University of Dayton
School of Business Administration
Fall, 2018

NOTE:  Apparently the browser compatibility issues from last year have been (for the most part) resolved.  This said, Chrome and Firefox still seem to work best.  IE works for the most part if put into compatibility mode (ironic since I built the pages using a MS product).  Please advise regarding any difficulties reading the pages.

MIS 368/MBA/MIS 662A
IS Security Management

FINAL VERSION PENDING ANY NECESSARY UPDATES. 

Any substantive changes to this document will appear with Light Pink Highlight.

Something interesting to read about grades. 

Get your grades (available on Isidore), and teams. 
Jump to course schedule

This page was last modified on Monday December 03, 2018

INSTRUCTOR:
OFFICE:
PHONE:
EMAIL:
WEB PAGES:

CLASS MEETINGS:
OFFICE HOURS:
Dr. David Salisbury
Anderson Center, Room 104
937.229.2938 (department office)
salisbury@udayton.edu
http://www.davesalisbury.com/ (professsor)
http://Isidore.udayton.edu (follow links on Isidore)
M 635PM-915PM, MH 207
10-12 MW, 5-6 M, 10-12 R (email usage is encouraged) or by appointment. Hours subject to change due to unforeseen circumstances. Any changes will be communicated to students via email.

PLEASE NOTE:  IN THE EVENT YOU ARE TAKING THIS (OR ANY OF MY CLASSES) ONLINE, YOU ARE RESPONSIBLE TO HAVE A FUNCTIONAL INTERNET CONNECTION.  NO ACCOMMODATION WILL BE MADE DUE TO MISSED EMAILS, INABILITY TO STREAM VIDEO/AUDIO, OR TO ACCESS COURSE RESOURCES ON THE ISIDORE WEBSITE.  BY TAKING ANY CLASS ONLINE YOU ARE AGREEING TO THESE TERMS.  THIS STATEMENT WILL APPEAR ON ALL MY SYLLABI REGARDLESS OF NEED.

Course Overview

This course will equip students to effectively manage computer information and network security by understanding relevant IT governance goals, policies, and standards within both federal and private sector environments. A consistent governance framework for categorizing, selecting, implementing, assessing, authorizing, and monitoring IT security will enhance management of risks and information resources with positive returns on security investments. Topics include discussion of FISMA (Federal Information Security Management Act), FIPS (Federal Information Processing Standards), NIST (National Institute of Standards & Technology), and passing reference to other standards (e.g. Sarbanes-Oxley, HIPAA and FERPA) standards.  Additionally, students will learn about assessing current threats to computer information & network security and perform security tests & evaluation on their personal machines. Student teams will further research curricular issues in MIS programs with respect to security, and develop a term paper regarding these topics, and the MBA students (depending on size of the class) will assess current threats to computer information & network security, perform security tests & evaluation, conduct an applied team research project, perform business risk assessments, and develop IT configuration management, contingency, and system security plans.  This course is intended to introduce students who have a basic understanding of computer hardware, software, and operating systems to concepts that will increase their knowledge, proficiency and skills in computer information & network security management controls.  

In addition to other content, this course will help prepare students for the Certified Authorization Professional (CAP), a vendor-neutral certification provided by the International Information Systems Security Certification Consortium (ISC)2, designed to certify qualified personnel to assess and manage the risks of security threats to information systems. While not a course requirement to take this certification, it is relevant in that topics will include understanding the purpose of security authorization and the phases of that process including preparation and initiation, execution of certification and accreditation, and maintenance involving continuous monitoring. Students are presented methods to achieve information superiority through standardized, affordable, and timely access to reliable and secure information for decision making and operations. Several government and commercial standards for Certification & Accreditation are reviewed that formalize processes used to assess risk and establish security requirements to ensure IT protections are commensurate with the level of exposure.

As with all courses in the School of Business Administration at the University of Dayton, this course attempts to advance the University and School mission, to wit:

The School of Business Administration is a learning community committed in the Marianist tradition to educating the whole person and to connecting learning and scholarship with leadership and service in an innovative business curriculum designed to prepare students for successful careers in the contemporary business environment. 

To this end, the information security management course is designed to bring theory designing information systems to be secure into the course, allow you to put this learning into practice by performing a security assessment on a simple system and by preparing for a relevant practitioner certification test, and by doing so contribute to your understanding of how information systems may be designed and built in a secure fashion so you may eventually apply this knowledge in your future coursework and/or careers. 

Note:  This course is part of a three-course sequence (an undergraduate minor or graduate certificate/concentration) that you may wish to take.  Here is more information about the sequence.  Please note that the flyer at this link is most likely incorrect as to when specific courses will be offered in any given term (and as well as to specific contact information - i.e. individuals); in this context it merely provides information about the courses that we offer in the sequence. 

Course Texts

Some of you may choose to get the books at the UD bookstore.  However, it is anticipated that some will engage in whatever searches are necessary to secure the appropriate books at the lowest cost.  Hence, the ISBN is provided so you may verify that the book you get is the one I'm using.  I am not responsible for books that do not match. 

Dhillon, G. (2018) Information Security: Text and Cases. Burlington, VT: Prospect Press.    

The text is available at the bookstore (see bookstore for details) and direct from the publisher (see below). 

STUDENT DIRECT-ORDERING INFORMATION

Dhillon INFORMATION SECURITY: TEXT & CASES, Edition 2.0
Prospect Press
Copyright 2018

eTextbook: 
ISBN: 978-1-943153-24-4
Student price: $54.00
Available from:
Redshelf and Vitalsource - See instructions below:

Paperback:
ISBN: 978-1-943153-25-1
Student price: $78.00
Available from Redshelf.  See instructions below:

Direct links to online retailers can be found at the publisher's website here:
https://prospectpressvt.com/titles/dhillon-information-systems-security/
Scroll to "Ordering Information for Students" and click on the orange buttons.

Or, see instructions below for additional details:

REDSHELF.COM -- ebooks and paperbacks
- To order the ebook or paperback, go to www.Redshelf.com, and search by the ISBN. (978-1-943153-24-4 for the eTextbook, 978-1-943153-25-1 for the paperback)
- Or use this link for the title's ordering page and choose the format you want: https://redshelf.com/book/825030
- The Redshelf ebook is ONLINE only with permanent online access.

VITALSOURCE.COM - ebooks only
- If you want the option of both online and a download of your ebook, Vitalsource provides this flexibility.  
- To order a Vitalsource eTextbook, go to www.vitalsource.com/student-etextbooks and search by the eTextbook ISBN (978-1-943153-24-4)
- Or use this link for the title's direct ordering page:  https://www.vitalsource.com/products/information-security-text-and-cases-gurpreet-dhillon-v9781943153244
- The VitalSource ebook provides 365-day online access and a perpetual download.
- VitalSource does not provide a printed option.

Readings available on Isidore

Other materials to be distributed as necessary, either electronically or in class.

A functional laptop computer with appropriate software (note that some software is provided on the server side at links provided by the instructor).

Finally, the following books are not at all required for the course, but are good reads about the concerns in play:

Clark, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to do About it. New York: HarperCollins. 

Verton, D. (2003). Black ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne.

Topics and Standards to be Addressed

Course Procedures

Course Assignments

A large proportion of each student's grade in this course will be assessed on the basis of the student's performance on various assignments that are expected to be completed through the semester. All assignments are to be completed by individuals, unless otherwise stated on the assignment. All assignments for this course are to be made via the World Wide Web, at the URL noted above, or on Isidore. 

Timeliness of Assignment Submission

It is important to submit assignments on time. All assignments are due on the assigned date. Late assignments will not be accepted. You are all going to be in the real world someday, and this is how they do it there. This policy will be strictly enforced, except as mentioned under the excuses section. Please also know that if the first assignment is late, you put yourself severely behind for subsequent assignments.

Please be aware that no excuses except the approved ones noted in this document below will be accepted for assignments not being submitted on time, unless it's really good.

You should also be aware that you are responsible to see that your assignment has been submitted properly. I am not going to be chasing people down to make certain that they have submitted their work. In addition, due to the number of assignments in a class like this, you are also responsible to keep backups of all submitted work in case something gets lost in the shuffle, and you should keep all returned assignments until the end of the semester as proof they were submitted and marked.  Finally, marks which have been posted for one week are final.  Hence, you should keep track regularly of your course marks as posted on the database. 

Finally, to discourage procrastination, I will offer no assistance on class assignments after 5PM on the day before they are due. This policy will be strictly enforced.  If an assignment is due on Wednesday (as an example)the last assistance I will render ends at 5PM on Tuesday. 

Class Attendance and Participation

Class time will be devoted to lectures, case discussion, demonstrations of relevant topics and issues. Contrary to popular belief, my job is not merely to impart information to you, but to help you learn. The mind is not a vessel to be filled, but a fire to be lighted. Your participation is extremely important to the learning process for yourself and the entire class. Consequently, class attendance and participation are strongly encouraged. For your information, I do keep a participation record, and it will influence your mark. Please also note that attendance is not the same as participation.  Finally, please be advised that after three misses (non-excused per policy below) the participation mark will be reduced to zero.

Another encouragement to attend is that you are responsible for anything that transpires in class. If you miss an assignment due date or other changes because you were not in class (or don't get it via email), it is your problem.

Classroom Decorum

You should be aware that your actions in the classroom environment should demonstrate intellectual engagement in the course content, and as well respect for your classmates and for your instructor. As such, talking audibly, passing notes, and other similar juvenile behavior simply have no place in a university classroom. If you find yourself unable to avoid chatting with the person next to you, you should consider sitting elsewhere in the class. Expect to be called out when such behavior is observed.

Other behaviors that are disruptive to others' learning involve various electronic devices. Cell phones, pagers and similar electronic communication devices should be turned off and stowed below the desk in a case or bag during all classes. While these devices are useful in their appropriate context, they create a disruption to the learning environment when they go off in class. Further, leaving the room to take a cell phone call is both inappropriate and rude, and also causes a disruption to the learning environment. As a consequence, failure to comply with this policy will result in appropriate disciplinary action, up to and including referral to university judiciaries.

Relevant to computer use (either in laptop required sections or in the lab), engaging in IM sessions, web-browsing, reading your email and other behavior of this type means that you are not paying attention to the material being discussed. Almost invariably this results in disruption to the learning environment as students who have not been paying attention find themselves behind and ask questions that have already been addressed. When you are in the classroom, you are expected to be engaged intellectually.

The instructor reserves the right to limit or prohibit use of any programmable devices (e.g. programmable calculators, laptop computers) and devices for communication and data storage (including but not limited to camera phones, cell phones, pagers, storage media or PDAs) at any time in the classroom. Refusal to comply with a request of this nature will result in sanctions being assessed as appropriate, up to and including referral to university judiciaries.

Please do not leave the class once you have chosen to attend -- it tends to be distracting for the rest of the class. If you must leave early, please sit near the door to make your departure unobtrusive, or do not attend at all. Please do not be late when you attend. Too many people coming after class starts creates a real disturbance. I reserve the right to take corrective action if it becomes a problem.

You should also be aware that being late for classes is no excuse to receive extra time on in-class activities or assignment submission deadlines. To arrive late disrupts the learning environment and, unless there is ample reason (see approved reasons, below) also demonstrates lack of respect for your classmates.  If you are late for class on a day with a required in-class activity you will have less time to complete this. Finally, when assignments are due at the start of class, arriving late to class (i.e. significantly after the assignment has been taken up) is grounds for the assignment due that day to be considered a late submission.

I reserve the right to take corrective action if these issues create problems.

Please know that the intent of these policies is not to be unreasonable; from time to time a student may have reasonable need to leave the classroom prior to the end of class, or may have a legitimate reason that they are late. For example, he/she may be ill, may need a drink of water, may need to avail him/herself of the restroom facilities, or in winter for those driving weather can be a challenge. Further, there are emergency situations in which constant availability via electronic communication may be necessary. In this case, simply notify the instructor of the situation and a reasonable accommodation can be made.

Reading Assignments

While there is not a large amount of material to be covered through this course, it is rather easy to fall behind. Please ensure that you stay current in your readings -- it is expected that you will have read in advance the material to be covered in class on a given day, and be able to discuss it.

Communication with the instructor

While I am around a lot, I am not in perpetually. Consequently, much interaction with me will be through e-mail (salisbury@udayton.edu).  You should also note that I intend to communicate with you via email as well; hence, it is important that you check your email often, and clean out old messages so that you do not exceed your email quota (which would result in the message "bouncing"). 

Examination Procedures

The examinations will contain case-based questions, objective-style questions, and problem-solving questions. Exams will be based on the required text, on the in-class material associated with computer software, and on the other readings assigned by the instructor. Please note this carefully: There will be NO make-up examinations, save for university-approved reasons. If you must miss an examination, be prepared to document a university-approved reason. Job interviews, site visits and incarceration due to over-exuberant St. Patrick's Day participation are examples of reasons that are NOT university-approved.

Grading Scale and Course Components

The grading scale and grading components are presented below. If you make any of the cut-offs, you will receive that mark. For example, if you earn 930 points, you will receive an "A" for the course, or if you receive 885 points, you will receive a "B+" for the course.

MIS 368 Grading Scale

Grade Assignment Grade Components

(A)
(A-)
(B+)
(B)
(B-)
(C+)
(C)
(C-)
(D)
(F)

>=930
>=900 <930
>=870 <900
>=830 <870
>=800 <830
>=770 <800
>=730 <770
>=700 <730
>=600 <700
<600 (failure)

Individual Assignments/Exercises
Team Research Project
Class Participation
Lowest Exam Score
Highest Exam Score

Total Points

250
150
75
225
300

1000

MBA 662A Grading Scale

Grade Assignment

Grade Components

(A)
(A-)
(B+)
(B)
(B-)
(C)
(F)

>=930
>=900 <930
>=870 <900
>=830 <870
>=800 <830
>=700 <800
<700 (failure)

Individual Assignments/Exercises
*Team Research Project
*MBA Team System Assessment
Class Participation
Lowest Exam Score
Highest Exam Score

Total Points

200
150
175
50
200
225

1000

*Please note that in the event of a very small MBA class I have alternative configurations that can be worked out once class has started, depending on the student's ability and interests.  In any case the point is to offer the MBA student a graduate-level experience.

Since the marks in my classes over the long term tend to look like a normal curve, I tend not to force an artificial curve. On the odd chance that there is a curve it will be applied only on the overall grade in all sections I teach. Thus, no question of curving will be entertained until after the final. In addition, no extra credit assignments will be offered; if you are unable to perform well on what has already been assigned, I don't wish to burden you with extra work.  Finally, I encourage you that if you are in trouble, try to demonstrate an effort to improve and ask for help. Do not fail in silence.

Academic Dishonesty

I refer you to the UD Honor Pledge:

I understand that as a student of the University of Dayton, I am a member of our academic and social community; I recognize the importance of my education and the value of experiencing life in such an integrated community.  I believe that the value of my education and degree is critically dependent upon the academic integrity of the University community, and so in order to maintain our academic integrity, I pledge to:

  • Complete all assignments and examinations according to the guidelines provided to me by my instructors
  • Avoid plagiarism and any other form of misrepresenting someone else's work as my own
  • Adhere to the Standards of Conduct as outlined in the Academic Honor Code.  

In doing this, I hold myself and my community to a higher standard of excellence, and set an example for my peers to follow.  Instructors shall make known, within the course syllabus, the expectations for completing assignments and examinations at the beginning of each semester. Instructors shall discuss these expectations with students in a manner appropriate for each course.

I will vigorously pursue the prosecution of academic dishonesty. It is understood and that students often learn and work together; consequently you may be asking questions or getting help from others. Be very clear, however, that there is a reasonably obvious distinction between getting help and getting one's work done by somebody else. In instances where such misconduct is proven, I will invoke University of Dayton policy to the fullest extent, which is to say that, at minimum I will assign a zero to the relevant assignment, and, in more serious instances will assign the letter gread of "F" in the course. Please consult the most recent edition of the "Student Handbook" for further information on Student Code of Conduct and Academic Policies.

You should also note that the way individuals carry out their roles as a members of a project team could jeopardize the other members of the team with respect to academic misconduct. Specifically, if a team member fails to participate in the manner called for, and appends his/her name to the team's final product, each member of the team is deemed to have been academically dishonest. Thus, it is in each team member's interests to make certain that all team members participate appropriately, and to bring any occurrences of inadequate participation on the part of other members to my attention. Please be aware that the team defines adequate participation; it is reasonable to assume that on a given portion of the assignment some members will contribute more than others. However, this should balance out, and on the bulk of any given assignment, the level of participation should be equitable for all so that all team members receive a good educational experience.

Intellectual Property Rights

The advent of websites such as Course Hero forces your instructor to issue a reminder regarding the intellectual property rights of various persons or organizations, including but not limited to your instructor, any guest speakers and course text author's rights. You should be aware that
ALL assignments, examinations, worksheets, problems, projects, documents, recordings, or other materials distributed or used in this course cannot be reproduced, distributed, or transmitted in any form or by any means, including but not limited to scanning, photographing, copying, uploading, or other electronic methods, without the prior written permission of the instructor or copyright holder.  Any violation of this notice may result in a charge of academic dishonesty, academic penalties, other University disciplinary action, and/or legal recourse.

Acceptable Excuses for Rescheduling Exams, Late Assignments, etc.

Note: It is conceivable there are other acceptable excuses that I've not anticipated, but you must receive permission from me personally in advance.

Additional Learning Support for Students

The University of Dayton and your instructor are committed to providing equal access to its educational opportunities for all our students, including those in need of accommodation due to disability.  Students who believe they have such need are invited to meet with your instructor privately to discuss specifics.  Formal disability-related accommodations are determined by the Office of Student Learning Support using specific guidelines.  As a consequence, it is important that a student needing accommodation be registered with SLS and notify your instructor of your eligibility for such accommodation with a signed SLS Self-Identification Form.  With this, and in consultation with the SLS, your instructor will devise the appropriate accommodation(s) for your need.

Even if you do not have special needs per se, you may find resources provided by the Office of Student Learning Support helpful, with a variety of services to assist you in achieving academic success at the university, including study skills classes and workshops, tutoring and consultations, et cetera. 

Four Easy Ways to Raise Your Grade

Changes to the Syllabus

Since the main objective of this class is for you to learn relevant and useful stuff. I reserve the right to alter the syllabus as necessary to meet this goal. Any such changes will be announced, in class, and will be explained.

Finally

I took this position because I enjoy teaching. I genuinely care about you and your progress in the class. If you have a problem, complaint, comment, concern, etc., please schedule an appointment or drop in during open office hours.

Schedule--Subject to review and change.
Assignment links will be added soon.

Class Date

Anticipated Topics

Class Slides, Reading Chapter Assignments & Due Dates

August 27
(1)
Course Introduction & Overview
Brief History of IT & IS Security
Salisbury, Miller & Turner (2011)
Verizon DBIR
September 3 Labor Day (no class)  
10
(2)
Guests from GE
Finish overview
Some very basic stuff about IT and Networks

Nature and Scoope of IS Security
NIST and why it matters
Dhillon 1
FIPS 199, NIST 800-100 800-12, 800-64, 800-37, 800-60 V1, V2

Individual Assignment 1 NOT DUE, but if you've tried it we can discuss it this evening.
17
(3)
GUEST - Rebecca Onuskanich
Technical System Security

Dhillon 2
NIST 800-60 V1, V2,  800-37

MBA Team System Assessment 1 DUE
Individual Assignment 1 DUE

24
(4)

Planning for IS Security

Dhillon 5
NIST 800-60 V1, V2, 800-18

October 1
(5)
GUEST - Harrell VanNorman
Risk Management
Dhillon 6
NIST 800-37, 800-60 V1, V2, 800-30 R1

Individual Assignment 3 Proposed Topics (5, ranked) DUE
8
(6)
GUEST - Deral Heiland
Security Standards & Guidelines
Dhillon 7
NIST  800-39, 800-53, 800-53A
FIPS 199, 200
Individual Assignment 2 DUE
Team Research Project Proposed Topics DUE
15
(7)
Behavioral Aspects of IS Security, Review & Catch-Up Dhillon 9
22
(8)
Midterm Exam (content through 15 October)
Balance of evening team project work time
 
29
(9)
GUEST - Dean Halter
Applying & Assessing Controls
R
esponding to a breach
Dhillon 8
NIST
800-37, 800-53, 800-53A, 800-61
MBA Team System Assessment 2
DUE
Team Research Project Extended Abstracts DUE (team evaluation form)
November 5
(10)
Culture, Ethics and IS Security Dhillon 10, 11
Individual Assignment 3 Presentations & Papers DUE
Individual Assignment 5 Proposed NIST Standards (5, ranked) DUE

12
(11)

GUEST - Dr. Raju Patel
Legal Stuff about IS Security

Dhillon 12
Individual Assignment 4 DUE
FIPS 200, NIST 800-64, 800-100, 800-171R1, FISMA 2014
19
(12)
GUEST - Bill Montgomery
A taste of computer forensics
Dhillon 13
Individual Assignment 5
Slides & Presentations DUE

26
(13)

GUEST  - Bryan Fite
Cryptography, Network Security
Retiring systems from service
Dhillon 3, 4
FISMA 2014, NIST 800-37, 800-64, 800-88, 800-175B
MBA Team System Assessment 3 DUE
December 3
(14)
GUEST - Liz Ranz
Summary
Project & Paper Presentations
Dhillon 14
NIST 800-16, 800-50, NIST Security Awareness Training Website
Individual Assignment 6 DUE
Team Research Project Final Deliverables DUE (team evaluation form)
MBA Team System Assessment 4
DUE
Comprehensive Final Examination
Date & Time taken from
UD Final Examination Schedule
Monday, December 10, 2018 @ 630 PM