A. Centrality to institutional mission statement and planning priorities:




SANS Technology Institute
Program Proposal for a Substantial Modification
Master of Science in Information Security Management
May, 2014

A. Centrality to institutional mission statement and planning priorities:

1. Provide a description of the program, including each area of concentration (if applicable), and how it relates to the institution's approved mission.

The program leading to a Master of Science in Information Security Management (MSISM) is a 36 credit hour, graduate level program comprised of an integrated mix of technical and management courses, research, projects, assessments, and simulations that progressively develop the capabilities required to lead and manage information security teams. It was initially established and approved by the Maryland Higher Education Commission in 2005.

The program is designed to be completed in three years by full-time, working professionals who have a year or more of experience in information technology, information security, or audit. It is not meant as an introduction to the information security field, but as a program that will advance the capabilities and careers of individuals who are already employed in the field. Students are often supported in the program by their employer, and most expect to stay employed by their current employer after graduation.

While the program cannot be completed entirely at a distance, most of the courses are offered in multiple formats, allowing an individual student the option to take more than 50% of the program at a distance using one or more of our online modalities or, conversely, to take 50% or more of the program via instruction provided at our in-person residential institute events.

The formal Mission of the SANS Technology Institute is:

The SANS Technology Institute develops leaders to strengthen enterprise and global information security.
The SANS Technology Institute educates managers and engineers in information security practices and techniques, attracts top scholar-practitioners as faculty, and engages both students and faculty in real-world applied research.

The formal Vision of the SANS Technology Institute is:

The SANS Technology Institute aspires to be the preeminent graduate institution translating contemporary information security practice and scholarship into effective educational experiences. Our graduates will be highly valued because they design state-of-the-art, enterprise-level cyber defenses, champion the adoption of those defenses, and manage their implementation and ongoing operation. In so doing, STI will:

1. Enable private and public sector enterprises of the United States and its allies to preserve social order and protect their economic rights and military capabilities in the face of cyber attacks;
2. Provide the national defense establishment, critical industries, businesses and government agencies with information security engineers and managers who have the most current and critical knowledge and skills needed to respond effectively to the evolving cyber attack landscape; and,
3. Perform leading-edge research that continually identifies current best practice and enhances the state of the art in the practice of information security.

The MSISM program therefore fits directly within the focused mission of the SANS Technology Institute in developing managers of information security groups and technically knowledgeable professionals who can effectively lead information security technology programs.

The Master of Science in Information Security Management (MSISM) Program is designed to accelerate the development of information security managers by providing practical experience that can be applied immediately on the job. Students learn from industry experts how to see the world from an attacker's view, audit information systems, assess legal implications of an incident, and develop risk-based secure enterprise-level solutions that enable an organization's business processes to function in spite of the increasing threat presence. In addition to developing hands-on technical skills, the program emphasizes the development of communication and leadership skills that will improve the student's ability to implement information security solutions within their organization.

This proposal is the result of modifications we seek to make to the existing MSISM program that will enable us to manage students and the curriculum more effectively.
We make these modifications to the program as a direct result of the outcomes of our accreditation self-study, part of which identified the issues we were having managing students given the fragmented nature of their program requirements. As a simple example, our prior curricula had awarded credits when a graduate student completed three separate course requirements, but each of these elements was paid for individually and not required to be completed in a set timeframe. Oftentimes, students would complete certain requirements swiftly while other requirements were left unaddressed for long periods of time. In order to address such fragmentation, we decided to reformulate how we present and manage our master's programs, the most significant artifact of which is an entirely new course numbering system that often just places these separate elements under a single course name, syllabus, and time requirement.

If evaluated from the perspective of work done by the students, these modifications do not appear to exceed 33% of the program. However, because we have reanalyzed our intended program and course learning outcomes and adjusted all course names to accommodate a tight integration of related work into named and aggregated courses, the impact on our ability to manage student progress has been profound. The work itself has not changed by much, but how we now manage student progress has changed substantially.

The modifications made to the MSISM program have not changed the program intent or the relationship with institutional mission. Rather, revisions made to the MSISM program have strengthened the program and further enabled STI to continue to meet our mission.

To contextualize the nature of the curriculum changes we have included four examples below, with commentary.

Curriculum v2.0 July, 2010
Name: MGT 512: SANS Security Leadership Essentials For Managers with Knowledge Compression, GIAC GSLC Gold
Course elements:
- MGT 512 class instruction
- GSLC exam
- GSLC Gold Paper
4 credit hours

Curriculum v3.0 April, 2014
Name: ISM 5100: Enterprise Information Security
Course elements:
- MGT 512 class instruction
- GSLC exam
- GSLC Gold Paper
4 credit hours

Summary of changes: This is the most typical of the changes made to the course names under the newest curriculum, relative to the student work required in the curriculum from 2010. As shown, none of the work requirements for this group of activities changed. In the past, each course element could be engaged individually with no temporal relationship required between them. In the new curriculum, these activities are formally related under a course number and name, and must be completed within a fixed period of time (4 months). Of the 32 credit hours of work associated with curriculum v2.0, the majority involve only changes in naming or re-grouping.

Curriculum v2.0 July, 2010
Name: SEC 504: Hacker Techniques, Exploits, and Incident Handling, GIAC GCIH Gold
Course elements:
- SEC 504 class instruction
- GCI exam
- GCI Gold Paper
4 credit hours

Curriculum v3.0 April, 2014
Name: ISM 5200: Hacking Techniques & Incident Response
Course elements:
- SEC 504 class instruction
- GCI exam
- NetWars simulation experience
4 credit hours

Summary of changes: In this example, the faculty changed one of the elements required to earn 4 credit hours for the SEC 504 instructional component, from writing a 15-20 page peer-reviewed research paper relative to the topic of the course and exam, to passing a hands-on simulation-based test experience. In this case, 2 credits were simply renamed and re-grouped, while 2 credits would be considered a change in work requirements.

Curriculum v2.0 July, 2010
Community Project Requirements:
Required elements:
- Group discussion & written project
- 2 oral presentations
- Joint written project
- Security awareness talk
3 credit hours total

Curriculum v3.0 April, 2014
New course numbers and names:
- ISM 5700: Situational Response Practicum, 1 credit hour
- ISM 5500: Research Presentation 1, 1 credit hour
- ISM 5900: Research Presentation 2, 1 credit hour
- ISM 6100: Security Project Practicum, 1 credit hour
- ISM 6900: Information Security Fieldwork, .5 credit hour

Summary of changes: In the case of what the v1.8 curriculum referred to as a group of Community Project Requirements done in total for 3 credits, during our self-study these course activities were formalized into individual courses and evaluated for their work requirements and faculty interactions. Student course work remained the same; however, each requirement was given a new course code, name and an associated credit value. For example, the instruction and work leading to the oral presentations given on one's research paper at a public event to a knowledgeable audience did not change but was renamed ISM 5500: Research Presentation 1, and evaluated on its individual work activity. The result of this analysis was to increase the total credit hours assigned to the program due to this coursework, from 3 to 5.5 credit hours.

Curriculum v2.0 July, 2010
Name: MGT 438: How to establish a Security Awareness Program, Exam/Substitute, Written Assignment
Course elements:
- MGT 438 Class Instruction
- Exam/substitute
- Written Assignment
1 credit hour

Curriculum v3.0 April, 2014
Name: ISM 5300: Building Security Awareness
Course elements:
- MGT 433: Securing the Human: Building and Deploying an Effective Security Awareness Program
- Writing Exercise
1 credit hour

Summary of changes: The technical instruction component has been updated enough over this time period that the class has been renamed (in the fast-changing world of information technology, substantial updates to the content of instruction are frequent), but it still focuses on the same topics. The former Exam/substitute and Written Assignment had typically been implemented as requiring the development of a written security awareness plan, so ISM 5300 now has a single assessment requirement to write a Security Awareness Plan. Assigned credit hours for this work remained unchanged.

2. Explain how the proposed program supports the institution's strategic goals and provide evidence that affirms it is an institutional priority.

The SANS Technology Institute is tightly focused on developing information security leaders who have a combination of deep technical skills, knowledge of effective practice and leadership competencies that will allow them to design, deploy, and manage effective enterprise information security environments. Every major element of the college, from admissions to courses, student advising, research, and public service, is closely aligned with that mission. Given the small number of programs offered at STI, the success of the MSISM program remains a key strategic goal for STI and is further outlined in our strategic plan.

STI updated the institutional strategic plan in 2013, focusing on the next 4 years, which we believe are critical for the success of the institution. As a result, the following strategic goals were established: 1) Enhance Academic Quality; 2) Increase Student Enrollment; 3) Enhance Quality and Quantity of Research; 4) Achieve and Maintain Accreditation. Sub-goals for enhancing academic quality include making quality improvements to the MSISM program that were addressed in the cover letter of this proposal and, subsequently, seeking endorsement for the changes. Changes in how the MSISM program is managed have increased transparency in presenting program and course requirements and have provided faculty the freedom to use different pedagogical techniques to ensure students meet established learning outcomes.

B. Adequacy of curriculum design and delivery to related learning outcomes consistent with Regulation .10 of this chapter:

1. Provide a list of courses with title, semester credit hours and course descriptions, along with a description of program requirements.
Required Courses in the MSISM Program:

ISM 5000 Research & Communications Methods
SANS class: MGT 305 Research & Communications Methods
0.5 Credit Hours; Course length: 45 days

ISM 5000 covers strategies for conducting research and the oral and written communication that follows. The class allows the student to refine their ability to research and write professional quality reports, and to create and deliver oral presentations. Topics such as developing a convincing argument, synthesizing research and writing technical reports for non-technical audiences, and managing the communication environment are covered. Students participate in an editing exercise as well as a hands-on report writing and presentation development workshop, with a required oral presentation assessment.

ISM 5100 Enterprise Information Security
SANS class: MGT 512 Security Leadership Essentials
4 Credit Hours; Course length: 120 days

ISM 5100 is the introductory, survey course in the information security management master's program. It establishes the foundations for developing, assessing and managing security functions at the end-user, network and enterprise levels of an organization. The faculty instruction, readings, exam, and required student paper are coordinated to introduce and develop the core technical, management, and enterprise-level capabilities that will be developed throughout the master's program.

ISM 5200 Hacking Techniques & Incident Response
SANS class: SEC504 Hacker Techniques, Exploits & Incident Handling
4 Credit Hours; Course length: 120 days

By adopting the viewpoint of a hacker, ISM 5200 provides an in-depth focus on the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, exam, and NetWars simulation are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISM 5300 Building Security Awareness
SANS class: MGT 433 Securing the Human: Building and Deploying an Effective Security Awareness Program
1 Credit Hour; Course length: 45 days

One of the most effective ways to secure the human factor in an enterprise is an active awareness and education program that goes beyond compliance and leads to actual changes in behaviors. In ISM 5300, students learn the key concepts and skills to plan, implement, and maintain effective security awareness programs that make organizations both more secure and compliant. In addition, metrics are introduced to measure the impact of the program and demonstrate value. Finally, through a series of labs and exercises, students develop their own project and execution plan, so they can immediately implement a customized awareness program for their organization.

ISM 5400 IT Security Planning, Policy & Leadership
SANS class: MGT 514 IT Security Strategic Planning, Policy, and Leadership
4 Credit Hours; Course length: 120 days

ISM 5400 covers the entire strategic planning process: how to plan the plan, horizon analysis, visioning, environmental scans (SWOT, PEST, Porter's etc.), historical analysis, mission, vision, and value statements. The course also reviews the planning process core, candidate initiatives, the prioritization process, resource and IT change management in planning, how to build a roadmap, setting up assessments, and revising the plan.

ISM 5500 Research Presentation 1
1 Credit Hour; Course length: 45 days

ISM 5500 gives students the ability to convert written material to a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written in a previous course in the curriculum to build and deliver a 30-minute presentation, typically given at a SANS training conference.

ISM 5600 Legal Issues in Data Security and Investigations
SANS class: LEG 523 Legal Issues in Information Technology and Security
4 Credit Hours; Course length: 120 days

ISM 5600 introduces students to the new laws on privacy, e-discovery, and data security so students can bridge the gap between the legal department and the IT department. It also provides students with skills in the analysis and use of contracts, policies, and records management procedures.

ISM 5700 Situational Response Practicum
1 Credit Hour; Course length: 45 days

In ISM 5700, a small group of students is given an information security scenario that is partly based on current events and requires a broad knowledge of information security concepts. Their task is to evaluate the scenario and to recommend a course of action. This experience is a timed 24-hour event and culminates in a group written report and presentation at the end of the 24-hour preparation time.

ISM 5800 IT Security Project Management
SANS class: MGT 525 IT Project Management, Effective Communication, and PMP Exam Prep
3 Credit Hours; Course length: 120 days

In ISM 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISM 5800 follows the basic project management structure from the PMBOK Guide 5th edition and also provides specific techniques for success with information assurance initiatives. All aspects of IT project management are covered, from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

ISM 5900 Research Presentation 2
1 Credit Hour; Course length: 45 days

ISE 5900 gives students a chance to further develop their skills at converting written material into a persuasive oral presentation such as might be appropriate in an enterprise environment. Students use research material written from previous courses in the curriculum to build and deliver a 30-minute presentation, either at a SANS training conference or in an online environment.

ISM 6000 Standards Based Implementation of Security
SANS class: SEC 566 Implementing and Auditing the Twenty Critical Security Controls
4 Credit Hours; Course length: 120 days

Cybersecurity attacks are increasing and evolving so rapidly that it is more difficult than ever to prevent and defend against them. ISM 6000 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization's security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks.

ISM 6100 Security Project Practicum
2 Credit Hours; Course length: 45 days

In ISM 6100, a small group of students is given an information security project that requires a broad knowledge of information security concepts. Their task is to evaluate the project assignment and to recommend a course of action. This experience is a timed 30-day event. Students receive the project assignment from faculty, and must respond with a project plan to address the assignment within 5 days. The group then uses their plan to address the assignment, and delivers a written report at the end of the 30-day period.

ISM 6200 Auditing Networks, Perimeters and Systems
SANS class: AUD 507 Auditing Networks, Perimeters, and Systems
4 Credit Hours; Course length: 120 days

ISM 6200 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, students have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatedly verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.
ISM 6900 Information Security Fieldwork
0.5 Credit Hours; Course length: 45 days

In ISM 6900, students move into the field to prepare and present on a project that will help increase computer security awareness. Students devise their own project content, based upon a defined need. Students are also responsible for inviting an audience to review the results of their project work. It is expected that at least one representative from the student's own organization (place of employment) will be present to provide evidence of the presentation.

MSISM Capstone Assessment: GSM
0 Credit Hours

The GSM exam Capstone experience is a two-day hands-on lab exercise where students demonstrate their ability to formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology. Students work through scenarios which require them to: construct information security approaches that balance organizational needs, apply standards-based approaches to information security risk management, and devise incident response strategies.

Technical Elective Courses (MSISM Students Choose One):

ISE 6215 Advanced Security Essentials
SANS class: SEC 501 Advanced Security Essentials - Enterprise Defender
3 Credit Hours; Course length: 120 days.

ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device. Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore students will also learn how to detect attacks in a timely fashion through an in-depth understanding of the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

ISE 6220 Network Perimeter Protection
SANS class: SEC 502 Perimeter Protection In-Depth
3 Credit Hours; Course length: 120 days.

ISE 6220 provides a comprehensive analysis of a wide breadth of technologies. In fact, this is probably the most diverse course in the STI catalog, as mastery of multiple security techniques is required to defend networks from remote attacks. The course moves beyond a focus on single operating systems or security appliances. The course teaches that a strong security posture must be comprised of multiple layers. The course was developed to give students the knowledge and tools necessary at every layer to ensure their network is secure.
ISE 6230: Securing Windows and Resisting Malware SANS class: SEC 505 Securing Windows and Resisting Malware 3 Credit Hours; Course length: 120 days. ISE 6230 shows students how to secure Windows and how to minimize the impact of these changes on users of these changes. Through live demonstrations of the important steps, students follow along on their laptops. Where other courses focus on detection or remediation after the fact, the goal of this course is to prevent the infection in the first place. Students learn to write PowerShell scripts, but don't need any prior scripting experience. ISE 6235: Securing Linux/Unix SANS class: SEC 506 Securing Linux/Unix 3 Credit Hours; Course length: 120 days.

ISE 6235 provides students with experience in in-depth coverage of Linux and Unix security issues, examining how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks. ISE 6315: Web App Penetration Testing and Ethical Hacking SANS class: SEC 542 Web App Penetration Testing and Ethical Hacking 3 Credit Hours; Course length: 120 days. ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen. ISE 6320: Network Penetration Testing and Ethical Hacking SANS class: SEC 560 Network Penetration Testing and Ethical Hacking 3 Credit Hours; Course length: 120 days. ISE 6320 prepares students to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed handson exercises and practical tips for doing the job safely and effectively. 
Students will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

ISE 6325: Mobile Device Security
SANS class: SEC 575 Mobile Device Security and Ethical Hacking
3 Credit Hours; Course length: 120 days.

ISE 6325 helps students resolve their organization's struggles with mobile device security by equipping them with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches students to build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in their organization.

ISE 6330: Wireless Penetration Testing
SANS class: SEC 617 Wireless Ethical Hacking, Penetration Testing, and Defenses
3 Credit Hours; Course length: 120 days.

ISE 6330 takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students will navigate through the techniques attackers use to exploit WiFi networks, Bluetooth devices, and a variety of other wireless technologies. Using assessment and analysis techniques, this course will show students how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

ISE 6360: Advanced Network Penetration Testing
SANS class: SEC 660 Advanced Penetration Testing, Exploits, and Ethical Hacking
3 Credit Hours; Course length: 120 days.

ISE 6360 builds upon ISE 6320 Network Penetration Testing and Ethical Hacking. This advanced course introduces students to the most prominent and powerful attack vectors, allowing students to perform these attacks in a variety of hands-on scenarios. This course is an elective course in the Penetration Testing & Ethical Hacking certificate program, and an elective choice for the master's program in Information Security Engineering.

ISE 6420: Computer Forensic Investigations - Windows
SANS class: FOR 408 Computer Forensic Investigations - Windows In-Depth
3 Credit Hours; Course length: 120 days.

ISE 6105 Computer Forensic Investigations - Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation.
The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

ISE 6425: Advanced Computer Forensic Analysis and Incident Response
SANS class: FOR 508 Advanced Computer Forensic Analysis and Incident Response
3 Credit Hours; Course length: 120 days.

ISE 6420 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats, including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Advanced Network Forensic Analysis
SANS class: FOR 572 Advanced Network Forensics and Analysis

3 Credit Hours; Course length: 120 days.

ISE 6440 focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Students will employ a wide range of open source and commercial tools, exploring real-world scenarios to help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6460: Malware Analysis and Reverse Engineering
SANS class: FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques
3 Credit Hours; Course length: 120 days.

ISE 6425 teaches students how to examine and reverse engineer malicious programs (spyware, bots, Trojans, etc.) that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

ISE 6615: Defending Web Applications Security Essentials
SANS class: DEV 522 Defending Web Applications Security Essentials
3 Credit Hours; Course length: 120 days.
ISE 6615 covers the OWASP Top 10 and provides students with a better understanding of web application vulnerabilities, enabling them to properly defend organizational web assets. Mitigation strategies from an infrastructure, architecture, and coding perspective are discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities is also covered so students can ensure their application is tested for the vulnerabilities discussed in class.

MSISM Graduation Requirements

The MSISM program requires completion of 36 credit hours with a 3.0 G.P.A. within 5 years. Students must complete the following requirements:

Required Course                                             Credits
ISM 5000 Research & Communications Methods                  0.5
ISM 5100 Enterprise Information Security                    4
ISM 5200 Hacking Techniques & Incident Response             4
ISM 5300 Building Security Awareness                        1
ISM 5400 IT Security Planning, Policy and Leadership        3
ISM 5500 Research Presentation 1                            1
ISM 5600 Legal Issues in Data Security and Investigations   4
ISM 5700 Incident Response Practicum                        1
ISM 5800 IT Security Project Management                     3
ISM 5900 Research Presentation 2                            1
ISM 6000 Standards Based Implementation of Security         4
ISM 6100 Security Project Practicum                         2
ISM 6200 Auditing Networks, Perimeters and Systems          4
ISM 6900 Information Security Fieldwork                     0.5
Technical Elective (1 course)*                              3
Required Program Capstone                                   0
Total                                                       36

2. Describe the educational objectives and intended student learning outcomes.

The Master of Science in Information Security Management (MSISM) degree program is designed to help a candidate prepare for responsibilities at the highest-ranking management level with IT security responsibilities in an organization. In the government, this is often called the Designated Approving Authority, Information Assurance Manager, or Chief Information Security Officer. In the private sector, titles such as Chief Security Officer or Chief Information Security Officer are often used.

Graduates of this program will be able to assess the effectiveness of information security programs, see their strengths and weaknesses, and analyze the design of specific security enhancements. They will also have strong oral presentation and writing skills, knowledge of legal issues in security, and project management skills. Graduates will be able to develop and manage an enterprise-level information security program, including the ability to sponsor adaptive security paradigms that foster rapid detection and mitigation of new and existing attacks, and to measure response strategies to threats as they emerge.
The MSISM program approaches the development of information security leaders from a different vector than its sister MSISE program, focusing more on communications, policy, and standards-based management and less on bolstering hands-on skills and capabilities, while still ensuring a facility with the latter. The introductory survey course has no technical labs and materially increased (relative) management and policy content. The MSISM program has two three additional required four-credit courses with papers, focused on the leadership, legal and auditing aspects of information security management, while it offers only one choice of a technical elective course. The MSISM capstone practical exam is entirely different from the GIAC Security Expert exam requirement and is specific to the program.

The MSISM program shares the following General Learning Outcomes with the MSISE program:

o Formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology.
o Demonstrate a solid foundation in information security strategies and apply their knowledge by assessing an information security situation and prescribing an appropriate security approach.
o Construct an information security approach that balances organizational needs with those of confidentiality, integrity and availability. Solutions require a comprehensive approach that aligns with policy, technology, and organizational education, training and awareness programs.
o Effectively communicate information security assessments, plans and actions for technical and nontechnical audiences/stakeholders.
o Identify emerging information security issues, utilize knowledge of information security theory to investigate causes and solutions, and delineate strategies guided by evolving information security research and theory.

The following Learning Outcomes are specific to the MSISM program:

o Assess and balance the relationship and inter-responsibilities between all three communities of interest in Information Security: General Business, Information Technology, and Information Security.
o Apply a standards-based approach to implement the principles and applications of risk management, including business impact analyses, cost-benefit analyses, and implementation methods that map to business needs/requirements.
o Integrate the elements of information security management (Policy, Strategic and Continuity Planning, Programs and Personnel) into a coordinated operation.
o Articulate positive and socially responsible positions on ethical and legal issues associated with the protection of information and privacy.
o Devise incident response strategies, including business continuity planning/disaster recovery planning (BCP/DRP) initiatives, while focusing on cost effectiveness from both a proactive and reactive perspective.

3. Discuss how general education requirements will be met, if applicable.
General education requirements are not applicable to SANS Technology Institute or the MSISM program, because both are entirely focused on post-baccalaureate studies. Students are required to have completed a bachelor's degree before admittance.

4. Identify any specialized accreditation or graduate certification requirements for this program and its students.

Currently no specialized accreditations are required for the MSISM program and its students.

5. If contracting with another institution or non-collegiate organization, provide a copy of the written contract.

The modifications made to the MSISM program precipitating this Program Proposal neither include nor impact any changes to any relationship the SANS Technology Institute has with another institution or non-collegiate organization. All courses are authored and taught by members of the faculty of the SANS Technology Institute. Commensurate with the approval of the SANS Technology Institute as a degree-granting institution in the State of Maryland in 2005, and as reviewed and accredited by the Middle States Commission on Higher Education, the SANS Technology Institute will continue to engage the support services of its parent, the Escal Institute for Advanced Technologies (d/b/a SANS Institute) and its sister subsidiary, GIAC. The agreements are not designed specifically for the MSISM program but, as supporting structures for STI, they support the delivery and management of this program. The two Memoranda of Understanding between the SANS Technology Institute and the SANS Institute and GIAC are included as Attachments B-2 and B-3.

C. Critical and compelling regional or Statewide need as identified in the State Plan:

1. Demonstrate demand and need for the program in terms of meeting present and future needs of the region and the State in general based on one or more of the following:
o The need for the advancement and evolution of knowledge;
o Societal needs, including expanding educational opportunities and choices for minority and educationally disadvantaged students at institutions of higher education;
o The need to strengthen and expand the capacity of historically black institutions to provide high quality and unique educational programs.

2. Provide evidence that the perceived need is consistent with the Maryland State Plan for Postsecondary Education (pdf).

Technological progress is related to, and the direct result of, the advancement and evolution of knowledge. Together with the increased prevalence in the use and applicability of information technology, and the benefits of substantial increases in productivity and efficiency, comes the need to protect information-based assets from new adversaries, criminals, foreign nation-states, and vectors of attack.
The MSISM program is directly supportive of the development of professionals with the skills and capabilities to manage the protection of information assets that are central to the advancement and evolution of knowledge in the information age.

Despite the fact that the MSISM program is, by definition, focused exclusively on post-baccalaureate students and not all post-secondary students, it makes substantial contributions to Maryland's goals by seeking to increase the number and quality of Science, Technology, Engineering, and Mathematics (STEM) degrees in the State. From the 2013 Maryland State Plan for Postsecondary Education:

"Increasing the number of STEM degrees awarded to students is another key goal for Maryland postsecondary education. STEM-related occupations are critical because they are closely tied to technological innovation, economic growth, and increased productivity. Currently, workers with STEM competencies and degrees are in high demand. Data from the Georgetown University Center for Education and the Workforce (2011) rank STEM jobs as the second fastest-growing occupational category in the nation, behind health care."

The MSISM program focuses on producing additional highly impactful Information Security leaders with proficiency in STEM-related areas of practice.

D. Quantifiable & reliable evidence and documentation of market supply & demand in the region and State:

1. Present data and analysis projecting market demand and the availability of openings in a job market to be served by the new program.
2. Discuss and provide evidence of market surveys that clearly provide quantifiable and reliable data on the educational and training needs and the anticipated number of vacancies expected over the next 5 years.
3. Data showing the current and projected supply of prospective graduates.

The need for technically educated information security professionals has been steadily increasing. In July 2010 the CSIS (Center for Strategic and International Studies) Commission on Cybersecurity for the 44th President [1] released a white paper titled "A Human Capital Crisis in Cybersecurity." The white paper presents compelling evidence of a shortage of highly technical information security professionals who can both design secure networks and systems and create the tools needed to detect, mitigate, and recover from compromises. The report stated that the number of such professionals currently employed in government is estimated to be around 1,000, with a need for up to 30,000. [2]

In 2013 the US Defense Department released plans to increase the number of information security professionals employed from 900 to 4,900, with an anticipated workforce of 6,000 cyber professionals. [3] The new positions will have 3 distinct focuses: a defensive national mission force to protect systems that support electrical grids, power plants and other critical infrastructure; a combat mission force to help overseas military commanders plan and execute offensive operations; and a cyber protection force to bolster Defense Department networks. [4]

In 2012 the U.S. Department of Homeland Security Task Force on Cyber Skills called for DHS to hire 600 world-class cyber technologists. [5]

The Job Outlook, 2010-20 for Information Security Analysts, Web Developers, and Computer Network Architects published in the Bureau of Labor Statistics Occupational Outlook Handbook anticipates that employment for that category will grow 22% from 2010 to 2020, faster than average for all occupations, with favorable job prospects for all three occupations. [6] This category is projected to grow by 24% in Maryland over a similar time period. [7]

[1] Eric Cole, DPS, the Director of our Master of Science in Information Security Engineering program, was a member of this commission.
[2] White paper can be found at http://csis.org/files/publication/a%20human%20capital%20crisis%20in%20cybersecurity.pdf
[3] http://rt.com/usa/pentagon-triple-cyber-security-089/
[4] http://www.redorbit.com/news/technology/1112772556/cyber-security-staff-increases-by-the-pentagon-012913/
[5] Homeland Security Advisory Council's Cyberskills Task Force Report, Fall, 2012 (Page 4, Objective 4)
[6] Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2012-13 Edition, Information Security Analysts, Web Developers, and Computer Network Architects, on the Internet at http://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts-web-developers-and-computer-network-architects.htm (visited September 24, 2013).
[7] http://www.careerinfonet.org/occ_rep.asp?next=occ_rep&level=&optstatus=111111111&jobfam=15&id=1&nodeid=2&soccode=151122&stfips=24&x=61&y=9

Even if those organizations, and hundreds of others that are seeking talent, can find the tens of thousands of technical cybersecurity experts they jointly seek, they will still need people of sufficient expertise who can organize, manage, and lead the work of these experts. Teams of security professionals are most productive when led by people with substantial technical expertise and experience, just as successful air attack groups are led by active but senior pilots, or surgical departments are led by practicing but senior surgeons. Under pressure, as information security people often find themselves, having a manager or team leader who is not qualified or lacks experience often leads to critical mistakes in a line of work that can ill afford them.

In other words, if society hopes to protect itself against the increasing wave of attacks, a program needs to be created to develop technical information security leaders. STI was created to help government and industry develop that missing layer of technical cybersecurity managers. That goal is embodied in STI's mission.

STI used data available through IPEDS to obtain a general estimate of the number of graduates from Computer and Information Systems Security programs (specifically CIP Code 11.1003). In 2009-2010, 583 degrees were awarded among 36 programs. To date STI has awarded 2 Master of Science in Information Security Management degrees.

The need for qualified information security professionals is outpacing the number of professionals with the appropriate credentials and experience. The MSISM program will continue to play an integral part in decreasing the gap.

E. Reasonableness of program duplication:

1. Identify similar programs in the State and/or same geographical area. Discuss similarities and differences between the proposed program and others in the same degree to be awarded.
This proposal for a Substantial Modification to the SANS Technology Institute's MSISM program does not alter the number or nature of programs related to Information Security in Maryland, nor how our program relates to those programs. The learning outcomes sought have been reformulated but remain substantially the same.

Using the MHEC program inventory database, we identified the following institutions that offer master's programs with the same CIP code 11.1003 Computer and Information Systems Security:

o Johns Hopkins University: Master's Degrees in Cybersecurity and Security Informatics
o University of Maryland University College: Master's degrees in Cybersecurity and Cybersecurity Policy

The following Maryland institutions are advertising similar master's programs, but are not listed in the MHEC program inventory database:

o Capitol College: Information Assurance Master's Degree
o University of Maryland Baltimore College: Master's In Professional Studies: Cybersecurity

It is our strong belief, after a review of the courses and course descriptions offered by these programs, combined with our own understanding of the content of our courses, that the MSISM program continues to be distinguished in focus from those offered by these other institutions. Our technical courses are well known by governments and corporations to impart hands-on skills that enable our graduates to design, implement, and manage information security defenses. Our programs are designed specifically because of the problems driven by having managers of information security systems who might have apparently relevant credentials but who don't have an adequate understanding of the underlying technologies and hence how to design relevant defenses in the event of a breach.

Our management, policy, audit, and legal courses central to the MSISM program have been authored and are taught by practitioners in the field, and seek to establish clear connections between the more commonly taught high-level policy and audit standards with specific case studies of implementation mechanisms. It is this persistent connection of higher-level architecture and policy review and detailed implementation requirements in the real world that sets our program apart from existing, alternative offerings from other institutions in the State.

For example, the MSISM program requires a course entitled ISM 6200: Auditing Networks, Perimeters, and Systems. ISM 6200 is organized specifically to provide a risk-driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high-level audit issues and general audit best practice, students have the opportunity to dive deep into the technical how-to for determining the key controls that can be used to provide a level of assurance to an organization.
Tips on how to repeatedly verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real-world examples. ISM 5600: Law of Data Security and Investigations similarly connects higher-level legal issues with specific skills in the analysis and use of contracts and records management procedures. From a broad foundation, the course delves into specifics of (for example) preparing credible, defensible reports, whether for cyber, forensics incident response, human resources, or other investigations.

The MSISM degree ensures that our graduates understand, at the basic technical level, how operating systems and networks operate, how they can be broken, and therefore what one can do to protect them. On this grounding and with this level of understanding, effective information security professionals can develop and implement effective defenses.

Lastly, the MSISM program provides for multiple courses that integrate a student's understanding of the technical and management aspects of information security and develop their capabilities through real-world simulations. Two one-credit courses (ISM 5500 and ISM 5900) assist the student in the development of presentations of their research that they then need to present to faculty at a residential institute in the presence of 10-80 of their information security peers and professionals, many of whom are well versed in the topic(s) being presented and come prepared with challenging questions. As in their real-world responsibilities, graduate students must develop and prove their proficiency at distilling complex topics into an understandable oral presentation. MSISM students also fulfill the requirements of ISM 5700: Incident Response Practicum, in which a small group of students is given an information security incident scenario based partly on real-world events, and they must recommend a course of action to a CIO board within a fixed 24-hour preparation timeframe, preparing an official written report thereafter. Through ISM 6100: Security Project Practicum, students must work in virtual groups over a 30-day period to evaluate a custom-tailored information security implementation project and also integrate their work into a unified, written project presentation.

Practically driven, integrative coursework like this, combined with formal instruction courses, exams, and research that span high-level information security management concepts with real-world, practical implementation topics, are the hallmark of the MSISM program experience and a key differentiator from other programs in the State.

2. Provide justification for the proposed program.

Since MHEC authorized STI to award master's programs, the MSISM program remains critical and importantly distinct from other programs in Maryland (and the nation):

1. The SANS Technology Institute builds on the technical training of the SANS Institute, which has trained more than 120,000 information security professionals and teachers since 1989. The SANS Institute is the largest cybersecurity training organization, serving the National Security Agency, the FBI, and the US military, as well as their counterparts in many U.S. allied nations. Intelligence, military, and law enforcement organizations account for approximately 20% of SANS students. Others come from more than 5,000 enterprises of all types, ranging from hospitals to banks, utilities, state governments, and churches. Well over 1,500 faculty members and cybersecurity staff from U.S. and international colleges and universities have attended SANS courses.

2. The SANS Technology Institute takes the deep technical instruction of the SANS Institute to an entirely new level.
The MSISM program focuses on building a foundation of technical knowledge that students can utilize in managing enterprise level security strategy. The enterprise level view is reinforced through the Critical Controls framework pioneered by STI and SANS and now adopted by the U.S. Department of Homeland Security and the British government's Centre for the Protection of Critical Infrastructure.

3. Further, STI focuses on developing technical communications skills as well as project management skills essential for gaining support for technical cybersecurity programs and succeeding as a leader. Because time away from work is very limited and individuals tend to focus their training on technical skills, it is uncommon for security practitioners to enroll in professional development courses. But these courses are essential for leadership positions, as one of STI's students wrote in 2013:

"I have to admit that I would not have chosen the project management course if it were not in the STI curriculum, but I am quick to admit that it has helped me greatly at work. I apply a lot of the content at work each day, leading a multi-year, multi-million dollar program. I believe the stakeholder management and guarding against (future) stakeholder scope creep are my biggest takeaways from your course. You did a great job delivering the content and keeping the class engaged."