboratory exercises.

Computer Labs: Additional information on lab hours and availability will be provided in class.

Assessment:
Exam 1        20%
Exam 2        20%
Assignments   15%
Labs          20%
Project       25%
Total        100%

Grade Evaluation:
A  90% - 100%
B  80% - 89%
C  70% - 79%
D  60% - 69%
F  59% or below

The project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double-check spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Student Course Evaluation: A standard questionnaire (described below) will be administered during the last two weeks of the semester in all classes. Additional questions developed by the college or instructor(s) may be included as well. It is important that each student provide meaningful feedback to the instructor(s) so that changes can be made in the course to continually improve its effectiveness. We value student feedback about the course, our teaching styles, and course materials, so as to improve our teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify the aspects of the course that most contributed to your learning (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2) Identify the aspects of the course, if any, that might be improved (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring).

Acquiring Final Grades: The final grades for this course will be posted to the student's permanent record using the KSU Banner system. Students may acquire their final grades by accessing their Banner account online. Grades are no longer mailed to students. Students needing verification of grades or enrollment should request either an official transcript or an enrollment verification through the Office of the Registrar.

(Syllabus truncated to remove material redundant with the other examples.)

Project Description: Each student will be assigned to a 3-person team. Although assigned to a team, each student will conduct an independent analysis of the target servers. Once each student has scanned the designated targets, the student can then work with their team in identifying the specifics of each vulnerability and its resolution. While detailed knowledge of server administration is not required, a basic understanding of operating systems and networking is expected. Students who do not have this level of knowledge will be expected to study on their own to understand the systems sufficiently to assist in their preparation for security. Students will be expected to research and recommend upgrades and fixes for known vulnerabilities. Resources to use in your assessment include: Sam Spade, NMAP, Nessus and LanGuard. Resources to use in your investigation of vulnerabilities include: and other references to be provided in class. At the end of the semester the student team will give a joint presentation overviewing the vulnerabilities found on each server and the severity of the individual vulnerabilities. Each student will submit a binder with an overview of the specification of the system examined, methods and techniques used, and findings, neatly organized, tabbed with appropriate headers and references. Additional materials will be provided in class.

Lab Exercises Overview: Selected exercises from the Hands-On Information Security Lab Manual or online exercises through XanEdu will be selected for this course. These will come from the following (for the lab manual):

Chapter 1 Footprinting
Ex 1-1 Web Reconnaissance
Ex 1-2 WhoIS
Ex 1-3 DNS Interrogation
Ex 1-4 Network Reconnaissance

Chapter 2 Scanning & Enumeration
Ex 2-1 Scanning Utilities
Ex 2-2 Active Stack Fingerprinting
Ex 2-3 Generic Enumeration
Ex 2-4 Novell Enumeration
Ex 2-5 Unix Enumeration

Chapter 3 Firewalls and Intrusion Detection Systems
Ex 3-1 Windows Host Based Firewall Setup
Ex 3-2 Linux Firewall Setup
Ex 3-3 Intrusion Detection Systems Setup

Chapter 4 Operating Systems Vulnerability Analysis and Resolution
Ex 4-1 Common Win9x/ME Exploits and Protection
Ex 4-2 Common WinNT Exploits and Protection
Ex 4-3 Common Win2000 Exploits and Protection
Ex 4-4 Common UNIX Exploits and Protection

Ex 4-5 Common LINUX Exploits and Protection
Ex 4-6 Common Novell Exploits and Protection

Chapter 5 Security Maintenance (Whitman & Shackleford)
Ex 5-1 Log Analysis
Ex 5-2 Establishing a Virtual Private Network
Ex 5-3 Implementing Public Key Encryption
Ex 5-4 Using Digital Certificates
Ex 5-5 Virus Threats and Hoaxes
Ex 5-6 Password and Password Policy Evaluation

Chapter 6 Minicase Studies (Whitman)
Minicases: Analysis of the Minicase
Minicase 1 Lab Antivirus Protection Strategy
Minicase 2 Personal Firewall Evaluation
Minicase 3 The Security Awareness, Training and Education Program
Minicase 4 Lab Physical Security Assessment
Minicase 5 Lab Document Security Assessment
Minicase 6 Local Security Policies Evaluation

Chapter 7 Case Studies (Whitman)
Case 1 HomeLAN Inc. Residential Solutions
Case 2 HomeLAN Inc. Business Solutions
Case 3 Computer Gaming Technologies Inc.
Case 4 DOTCOM Ltd.

Appendix A: Common Utilities and Tutorials (All)
Ex A-1: Sam Spade (Whitman)
Ex A-2: Ethereal
Ex A-3: NESSUS
Ex A-4: NMAP
Ex A-5: LanGuard Port Scanner
Ex A-6: LanGuard Network Scanner
Ex A-7: NetCat
Ex A-8: SNORT (Shackleford)

Kennesaw State University
DEPARTMENT OF INFORMATION SYSTEMS
Semester year

ISA 3300 Policy and Administration in Information Security and Assurance
Date/Time of Class
Dr. Michael E. Whitman, CISSP

Course Description: Detailed examination of a systems-wide perspective of information security, beginning with a strategic planning process for security. Includes an examination of the policies, procedures and staffing functions necessary to organize and administer ongoing security functions in the organization. Subjects include security practices, security architecture and models, continuity planning and disaster recovery planning.

Prerequisites: ISA 3100: Principles of Information Security

Textbooks: Management of Information Security, Whitman & Mattord, 2004, Course Technology. ISBN: (draft to be distributed in class).

Resources:
SP An Introduction to Computer Security: The NIST Handbook
SP Security Self-Assessment Guide for Information Technology Systems
SP Risk Management Guide for Information Technology Systems
SP Contingency Planning Guide for Information Technology Systems

Instructor: Michael E. Whitman, Ph.D., CISSP
Office: CL
E-mail Address: [email protected]
Phone:
Note: I seldom check phone messages; the best method of communication is via e-mail.
Office Hours: TBD, by e-mail and by appointment.
Fax Number:
Website Address:

Learning Outcomes: As a result of completing this course, students will be able to:
- Discuss the stages in the risk management process.
- Conduct a Business Impact Analysis.
- Identify and prioritize threats to information and priorities of organizational information resources.
- Develop information security policies of all three types.
- Design a security education, training and awareness program.
- Make informed choices in selecting security personnel.
- Develop guidelines for the hiring of non-security personnel that are sensitive to organizational information protection requirements.
- Conduct a cost-benefit analysis.
- Develop a budget for the acquisition of needed security resources.
- Develop a program for planning responses to business information security contingencies.

Final Grading: A standard 100% evaluation scheme will be used (i.e., = A, = B, = C, = D, else = F). The project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double-check spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Withdrawal Policy: The last day to withdraw without academic penalty is TBD. Ceasing to attend class, or oral notice thereof, DOES NOT constitute official withdrawal from the course. Students who simply stop attending classes without officially withdrawing are usually assigned failing grades. Students wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a withdrawal form from the Academic Services Department in the Registrar's Office.

Enrollment Policy: Only those students who are enrolled in the class may attend lectures, receive assignments, take quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn from this course, they will not be permitted to attend class, nor will they receive any grade for the class.

Electronic Devices: In order to minimize the level of distraction, all beepers and cellular phones must be on quiet mode during class meeting times. Students who wish to use a computer/PDA for note taking need prior approval of the instructor, since key clicks and other noises can distract other students. Recording of lectures by any method requires prior approval of the instructor. Students using a laptop in class should not check their e-mail, browse the web, or in any other way detract from the focus of the class.

Classroom Behavior: Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for upholding the provision. For more details, visit:
Students who are in violation of this policy will be asked to leave the classroom and may be subject to disciplinary action by the University.

Tentative Course Schedule (subject to change):

Week  Date  Topic & Chapter
 1          Introduction & Chapter 1: Introduction to Mgt of InfoSec
 2          Chapter 2: Planning for Security
 3          Chapter 3: Planning for Contingencies
 4          Chapter 4: Security Policy
 5          Chapter 5: Developing Security Programs
 6          Chapter 6: Security Management Models and Practices
 7          Exam 1
 8          Labs (Last Day to Drop without Academic Penalty)
 9          Group Meetings
10          Chapter 7: Risk Assessment
11          Chapter 8: Risk Management and Control
12          Chapter 9: Protection Mechanisms
13          Chapter 10: Personnel and Security
14          Chapter 11: Law & Ethics
15          Chapter 12: Security Project Management
16          Exam 2
Final Exam  Project Presentations

Special Dates:
Holidays/No Class
Last day to withdraw without penalty
Last day of class
Final Exam Period
Graduation

Class Format: Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn to or meet in the SC 363 computer lab for hands-on exercises.

Lecture Notes: Class notes can be downloaded from: TBD

Assignments: The student will be assigned a number of written projects and reports throughout the course of the semester. These will include:
- Sample risk assessment
- Control spreadsheet
- Outline of a disaster recovery plan
- Organizational security policies
Additional details will be provided in class.

Project Requirements: Students will be organized into 3-4 person teams and provided with a case study of an organization in desperate need of information security. Students will analyze the organization and design a security profile including security personnel, a security policy, disaster recovery and continuity plans, and recommendations for periodic auditing of the system. Additional details will be provided in class.

Instructor Absence: In the event of an instructor absence, the class will find a notice posted. If the instructor does not arrive within 20 minutes of the start of class, the class should move to the lab and work on their laboratory exercises.

Computer Labs: Additional information on lab hours and availability will be provided in class.

Assessment:
Exam 1                 25%
Exam 2                 25%
Assignments and Labs   25%
Project                25%
Total                 100%

Grade Evaluation:
A  90% - 100%
B  80% - 89%
C  70% - 79%
D  60% - 69%
F  59% or below

The project will be graded for correctness and completeness. The instructor retains the right to subjectively adjust an individual student's grade in appropriate cases, based upon observed performance. All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality type. Specific examples will be provided in class. Students failing to present the information completely, neatly and in the prescribed format will receive minimal credit for their work. Students should double-check spelling and grammar before submitting assignments. NO LATE WORK WILL BE ACCEPTED.

Student Course Evaluation: A standard questionnaire (described below) will be administered during the last two weeks of the semester in all classes. Additional questions developed by the college or instructor(s) may be included as well. It is important that each student provide meaningful feedback to the instructor(s) so that changes can be made in the course to continually improve its effectiveness. We value student feedback about the course, our teaching styles, and course materials, so as to improve our teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify the aspects of the course that most contributed to your learning (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2) Identify the aspects of the course, if any, that might be improved (include examples of specific materials, exercises and/or the faculty member's approach to teaching and mentoring).

Whitman & Mattord, Kennesaw State University

Acquiring Final Grades: The final grades for this course will be posted to the student's permanent record using the KSU Banner system. Students may acquire their final grades by accessing their Banner account online. Grades are no longer mailed to students. Students needing verification of grades or enrollment should request either an official transcript or an enrollment verification through the Office of the Registrar.

Academic Integrity Statement: Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one-semester suspension requirement.

Students are encouraged to study together and to work together on class assignments and lab exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic Honesty, KSC Undergraduate Catalog will be strictly enforced in this class. Frequently students will be provided with take-home exams or exercises. It is the student's responsibility to ensure they fully understand to what extent they may collaborate or discuss content with other students. No exam work may be performed with the assistance of others or outside material unless specifically instructed as permissible. If an exam or assignment is designated "no outside assistance", this includes, but is not limited to, peers, books, publications, the Internet and the WWW. If a student is instructed to provide citations for sources, proper use of citation support is expected. Additional information can be found at the following locations:

(Additional duplicative material deleted for brevity.)

Project Description: Using the CGT Case RFP provided in class, use the following proposal format to provide the indicated information.

Computer Gaming Technologies Information Security RFP Response

The following sections should guide the development and submission of the proposal. The final document will be submitted in a 3-ring binder, single-spaced, with standard margins and fonts. Each section should be properly tabbed, organized, and structured with appropriate headers. Each new section and subsection should begin on a fresh page. All pages should be numbered, and an index placed at the beginning of the document. The group members' names should be prominently displayed on the front cover. For each section, address the subjects or components outlined beneath it. If a component requires a separate binder or document, create it as needed.

SECTION

1) Overview of CGT
Provide an overview of the CGT company history, including an organization chart, physical plant layout (blank), and a general description of organizational computing and in-place security resources.

2) Problem Definition
Create a summary of the situation leading to the issuance of the RFP. Specify the specific organizational needs and situations demanding resolution.

3) Enterprise Information Security Policy
Create an Enterprise Information Security Policy for CGT, based on the template in the text. Feel free to use assumptions to fill the policy with information as if you are the CISO of CGT, just beginning a new Security SDLC.

4) Issue Specific Policies
Create a list outlining the ISSPs that CGT will need, and specify what each policy should address (1 paragraph each). As an example, create an issue specific security policy for the CGT case, based on the template in the text. The issue you are to address is fair and responsible use of office e-mail. Feel free to use assumptions to fill the policy with information as if you are the CISO of CGT, just beginning a new Security SDLC.

5) Risk Management
Create an assessment of the risks inherent in CGT's current security profile. Include an assessment of threats facing CGT, along with estimated vulnerabilities in the CGT systems. Include weighted tables a) prioritizing threats and b) prioritizing assets. Make recommendations as to general improvements in the information security posture. Basically, perform a Risk Assessment/Business Impact Analysis on CGT.

6) Information Security Awareness Program
Create an information security awareness program overview document, outlining a projected implementation of awareness in CGT. Feel free to use assumptions to fill the policy with information as if you are the CISO of CGT, just beginning a new Security SDLC. As part of your program include:
- 2 examples of Security Awareness Posters in PowerPoint.
- A training calendar for needed security training (1 month).
- A sample newsletter (2-4 pages) providing security awareness information to CGT employees.

7) Contingency Planning
Provide a planning framework for CGT's contingency planning. Design a contingency planning program, including specifications for the program team, deliverables, timelines, etc. Provide a template for each of the following components:
- Incident Response Plan
- Disaster Recovery Plan
- Business Continuity Plan
This does not require you to complete these components; only provide a detailed outline that CGT can fill in to create these plans, and a project management plan for the design and development of both the team and the actual plans.

8) Security Staff
Design a Security Team for an organization of this size (organization chart), including specifications for the numbers and types of security professionals needed. Develop a job advertisement for each position with qualifications and requirements.

Bachelor of Science in Information Security and Assurance

In November 2004, the USG Board of Regents approved KSU's request to offer a Bachelor of Science in Information Security and Assurance, representing one of the first such degree programs of its kind in the country at a public institution. The following section overviews the contents of this program and discusses some of the development tasks that occurred in the construction of the program. The authors of the program used the information in this guide in developing the curriculum of the degree.

Program Objectives

The purpose of the proposed Bachelor of Science in Information Security and Assurance (BS-ISA) program is to create technologically proficient, business-savvy information security professionals capable of applying policy, education & training and technology solutions to protect information assets from all aspects of threats, and to manage the risks associated with modern information usage. This program will incorporate existing coursework provided through departments on campus, minimizing the need for new courses, yet will create and offer a unique program of study, with up to twelve required Information Security courses, up to eight Information Technology courses, five Business courses, and a host of electives in areas such as Criminal Justice.

In preparation for campus SACS accreditation, and as part of KSU's continuous improvement in education program, the Assessment of Learning, the program architects have developed tentative general and specific program objectives:

General Program Learning Objectives

GPLO1 The graduate is able to demonstrate a thorough understanding of the theoretical foundations and practical applications of information technology.
GPLO2 The graduate is able to demonstrate a solid foundation in commonly accepted business principles and practices.
GPLO3 The graduate is able to protect the confidentiality, integrity and availability of information while in transmission, storage or processing through the application of policy, education, training and awareness programs, and technology.
GPLO4 The graduate is able to demonstrate an awareness of, and to articulate positive and socially responsible positions on, the ethical and legal issues associated with the protection of information and privacy.
GPLO5 The graduate is able to demonstrate an understanding of the relationship and inter-responsibilities between all three communities of interest in Information Security: General Business, Information Technology, and Information Security.
GPLO6 The graduate is able to communicate effectively orally, in writing and using symbolic methods and modeling with all communities of interest: technical and non-technical managers and users.

Specific Program Learning Objectives

SPLO1 The graduate is able to demonstrate an understanding of the elements of information security management: Policy, Strategic and Continuity Planning, Programs and Personnel.

SPLO2 The graduate is able to analyze and design technical information security controls and safeguards, including system-specific policies, network and platform security countermeasures, and access controls.

SPLO3 The graduate is able to investigate and implement the principles and applications of risk management, including business impact and cost-benefit analyses and implementation methods.

SPLO4 The graduate is able to demonstrate an understanding of, and to implement, an assessment of the threats, vulnerabilities and assets of modern computing systems, including hardware, software, and networking components.

SPLO5 The graduate is able to demonstrate an understanding of the foundations of security programming and the use of security-related scripts.

Degree Program Knowledge and Skills

Technology Knowledge and Skills

While the proposed degree program is independent of and distinct from the Bachelor of Science in Information Systems and the Bachelor of Science in Computer Science, it draws on the technology foundation of both. These two existing programs share a common core in programming, database management and advanced technology issues. This foundation, coupled with the available courses that form the Certificate in Information Technology, provides students with a firm grounding in information technology. While Information Security students must have a solid grasp of information technology, information security itself is not necessarily a technology-centric field. Just as Information Systems majors focus on using technology to solve business problems, Information Security majors focus on using policy, education and awareness, and technology to protect organizational information assets.
Business Knowledge and Skills

The foundation in Business is essential because information security, like information systems, is an area that affects all aspects of an organization and requires a strategic understanding of how businesses function. The business foundation gives students a detailed understanding of financial accounting processes and of managerial principles, including policy, planning, and personnel administration.

Cross-Disciplinary Electives

The proposed degree program will also include areas of Criminal Justice, a program related in its approach to Cyber-Crime, a new area in the law enforcement arena. Cyber-Crime incorporates aspects of information security from the criminal and law enforcement perspectives. Coordination with the Criminal Justice program coordinator indicates that this is an excellent cross-disciplinary opportunity to create a new subset of information security professionals, prepared to work in law enforcement or corporate security in the areas of cyber-crime and computer forensics.

Career Opportunities

As a recommended elective component of the program, students can select from a number of career-oriented opportunities, including internships and cooperative studies. There are a number of information security related opportunities with local businesses, the Georgia Bureau of Investigation and numerous public service institutions. The Center for Information Security Education and Awareness employs 5-6 student interns each semester in support of the current Certificate in Information Security and Assurance. These students learn critical security skills while providing valuable vulnerability assessments, security technology installation and configuration, and policy review and recommendations. The center will continue its support of student internships and cooperative studies
with the proposed degree program. Once students have completed their educational programs, it is anticipated that the growing demand for information security professionals will continue, as this is one area that organizations will be reluctant to outsource overseas, a trend that is affecting a number of other information technology jobs.

Through collaboration with the College of Business, the College of Humanities and Social Sciences, the Center for Information Security Education and Awareness, and numerous academic departments, the faculty, staff, and administrators behind this new program strive to actualize the academic environment envisioned in the university's mission statement: one that fosters high-quality academic preparation, critical thinking, global and multicultural perspectives, effective communication and interpersonal skills, leadership development, social responsibility and lifelong learning.

The Department of Computer Science and Information Systems is well prepared for the inaugural class of students in this program. Over the past two years, the department has gained experience in offering information security classes through its efforts with the Certificate in Information Security and Assurance. The proposed program will require only six new courses in order to offer the proposed curriculum, and a modest increase in the frequency of offering for the five courses already being offered. Spreading the new course offerings over the two years projected for a student to complete the upper and lower division required and elective components of the program will prove well within the department's capacity. The faculty, staff, classroom, and laboratory resources currently available are also well capable of handling the projected initial demand.
Five local information security professionals have offered to teach courses on a part-time or adjunct basis as demand for the degree grows.

National Standards for the degree area.

There are currently no standards for Information Security at the baccalaureate level. As such, the program architects began with an analysis of the curricula implemented at NSA-designated Centers of Academic Excellence in Information Assurance Education, as indicated earlier. NSA's National Centers of Academic Excellence in Information Assurance Education (CAEIAE) program, established in November 1998, helps NSA partner with colleges and universities across the nation to promote higher education in information assurance (IA). This program is an outreach effort that was designed and is operated in the spirit of Presidential Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure Protection, dated May 1998. Under this program, 4-year colleges and graduate-level universities apply to NSA to be designated as Centers of Academic Excellence in IA Education. Each applicant must pass a rigorous review demonstrating its commitment to academic excellence in IA education. During the application process, applicants are evaluated against stringent criteria based on IA training standards set nationally by the Committee on National Security Systems. Designation as a CAEIAE is valid for three academic years, after which the school must successfully reapply in order to retain its CAEIAE designation. These training standards (NSTISSI No. ) are located at:

CAEIAEs receive formal recognition from the U.S. government, as well as prestige and publicity, for their role in securing our nation's information systems. Students attending CAEIAE schools are eligible to apply for scholarships and grants through the Department of Defense Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for Service Program (SFS).

Currently KSU has an application in for this program, and the findings from its review are pending.

The architects developing this curriculum examined the dominant standards for technology curricula as a foundation for the security degree. There are two dominant technology curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards. While there are clear standards for curricula in Information Systems, there are no standards for Information Security. The primary program architect for this proposed program is an ABET-CAC IS program evaluator, having completed formal training and at least one accreditation visit. Lessons learned in developing and evaluating curricula were incorporated into this program.

The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for Undergraduate Degree Programs in Information Systems, cosponsored by the three largest professional technology organizations: the Association for Computing Machinery (ACM), the Association for Information Systems (AIS) and the Association of Information Technology Professionals (AITP). IS 2002 is a model curriculum for undergraduate degree programs in Information Systems and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an academic field, encompasses two broad areas: (1) acquisition, deployment, and management of information technology resources and services (the IS function); and (2) development and evolution of technology infrastructures and systems for use in organizational processes (systems development). It also includes a detailed set of course descriptions and advice to [those] who have a stake in the achievement of quality IS degree programs.

The IS 2002 guiding principles have been adopted and revised for this curriculum model development as follows:

1) The model curriculum should represent a consensus from the InfoSec community.
2) The model curriculum should be designed to help InfoSec faculty produce competent and confident entry-level graduates well suited to work-place responsibilities.
3) The model curriculum should guide but not prescribe. Using the model curriculum guidelines, faculty can design their own courses.
4) The model curriculum should be based on sound educational methodologies and make appropriate recommendations for consideration by InfoSec faculty.
5) The model curriculum should be flexible and adaptable to most IS/CS programs.

When internships or field experiences are required as part of the program, provide information documenting internship availability as well as how students will be assigned and supervised.

As a recommended elective component of the program, students can select from a number of career-oriented opportunities, including internships and cooperative studies. There are a number of information security related opportunities with local businesses, the Georgia Bureau of Investigation and numerous public service institutions. Approximately 20 students who have completed or are completing the Certificate in ISA have engaged in internship opportunities. On average there are 3-5 internship or cooperative study opportunities available to students off-campus. This is encouraging, as most organizations would be reluctant to take on a temporary student employee and provide them with access to critical organizational data. The Center for Information Security Education and Awareness employs 5-6 student interns each semester in support of the current Certificate in Information Security and Assurance. These students learn critical security skills while providing valuable vulnerability assessments, security technology installation and configuration, and policy review and recommendations. It is anticipated that the center
will continue its support of student internships and cooperative studies with the proposed degree program. Once students have completed their educational programs, it is anticipated that the growing demand for information security professionals will continue, as this is one area that organizations will be reluctant to outsource overseas, a trend that is affecting a number of other information technology jobs.

Indicate ways in which the proposed program is consistent with national standards.

As indicated earlier, the Committee on National Security Systems and the National Security Agency have certified that Kennesaw State University offers a set of courseware that has been reviewed by National Level Information Assurance Subject Matter Experts and determined to meet the National Training Standards for Information Systems Security Professionals (NSTISSI 4011, 4012, 4013, 4014) for the certified academic years. The goal of the Information Assurance Courseware Evaluation (IACE) Program is to ensure compliance with national standards for information assurance education and training throughout the nation. The Committee on National Security Systems (CNSS) sets these standards. The IACE Program is a major step in meeting the national requirements for IA education and training. IACE is a systematic assessment of the degree to which courseware from commercial, government, and academic sources maps to the national standards. Through an interactive website, an institution electronically submits data for evaluation. When the institution has met all the elements of a specific standard, it receives formal certification. [...] The IACE Program was established under the authority of the National Security Telecommunications and Information Systems Security Committee (NSTISSC), the predecessor to today's Committee on National Security Systems (CNSS).
This inter-governmental organization sets policy for the security of national security systems for the Federal Government. Presidential Decision Directive 63 (PDD 63) on Critical Infrastructure Protection, issued in May 1998, highlighted the critical shortage of well-trained information assurance professionals and the need for national standards. In January 2000, the NSTISSC initiated the IACE Program to establish those standards, recognizing that the body of knowledge required by the standards was available from a variety of sources: government, commercial industry, and colleges and universities.

The certified coursework forms the foundation for the proposed Information Security degree program.

CURRICULUM: BS - Information Security and Assurance Degree Requirements

University-Wide Degree Requirements - 45 Hours

AREA A: ESSENTIAL SKILLS - 9 CREDITS
ENGL 1101 Composition I - 3 credits
ENGL 1102 Composition II - 3 credits
MATH 1101 Mathematical Modeling - 3 credits

AREA B: SOCIAL ISSUES (INSTITUTIONAL OPTION) - 5 CREDITS
ANTH 2105 or GEOG 2105 or PSYC 2105 or SOCI 2105 Social Issues in Anthropology, Geography, Psychology, or Sociology - 2 credits
COM 1109 or FL 1002 or PHIL 2200 Human Communication or Foreign Language II or Ways of Knowing - 3 credits

AREA C: HUMANITIES/FINE ARTS - 6 CREDITS
ENGL 2110 World Literature - 3 credits
ART 1107 or MUSI 1107 or TPS 1107 Arts in Society (Visual Arts, Music, or Theatre) - 3 credits

AREA D: SCIENCE, MATHEMATICS, AND TECHNOLOGY - 10 to 11 CREDITS
SCI 1101 Interdisciplinary Sciences I (includes a lab) - 4 credits
  or CHEM 1211/CHEM 1211L General Chemistry I (including lab) - 4 credits
  or CHEM 1151/1151L Survey of Chemistry I (including lab) - 4 credits
  or PHYS 1111 Introductory Physics I - 4 credits
  or PHYS 2111/PHYS 2111L Principles of Physics I (including lab) - 4 credits
SCI 1102 Interdisciplinary Sciences II - 3 credits
  or CHEM 1212/1212L General Chemistry II (including lab) - 4 credits
  or CHEM 1152/1152L Survey of Chemistry II (including lab) - 4 credits
  or PHYS 1112 Introductory Physics II - 4 credits
  or PHYS 2212/PHYS 2212L Principles of Physics II (including lab) - 4 credits
MATH 1106 Elementary Applied Calculus - 3 credits
  or MATH 1107 Elementary Statistics - 3 credits
  or MATH 1190 Calculus - 4 credits

AREA E: SOCIAL SCIENCES - 12 CREDITS
POLS 1101 American Government in a Global Perspective - 3 credits
ECON 1100 or ECON 2100 Global Economics or Principles of Microeconomics - 3 credits
HIST 1110 Introduction to World Civilizations - 3 credits
HIST 2112 America Since - 3 credits

AREA F: COURSES RELATED TO THE PROGRAM OF STUDY

Lower Division Major Requirements - 18 Hours
Course / Description / Hours / Prerequisites
ACCT 2100 Introduction to Financial Accounting / 3 / ENGL 1101 & MATH 1106
ACCT 2200 Introduction to Managerial Accounting / 3 / ACCT 2100 & MATH 1106
CSIS 2300 Intro to Computer Information Systems / 3 / credit-level math course
  OR BISM 2100 Business Information Systems & Communications / 3 / NONE
CSIS 2520 Introduction to Data Communications / 3 / CSIS 2301
BLAW 2200 Legal and Ethical Environment of Business / 3 / NONE
CSIS 2301 Programming Principles I / 3 / CSIS 2300

Upper Division Major Requirements - 42 Hours
Course / Description / Hours / Prerequisites
ENGL 3140 Technical Writing / 3 / ENGL 2110
MATH 3400 Computer Applications in Statistics / 3 / CSIS 2300
MGT 3100 Management and Behavioral Sciences / 3 / 60 credit hours
CSIS 3210 Project Management / 3 / CSIS 2301 or ACCT 3100
ISA 3010 Security Script Programming / 3 / CSIS 2301
ISA 3100 Principles of ISA / 3 / CSIS 2300 or BISM 2100
ISA 3200 Applications in ISA / 3 / ISA 3100 & CSIS 2520
ISA 3300 Policy and Administration in ISA / 3 / ISA 3100
ISA 3350 Computer Forensics / 3 / ISA 3200
ISA 4210 Client OS Security / 3 / ISA 3010 & ISA 3200
ISA 4220 Server OS Security / 3 / ISA 3010 & ISA 3200
ISA 4330 Incident Response and Contingency Planning / 3 / ISA 3300 & CSIS 2520
ISA 4820 ISA Programs & Strategies / 3 / ISA 3200 & ISA 4330
IT 3500 Database Technologies / 3 / CSIS 2300 or BISM 2100
  OR BISM 3200 Adv Business Application Systems / 3 / BISM 3100 or 60 hours
  OR CSIS 3310 Introduction to Database Systems / 3 / CSIS 2301

Major Electives (choose three 3-hour classes; see below for descriptions) - 9 Hours
ACCT 3100, ACCT 3300, ACCT 4150, ECON 2200, CRJU 1101, CRJU 3305, CRJU 3320, CRJU 4305, CSIS 3550, CSIS 4420, CSIS 4510, CSIS 4515, CSIS 4555, CSIS 4575, ISA 4400, ISA 4490, ISA 4700, IT 3300, IT 3700, IT 4525

Free Electives (any courses in the KSU curriculum totaling 9 hours) - 9 Hours

Hours Required for Graduation - TOTAL 123 Hours
General Education: 45
Lower Division Major Requirements: 18
Upper Division Major Requirements: 42
Major Electives: 9
Free Electives: + 9
TOTAL HOURS: 123

Major Electives
Course / Title / Prerequisites

Business Electives (an Accounting & Auditing specialization may be obtained by selecting the following ACCT courses):
ACCT 3100 Intermediate Financial Accounting & Audit / ACCT 2100 & ACCT 2200
ACCT 3300 Accounting Information Systems / ACCT 3100
ACCT 4150 Auditing and Assurance / ACCT 3300 & permission of the department chair
ECON 2200 Principles of Macroeconomics / ECON 2100

Criminal Justice Electives (a Criminal Justice & CyberCrime specialization may be obtained by selecting from the following CRJU courses):
CRJU 1101 Foundations of Criminal Justice / none
CRJU 3305 Technological Applications in Criminal Justice / CRJU 1101
CRJU 3320 Criminal Investigation / CRJU 1101
CRJU 4305 Technology and Cyber Crime / CRJU 1101 and CRJU 3305

CSIS Electives:
CSIS 3550 Linux Administration and Security / CSIS 3600 & CSIS 3530 or ISA 3010
CSIS 4420 Local Area Networks / CSIS 2520
CSIS 4510 Computer Law / CSIS 3600 or ISA 4330
CSIS 4515 Computer Ethics / CSIS 3310 or IT 3500
CSIS 4555 Electronic Business Systems / CSIS 3210
CSIS 4575 Technology Commercialization / any 3000-level CSIS (or ISA) course

Information Security Electives:
ISA 3396* Cooperative Study in ISA / approval of Career Services & department chair
ISA 3398* Internship in ISA / approval of Career Services & department chair
ISA 4400 Directed Study in ISA / approval of instructor & department chair
ISA 4490 Special Topics in ISA / varies by topic
ISA 4700 Emerging Issues in ISA / ISA 4330
Information Technology Electives (students may take no more than one of the following):
IT 3300 Web Technologies / CSIS 2300 or BISM 2100
IT 3700 Information Technology Management / CSIS 2300 or BISM 2100
IT 4525 Electronic Commerce / CSIS 2300 or BISM 2100

* Internships & Cooperative Studies may only be counted as free electives.

[Course prerequisite flow chart. Nodes: CSIS 2300 or BISM 2100 Intro to Computing; CSIS 2301 Prog Prin I; CSIS 2520 Data Comm; ISA 3010 Security Script Prog; ISA 3100 Principles - ISA; ISA 3200 Applications - ISA; ISA 3300 Policy & Admin - ISA; ISA 3550 Computer Forensics; ISA 4210 Client OS Security; ISA 4220 Server OS Security; ISA 4330 Incident Response & Contingency Planning; ISA 4820 ISA Programs & Strategy; ISA 4700 Emerg Issues - ISA; CSIS 3210 Proj Mgmt; CSIS 3550 Linux Sec & Admin; CSIS 4420 LAN; CSIS 4510 Comp Law; CSIS 4515 Comp Ethics; CSIS 4555 E-biz Systems; CSIS 4575 Tech Comm; IT 3500 Database; IT 3300 Web Technologies; IT 3700 IT Mgmt; IT 4525 eCommerce. Bold outlines represent new classes; shaded boxes represent major ISA, IT & CSIS electives; dotted lines simply prevent confusion on overlaps.]

As evidenced by this chart, consideration was given to the flow of students through the program. A balance was struck between the need for prerequisite knowledge from course to course and the need to resolve any potential bottlenecks in the matriculation of students. As a result, the program designers identified the core courses (ISA 3100, 3200 and 3300) that form the critical path through the program. These courses are or will be offered with sufficient frequency to ensure that students can complete the program in a timely manner. The required core courses in the lower and upper divisions will be offered at least once a semester, with many courses in the CSIS foundations offered in multiple sections.

List the entire course of study required and recommended to complete the degree program.
Give a sample program of study that might be followed by a representative student. Indicate ways in which the proposed program is consistent with national standards.

Sample Programs of Study

Four-Year Program of Study for Full-Time Student Status (1st Semester Program | 2nd Semester Program)
Freshman (up to 30 hrs)
  1st Semester: ENGL 1101 (3), MATH 1101 (3), CSIS 2300 (or BISM 2100) (3), HPS 1000 (3), ECON 1100 or ECON 2100 (3). TOTAL HOURS: 15
  2nd Semester: ENGL 1102 (3), MATH 1106 (3), POLS 1101 (3), COM 1109 or FL 2001 or PHIL 2200 (3), CSIS 2301 (3). TOTAL HOURS: 15

Sophomore (30-60 hrs)
  1st Semester: ENGL 2110 (3), HIST 1110 (3), CSIS 2520 (3), SCI 1101 (4), ACCT 2100 (3). TOTAL HOURS: 16
  2nd Semester: HIST 2112 (3), ACCT 2200 (3), BLAW 2200 (3), ISA 3100 (3), SCI 1102 (3). TOTAL HOURS: 15

Junior (60-90 hrs)
  1st Semester: ISA 3010 (3), ISA 3200 (3), ART 1107 or MUSI 1107 or THTR 1107 (3), ENGL 3140 (3), IT 3500 (3), ANTH 2105 or GEOG 2105 or PSYC 2105 or SOCI 2105 (2). TOTAL HOURS: 17
  2nd Semester: MGT 3100 (3), ISA 4210 (3), ISA 3300 (3), MATH 3400 (3), Major Elective** (3). TOTAL HOURS: 15

Senior (over 90 hrs)
  1st Semester: ISA 3550 (3), CSIS 3210 (3), ISA 4330 (3), Free Elective* (3), Major Elective** (3). TOTAL HOURS: 15
  2nd Semester: ISA 4220 (3), ISA 4820 (3), Free Elective* (3), Free Elective* (3), Major Elective** (3). TOTAL HOURS: 15

*Prerequisites for electives vary by class.
** Major electives are listed in the current KSU catalog.
Five-Year Program of Study for Part-Time Student (12 Hours) (1st Semester Program | 2nd Semester Program)

Year 1 - Freshman (up to 30 hrs)
  1st Semester: ENGL 1101 (3), MATH 1101 (3), CSIS 2300 (or BISM 2100) (3), HPS 1000 (3). TOTAL HOURS: 12
  2nd Semester: ECON 1100 or ECON 2100 (3), ENGL 1102 (3), MATH 1106 (3), CSIS 2301 (3). TOTAL HOURS: 12

Year 2 - Sophomore (30-60 hrs)
  1st Semester: COM 1109 or FL 2001 or PHIL 2200 (3), POLS 1101 (3), ENGL 2110 (3), HIST 1110 (3). TOTAL HOURS: 12
  2nd Semester: CSIS 2520 (3), SCI 1101 (4), ACCT 2100 (3), HIST 2112 (3). TOTAL HOURS: 13

Year 3 - Junior (60-90 hrs)
  1st Semester: ACCT 2200 (3), BLAW 2200 (3), ISA 3100 (3), SCI 1102 (3). TOTAL HOURS: 12
  2nd Semester: ISA 3010 (3), ISA 3200 (3), ART 1107 or MUSI 1107 or THTR 1107 (3), ENGL 3140 (3). TOTAL HOURS: 12

Year 4
  1st Semester: IT 3500 (3), ANTH 2105 or GEOG 2105 or PSYC 2105 or SOCI 2105 (2), MGT 3100 (3), ISA 4210 (3), ISA 3300 (3). TOTAL HOURS: 14
  2nd Semester: MATH 3400 (3), ISA 3550 (3), Free Elective* (3), Major Elective** (3). TOTAL HOURS: 12

Year 5 - Senior (over 90 hrs)
  1st Semester: ISA 4330 (3), CSIS 3210 (3), Free Elective* (3), Major Elective** (3). TOTAL HOURS: 12
  2nd Semester: ISA 4220 (3), ISA 4820 (3), Free Elective* (3), Major Elective** (3). TOTAL HOURS: 12

*Prerequisites for electives vary by class. Check the KSU catalog for current prerequisite requirements.
** Major electives are listed in the current KSU catalog.

NEW AND EXISTING COURSES

In the degree requirements example above, new courses are indicated in bold italic. The new degree program will require the following new courses:

ISA 3010 Security Script Programming - In-depth discussion of secure methods and techniques in programming, and the role of specialized scripting languages.

ISA 4210 Client OS Security - An overview of the security of, and vulnerabilities present in, modern computing system clients, including computer architectures and operating systems.

ISA 4220 Server OS Security - An overview of the security of, and vulnerabilities present in, modern computing system servers, including computer architectures and operating systems.

ISA 4330 Contingency Planning and Operations - An examination of the detailed aspects of contingency planning and operations: incident response (prevention, detection, reaction, recovery), disaster recovery and business continuity.

ISA 4400 Directed Study in ISA - An independent study of a topic of interest to a particular student and faculty member.

ISA 4490 Special Topics in ISA - A unique class of interest not part of the existing curriculum.

ISA 4700 Emerging Issues in Information Security and Assurance - The topics covered in this course vary to maintain currency with current thinking and discussions in the InfoSec profession. Students will choose or be assigned topics to be investigated as groups or individuals. They will perform online and library research, prepare and deliver reports and presentations, and analyze and critically evaluate the reports and presentations of other students.

ISA 4820 Information Security & Assurance Programs and Strategies (capstone) - This course pulls together the managerial and technical components of the program in one comprehensive course.
Individuals focus on risk management, organizational assessment, certification and accreditation issues, and the roles and responsibilities of the CISO.

Course descriptions for the General Education requirements are available online at

Accounting Courses

ACCT 2100 Introduction to Financial Accounting
Prerequisite: ENGL 1101 and MATH 1106. An introduction to the language of business. Focuses on financial statements and their use in decision making. Designed for non-business and business majors.

ACCT 2200 Introduction to Managerial Accounting
Prerequisite: ACCT 2100. An introduction to how accounting information is used to manage a business. Includes managerial problem-solving techniques and current trends in managerial decision-making.

ACCT 3100 Intermediate Financial Accounting & Auditing
Prerequisite: Business majors: Sophomore GPA Requirement; non-business majors: ACCT 2100 and ACCT 2200. Focuses on problems and issues related to the collection, analysis, and reporting of external and internal information. Includes theory and applications in financial accounting and auditing within the framework of accounting as an information system.

ACCT 3300 Accounting Information Systems
Prerequisite: Business majors: Sophomore GPA Requirement and ACCT 3100; non-business majors: ACCT 3100. A continuation of accounting transaction processing concepts; internal controls and systems analysis and design.

ACCT 4150 Auditing and Assurance
Prerequisite: Business majors: Sophomore GPA Requirement and ACCT 3300; non-business majors: ACCT 3300 and permission of the department chair. A continuation of audit theory with a focus on specific applications to financial reporting. Also covers other types of attestation and assurance services with a focus on the concepts of risk, control, evidence, and ethics.

Computer Science and Information Systems Courses

CSIS 2300 Principles of Computing
Prerequisite: credit-level mathematics course. Principles of Computing is the first course a student should take to prepare for a career in computer science or information systems. Topics include information systems in organizations, hardware, software, database concepts, telecommunications and networks, the Internet, systems development, security, privacy, ethics, programming logic, algorithms, abstraction, and data structures.

CSIS 2301 Programming Principles I
Prerequisite: CSIS 2300 and any credit-level mathematics course. An introduction to problem-solving methods that lead to the development of correct, well-structured programs. Topics also include the fundamentals of computer systems.
CSIS 2520 Introduction to Data Communications
Prerequisite: CSIS 2301. An introduction to the theory and applications of data communications. Topics include communication media, encoding systems, data security and integrity, network topologies, network protocol concepts, Internet protocols, and routing.

CSIS 3210 Project Management
Prerequisite: CSIS 2301 or ACCT 3100. Introduction to the principles and application of project management techniques with an emphasis on the design and management of computer information systems projects. Topics include project planning, work team design, project estimation techniques, project reporting, identifying and controlling project risks, budgets, and quality assurance.

CSIS 4510 Computer Law
Prerequisite: CSIS 3600 or ISA 4330. Covers broad areas of law pertaining to the computer industry, including intellectual property (copyright, patent, trademark, and trade secret), contract, and the U.S. Constitution. The class will discuss computer crime, privacy, and professional ethics.

CSIS 4515 Computer Ethics
Prerequisite: CSIS 3310 and ENGL. Computer Ethics addresses a definition of ethics, provides a framework for making ethical decisions, and analyzes in detail several areas of ethical issues that computer professionals are likely to encounter in business. Each area includes information regarding U.S. law. Topics include philosophical, business, and professional ethics, privacy, criminal conduct, property rights, speech, and reliability.

CSIS 4555 Electronic Business Systems
Prerequisite: CSIS 3210. Information systems that enable electronic transactions and communication have redefined the ways that firms compete, interact with value chain partners, and relate to customers. In the near future, all business will be e-business, and every organization will be required to implement e-business solutions effectively. This course explores enterprise e-business applications and the issues organizations encounter as they leverage Internet technologies to enhance communication and transactions with stakeholders.

CSIS 4575 Technology Commercialization
Prerequisite: Any 3000-level BIOL, CHEM, CSIS or MATH course. This is a course for junior- and senior-level science and mathematics majors who may want to be prepared to commercialize technology and start up a company. The course is designed to provide students with the perspective, tools and information necessary to evaluate the market potential of a technical idea, secure patent protection, obtain research and development funding, understand start-up issues, appreciate the value of a technology incubator, obtain venture capital, understand IPOs and grow a technology-based enterprise.

Business Law

BLAW 2200 Legal and Ethical Environment of Business
Prerequisite: All developmental studies courses, if required. Covers torts, contracts, government regulation of business and the legal system.
Also addresses ethical issues arising in a business s internal and external relationships. Criminal Justice Classes CRJU Foundations of Criminal Justice Prerequisite: None. This course provides an overview of the criminal justice system. Emphasis will be on crime in America, the criminal justice process, law enforcement, adjudication, punishment, corrections, and prisons. Other special issues to be addressed include AIDS, changing roles of women, and criminal justice systems in other countries. CRJU Technological Applications in Criminal Justice Prerequisite: CRJU This course will examine current and predicted hardware and software applications of technology by criminal justice agencies, especially law enforcement agencies. Topic areas discussed will include technology associated with forensics, less than lethal force, and crime analysis. Laws pertaining to the use of technology for investigative purposes, privacy issues, and fourth amendment issues will also be examined. CRJU Criminal Investigation Prerequisite: CRJU Whitman & Mattord, Kennesaw State University

This course examines the historical, theoretical, and technological aspects of the investigation of crime. The topic areas include crime scene examinations, the collection and preservation of evidence, forensic and behavioral sciences, interviews/interrogations, and the use of technology by law enforcement agencies.

CRJU Technology and Cyber Crime
Prerequisite: CRJU 1101 and CRJU
This course provides an overview of cyber crime and computer-related crime issues facing the American criminal justice system, particularly law enforcement. The course looks at law enforcement's ability to respond and discusses law enforcement problems in dealing with computer crime. Students will learn about government response to cyber crime problems, especially from a law enforcement perspective. Future trends of cyber crime and computer-related crime will also be discussed.

Economics Classes

ECON Principles of Macroeconomics
Prerequisite: ECON 2100 and 6 credit hours of MATH numbered 1101 or higher.
Analysis of socioeconomic goals, money and credit systems, theories of national income, employment and economic growth.

English Classes

ENGL Technical Writing
Prerequisite: ENGL
Analysis of and practice in writing of business and technical documents from the perspective of technical personnel whose writing supplements but does not define their job description.

Information Security and Assurance Classes

ISA Principles of Information Security and Assurance
Prerequisite: CSIS 2520 or permission of the department.
An introduction to the various technical and administrative aspects of Information Security and Assurance. This course provides the foundation for understanding the key issues associated with protecting information assets, determining the levels of protection and response to security incidents, and designing a consistent, reasonable information security system, with appropriate intrusion detection and reporting features.

ISA Applications in Information Security and Assurance
Prerequisite: CSIS 2520 or permission of the department.
Detailed examinations of the tools, techniques and technologies used in the technical securing of information assets. This course is designed to provide in-depth information on the software and hardware components of Information Security and Assurance. Topics covered include: firewall configurations, hardening Unix and NT servers, Web and distributed systems security, and specific implementation of security models and architectures.

ISA Policy and Administration in Information Security and Assurance
Prerequisite: CSIS 2520 or permission of the department.

Detailed examinations of a systems-wide perspective of information security, beginning with a strategic planning process for security. Includes an examination of the policies, procedures and staffing functions necessary to organize and administrate ongoing security functions in the organization. Subjects include security practices, security architecture and models, continuity planning and disaster recovery planning.

ISA Computer Forensics
Prerequisite: ISA 3100.
This course focuses on the detection, isolation and response to security breaches and attacks. It provides a detailed examination of the entire computer forensic process and presents specific procedures required to respond to a computer crime incident. Subjects include recognizing unauthorized access, identifying file anomalies, and traffic monitoring.

ISA Cooperative Study in Information Security and Assurance
Prerequisite: ISA 3100 and approval of coordinator of cooperative education (Career Services).
A supervised work experience for a minimum of two semesters at a site in business, industry or government, focusing on some aspect of information security and assurance. For sophomore, junior or senior level students who wish to obtain on-the-job experience in Information Security and Assurance, in conjunction with their academic training. Students may take a cooperative study for multiple semesters; however, only three credit hours are applicable toward the Certificate in Information Security and Assurance. Contact the department office for additional information on the requirements and restrictions of the cooperative study.

ISA Internships in Information Security and Assurance
Prerequisite: ISA 3100 and approval of coordinator of cooperative education (Career Services).
A supervised work experience for one semester at a site in business, industry or government, focusing on some aspect of information security and assurance. For sophomore, junior or senior level students who wish to obtain on-the-job experience in Information Security and Assurance, in conjunction with their academic training. Students can earn between three and nine credit hours toward their degree programs, but only three hours will be counted toward the Certificate in Information Security and Assurance. Contact the department office for additional information on the requirements and restrictions for the Internship.

ISA 4210 Client Operating Systems Security
Prerequisite: ISA 3200
This course is an exploration of client computer systems security and vulnerabilities, including computer architectures, and operating systems. It provides the detailed technical coverage necessary to protect computer information system clients by presenting the knowledge of client platform computer hardware components, client network devices and interfaces as well as the structure and usage of client operating system software from an information security perspective. Additional learning regarding ongoing maintenance and operational issues of client computing systems will also be included.

ISA 4220 Server OS Security
An overview of the security of and vulnerabilities present in modern computing system servers, including computer architectures, and operating systems.

ISA 4330 Contingency Planning and Operations
An examination of the detailed aspects of contingency planning and operations:
- Incident Response: prevention, detection, reaction, recovery
- Disaster Recovery
- Business Continuity

ISA 4400 Directed Study
1 to 3 credit hours. Prerequisite: Approval of instructor, major area committee, and department chair. Up to three hours may be applied to the major area.
Special topics of an advanced nature that are not in the regular course offerings.

ISA 4490 Special Topics
1-3 credit hours. Prerequisite: Varies by topic.
Selected special or current topics of interest to faculty and students.

ISA 4550 Security Script Programming
In-depth discussion of secure methods and techniques in programming, and the role of specialized scripting.

ISA 4700 Emerging Issues in Information Security and Assurance
The topics covered in this course vary to maintain currency with current thinking and discussions in the InfoSec profession. Students will choose or be assigned topics to be investigated as groups or individuals. They will perform on-line and library research, prepare and deliver reports and presentations, and analyze and critically evaluate the reports and presentations of other students.

ISA 4820 Information Security & Assurance Programs and Strategies (capstone)
This course pulls together the managerial and technical components of the program in one comprehensive course. Individuals focus on risk management, organizational assessment, certification and accreditation issues, and the roles and responsibilities of the CISO.

Information Technology Classes

IT Web Technologies
Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Web Technologies will introduce students to the planning, design, implementation and maintenance of World Wide Web applications. Applications will be developed using both high-end development environments and HTML. Topics include tables, image maps, frames, security, ethical issues, application development tools, and development methodologies.

IT Database Technologies
Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Database Technologies covers the essentials of database concepts for non-IT careers. Key topics may include searching and querying, validation of electronic data, data mining, data collection principles, privacy and fair use, related intellectual property issues, integration of incompatible data sources, database-driven web sites, and visual database programming. Tools may include SQL, Visual Basic Web Databases, Personal Oracle, Access 2000, and various database search engines.

IT Information Technology Management
Prerequisite: EBIZ 2100 or CSIS
Advanced applications of general-purpose software with a special emphasis on integration of multiple software tools and data to solve a wide variety of career-related problems. Students study current topics in the application and management of information technology at the worker, department, and enterprise level.

IT Directed Study
1-3 credit hours. Prerequisite: Approval of instructor, major area committee, and department chair. Up to three hours may be applied to the upper division requirements for the IT certificate.
Special topics of an advanced nature that are not in the regular course offerings. Students selecting this to complete the IT certificate must select a topic involving technology applications in the chosen career area.

IT Electronic Commerce
Prerequisite: EBIZ 2100 or CSIS
The application of information technology to the buying and selling of information, products, and services, via computer networks. Topics include EDI, transactions over public networks, corporate digital libraries, advertising and marketing on the Internet, and consumer-data interface.

Management Classes

MGT Management and Behavioral Sciences
Prerequisite: Business Majors: Sophomore GPA Requirement; Non-business Majors: 60 credit hours.
This course introduces students to the field of management, focusing on basic principles and concepts applicable to all types of organizations. The evolution of functional and behavioral aspects of management and organization theory is presented in the context of political, societal, regulatory, ethical, global, technological and demographic environmental forces.

Math Classes

MATH Computer Applications In Statistics
Prerequisite: CSIS
Introduction to the use of computer-based statistical techniques and applications in the analysis and interpretation of data. Topics include both descriptive statistics and inference methods. This course is not for Mathematics or Mathematics Education majors.

ISA 3010 Security Script Programming Syllabus

COURSE DESCRIPTION
A study of secure programming and security programming techniques. The course examines aspects of developing traditional computer software, applying additional controls and measures to prevent the development of vulnerable and exploitable code. The course then examines programming techniques used in support of ongoing technical security functions, including Perl and CGI scripting.

PREREQUISITES
CSIS 2301 or permission of the department

COURSE OBJECTIVES
After completing the course, students will be able to:
- Design an Incident Response Plan for sustained organizational operations.
- Design a Disaster Recovery Plan for sustained organizational operations.
- Design a Business Continuity Plan for sustained organizational operations.
- Integrate the IRP, DRP, and BCP plans into a coherent strategy to support sustained organizational operations.
- Understand and be able to discuss incident response options.
- Understand the escalation process from incident to disaster.

RESOURCES
Required:
- Secure Coding: Principles & Practices, by Mark G. Graff and Kenneth R. van Wyk, June 2003, ISBN: , O'Reilly
- Perl and CGI for the World Wide Web: Visual QuickStart Guide, 2/E, Elizabeth Castro, ISBN: , Publisher: Peachpit Press
Recommended:
- The Computer Security Resource Center at the National Institute of Standards at
- The SANS Institute (System and Network Security) at

- The Computer Security Institute at
- Information Security Magazine at
- Carnegie Mellon SEI CERT/CC at
- ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
Additional supplemental resources will be provided by the instructor.

Course Web Site: Various course resources, technology tutorials, assignments, and announcements will be available on the course Web site at

WebCT Account: This course will make extensive use of WebCT for several aspects of the course curriculum. In order to facilitate your best use of the system, please verify your access to WebCT at your first opportunity and then forward your WebCT e-mail to an address that you read regularly. This will assure you stay up to date with WebCT communications.

EVALUATION
Evaluation of your performance will be based on five components:
- Participation 10%
- Programming Exercises 20%
- Mid-term Examination 25%
- Final Exam 25%
- Programming Project 20%

Evaluation criteria explained:
Students are expected to be active participants in each class meeting. Full credit for participation will be extended to students who regularly ask questions, share observations, and contribute relevant personal experiences. Participation in online discussions in WebCT is also encouraged. The mid-term examination will consist of program assignments and technological comprehension questions that cover the lecture material and assigned readings.

PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems within one or more defined information security technical architectures. The team will then create an implementation and maintenance plan to implement the necessary technical controls to meet the information security needs of the client information system. They will present their findings in a formal presentation. Peer evaluations will be considered in determining each student's grade on the project. Project guidelines will be available via WebCT.

LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC 363, the Advanced Data Communications Lab. During this time, the students will be assigned a number of hands-on exercises involving information security technical controls as applied to client platforms. Students will perform the labs and document their activities. These reports will be submitted to the instructor and are due 1 week after the lab is assigned. Students will be provided with access to the lab after class hours in order to complete these exercises.

POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet that includes your name, the course and section number, title of the assignment, and date of submission. Late assignments and papers will not be accepted. Please include the course number (i.e. 3100) in the subject field of any e-mail message that you send to me during the term. E-mail messages I receive that are missing this information in the subject field are likely to be automatically redirected to a folder the contents of which I seldom check.

ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one-semester suspension requirement.

COURSE OUTLINE
This tentative outline is subject to change.

Week 1: Secure Code Text: 1. No Straight Thing
Week 2: Secure Code Text: 2. Architecture
Week 3: Secure Code Text: 3. Design
Week 4: Secure Code Text: 4. Implementation
Week 5: Secure Code Text: 5. Operations
Week 6: Secure Code Text: 6. Automation and Testing
Week 7: Exam 1, Chapters
Week 8: Perl & CGI Scripting Text: 1. Introduction. 2. Perl Building Blocks.
Week 9: Perl & CGI Scripting Text: 3. About Servers, Perl, and CGI.pm. 4. Running Perl CGI on a Unix Server.
Week 10: Perl & CGI Scripting Text: 5. Testing Scripts Locally on Windows. 6. Testing Scripts Locally on the Mac.
Week 11: Perl & CGI Scripting Text: 7. Getting Data from Visitors. 8. Environment Variables.
Week 12: Perl & CGI Scripting Text: 9. Getting Data into the Script. 10. Simple Operations with Scalars.
Week 13: Perl & CGI Scripting Text: 11. Conditionals and Loops. 12. Working with Arrays.
Week 14: Perl & CGI Scripting Text: 13. Subroutines. 14. Working with Hashes.
Week 15: Perl & CGI Scripting Text: 15. Analyzing Data. 16. Remembering what Visitors Tell You.
Week 16: Perl & CGI Scripting Text: 17. Formatting, Printing, and HTML. 18. Security.
Final Exam Period

ISA 4210 Client Operating System Security Syllabus

COURSE DESCRIPTION
This course is an exploration of client computer system security and vulnerabilities, including client computer architectures, and operating systems. It provides the detailed technical coverage necessary to protect computer information system clients by presenting the knowledge of client platform computer hardware components, client network devices and interfaces as well as the structure and usage of common client operating system software from an information security perspective. Additional learning regarding ongoing maintenance and operational issues of client computing systems will also be included.

PREREQUISITES
ISA 3200 or permission of the department

COURSE OBJECTIVES
After completing the course, students will be able to:
- Know and understand the nature and use of the hardware devices commonly found in client information systems
- Know and understand the nature and use of networking hardware and protocols commonly found in client information systems
- Know and understand the nature and use of commonly used client operating systems
- Be prepared to understand and implement client components of an information security technical architecture

RESOURCES
Required:
- Guide to Operating System Security, Michael Palmer, ISBN
- Organization and Architecture text, TBD, ISBN tbd
- Articles and readings at
- Articles and readings at
Recommended:
- The Computer Security Resource Center at the National Institute of Standards at
- The SANS Institute (System and Network Security) at

- The Computer Security Institute at
- Information Security Magazine at
- Carnegie Mellon SEI CERT/CC at
- ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
Additional supplemental resources will be provided by the instructor.

Course Web Site: Various course resources, technology tutorials, assignments, and announcements will be available on the course Web site at

WebCT Account: This course will make extensive use of WebCT for several aspects of the course curriculum. In order to facilitate your best use of the system, please verify your access to WebCT at your first opportunity and then forward your WebCT e-mail to an address that you read regularly. This will assure you stay up to date with WebCT communications.

EVALUATION
Evaluation of your performance will be based on five components:
- Participation 10%
- Security Lab Exercises 15%
- Mid-term Examination 25%
- Final Exam 25%
- Team Project 25%

Evaluation criteria explained:
Students are expected to be active participants in each class meeting. Full credit for participation will be extended to students who regularly ask questions, share observations, and contribute relevant personal experiences. Participation in online discussions in WebCT is also encouraged. The mid-term examination will consist of program assignments and technological comprehension questions that cover the lecture material and assigned readings.

PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems within one or more defined information security technical architectures. The team will then create an

implementation and maintenance plan to implement the necessary technical controls to meet the information security needs of the client information system. They will present their findings in a formal presentation. Peer evaluations will be considered in determining each student's grade on the project. Project guidelines will be available via WebCT.

LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC 363, the Advanced Data Communications Lab. During this time, the students will be assigned a number of hands-on exercises involving information security technical controls as applied to client platforms. Students will perform the labs and document their activities. These reports will be submitted to the instructor and are due 1 week after the lab is assigned. Students will be provided with access to the lab after class hours in order to complete these exercises.

POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet that includes your name, the course and section number, title of the assignment, and date of submission. Late assignments and papers will not be accepted. Please include the course number (i.e. ISA4210) in the subject field of any e-mail message that you send to the instructor during the term. E-mail messages received that are missing this information in the subject field are likely to be automatically redirected to a folder the contents of which are seldom checked.

ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one-semester suspension requirement.

COURSE OUTLINE
This tentative outline is subject to change.

Week 1: Introduction to the course
Week 2: Client hardware
Week 3: Client O/S structures
Week 4: Client O/S usages
Week 5: Client network technology
Week 6: Exam
Week 7: Client O/S vulnerabilities
Week 8: Client O/S hardening
Week 9: Lab I
Week 10: Client security
Week 11: Managing client malicious code
Week 12: Wireless client security
Week 13: VPN and remote access clients
Week 14: Lab II
Week 15: Client configuration management
Week 16: Project Presentations
Final Exam Period: Final Exam

ISA 4220 Server Operating System Security Syllabus

COURSE DESCRIPTION
This course is an exploration of server computer system security and vulnerabilities, including server computer architectures, and operating systems. It provides the detailed technical coverage necessary to protect computer information system servers by presenting the knowledge of server platform computer hardware components, server network devices and interfaces as well as the structure and usage of common server operating system software from an information security perspective. Additional learning regarding ongoing maintenance and operational issues of server computing systems will also be included.

PREREQUISITES
ISA 3200 or permission of the department

COURSE OBJECTIVES
After completing the course, students will be able to:
- Know and understand the nature and use of the hardware devices commonly found in server information systems
- Know and understand the nature and use of networking hardware and protocols commonly found in server information systems
- Know and understand the nature and use of commonly used server operating systems
- Be prepared to understand and implement server components of an information security technical architecture

RESOURCES
Required:
- Guide to Operating System Security, Michael Palmer, ISBN
- Organization and Architecture text, TBD, ISBN tbd
- Articles and readings at
- Articles and readings at
Recommended:
- The Computer Security Resource Center at the National Institute of Standards at

- The SANS Institute (System and Network Security) at
- The Computer Security Institute at
- Information Security Magazine at
- Carnegie Mellon SEI CERT/CC at
- ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
Additional supplemental resources will be provided by the instructor.

Course Web Site: Various course resources, technology tutorials, assignments, and announcements will be available on the course Web site at

WebCT Account: This course will make extensive use of WebCT for several aspects of the course curriculum. In order to facilitate your best use of the system, please verify your access to WebCT at your first opportunity and then forward your WebCT e-mail to an address that you read regularly. This will assure you stay up to date with WebCT communications.

EVALUATION
Evaluation of your performance will be based on five components:
- Participation 10%
- Security Lab Exercises 15%
- Mid-term Examination 25%
- Final Exam 25%
- Team Project 25%

Evaluation criteria explained:
Students are expected to be active participants in each class meeting. Full credit for participation will be extended to students who regularly ask questions, share observations, and contribute relevant personal experiences. Participation in online discussions in WebCT is also encouraged. The mid-term examination will consist of program assignments and technological comprehension questions that cover the lecture material and assigned readings.

PROJECT DESCRIPTION

The team project will consist of the examination of several archetypal client information systems within one or more defined information security technical architectures. The team will then create an implementation and maintenance plan to implement the necessary technical controls to meet the information security needs of the client information system. They will present their findings in a formal presentation. Peer evaluations will be considered in determining each student's grade on the project. Project guidelines will be available via WebCT.

LAB DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC 363, the Advanced Data Communications Lab. During this time, the students will be assigned a number of hands-on exercises involving information security technical controls as applied to client platforms. Students will perform the labs and document their activities. These reports will be submitted to the instructor and are due 1 week after the lab is assigned. Students will be provided with access to the lab after class hours in order to complete these exercises.

POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet that includes your name, the course and section number, title of the assignment, and date of submission. Late assignments and papers will not be accepted. Please include the course number (i.e. 4220) in the subject field of any e-mail message that you send to the instructor during the term. E-mail messages received that are missing this information in the subject field are likely to be automatically redirected to a folder the content of which is seldom checked.

ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one-semester suspension requirement.

COURSE OUTLINE
This tentative outline is subject to change.

Week 1: Introduction to the course
Week 2: Server hardware
Week 3: Server O/S structures
Week 4: Server O/S usage
Week 5: Server network technologies
Week 6: Exam
Week 7: Server O/S vulnerabilities
Week 8: Server O/S hardening
Week 9: Lab 1
Week 10: Securing organizational servers
Week 11: Authentication and Encryption
Week 12: Lab 2
Week 13: Account-based Security; Role-based Security
Week 14: File, Directory, and Shared Resource Security
Week 15: Firewalls and Border Security
Week 16: Project presentations
Final Exam Period: Final Exam

ISA 4330 Incident Response and Contingency Planning Syllabus

COURSE DESCRIPTION

An examination of the detailed aspects of incident response and contingency planning, consisting of incident response planning, disaster recovery planning, and business continuity planning. Developing and executing plans to deal with incidents in the organization is a critical function in information security. This course focuses on the planning processes for all three areas of contingency planning (incident response, disaster recovery and business continuity), and on the execution of the response to human and non-human incidents in compliance with these policies.

PREREQUISITES

ISA 3200 or permission of the department

COURSE OBJECTIVES

After completing the course, students will be able to:
Design an Incident Response Plan for sustained organizational operations.
Design a Disaster Recovery Plan for sustained organizational operations.
Design a Business Continuity Plan for sustained organizational operations.
Integrate the IRP, DRP, and BCP plans into a coherent strategy to support sustained organizational operations.
Understand and be able to discuss incident response options.
Understand the escalation process from incident to disaster.

RESOURCES

Required:
Guide to Disaster Recovery, Michael Erbschloe, ISBN: Course Technology
Articles and readings at
Articles and readings at

Recommended:
The Computer Security Resource Center at the National Institute of Standards at

The SANS Institute (System and Network Security) at
The Computer Security Institute at
Information Security Magazine at
Carnegie Mellon SEI CERT/CC at
ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
Additional supplemental resources will be provided by the instructor.

Course Web Site: Various course resources, technology tutorials, assignments, and announcements will be available on the course Web site at

WebCT Account: This course will make extensive use of WebCT for several aspects of the course curriculum. In order to facilitate your best use of the system, please verify your access to WebCT at your first opportunity and then forward your WebCT e-mail to an e-mail address that you read regularly. This will assure you stay up to date with WebCT communications.

EVALUATION

Evaluation of your performance will be based on five components:
Participation 10%
Mid-term Examination 25%
Final Exam 25%
Individual Writing Assignments 20%
Team Project 20%

Evaluation criteria explained: Students are expected to be active participants in each class meeting. Full credit for participation will be extended to students who regularly ask questions, share observations, and contribute relevant personal experiences. Participation in online discussions in WebCT is also encouraged. The mid-term examination will consist of program assignments and technological comprehension that cover the lecture material and assigned readings.

PROJECT DESCRIPTION

The team project will consist of the examination of several archetypal client information systems within one or more defined information security technical architectures. The team will then create an implementation and maintenance plan to implement the necessary technical controls to meet the information security needs of the client information system. They will present their findings in a formal presentation. Peer evaluations will be considered in determining each student's grade on the project. Project guidelines will be available via WebCT.

LAB DESCRIPTIONS

At various points throughout the semester, as defined in the schedule, the class will meet in SC 363, the Advanced Data Communications Lab. During this time, the students will be assigned a number of hands-on exercises involving information security technical controls as applied to client platforms. Students will perform the labs and document their activities. These reports will be submitted to the instructor and are due 1 week after the lab is assigned. Students will be provided with access to the lab after class hours in order to complete these exercises.

POLICIES

All submitted work should be word-processed. Any work submitted should contain a cover sheet that includes your name, the course and section number, title of the assignment, and date of submission. Late assignments and papers will not be accepted. Please include the course number (i.e. 3100) in the subject field of any e-mail message that you send to me during the term. E-mail messages I receive that are missing this information in the subject field are likely to be automatically redirected to a folder the contents of which I seldom check.

ACADEMIC HONESTY

Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs.
Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one semester suspension requirement.

COURSE OUTLINE

This tentative outline is subject to change.

Week 1: 1. Introduction to Incident Response, Disaster Recovery and Business Continuity Planning
Week 2: 2. Preparing to Develop the IR, DR and BC plan
Week 3: 3. Assessing Risks in the Enterprise
Week 4: 4. Prioritizing Systems and Functions for Recovery
Week 5: 5. Developing Plans and Procedures
Week 6: 6. Organizing Relationships in IR/DR/BC
Week 7: Exam 1 (Chapters)
Week 8: Introduction to Case Project and Overview of Project Deliverables
Week 9: 7. Procedures for Responding to Attacks on Computers
Week 10: 8. Developing Procedures for Special Circumstances
Week 11: 9. Implementing IR/DR/BC Plans
Week 12: 10. Testing and Rehearsal
Week 13: 11. Continued Assessment of Needs, Threats, and Solutions
Week 14: 12. Living Through a Disaster
Week 15: Supplemental Lecture Material
Week 16: Project Presentations
Final Exam Period: Final Exam, Chapters 7-12 plus supplemental material

ISA 4700 Emerging Issues in Information Security and Assurance Syllabus

COURSE DESCRIPTION

The purpose of the course is to explore emerging issues in information security and assurance, and the role of organizational information security in state, regional and national policy. It provides content about the interaction between the organization, society, and public agencies. It examines the role of people versus technical security ideals currently debated by contemporary international organizations.

PREREQUISITES

ISA 4330 or permission of the department

COURSE OBJECTIVES

After completing the course, students will be able to:
Describe, analyze and assess security relations at a state-societal level in both the developing and developed world;
Analyze and evaluate the inter-relationship between global processes and specific information security dynamics;
Analyze, evaluate and critically discuss the policy responses to organizational, state, regional and national information security agendas, and the alternatives to them; and
Discuss the viewpoints of information security as a people versus technical problem, and the corresponding use of people versus technical solutions.

RESOURCES

Required:
Articles and readings at
Articles and readings at

Recommended:
The Computer Security Resource Center at the National Institute of Standards at
The SANS Institute (System and Network Security) at
The Computer Security Institute at
Information Security Magazine at
Carnegie Mellon SEI CERT/CC at
ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
Additional supplemental resources will be provided by the instructor.

Course Web Site: Various course resources, technology tutorials, assignments, and announcements will be available on the course Web site at

WebCT Account: This course will make extensive use of WebCT for several aspects of the course curriculum. In order to facilitate your best use of the system, please verify your access to WebCT at your first opportunity and then forward your WebCT e-mail to an e-mail address that you read regularly. This will assure you stay up to date with WebCT communications.

EVALUATION

Evaluation of your performance will be based on five components:
Participation 15%
Research Paper 25%
Midterm Exam 20%
Individual Writing Assignments 20%
Final Exam 20%

Evaluation criteria explained: Students are expected to be active participants in each class meeting. Full credit for participation will be extended to students who regularly ask questions, share observations, and contribute relevant personal experiences. Participation in online discussions in WebCT is also encouraged. The mid-term examination will consist of program assignments and technological comprehension that cover the lecture material and assigned readings.

PAPER DESCRIPTION

Students will write a paper on a subject assigned by the instructor on key subjects germane to the management of information security programs. Paper format and content specifications will be provided in class.

POLICIES

All submitted work should be word-processed. Any work submitted should contain a cover sheet that includes your name, the course and section number, title of the assignment, and date of submission. Late assignments and papers will not be accepted.

Please include the course number (i.e. 4820) in the subject field of any e-mail message that you send to the instructor during the term. E-mail messages received that are missing this information in the subject field are likely to be automatically redirected to a folder the content of which is seldom checked.

ACADEMIC HONESTY

Every KSU student is responsible for upholding the provisions of the Student Code of Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of Conduct addresses the University's policy on academic honesty, including provisions regarding plagiarism and cheating, unauthorized access to University materials, misrepresentation/falsification of University records or academic work, malicious removal, retention, or destruction of library materials, malicious/intentional misuse of computer facilities and/or services, and misuse of student identification cards. Incidents of alleged academic misconduct will be handled through the established procedures of the University Judiciary Program, which includes either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's minimum one semester suspension requirement.

COURSE OUTLINE

This tentative outline is subject to change.

Week 1: Introduction to Emerging Issues
Week 2: The Human Side of Information Security and Assurance
Week 3: Organizational Information Security Responsibilities
Week 4: State, Regional & National Information Security Relationship; Infragard Guest Speaker 1
Week 5: Discussion of Topical Subject in Information Security
Week 6: Exam 1
Week 7: National Information Security Policy and Support
Week 8: Discussion of Topical Subjects in Information Security
Week 9: International Considerations in Information Security: Theft of Intellectual Property
Week 10: International Considerations in Information Security: Hacking and Electronic Extortion
Week 11: Discussion of Topical Subjects in Information Security
Week 12: Guest Speaker 2
Week 13: The Future of Information Security
Week 14: Discussion of Topical Subjects in Information Security
Week 15: Guest Speaker 3
Week 16: Report Presentations
Final Exam Period: Final Exam

Development of the Degree Program

Development of the BS-ISA was an arduous, drawn-out project. It actually began in 2001, when we drafted the Certificate in ISA. In fact, when I proposed the ISA Certificate, I intentionally used a separate prefix (ISA) instead of the department standard (CSIS) to prepare for the eventuality of a degree. Shortly after the certificate was implemented I pulled up the overview of our BS in Information Systems and mused as to what a BS in ISA would look like. I then put it back on the shelf to collect dust, as I really did not expect to be able to pursue it further.

When Herb Mattord came on board as a full time faculty member, he declared his mission to see the BS-ISA come to fruition. With the success of the Certificate (some 30+ certificates issued in just over 2 years), and with constantly full ISA classes, eventually the other faculty in the department began to agree with us that perhaps an additional major would be a good idea. At the time the department had close to 1400 majors in its four degree programs: BS in IS and CS, and MS in IS and CS.

We began the process much the same as the certificate was begun, by looking at the end product: the entry level InfoSec professional. We realized that industry would need instruction on the new academically prepared InfoSec professional, and would require a deviation from the traditional promote-from-within-IT, or hire someone else's InfoSec professional, model. We began talking to a number of CISOs, CIOs and other regional IT professionals, including fellow CISSPs, to determine what they felt the fresh-college-infosec graduate should look like. We realized that what was missing in the discipline was the bridge between the technical half of infosec and the managerial half. So our goal was to prepare an individual to work in either half, and eventually to reach the position of CISO.
We then went back to our 10 domains of knowledge and began expanding on the foundation provided by the certificate:
ISA 3100 Principles of ISA
ISA 3200 Applications in ISA
ISA 3300 Policy and Administration in ISA
ISA 3350 Computer Forensics

We then began adding areas we found to be critical to the performance of both the InfoSec technical and managerial expert. From the technical side we realized the heart of the technical professional was the protection of servers, and the use of information security technologies (firewalls, intrusion detection systems, antivirus, etc.). So we created a split operating systems security class, focusing on the protection of client-side and server-side security. This allows us to re-tool the 3200 class into a more traditional Network Security class, focusing on the security technologies necessary to protect organizations' perimeters. We also realized that one area that is lacking in many programs is a secure programming class. So we replaced the CS2 type programming class with one designed to take what the students learn in their Programming Principles I class and scrutinize it for security issues. We also added a scripting language (CGI, etc.) to this class for good measure. From the managerial side, we added an incident response and disaster recovery class, to provide both the planning requirements and the actual hands-on incident response actions. This class is truly a hybrid between managerial planning and technical performance. We cap the program with a how to be a

CISO capstone class, with a major soup-to-nuts security project, requiring the students to examine an organization (real or case) and design and partially implement a security solution.

The draft layout of this program was presented to numerous groups, including department advisory boards and other experts in Information Security, both academic and practitioner. After final reviews, it was submitted through the university's curriculum approval process and eventually to the University System of Georgia's Board of Regents. It is customary for a new degree program to receive supplementary questions prior to the board review and vote. Our questions hit the heart of the issue: will the graduates find jobs, and is there a demand, both by students and by industry, for the program? Fortunately the IT market had just begun recovery in earnest and we were able to provide convincing arguments on both accounts. The board met and approved the degree within 5 minutes.

Now the work begins. We have to fully flesh out the courses, including lab exercises, homework exercises, lecture notes and the like. To assist in this endeavor, we have requested support from the NSF under the Federal Cyber Service: Scholarship for Service: Capacity Building Grant program. As KSU was designated a National Center of Academic Excellence in Information Assurance Education in April 2004 by the NSA and DHS, we are optimistic about our chances.

Textbooks used in the program:

As is obvious from the following list, most of our texts come from Course Technology. We do have a vested interest in the publisher, as they are promoting two of our own texts. Nonetheless, we have conducted extensive research on the available offerings. Our own library in the Center for Information Security Education and Awareness has over 130 text titles, spanning the breadth and depth of information security topics. These include certification study guides, trade-press applied technical security books, and available academic texts. With VERY few exceptions, there are no texts currently on the market covering the field of Information Security like those offered from Course Technology. We have adopted the following books for our courses, and present a brief table of contents for your consideration:

ISA 3100: Principles of Information Security and Assurance (Intro to InfoSec)
Text: Principles of Information Security, 4th edition, by Whitman & Mattord (us)
Table of Contents:
1. Introduction to Information Security
2. The Need for Security
3. Legal, Ethical, and Professional Issues in Information Security
4. Risk Management
5. Planning for Security
6. Security Technology: Firewalls, VPNs, and Wireless
7. Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools
8. Cryptography
9. Physical Security
10. Implementing Information Security
11. Security and Personnel
12. Information Security Maintenance and eDiscovery

ISA 3200: Network Security (Technical InfoSec)
Text: Guide to Network Security, by Whitman, Mattord, Mackey and Green
Table of Contents:
1. Introduction to Information Security
2. Introduction to Networking
3. Cryptography
4. Firewall Technologies and Administration
5. Access Controls and Remote Access
6. Intrusion Detection and Prevention
7. Wireless Network Security
8. Security of Web Applications
9. Network Vulnerability Assessment
10. Auditing, Monitoring, and Logging
11. Contingency Planning and Networking Incident Response

12. Digital Forensics and eDiscovery

ISA 3300: Management of Information Security in a Global Environment
Text: Management of Information Security, 3rd ed., by Whitman & Mattord (Note: 4th Edition under development)
Table of Contents:
Unit I: INTRODUCTION
1: Introduction to Management of Information Security
Unit II: PLANNING
2: Planning for Security
3: Planning for Contingencies
Unit III: POLICY AND PROGRAMS
4: Security Policy
5: Developing Security Programs
6: Security Management Models
7: Security Management Practices
Unit IV: PROTECTION
8: Risk Assessment
9: Controlling Risk
10: Protection Mechanisms
Unit V: PEOPLE
11: Personnel and Security
12: Law and Ethics

ISA 4330: Incident Response and Contingency Planning
Text: Incident Response and Disaster Recovery, 2nd ed., by Whitman, Mattord and Green
Table of Contents:
1. Introduction and Overview of Contingency Planning
2. Planning for Organizational Readiness
3. Data Protection Strategies for IR/DR/BC
4. Incident Response Planning
5. Computer Incident Response Teams
6. Incident Detection and Plan Activation
7. Incident Response
8. Incident Response Recovery and Preventative Maintenance
9. Incident Response Forensics and eDiscovery
10. Disaster Recovery: Preparation and Implementation
11. Business Continuity Planning and Implementation
12. Crisis Management and Human Factors
Appendix A: Incident Response Exercises

ISA 4350: Computer Forensics
Text: Guide to Computer Forensics and Investigations, Third Edition, by Phillips, Nelson, Enfinger, Steuart
Table of Contents:
1. Computer Forensics and Investigations as a Profession
2. Understanding Computer Investigations
3. The Investigator's Office and Laboratory
4. Current Computer Forensics Tools
5. Processing Crime and Incident Scenes
6. Digital Evidence Controls
7. Working with Windows and DOS Systems
8. Macintosh and Linux Boot Processes and File Systems
9. Data Acquisition
10. Computer Forensics Analysis
11. Recovering Image Files
12. Network Forensics
13. E-mail Investigations
14. Becoming an Expert Witness and Reporting Results of Investigations
Appendices:
A: Certification Test References
B: Computer Forensics References
C: Procedures for Corporate High-Technology Investigations

Lab Manual used for a variety of ISA courses:
Text: Hands-On Information Security Lab Manual, Third Edition, by Michael Whitman, Herbert Mattord, ISBN: X, 2006
Table of Contents:
1. Information Security Technical Functions
2. Information Security Technical Exercise Theory
3. Windows-Based Information Security Exercises
4. Linux-Based Information Security Exercises
Study questions, exercises, project(s).

If you would like additional information on these books (i.e. how well they worked in the class, or what support materials are included) please contact us. All Course Technology texts include instructor's ancillaries including PowerPoint slide shows, test banks, and instructor's guides.

2011 and the Bachelor of Business Administration in Information Security and Assurance

In 2010, the Information Systems and Information Security and Assurance faculty members from the Computer Science and Information Systems Department decided to split off and form a new department, subsuming existing Information Systems faculty in the Coles College of Business. The result was a unanimous approval and the mandate to re-design the ISA degree to be compatible with the Coles College of Business BBA model. After long and sometimes intense development sessions with Coles representatives, the following model was developed and approved:

Program Description:

The purpose of the Bachelor of Business Administration in Information Security and Assurance (BBA-ISA) program is to create technologically proficient, business-savvy information security professionals capable of applying policy, education & training, and technology solutions to protect information assets from all aspects of threats, and to manage the risks associated with modern information usage. Information security is the protection of the confidentiality, integrity, and availability of information while in transmission, storage or processing, through the application of policy, technology, and education and awareness. Information assurance concerns information operations that protect and defend information and information systems by ensuring availability, integrity, authentication, confidentiality, and non-repudiation. This program spans both areas in its approach to the protection of information in the organization.
The Committee on National Security Systems and the National Security Agency have certified that Kennesaw State University offers a set of courseware that has been reviewed by National Level Information Assurance Subject Matter Experts and determined to meet the National Training Standard for Information Systems Security Professionals (NSTISSI 4011, and CNSS 4012, 4013E, 4014E). KSU is also designated as a National Center of Academic Excellence in Information Assurance as recognized by the National Security Agency and the Department of Homeland Security.

All business majors must meet the Coles College Sophomore GPA Requirement and be admitted to the Coles College Professional Program. In addition, all business majors must earn a grade of C or better in all business courses counted toward their degree.

Program Curriculum:

GENERAL EDUCATION (42 CREDIT HOURS) see ( ) for listing of requirements

In the General Education requirements, all business majors must take:
MATH College Algebra or MATH Precalculus

MATH Elementary Applied Calculus or MATH Calculus I
ECON Principles of Microeconomics

University-Wide Fitness For Living Requirement (3 Credit Hours)

LOWER DIVISION MAJOR REQUIREMENTS (AREA F) (18 CREDIT HOURS)
ACCT Introduction to Financial Accounting
ACCT Introduction to Managerial Accounting
BLAW Legal and Ethical Environment of Business
ECON Principles of Microeconomics (hours counted in General Education)
ECON Principles of Macroeconomics
ECON Business Statistics
IS Information Systems and Communication

UPPER DIVISION MAJOR REQUIREMENTS (48 CREDIT HOURS)

Upper Division Business Core (18 Credit Hours)
ECON Applied Statistical and Optimization Models
FIN Principles of Finance
MGT Management and Behavioral Sciences
MGT Operations Management
MGT Strategic Management
MKTG Principles of Marketing

Information Technology Requirement (3 Credit Hours)
IS Information Systems Management

Major Field Requirements (24 Credit Hours)
ISA Security Script Programming
ISA Principles of Information Security
ISA Network Security
ISA Client Systems Security
ISA Management of Information Security in a Global Environment
ISA Perimeter Defense
ISA Server Systems Security
ISA Cyber Defense

Major Field Electives (6 Credit Hours)
ISA Incident Response and Contingency Planning
ISA Management of Digital Forensics and eDiscovery
ISA Directed Study in Information Security and Assurance
ISA Special Topics in Information Security and Assurance
ISA Emerging Issues in Information Security
ISA International Issues in Information Security and Assurance
ISA Penetration Testing

ISA Information Security and Assurance Programs and Strategies

Business Electives (6 Credit Hours)
Six hours of credit from upper-division ( level) course offerings outside the Major, but inside the Coles College of Business. ISA courses cannot be used here. (A maximum of six hours of credit in Information Security and Assurance Co-Ops and Internships may be used in this area. Co-Ops and Internships cannot be used in any other area.) ISA students are encouraged to take IS courses in this area.

Non-Business Electives (3 Credit Hours)
Three hours of credit from any lower-division ( level) or upper-division ( level) non-business courses offered at Kennesaw State.

Program Total (123 Credit Hours)

Program Goals and Objectives

With a revision of the program came a revision of the program goals and objectives. The purpose of the program was the same: to create technologically proficient, business-savvy information security professionals capable of applying policy, education & training and technology solutions to protect information assets from all aspects of threats, and to manage the risks associated with modern information usage. In preparation for campus SACS accreditation, and as part of the continuous improvement in education program at KSU (the Assessment of Learning), the program architects have developed Program Goals and Objectives to replace the previous general and specific program objectives:

Note: Goals 1-4 are common to all BBA programs.

Goal 1.0 Environmental Factors
Business majors will understand, apply and synthesize relevant environmental factors in the decision-making process.

Goal 2.0 Ethics and Values
Business majors will understand, apply and synthesize resolutions to ethical and social concerns in the business environment.

Goal 3.0 Analytical Process
Business majors will demonstrate problem-solving skills using appropriate analytical techniques.
Goal 4.0 Communication and Collaboration
Business majors will effectively demonstrate collaboration, leadership and communication skills needed in a business environment.

Goal 5.0 Theoretical Foundations and Applications of Information Security
The graduate has a thorough understanding of the theoretical foundations and practical applications of Information Security (InfoSec). (Knowledge)
Objectives:
5.1: Define concepts of an InfoSec program and discuss strategies and tools for protecting the confidentiality, integrity and availability of information assets. (Knowledge/Skill)
5.2: Differentiate and identify the role and function of various current and emerging InfoSec technologies. (Knowledge/Skill)
5.3: Demonstrate how InfoSec is a strategic and integral component of a global organization. (Knowledge/Skill)

Goal 6.0 Management of Information Security (InfoSec) Programs
The graduate has a demonstrated comprehension of InfoSec as a managerial problem, resulting from human weaknesses, and of the use of both managerial solutions (planning, policies, personnel and programs) and technical solutions. (Knowledge/Skill)
Objectives:
6.1: Describe formal approaches to managing InfoSec systems based on modern InfoSec standards. (Knowledge)
6.2: Relate and perform risk management using an established methodology based on modern InfoSec standards for structuring risk problems and controls. (Knowledge/Skill)
6.3: Develop effective InfoSec policies and plans to guide organizational InfoSec operations. (Knowledge/Skill)
6.4: Match control specifications to technological and non-technological options and perform benefit/cost tradeoff analyses among design options. (Knowledge/Skill)

Goal 7.0 Information Asset Assessment and Defense
The graduate possesses knowledge, skill and technical depth in the specification, development, implementation and maintenance of an information asset protection strategy using appropriate methods, techniques and tools. (Skill/Knowledge)
Objectives:
7.1: Illustrate the nature and use of information asset defense methodologies and explain the responsibilities at all stages. (Knowledge)
7.2: Identify, analyze and assess threats and vulnerabilities associated with the use of information assets with the appropriate formal tools and methods. (Knowledge/Skill)
7.3: Model the conceptual design of an information asset defense based on modern approaches, tools and techniques. (Knowledge/Skill)
7.4: Develop and implement an information asset defense solution based on the conceptual design, incorporating defense in depth, systems protection and network security. (Knowledge/Skill)
7.5: Implement hardware and/or software designs to provide working information asset solutions, including use of appropriate network security tools and the hardening of modern operating systems using contemporary strategies. (Knowledge/Skill)

The ISA faculty members are currently in the process of mapping all goals/objectives to the current curriculum, as well as mapping their corresponding proficiency levels.

Minor in Information Security and Assurance
Commensurate with the development of the BBA-ISA Model, the ISA faculty members developed a Minor in ISA. This program is designed to allow non-ISA majors to gain a perspective on ISA topics and improve the security of information associated with their home disciplines.

Minor Curriculum:
Required Courses (15 credit hours)
IS Information Systems and Communication
ISA Principles of Information Security
ISA Network Security
ISA Client Systems Security
ISA Management of Information Security in a Global Environment
Select one of the following (3 credit hours)
ISA Perimeter Defense
ISA Server Systems Security
Program Total (18 credit hours)

The Next Step: The Curriculum Development Project: Design Revision and External Evaluation
NSF support has been requested to support further design revision and external review of the curriculum model. It is our intent to obtain outside input on this model, and additional insight as to the quality of the learning objectives, course content and supporting materials needed to complete the curriculum model, as well as to further explore prerequisite knowledge areas (e.g. data communications, programming, operating systems, etc.). Questions remaining include:
What areas should be emphasized in a technical program vs. a managerial program vs. a balanced program?
What other courses should be added to each area, and what should they entail?
Are the proposed levels of knowledge appropriate, or should additional depth be pursued?
Are there sub-domains below the major and minor topics listed?
To answer these questions we must consult with other experts in the field and obtain their insight. NSF support is requested for design revision and extension. We plan to take the preliminary implementation and draft curriculum model to outside experts for commentary at national information security education conferences: the World Conference on Information Security Education and the National Colloquium for Information Systems Security Education. Information from these conferences will be used to shape an InfoSec curriculum development workshop. We have successfully implemented a new ongoing conference for the pedagogy and practice of information security education, held annually in September at KSU. Look for the CFP in March/April, with the conference announcement going out in May. Contact us if you don't hear by then.
The Information Security Curriculum Development Conference
InfoSecCD is one of the first major forums for the presentation of research and pedagogical experiences associated with the development and practice of Information Security Curriculum in higher education in the Southeast. The purpose of the conference is to share novel instructional methods and techniques, pedagogical research findings, curriculum models and methods, and to identify new directions for future research and development work. InfoSecCD seeks to give academicians, researchers and practitioners a unique opportunity to share their perspectives with others interested in the various aspects of Information Security Curriculum Development. Papers offering novel research contributions in any aspect of information security education are solicited for submission to the 2005 InfoSecCD Conference. The primary emphasis is on high-quality original unpublished research, case studies, and implementation experiences. Papers should have practical relevance to the design, development, implementation and best practices in information security education for the Academic Track, and to best practices in the design, implementation and management of information security in industry for the Industry Track. Theoretical papers must make a convincing argument for the practical significance of the results. Theory must be justified by compelling examples illustrating its application. The primary criterion for appropriateness is demonstrated practical relevance.

Featured at the conference, in addition to keynote addresses by recognized experts and authorities on information security education, are workshops on designing information security curriculum and conducting information security laboratory exercises, and presentations of academic papers on teaching and designing information security coursework. Also featured is a professional development track, where industry practitioners speak on the practice of information security.

Revision of Pilot Model
During this phase we will synthesize all inputs and commentary from the workshop at the InfoSecCD and formalize the final prototype model as a report sponsored by the NSF and the Center for Information Security Education.

Broader Impacts of This Proposal
The ultimate purpose of the curriculum development project is to assist in the advancement of information security education in the country. We feel that many schools are struggling with the same problems that organizations are: understanding what is needed to support the security of information, and what skills and qualifications are needed in a quality information security applicant. The core of this project is to improve education by assisting instructors in understanding what must be taught. It seeks to enhance and support educational infrastructure by providing a curriculum model that provides structure and guidance in the implementation of this critical coursework. Many instructors will be able to master the basics of organizational policy, planning and staffing. The technical components of any curriculum are often the most difficult to master. A framework for the instruction of this technical content will provide strong guidance on the instruction of a wide variety of technical security components.
Society will benefit as more qualified security personnel are created, improving the level of security of personal information in organizations around the country.

Evaluation Plan
The project's evaluation plan comprises three elements: 1) peer review by internal and external academic experts in curriculum development; 2) peer review by academic Information Security experts; and 3) external review by practitioners in the field of Information Security.

Curriculum Development Peer Review. KSU's Center for Excellence in Teaching and Learning (CETL) will serve as an external evaluator of the curriculum developed. The CETL consists of several faculty dedicated to the development of quality curriculum, and as they are external to the information security field, they will be capable of evaluating the curriculum structure independent of its content. Articles on the curriculum model will also be submitted to educational journals (e.g. the Journal for MIS Education and the ACM Journal on Educational Resources in Computing) and to regional conferences (Southern Association for Information Systems) for peer review. We will also develop and apply an assessment program based on the Massachusetts model [26].

Academic Information Security Peer Review. In the upcoming year, draft findings will be submitted to the World Conference on Information Security Education and the National Colloquium for Information Systems Security Education, where we will present the findings and obtain peer review and feedback from academics in the field. Copies of the draft model will also be sent to program coordinators at institutions having earned the Center of Excellence designation for their comment. In the following year, the final findings will be submitted to academic information security and education journals for publication as described in the dissemination plan.

External Practitioner Review. Each year the curriculum model will be presented to practitioners at the Human Firewall Conference. A workshop will be conducted specifically to discuss the developed curriculum and collect feedback. Copies will also be submitted to practitioner organizations like ISC2 (sponsor of the CISSP) and the Information Systems Security Association for comment. Upon completion, findings will be summarized and presented to the KSU Computer Science and Information Systems Industry Advisory Board, a board of representatives that provides guidance on curriculum development and department initiatives.

DISSEMINATION
Subsequent revisions of this document will be disseminated through:
1) Proceedings of the upcoming academic conferences. One of our proposed venues will be the Proceedings of the Annual Conference on Information Security Curriculum Development, to be hosted at Kennesaw State University. These proposed proceedings will contain accepted papers presented at the academic track, summaries of presentations given at the practitioner track, and student papers presented at table topics. In addition we will publish our findings at other conferences through their respective proceedings.
2) Inclusion in the PIs' texts. We plan to include the findings as part of the instructor's materials for our texts and on the texts' support web sites: Principles of Information Security, 2nd edition, and Management of Information Security. In addition, we are the authors of The Hands-On Information Security Lab Manual, 2nd edition, which provides technical hands-on labs for use in information security courses. The findings of the curriculum model will be included in its instructor's manual and support site as well.
3) Course University and Working Connections Series.
There are a number of initiatives sponsored by Course Technology, including the Course Technology Annual Conference, at which we frequently present, and numerous requested visits and online presentations.
4) Publication through Educational Portals: ISWORLD ( is the premier academic portal dedicated to the promotion of IS curriculum, teaching and research. Faculty can post works-in-progress and research findings. The portal also provides information on key curriculum and research issues. We will post the findings here for the entire IS community to view and comment on, and distribute the findings to the over 3,750 members of the ISWORLD list server [23]. The CITIDEL project ( is a portal designed to serve the computing education community at all levels, and is part of the National Science, Mathematics, Engineering, and Technology Education Digital Library. CITIDEL collects educational resources and provides them free of charge to all interested programs. The results of this study will be submitted to this site as well.

5) Posting on Regional Security Web Sites. The findings will also be posted to the KSU Center for Information Security Education and Awareness Web site ( and the Georgia Tech Information Security Center (GTISC) ( for inclusion in their online documents. KSU already has its information security program cataloged by the Virginia Alliance for Secure Computing and Networking [25] as a result of the recognition described below.
6) Recognition through NSA. Those institutions that are recognized as Centers of Excellence have their web sites linked to the NSA's, providing national dissemination of their work as best practices. This year KSU is applying for Center of Excellence recognition [19]. If recognized, KSU will promote the new curriculum through this venue. The Committee on National Security Systems and the National Security Agency have already certified KSU's Information Security courseware as having met national training standards for Information Systems Security Professionals for , providing KSU national recognition (see
7) Publication in regional and national venues. As with all academic research pursuits, the findings will be submitted to the aforementioned InfoSec conferences, IS educational publications like the Journal for MIS Education and the ACM Journal on Educational Resources in Computing (JERIC), and to regional conferences like the Southern Association for Information Systems. Word-of-mouth dissemination is expected as graduates undertake security-related employment.

How you can help
This draft curriculum model is an ongoing effort to improve information security curriculum. Through our presentations and discussions across the US, we have spoken with a number of faculty members, all eager to learn about developing and implementing information security curriculum.
You can help us in two ways:
1) Provide critical but constructive reviews of the curriculum model and materials presented here. Ask yourself the following questions:
Does the curriculum model seem comprehensive, robust and scalable? Why or why not?
Does the curriculum model follow established curriculum development guidelines?
Does the curriculum model work within established curriculum models for technology (or non-technology) baccalaureate programs?
What could be improved in the curriculum model?
2) Let us know if you like or are using the curriculum model. Send us a letter on letterhead supporting the curriculum model developed. Your indication of support will be used in subsequent grant activities designed to improve the curriculum model.

Appendix: Information Security Curriculum Development Procedures and Forms for use at your institution:

I. Determine interest, scope and intent of the program.
Discuss within your department the desired scope and outcomes of a program in Information Security. At this point simply get buy-in that two or more courses in Information Security are desirable. If a concentration, specialization, certificate or degree program is desired, additional information will be required.
Scope:
General Outcomes:

II. Determine stakeholder interest and guidance.
Organize a meeting with interested stakeholders, including industry representatives of potential employers, alumni, students, and faculty. Obtain their general perception of the idea of courses/programs in Information Security. It may be useful to anonymously survey their opinions. Questions to ask could include:
1) Do you feel the department should consider another program? Why or why not?
2) Do you feel that graduates with coursework/certificate/degree in Information Security would be valuable to regional employers? Why or why not?
3) If the department should consider offering this program, what skills do you feel that the student should possess upon graduation?
Summarize their responses.

III. Form the curriculum development committee.
Form a working committee to begin determining the specific focus, objective, depth, etc. of the program. Research the field of potential jobs in your area in Information Security. This information will assist in the selection of the focus of the program. Include the feedback from Step II. Identify available resources in terms of labs, faculty, and course offerings.

IV. Map desired positions to knowledge areas.
Using the methods outlined in the document, fill in the following table. Feel free to add/remove blanks as needed. If you feel the table in the document is satisfactory as completed, go to the next step.
1) Only include the positions you want your students to be able to perform after they complete the program.
2) Include the Roles these positions map to, based on the definitions earlier.
3) Identify the knowledge areas that correspond to these roles. Use the materials provided earlier as a template. Do not try to map mastery levels yet.

Example (the mapping arrows between the three columns are not reproduced here):
Positions: Net Admin, Firewall Analyst, IDS Eng, SysAdmin, ISO, Forensics, InfoSec Mgr, IRP Handler, DR/BCP Mgr, InfoSec Cons.
Roles: CISO, InfoSec Mgr, InfoSec Analyst, InfoSec Tech, InfoSec W.S.
Knowledge Areas (varying levels of mastery): ACS, SA & D, BCP, Crypto, Law & Ethics, OpSec, PhySec, Architecture, Sec Mgt, NetSec

Blank:
Positions:
Roles:
Knowledge Areas:

V. Discuss the following constraints on the program.
The following questions should be discussed:
1) What should the focus of the courses/program be? Managerial, Technical, or Balanced?
2) How many courses in Information Security can we offer in this program?
3) What courses that we currently offer could be included or adapted to support this program?
If in answering question 1 the institution desires a security program but just hasn't made up its mind as to which emphasis it wishes to take, the following set of program objectives may assist. The following list of program objectives can be used to determine what focus you desire for your program. Check off the objectives you want graduates of your program to meet, or rather what qualities your students should possess upon graduation. Use caution, as it is our first tendency to check everything! Realize that this may not be feasible unless you are able to implement an entire degree program with 7 or more courses exclusively in Information Security related areas. Once you have checked all desired qualities, the section immediately following the list will provide guidance on what type of program may be best suited for your desired outcomes.

Upon completion of the program the student will have the following qualities (check all that apply):
1. The graduate has a thorough understanding of the types and uses of Information Security policies, and can create examples based on established frameworks.
2. The graduate is able to recognize, define and implement firewall-related solutions to appropriate threats.
3. The graduate possesses a detailed understanding of the process of organizational planning for information security at strategic, tactical and operational levels.
4. The graduate possesses knowledge, skill and technical depth in implementing cryptographic solutions using appropriate methods, techniques and tools such as PKI and VPNs.
5. The graduate has the ability to critically analyze and articulate positions on the legal and ethical implications and influences of Information Security, including relevant codes of ethics and federal and state laws.
6. The graduate possesses the ability to evaluate a given computer operating system and implement hardened security measures to protect it.
7. The graduate has detailed knowledge of the types, organization, responsibilities and qualifications of Information Security personnel in an organization.

8. The graduate has the ability to conduct an effective vulnerability assessment of an organization's Information Security posture and report their findings in a meaningful format.
9. The graduate can implement a risk management program, including a detailed risk assessment, and recommend appropriate risk control strategies and measures.
10. The graduate can articulate the composition of popular security models such as Biba, Bell-LaPadula, etc.
11. The graduate can develop and manage plans for dealing with organizational contingencies such as incidents and disasters.
12. The graduate can evaluate and recommend effective security architectures using security technologies such as bastion hosts, screened subnets and demilitarized zones.
13. The graduate can develop, implement and manage security programs designed to improve employee perception of information security, such as security education, training and awareness programs.
14. The graduate is able to recognize, define and implement intrusion detection system-based solutions to appropriate threats, including both host and network IDS.
15. The graduate can evaluate and recommend improvements to the implementation of security procedures in handling personnel in the organization, including hiring, termination, and contract employee issues.
16. The graduate is able to evaluate, define and implement defenses against malicious code attacks such as viruses, worms and denial of service.
17. The graduate can critically discuss popular information security management practices, standards and models such as ISO 17799, NIST SPs 14 & 18, etc.
18. The graduate is able to evaluate, define and implement defenses as part of counter-intrusion measures against active and passive hacker attacks.
19. The graduate has the ability to conduct cost/benefit analyses on proposed security countermeasures and present them to organizational stakeholders in a meaningful manner.
20. The graduate is able to evaluate, define and implement effective access control technologies and procedures in accordance with organizational policy.

Now that you have specified the desired learning outcomes for your program, add up the number of checks by ODD and EVEN answers. If you find substantially more checks by ODD numbers, say 3 or more, then your inclination is toward a managerial program. If you find substantially more checks by EVEN numbers, again 3 or more, then your inclination is toward a technical program. If your two values are approximately equal (within 2 or fewer), your inclination is toward a balanced program. If you have a total of more than 16 checks, you are either very ambitious or desire a balanced program with an emphasis toward one or the other area. Balance this information with the feedback obtained in Step II.

VI. Define program objectives.
From the list above, and the information you have gathered and analyzed, identify the 6-10 program objectives that best map to what you want your students to have achieved upon completion of the material. You can use the list of 20 program objectives in Step V as a starting point.
Program Objectives:

VII. Determine the level of mastery desired in the program.
Based on the focus of each course, determine the level of mastery desired for each knowledge area. Perform this exercise within your program using the blank form. Using the following table as a starting point, you can add columns to represent additional courses providing additional depth in managerial or technical areas. Also feel free to add or delete specific domains and knowledge areas based on your findings in your curriculum efforts. When finished, take a moment to verify that what you have just created matches the Management vs. Technical exercise completed earlier. If you find you did not fill in many technical areas with desired depth beyond U (i.e. A or P), and yet you specified a technical program earlier, you may want to revisit one or both of these activities to determine your preferred path.

Level of Mastery Desired: U: Understanding, A: Accomplishment, P: Proficiency, M: Mastery
Courses Implemented (one column per course): Introduction, Technical, Management
For each knowledge area below, enter the desired level of mastery under each course column. Domains marked * contain some knowledge areas that are prerequisite.

Domain: Access Controls
Access control fundamentals
Access control types
Access control attacks
Penetration testing methods

Domain: Telecommunications*
Network types (LAN/WAN)
OSI reference model
TCP/IP protocol suite
Telecomm security management
Telecommunications threats and attacks
Remote access protocols

Domain: Security Management
Security planning
Security policies
Personnel security
Security personnel
Data classification and storage
Risk Management
Security education, training and awareness program
Change/configuration management
Assessment strategies

Domain: Applications Security*
Systems development life cycles
Database development and management
Systems controls
Distributed applications
Object oriented concepts*
Knowledge based systems*
Application and systems attacks and vulnerabilities
Malicious code

Domain: Cryptography
Cryptosystems
Ciphers and encryption algorithms
Asymmetric key systems
Symmetric key systems
Hybrid key systems
Message authentication/message digests
Public key infrastructure
Key management
Digital signatures
Alternative cryptosystems
Security protocols

Domain: Security Architecture
Security models
Information systems evaluation criteria
System certification and accreditation
Security architectures

Domain: Operations Security
Operations concepts
Threats and countermeasures
Incident response
Auditing
Monitoring

Domain: Business Continuity Planning
Contingency planning
Business continuity planning
Disaster recovery planning
Data backup and recovery methods
Crisis management

Domain: Law and Ethics
Law categories and types
Computer crimes
Computer crime investigations
Computer ethics
Computer forensics procedures

Domain: Physical Security
Site selection and security
Guards
Keys and locks
Doors, walls and gates
Intrusion detection systems
Fire detection and suppression systems
Biometrics
CCTV

VIII. Determine the number of courses to offer.
Based on the constraints in Step V, list the number of courses you can offer in your program. Consider the following table in your decision, influenced by the focus of your program (managerial vs. technical).

Table 1: DRAFT CURRICULUM MODEL
Subject | Bloom's Level of Knowledge (from [21])

Prerequisite Knowledge
General: Computing Foundations, Data Communications
Managerial: Management, Accounting
Technical: Operating Systems, Computer Org & Architecture, Programming, Data Protocols

Foundation
1.0 Introduction to Information Security | L1 Knowledge: Recognition & Differentiation in Context
1.1 Computer Law & Ethics | L2 Comprehension: Translation/Extrapolation, Use of Knowledge

Technical Aspects of Information Security
2.0 Technical Applications in InfoSec | L2 Comprehension: Translation/Extrapolation, Use of Knowledge
2.1 Operating Systems Security | L3 Application Knowledge
    Windows NT/2000 Security | L4 Analysis & L5 Synthesis
    Linux/Unix Security | L4 Analysis & L5 Synthesis
2.2 Network Security | L3 Application Knowledge
2.3 Applied Cryptography | L3 Application Knowledge
2.4 Computer Forensics | L3 Application Knowledge
2.5 Firewalls & Intrusion Detection Sys | L3 Application Knowledge
2.6 ????? |

Managerial Aspects of Information Security
3.0 Management of Information Security (Policy & Administration) | L2 Comprehension: Translation/Extrapolation, Use of Knowledge
3.1 Disaster Recovery/Business Continuity Planning | L3 Application Knowledge
3.2 Risk Management | L3 Application Knowledge
3.3 Incident Response | L3 Application Knowledge
3.4 Physical Security | L3 Application Knowledge
3.5 Security Training & Awareness Pgms | L3 Application Knowledge
3.6 ????? |

Outside Emphases
O1 Criminal Justice | Varies
O2 Auditing | Varies

Table 2: Implementation of the Proposed Curriculum Model
Based on the number of courses an institution can implement, it is recommended that they select the courses indicated. Question marks ("?") are used to indicate alternatives.

Number of courses the institution can implement in InfoSec, and the courses recommended:
1 course: Introduction to InfoSec
2 courses: Introduction to InfoSec, plus either Technical Applications in InfoSec or Management of InfoSec
3 courses: Introduction to InfoSec, Technical Applications in InfoSec, Management of InfoSec
4 to 7 courses: the three courses above, plus one to four additional courses (?) selected from: Network Security (Win2K/Unix), Adv. Network Security, Operating Systems Security, Auditing for Security, Computer Forensics, Criminal Justice, Criminal Law, Computer Ethics, Computer Law, Cryptography/Cryptology, Secure Programming, Internship/Coops

IX. Determine the prerequisite knowledge areas necessary to support the desired classes.
Using the following form as an example, list the classes desired in the middle, the knowledge to be taught in that class on the right, and then determine what a student should know coming into the class on the left. Then match that information to existing courses offered in the institution. If prerequisite knowledge is needed but not currently taught, it may need to be added to the program.

X. Develop specific course learning objectives.
Now that the individual courses are becoming defined, it is time to define the specific learning objectives that will go into each course. You can use the examples provided as a starting point.
1) Begin by using syllabi templates and adding other required components.
2) Add learning objectives.
3) Select textbooks.
4) Define evaluation methods.

XI. Define laboratory components and required resources.
For each course identify any desired laboratory exercises. You can use the table of contents for the lab manual listed earlier for ideas. For each exercise define what hardware and software components will be required. Compare to an inventory of on-hand resources. If a desired resource is not available, determine if it can be acquired prior to the formal offering of the class; otherwise look for alternatives. I find there is a substantial set of shareware/hackerware that is readily available and suitable for exercises. It's the name-brand hardware that tends to be difficult and expensive to acquire. Consider contacting industry advisors and friends of the department for contributions.

XII. Pilot test key courses.
Select a few key faculty members with experience in information security to pilot test individual courses. Collect information on student satisfaction and performance in the various areas of each course.

XIII. Refine and revise as needed.
Self-explanatory.

About the Authors

Dr. Michael Whitman, CISSP, is an Associate Professor of IS and an active researcher in Information Security with over 55 publications in texts, journals, and conference presentations. In addition to a Ph.D. in IS, he has earned the Certified Information Systems Security Professional (CISSP) credential. He is currently co-authoring his second text, Management of Information Security (Course Technology, 2004), to be published in March 2004. His first text, Principles of Information Security (Course Technology, 2003), has already been adopted by over 60 institutions globally. He has also authored The Hands-On Information Security Lab Manual (Thomson Custom Publishing, 2003). He is the Director of the KSU Center for Information Security Education and Awareness and the Director of the KSU Master of Science in Information Systems program, responsible for the graduate IS curriculum. He is also an IS program evaluator for ABET-CAC.

Professor Herb Mattord is an Instructor of IS and a former information security manager at Georgia-Pacific Corporation, a multinational forest-products company. He also holds the CISSP and is the co-author of both Principles of Information Security and the forthcoming Management of Information Security. He is also the coordinator for the Certificate in Information Security and Assurance and the Operations Manager for the KSU Center for Information Security Education and Awareness.


More information

167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College

167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College 167 th Air Wing Fast Track Cyber Program Blue Ridge Community and Technical College Information Security Certificate: Designed to introduce students to programming, security basics, network monitoring,

More information

National Initiative for Cybersecurity Education

National Initiative for Cybersecurity Education ISACA National Capital Area Chapter March 25, 2014 National Initiative for Cybersecurity Education Montana Williams, Branch Chief Benjamin Scribner, Program Director Department of Homeland Security (DHS)

More information

Computer Security and Investigations

Computer Security and Investigations Computer Security and Investigations Program Locations: Program Code: Coordinator: Credential: Peterborough CSI Blair Brown Ontario College Advanced Diploma Start Dates: September 06, 2016 January 09,

More information

ISACA S CYBERSECURITY NEXUS (CSX) October 2015

ISACA S CYBERSECURITY NEXUS (CSX) October 2015 ISACA S CYBERSECURITY NEXUS (CSX) October 2015 DO2 EXECUTIVE OVERVIEW Will you be a Cyber defender? ISACA launched the Cybersecurity Nexus (CSX) program earlier this year. CSX, developed in collaboration

More information

Network Management and Defense Telos offers a full range of managed services for:

Network Management and Defense Telos offers a full range of managed services for: Network Management and Defense Telos offers a full range of managed services for: Network Management Operations Defense Cybersecurity and Information Assurance Software and Application Assurance Telos:

More information

IT Security Management 100 Success Secrets

IT Security Management 100 Success Secrets IT Security Management 100 Success Secrets 100 Most Asked Questions: The Missing IT Security Management Control, Plan, Implementation, Evaluation and Maintenance Guide Lance Batten IT Security Management

More information

INCIDENT RESPONSE CHECKLIST

INCIDENT RESPONSE CHECKLIST INCIDENT RESPONSE CHECKLIST The purpose of this checklist is to provide clients of Kivu Consulting, Inc. with guidance in the initial stages of an actual or possible data breach. Clients are encouraged

More information

Cyber Security and Privacy - Program 183

Cyber Security and Privacy - Program 183 Program Program Overview Cyber/physical security and data privacy have become critical priorities for electric utilities. The evolving electric sector is increasingly dependent on information technology

More information