Policy Development in Information Assurance (IAP301)
Description
This course delivers a logical sequence of discussions about major concepts and issues related to information assurance policy implementation. Organizational objectives, threats, risk mitigation and cost-benefit analysis will be explored. The student will utilize industry-accepted methodologies to create practical security policy that communicates the organization's asset protection objectives.
Main objectives
- LO1 Identify the role of an ISS (Information Systems Security) policy framework in overcoming business challenges.
- LO2 Analyze how security policies help mitigate risks and support business processes in various domains in the IT infrastructure.
- LO3 Describe the components and basic requirements for creating a security policy framework.
- LO4 Describe the different methods, roles, responsibilities, and accountabilities of personnel, along with the governance and compliance of security policy framework.
- LO5 Describe the different ISS policies associated with the User Domain.
- LO6 Describe the different ISS policies associated with the IT infrastructure.
- LO7 Describe the different ISS policies associated with risk management.
- LO8 Describe the different ISS policies associated with IRTs (Incident Response Teams).
- LO9 Describe different issues related to implementing and enforcing ISS policies.
- LO10 Describe the different issues related to defining, tracking, monitoring, reporting, automating, and organizing compliance systems and emerging technologies.
Assessment
- Ongoing assessment:
- 01 Midterm Progress Test: 10%
- Participation in Discussions: 10%
- Group Assignment Presentation: 20%
- 10 Labs: 30%
- Final exam: 30%
- Completion Criteria: every ongoing assessment component > 0, average lab score >= 4, final exam score >= 4, and final result >= 5
Course schedule
- Session 1: Lecture 1. Information Assurance Policy Management
- Session 2
- Discussion 1: Importance of Security Policies
- Assignment 1: Security Policies Overcoming Business Challenges
- Session 3: Lab 1: Craft an Organization-Wide Security Management Policy for Acceptable Use
- Session 4: Lecture 2. Risk Mitigation and Business Support Processes
- Session 5-6
- Discussion 2: Risk Mitigation
- Assignment 2: Good Policy Implementation
- Assigned Reading (or a Guest Speaker):
- How will Brexit affect the cyber-security industry in UK and Europe?
- The Social Dilemma of Self-Driving Cars
- ISO/IEC 27001 for Mobile Devices, Access Controls
- Session 7: Lab 2: Develop an Organization-Wide Policy Framework Implementation Plan
- Session 8: Lecture 3. Policies, Standards, Procedures, and Guidelines
- Session 9
- Discussion 3: Business Considerations
- Assignment 3: Security Policy Frameworks
- Session 10: Lab 3: Define an Information Systems Security Policy Framework for an IT Infrastructure
- Session 11: Lecture 4. Information Systems Security Policy Framework
- Session 12
- Discussion 4: Separation of Duties (SOD)
- Assignment 4: Security Policy Creation
- Session 13: Lab 4: Craft a Layered Security Management Policy - Separation of Duties
- Session 14: Lecture 5. User Policies
- Session 15
- Discussion 5: Best Practices for User Policies
- Assignment 5: Create User Policy
- Assigned Reading:
- Ultrasound theft results in data breach at health care company Kaiser Permanente; Second Circuit rules in favor of Microsoft, government can't force access to email on Irish server (SC Magazine, July 2016)
- Office of Management and Budget (OMB): Federal Cybersecurity Workforce Strategy (July 2016)
- Session 16: Lab 5: Craft an Organization-Wide Security Awareness Policy
- Session 17
- Review for Midterm
- Midterm Progress Test
- Session 18: Lecture 6. IT Infrastructure Security Policies
- Session 19
- Discussion 6: IT Infrastructure Security Policies
- Assignment 6: IT Infrastructure Policies
- Assigned Reading: Cyber Attack on Ukrainian Power Grid
- Session 20: Lab 6: Define a Remote Access Policy to Support Remote Healthcare Clinics
- Session 21: Lecture 7. IA Policies Associated with Risk Management
- Discussion 7: Fear of Hacking Survey
- Assignment 7: Risk Management in a Business Model
- Session 22: Lab 7: Identify Necessary Policies for Business Continuity – BIA & Recovery Time Objectives, Focusing on Three Additional Security Requirement Families from NIST SP 800-171 (the third item under Learning material): Incident Response (3.6), Risk Assessment (3.11), Security Assessment (3.12)
- Session 23
- Lecture 8. Incident Response Team Policies
- Discussion 8: Support Services
- Assignment 8: Create an Incident Response Policy
- Assigned Reading:
- Illinois hospital chain to pay record $5.5M for exposing data about millions of patients
- Famed hacker creates new ratings system for software
- Session 24: Lab 8: Craft a Security or Computer Incident Response Policy – CIRT Response Team
- Session 25
- Lecture 9. Implementing and Maintaining an IT Security Policy Framework
- Discussion 9: Information Dissemination - How to Educate Employees
- Assignment 9: Policy Monitoring and Enforcement Strategy
- Session 26: Lab 9: Assess and Audit an Existing IT Security Policy Framework Definition
- Session 27
- Lecture 10. Automated Policy Compliance Systems
- Discussion 10: Tracking, Monitoring, and Reporting
- Assignment 10: Automated Policy Compliance Systems (Software Evaluation Criteria spreadsheet)
- Assigned Reading: Ransomware-as-a-service business booming and growing; Settlement expected for 50M Home Depot customers (SC Magazine, Aug. 2016)
- Session 28: Lab 10: Align an IT Security Policy Framework to the 7 Domains of a Typical IT Infrastructure
- Session 29: Group Assignment Presentation: a Topic Chosen among 10 Discussions and Assignments
- Session 30: Course Review
Learning material
- Rob Johnson, 2015, Security Policies and Implementation Issues, 2nd Edition, Jones and Bartlett Learning, ISBN 9781284055993
- Seymour Bosworth, M.E. Kabay, Eric Whyne (eds.), Computer Security Handbook, 6th Edition, 2 Volumes, Part VIII, John Wiley & Sons, 2014.
- Ron Ross, Patrick Viscuso, Gary Guissanie, Kelley Dempsey, Mark Riddle, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, NIST Special Publication 800-171, 2016.
- Barry L. Williams, Information Security Policy Development for Compliance: ISO/IEC 27001, NIST SP 800-53, HIPAA Standard, PCI DSS V2.0, and AUP V5.0, CRC Press, 2013.
- Lecture slides, Lab Manual.