Description

  • This course provides an overview of security challenges and strategies of countermeasure in the information systems environment. Topics include definition of terms, concepts, elements, and goals incorporating industry standards and practices with a focus on availability, vulnerability, integrity, and confidentiality aspects of information systems.
  • Major Instructional Areas
    1. Information Systems Security fundamentals
    2. Seven domains of a typical Information Technology (IT) infrastructure
    3. Risks, threats, and vulnerabilities found in a typical IT infrastructure
    4. Security countermeasures for combating risks, threats, and vulnerabilities commonly found in an IT infrastructure
    5. (ISC)2 Systems Security Certified Practitioner (SSCP®) Common Body of Knowledge – SSCP® domains
    6. Six domains of the CompTIA Security+ certification

Learning Outcomes

  1. Explain the concepts of information systems security (ISS) as applied to an IT infrastructure.
  2. Assess the current methods of business communications today and the associated risks and threats.
  3. Describe how malicious attacks, threats, and vulnerabilities impact an IT infrastructure.
  4. Explain the role of access controls in implementing a security policy.
  5. Explain the role of operations and administration in effective implementation of security policy.
  6. Explain the importance of security audits, testing, and monitoring to effective security policy.
  7. Explain how businesses apply cryptography in maintaining information security.
  8. Understand malicious attacks, threats, and vulnerabilities and explain the means attackers use to compromise systems and networks and defenses used by organizations.
  9. Use international and domestic information security standards and compliance laws in real-world applications in both the private and public sector.

Assessment structure

  • Ongoing assessment (OA):
    • 02 Progress Tests: 20%
    • 08 Labs: 30%
    • 01 Group Presentation: 10%
  • Final examination (FE): 40%
  • Completion criteria:
    • Final Result >=5 & Final Exam Score >= 4
    • Every ongoing assessment component > 0

Course schedule

  1. Information Systems Security
    • 1.1 Information Systems Security
    • 1.2 Tenets of Information Systems Security
    • 1.3 The Seven Domains of a Typical IT Infrastructure
  2. Information Systems Security (cont.)
    • 1.4 Weakest Link in the Security of an IT Infrastructure
    • 1.5 IT Security Policy Framework
    • 1.6 Data Classification Standards
  3. Changing How People and Businesses Communicate
    • 2.1 Evolution of Voice Communications
    • 2.2 VoIP and SIP Risks, Threats, and Vulnerabilities
    • 2.3 Converting to a TCP/IP World
    • 2.4 Multimodal Communications
  4. Changing How People and Businesses Communicate (cont.)
    • 2.5 Evolution from Brick-and-Mortar to e-Commerce
    • 2.6 Why Businesses Today Need an Internet Marketing Strategy
    • 2.7 The Web Effect on People, Businesses, and Other Organizations
    • Reading 1: The Internet of Things Is Changing How We Live
  5. Lab 1: Performing Reconnaissance and Probing Using Common Tools
  6. The Drivers of the Information Security Business
    • 4.1 Defining Risk Management
    • 4.2 Implementing a BIA, a BCP, and a DRP
    • 4.3 Assessing Risks, Threats, and Vulnerabilities
  7. Lab 2: Performing a Vulnerability Assessment
  8. The Drivers of the Information Security Business (cont.)
    • 4.4 Closing the Information Security Gap
    • 4.5 Adhering to Compliance Laws
    • 4.6 Keeping Private Data Confidential
    • Reading 2: The Integrated IA Model
  9. Lab 3: Performing Packet Capture and Traffic Analysis
  10. Review Chapters 1, 2, 4 & Progress Test 1 (30’)
  11. Access Controls
    • 5.1, 5.2 Four Parts and Two Types of Access Control
    • 5.4 Identification Methods and Guidelines
    • 5.5 Authentication Processes and Requirements
  12. Access Controls (cont.)
    • 5.7 Formal Models of Access Control
    • 5.8 Threats to Access Controls
    • 5.9 Effects of Access Control Violations
  13. Lab 4: Enabling Windows Active Directory and User Access Controls
  14. Security Operations and Administration
    • 6.1 Security Administration
    • 6.2 Compliance
    • 6.4 The Infrastructure for an IT Security Policy
  15. Security Operations and Administration (cont.)
    • 6.5 The Change Management Process
    • 6.6 The System Development Life Cycle (SDLC)
    • 6.8 Software Development and Security
  16. Lab 5: Implementing an Information Systems Security Policy
  17. Auditing, Testing, and Monitoring
    • 7.1 Security Auditing and Analysis
    • 7.4 Audit Data–Collection Methods
    • 7.5 Post-Audit Activities
    • 7.6 Security Monitoring
    • 7.8 How to Verify Security Controls
    • 7.9 Monitoring and Testing Security Systems
  18. Lab 6: Using Group Policy Objects and Microsoft Baseline Security Analyzer for Change Control
    • Reading 3: Chapter 8: Role of Risk Management, Response, and Recovery for IT Systems, Applications, and Data
  19. Role of Cryptography in Maintaining Confidentiality and Privacy of Data
    • 9.1 What Is Cryptography?
    • 9.2 Cryptographic Business and Security Requirements
    • 9.4 Cryptographic Principles
    • 9.5 Cryptographic Applications, Tools, and Resources
    • 9.6 Principles of Certificates and Key Management
  20. Lab 7: Using Encryption to Enhance Confidentiality and Integrity
    • Reading 4: Chapter 10. Network and Communication
  21. Review Chapters 5, 6, 7, 9 & Progress Test 2 (30’)
  22. Mitigation of Risk and Threats from Attacks and Malicious Code Information
    • 11.2 The Main Types of Malware
    • 11.3 A Brief History of Malicious Code Threats
    • 11.4 Threats to Business Organizations
  23. Chapter 11 (cont.)
    • 11.5 Anatomy of an Attack
    • 11.6 Attack Prevention Tools and Techniques
    • 11.7 Incident Detection Tools and Techniques
  24. Lab 8: Performing a Web Site and Database Attack by Exploiting Identified Vulnerabilities
  25. Information Security Standards
    • 12.1 Standards Organizations
    • 12.3 ISO/IEC 27002
    • 12.4 Payment Card Industry Data Security Standard (PCI DSS)
    • Reading 5: Examine Real-World Implementations of Security Standards and Compliance Laws
  26. U.S. Compliance Laws
    • 15.1 Compliance Is the Law
    • 15.2 Federal Information Security
    • 15.3 The Health Insurance Portability and Accountability Act (HIPAA)
  27. U.S. Compliance Laws (cont.)
    • 15.6 The Family Educational Rights and Privacy Act
    • 15.7 The Children’s Internet Protection Act
    • 15.8 Making Sense of Laws for Information Security Compliance
  28. Group Presentation (one of 5 readings)
  29. Course Review

Learning material

  • David Kim, Michael G. Solomon, Fundamentals of Information Systems Security, 2nd Edition, Jones & Bartlett, 2014.
  • The Internet of Things Is Changing How We Live, Chapter 2 in “David Kim, Michael G. Solomon, Fundamentals of Information Systems Security, 3rd Edition, Jones & Bartlett, 2016”.
  • Michael E. Whitman, Herbert J. Mattord, Principles of Information Security, 5th Edition. Course Technology, Cengage Learning, 2015.
  • Michael E. Whitman, Herbert J. Mattord, Management of Information Security, 4th Edition. Course Technology, Cengage Learning, 2014.
  • Lecture slides, Lab manual, supplementary material
  • Tools: Internet, Wireshark, OpenVAS, NetWitness Investigator, Zenmap, AD DS, PBIS, GPO Editor, RDP, MBSA, FileZilla, Kleopatra, DVWA.