MET CS 684 Security Policies and Procedures

PLEASE NOTE: THIS IS THE SYLLABUS TO A PREVIOUS FACE-TO-FACE OFFERING OF THIS COURSE

IT IS NOT UP-TO-DATE

IN PARTICULAR, THE TEXTBOOKS ARE NOT NECESSARILY THE ONES CURRENTLY IN USE

THIS OLD SYLLABUS IS LEFT ONLINE TO PROVIDE A SENSE OF HOW THE COURSE WAS DESIGNED IN THE PAST

SOME ASPECTS REMAIN INTACT

FOR INFORMATION, CALL THE DEPARTMENT

(617)353-2566


Description:

This course enables IT professional leaders to identify emerging security risks and implement security policies that support organizational goals. It discusses methodologies for identifying, quantifying, mitigating and controlling risks. Students implement IT risk management plans that identify alternate sites for processing mission-critical applications, together with techniques to recover infrastructure, systems, networks, data and user access. The course also discusses topics such as disaster recovery; handling information security; protection of property, personnel and facilities; protection of sensitive and classified information; privacy issues; and criminal, terrorist and hostile activities.


Learning Goals

  • Understand the common Information Systems Security models
  • Review the CIA characteristics: confidentiality, integrity and availability
  • Understand security measures along the Technology, Policy & Practice, and Education/Training/Awareness dimensions
  • Understand risk management: identification, quantification, response and control
  • Learn disaster recovery procedures and countermeasures for the business enterprise

Textbook and Materials

Peltier, Thomas R. Information Security Policies and Procedures: A Practitioner’s Reference, Second edition. Auerbach. ISBN 0-8493-1958-7

Erbschloe, M. (2003). Guide to Disaster Recovery. Thomson Course Technology. ISBN 978-0-619-13122-7

Greene, Sari (2005). Security Policies and Procedures: Principles and Practices. Prentice Hall. ISBN 0-13-186691-5


Evaluation of Students

Absorbing and creating security system policies will be expected of all students. To attain excellence, students will be expected to create original analyses and comparisons. The course grade will be computed from the following:

Weekly assignments: 35%

Weekly quizzes: 15%

Class participation: 20%

Final: 30%

Class Participation

Students are required to participate in class or online discussions because this is an effective and, for many, an enjoyable way to learn. Participation is evaluated as follows.

Make a note of the substantive comments that you make in class or send to the class via the class site. I often ask questions of the class to encourage participation; you are encouraged to participate in class at all times in any case. At any time prior to one week before the final, submit these notes. Each should consist of the date, the context of the discussion at the time, and a short paragraph of what you said, a half page at the most. Here are some context examples.

  • We were discussing how to obtain buy-in from developers for security policies:
  • Responding to a comment raised by another student concerning the use of UML inheritance:
  • Responding to a question put to the class by the professor:
  • Responding to a question by a student:

You are reminded that plagiarism is taken very seriously by the Boston University community, so do not create imaginary comments, and do not submit material from the Internet as your own. The criteria for participation are as follows:

α. Proportion of substantive contributions. This is the percentage of documented contributions that have significant content. 75% would be a good fraction; 95% is definitely excellent.

β. Number of substantive contributions. This counts the number of substantive contributions. In a class of 15, two per class would be good. Larger classes necessarily result in proportionately fewer contributions per person.

γ. Evenness of contributions. This measures the uniformity of your contributions throughout the semester. A contribution every week would be good in this respect.

Late homework will not be accepted unless there is a reason why it was impossible to perform the work in time, given work and emergency conditions. In that case, e-mail the homework with the written reason attached; if I accept the reason, the homework will be graded on a pass/fail basis.


Warning concerning plagiarism

Please cite all references and uses of the work of others. All instances of plagiarism must be reported to the College for action. E-mail, see or call me if you have any doubts about the proper use of others’ material. In any case, clearly acknowledge all sources in the context in which they are used, including code, of course.


Syllabus

1.  Introduction and Threats to Enterprise Security

1A: Introduction and Threats

  • Vulnerabilities
  • The U.S. National Level
  • Introduction to Risk Thinking

1B: An Overview of Security Responses

Readings: Peltier 287-306; 259-263

Greene Most Helpful: 65-72; Additional: 72-81

2.  I.T. Enterprise Security Issues

2A: Common Enterprise Security Issues

  • Ethical Issues
  • Legal and Regulatory Issues (Sarbanes-Oxley, HIPAA, FDA, etc.)
  • Asset Security
  • Security Risk

2B: Specialized Security Issues

  • Security in a connected world (India, Ireland, …)
  • Runtime security
  • Other security issues

Readings:  Peltier 367-370

Greene Most Helpful: 387-396, 425-443

Additional: 397-423; page through 117-137, 425-455 and 463-481
See references to risks via the index as needed

3.  Security Policies, Standards and Procedures

3A: Security Policies

  • Rationale for Policies, Standards and Procedures
  • Preparing and Gathering Information
  • Policy Parameters
  • Policy Tiers
  • Enterprise-Tier Policies
  • Topic-Tier Policies
  • Application-Tier Policies
  • Asset Classification

3B: Security Standards and Procedures

Readings: Peltier 47-80, 113-162 and 199-241

Greene Most Helpful: 1-25, 35-51, 91-106, 185-203

4.  I.T. Operational Security Management

4A: Common Operational Security Management

  • Quality Assurance in Software Development
  • Security in system development

4B: Specialized Issues in Operational Security Management

  • The Need to Communicate Security Policies
  • Program Planning Principles
  • Scope and Approvals
  • Assessment of Security State and Needs
  • Program Aspects
  • Implementation
  • Maintenance

Readings: Peltier 325-358

Greene Most Helpful: 311-325; Additional: 325-337

5.  I.T. Business Continuity: Preparation

5A: An introduction to business continuity and disaster recovery

  • Reviewing business continuity concepts
  • Establishing principles of disaster recovery planning
  • Reviewing steps for disaster recovery planning
  • Preparing to develop a disaster recovery plan

5B: Preparing for I.T. continuity

  • Assessing risks
  • Prioritizing assets for recovery
  • Developing plans and procedures
  • Learning organizational relationships

Readings: Erbschloe Chapters 1-6

Greene Most Helpful: 351-365

6.  Implementation of Disaster Recovery and Continuing Operations

6A: Recovering from disasters

  • Responding to attacks
  • Implementing recovery plans

Reading: Erbschloe Chapter 12 (pages 317-343)

6B: Ongoing Quality

  • Learning from disasters
  • Measuring quality
  • Managing ongoing quality processes

Review for Final

Readings: Erbschloe Chapter 12 (317-343); Chapter 3 is background reading for the first part of lecture 6B

Greene Most Helpful: 365-375