University of Dayton
School of Business Administration
Fall, 2021

MIS 368/MBA/MIS 662A
IS Security Management

FINAL VERSION
PENDING ANY NECESSARY CHANGES AS THE TERM PROGRESSES.
Any substantive changes to this document will appear with Light Pink Highlight.


This page was last modified on Friday November 26, 2021


NOTE:  ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.

INSTRUCTOR: Dr. David Salisbury
OFFICE: Miriam Hall 338
PHONE: 937.229.5085 (office)
EMAIL: salisbury@udayton.edu
WEB PAGES: http://www.davesalisbury.com/ (professor); http://Isidore.udayton.edu (follow links on Isidore)
CLASS MEETINGS: W 6:35PM-9:15PM, MH 330
OFFICE HOURS: 11-12, 1-2 MW and 3-5 W, also by request (email usage is encouraged) at a mutually agreeable time. Hours subject to change due to unforeseen circumstances. Any changes will be communicated to students via email.

Course Overview

This course will equip students to effectively manage computer information and network security by understanding relevant IT governance goals, policies, and standards within both federal and private sector environments. A consistent governance framework for categorizing, selecting, implementing, assessing, authorizing, and monitoring IT security will enhance management of risks and information resources with positive returns on security investments. Topics include discussion of FISMA (Federal Information Security Management Act), FIPS (Federal Information Processing Standards), NIST (National Institute of Standards & Technology), and passing reference to other standards (e.g. Sarbanes-Oxley, HIPAA and FERPA). Additionally, students will learn about assessing current threats to computer information & network security and perform security tests & evaluation on their personal machines. Student teams will further research curricular issues in MIS programs with respect to security and develop a term paper regarding these topics, and the MBA students (depending on size of the class) will assess current threats to computer information & network security, perform security tests & evaluation, conduct an applied team research project, perform business risk assessments, and develop IT configuration management, contingency, and system security plans. This course is intended to introduce students who have a basic understanding of computer hardware, software, and operating systems to concepts that will increase their knowledge, proficiency and skills in computer information & network security management controls.

In addition to other content, this course will help prepare students for the Certified Authorization Professional (CAP), a vendor-neutral certification provided by the International Information Systems Security Certification Consortium (ISC)2, designed to certify qualified personnel to assess and manage the risks of security threats to information systems. While not a course requirement to take this certification, it is relevant in that topics will include understanding the purpose of security authorization and the phases of that process including preparation and initiation, execution of certification and accreditation, and maintenance involving continuous monitoring. Students are presented methods to achieve information superiority through standardized, affordable, and timely access to reliable and secure information for decision making and operations. Several government and commercial standards for Certification & Accreditation are reviewed that formalize processes used to assess risk and establish security requirements to ensure IT protections are commensurate with the level of exposure.

As with all courses in the School of Business Administration at the University of Dayton, this course attempts to advance the University and School mission, to wit:

The School of Business Administration is a learning community committed in the Marianist tradition to educating the whole person and to connecting learning and scholarship with leadership and service in an innovative business curriculum designed to prepare students for successful careers in the contemporary business environment. 

To this end, the information security management course is designed to bring theory about designing secure information systems into the course, to allow you to put this learning into practice by performing a security assessment on a simple system and by preparing for a relevant practitioner certification test, and by doing so to contribute to your understanding of how information systems may be designed and built in a secure fashion, so that you may eventually apply this knowledge in your future coursework and/or careers.

Note:  This course is part of a three-course sequence (an undergraduate minor or graduate certificate/concentration) that you may wish to take.  Please see your instructor and/or the UD Course Catalog for more information. 

Course Texts

Some of you may choose to get the books at the UD bookstore.  However, it is anticipated that some will engage in whatever searches are necessary to secure the appropriate books at the lowest cost.  Hence, the ISBN is provided so you may verify that the book you get is the one I'm using.  I am not responsible for books that do not match. 

Dhillon, G. (2018) Information Security: Text and Cases. Burlington, VT: Prospect Press.    

The text is available at the bookstore (see bookstore for details) and direct from the publisher (see below). 

STUDENT DIRECT-ORDERING INFORMATION

Dhillon INFORMATION SECURITY: TEXT & CASES, Edition 2.0
Prospect Press
Copyright 2018

eTextbook: 
ISBN: 978-1-943153-24-4
Student price: $54.00
Available from:
Redshelf and Vitalsource - See instructions below:

Paperback:
ISBN: 978-1-943153-25-1
Student price: $78.00
Available from Redshelf.  See instructions below:

Direct links to online retailers can be found at the publisher's website here:
https://prospectpressvt.com/titles/Dhillon-information-systems-security/
Scroll to "Ordering Information for Students" and click on the orange buttons.

Or, see instructions below for additional details:

REDSHELF.COM -- ebooks and paperbacks
- To order the ebook or paperback, go to www.Redshelf.com, and search by the ISBN. (978-1-943153-24-4 for the eTextbook, 978-1-943153-25-1 for the paperback)
- Or use this link for the title's ordering page and choose the format you want: https://redshelf.com/book/825030
- The Redshelf ebook is ONLINE only with permanent online access.

VITALSOURCE.COM - ebooks only
- If you want the option of both online and a download of your ebook, Vitalsource provides this flexibility.  
- To order a Vitalsource eTextbook, go to www.vitalsource.com/student-etextbooks and search by the eTextbook ISBN (978-1-943153-24-4)
- Or use this link for the title's direct ordering page:  https://www.vitalsource.com/products/information-security-text-and-cases-gurpreet-dhillon-v9781943153244
- The VitalSource ebook provides 365-day online access and a perpetual download.
- VitalSource does not provide a printed option.

Readings available on Isidore

Other materials to be distributed as necessary, either electronically or in class.

A functional laptop computer with appropriate software (note that some software is provided on the server side at links provided by the instructor).

Finally, the following books are not at all required for the course, but are good reads about the concerns in play:

Clark, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to do About it. New York: HarperCollins. 

Verton, D. (2003). Black ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne.

Topics and Standards to be Addressed

Course Procedures

Course Assignments

A large proportion of each student's grade in this course will be assessed on the basis of the student's performance on various assignments that are expected to be completed through the semester. All assignments are to be completed by individuals, unless otherwise stated on the assignment. All assignments for this course are to be submitted via the World Wide Web, at the URL noted above, or on Isidore.

Timeliness of Assignment Submission

It is important to submit assignments on time. All assignments are due on the assigned date. Late assignments will not be accepted. You are all going to be in the real world someday, and this is how they do it there. This policy will be strictly enforced, except as mentioned under the excuses section. Please also know that if the first assignment is late, you put yourself severely behind for subsequent assignments.   NOTE:  ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.

Please be aware that no excuses except the approved ones noted in this document below will be accepted for assignments not being submitted on time, unless it's really good.

You should also be aware that you are responsible to see that your assignment has been submitted properly. I am not going to be chasing people down to make certain that they have submitted their work. In addition, due to the number of assignments in a class like this, you are also responsible to keep backups of all submitted work in case something gets lost in the shuffle, and you should keep all returned assignments until the end of the semester as proof they were submitted and marked.  Finally, marks which have been posted for one week are final.  Hence, you should keep track regularly of your course marks as posted on the database. 

Finally, to discourage procrastination, I will offer no assistance on class assignments after 5PM on the day before they are due. This policy will be strictly enforced.  If an assignment is due on Wednesday (as an example) the last assistance I will render ends at 5PM on Tuesday. 

Class Attendance and Participation

Class time will be devoted to lectures, case discussions, and demonstrations of relevant topics and issues. Contrary to popular belief, my job is not merely to impart information to you, but to help you learn. The mind is not a vessel to be filled, but a fire to be lighted. Your participation is extremely important to the learning process for yourself and the entire class. Consequently, class attendance and participation are strongly encouraged. For your information, I do keep a participation record, and it will influence your mark. Please also note that attendance is not the same as participation. The way participation is done, everybody starts with C (75). If you do nothing but show up, that's your grade. If you miss, it goes down. Finally, please be advised that after three misses (non-excused per policy below) the participation mark will be reduced to zero.

Another encouragement to attend is that you are responsible for anything that transpires in class. If you miss an assignment due date or other changes because you were not in class (or don't get it via email), it is your problem.

A Note on Participation and Attendance under COVID restrictions

Unlike last year, barring change, all students are expected to attend class in the physical setting.  If somebody gets sick (for whatever reason) no accommodation will be made beyond that which would normally be done.  The class will be on Zoom some evenings, but only because that affords the opportunity to bring in guest speakers from a wider geographic area.  Some weeks the speaker will attend physically; others it will be via Zoom.  Be advised, however, that in no case will course lectures be recorded as they would in a hybrid environment.

Of course, everything is contingent on changes that may occur in COVID protocols, but until that happens, we'll be here with masks on. 

This (and the 630 start) brings up a potential challenge.  Students should make certain that they've eaten before coming to class.  Since we aren't socially distancing, the masks need to stay on.  If you need to keep hydrated, take sips but then get your mask back in place.  It's a weird time - we'll work together and get through it.    

Classroom Decorum

You should be aware that your actions in the classroom environment should demonstrate intellectual engagement in the course content, and as well respect for your classmates and for your instructor. As such, talking audibly, passing notes, and other similar juvenile behavior simply have no place in a university classroom. If you find yourself unable to avoid chatting with the person next to you, you should consider sitting elsewhere in the class. Expect to be called out when such behavior is observed.

Other behaviors that are disruptive to others' learning involve various electronic devices. Cell phones, pagers and similar electronic communication devices should be turned off and stowed below the desk in a case or bag during all classes. While these devices are useful in their appropriate context, they create a disruption to the learning environment when they go off in class. Further, leaving the room to take a cell phone call is both inappropriate and rude, and also causes a disruption to the learning environment. As a consequence, failure to comply with this policy will result in appropriate disciplinary action, up to and including referral to university judiciaries.

Relevant to computer use (either in laptop required sections or in the lab), engaging in IM sessions, web-browsing, reading your email and other behavior of this type means that you are not paying attention to the material being discussed. Almost invariably this results in disruption to the learning environment as students who have not been paying attention find themselves behind and ask questions that have already been addressed. When you are attending class, regardless of modality, you are expected to be engaged intellectually.

The instructor reserves the right to limit or prohibit use of any programmable devices (e.g. programmable calculators, laptop computers) and devices for communication and data storage (including but not limited to camera phones, cell phones, pagers, storage media or PDAs) at any time in the classroom. Refusal to comply with a request of this nature will result in sanctions being assessed as appropriate, up to and including referral to university judiciaries.

Please do not leave the class once you have chosen to attend -- it tends to be distracting for the rest of the class. If you must leave early, please sit near the door to make your departure unobtrusive, or do not attend at all. Please do not be late when you attend. Too many people coming after class starts creates a real disturbance. I reserve the right to take corrective action if it becomes a problem.

You should also be aware that being late for classes is no excuse to receive extra time on in-class activities or assignment submission deadlines. To arrive late disrupts the learning environment and, unless there is ample reason (see approved reasons, below) also demonstrates lack of respect for your classmates.  If you are late for class on a day with a required in-class activity you will have less time to complete this. Finally, when assignments are due at the start of class, arriving late to class (i.e. significantly after the assignment has been taken up) is grounds for the assignment due that day to be considered a late submission.

I reserve the right to take corrective action if these issues create problems.

Please know that the intent of these policies is not to be unreasonable; from time to time a student may have reasonable need to leave the classroom prior to the end of class, or may have a legitimate reason that they are late. For example, he/she may be ill, may need a drink of water, may need to avail him/herself of the restroom facilities, or in winter for those driving weather can be a challenge. Further, there are emergency situations in which constant availability via electronic communication may be necessary. In this case, simply notify the instructor of the situation and a reasonable accommodation can be made.

Reading Assignments

While there is not a large amount of material to be covered through this course, it is rather easy to fall behind. Please ensure that you stay current in your readings -- it is expected that you will have read in advance the material to be covered in class on a given day, and be able to discuss it.

Communication with the instructor

While I am around a lot, I am not in perpetually. Consequently, much interaction with me will be through e-mail (salisbury@udayton.edu).  You should also note that I intend to communicate with you via email as well; hence, it is important that you check your email often, and clean out old messages so that you do not exceed your email quota (which would result in the message "bouncing").  

Examination Procedures

The examinations will contain case-based questions, objective-style questions, and problem-solving questions. Exams will be based on the required text, on the in-class material associated with computer software, and on the other readings assigned by the instructor. Please note this carefully: There will be NO make-up examinations, save for university-approved reasons. If you must miss an examination, be prepared to document a university-approved reason. Job interviews, site visits and incarceration due to over-exuberant Halloween at OU participation are examples of reasons that are NOT university-approved.

Grading Scale and Course Components

The grading scale and grading components are presented below. If you make any of the cut-offs, you will receive that mark. For example, if you earn 930 points, you will receive an "A" for the course, or if you receive 885 points, you will receive a "B+" for the course.

 

MIS 368 Grading Scale**

Grade Assignment:
  A    >=930
  A-   >=900 <930
  B+   >=870 <900
  B    >=830 <870
  B-   >=800 <830
  C+   >=770 <800
  C    >=730 <770
  C-   >=700 <730
  D    >=600 <700
  F    <600 (failure)

Grade Components:
  Individual Assignments/Exercises      250
  Team Research Project (in Isidore)    175
  Class Participation                   100
  Lowest Exam Score                     200
  Highest Exam Score                    275
  Total Points                         1000

MBA 662A Grading Scale**

Grade Assignment:
  A    >=930
  A-   >=900 <930
  B+   >=870 <900
  B    >=830 <870
  B-   >=800 <830
  C    >=700 <800
  F    <700 (failure)

Grade Components:
  Individual Assignments/Exercises              200
  *Team Research Project (in Isidore)           175
  *Team CyberSec Assessment (details follow)    150
  Class Participation                           100
  Lowest Exam Score                             150
  Highest Exam Score                            225
  Total Points                                 1000

*Please note that in the event of a very small MBA class I have alternative configurations that can be worked out once class has started, depending on the student's ability and interests.  In any case the point is to offer the MBA student a graduate-level experience.

**Please also note that at the start of term I'm redoing Assignments 4 and 6.  They will be done prior to the midterm and hence well before they're due. 

Since the marks in my classes over the long term tend to look like a normal curve, I tend not to force an artificial curve. On the odd chance that there is a curve it will be applied only on the overall grade in all sections I teach. Thus, no question of curving will be entertained until after the final. In addition, no extra credit assignments will be offered; if you are unable to perform well on what has already been assigned, I don't wish to burden you with extra work.  Finally, I encourage you that if you are in trouble, try to demonstrate an effort to improve and ask for help. Do not fail in silence.

Academic Dishonesty

I refer you to the UD Honor Pledge:

I understand that as a student of the University of Dayton, I am a member of our academic and social community; I recognize the importance of my education and the value of experiencing life in such an integrated community. I believe that the value of my education and degree is critically dependent upon the academic integrity of the University community, and so in order to maintain our academic integrity, I pledge to:

  • Complete all assignments and examinations according to the guidelines provided to me by my instructors
  • Avoid plagiarism and any other form of misrepresenting someone else's work as my own
  • Adhere to the Standards of Conduct as outlined in the Academic Honor Code.   

In doing this, I hold myself and my community to a higher standard of excellence, and set an example for my peers to follow.  Instructors shall make known, within the course syllabus, the expectations for completing assignments and examinations at the beginning of each semester. Instructors shall discuss these expectations with students in a manner appropriate for each course.

I will vigorously pursue the prosecution of academic dishonesty. It is understood that students often learn and work together; consequently, you may be asking questions or getting help from others. Be very clear, however, that there is a reasonably obvious distinction between getting help and getting one's work done by somebody else. In instances where such misconduct is proven, I will invoke University of Dayton policy to the fullest extent, which is to say that, at minimum, I will assign a zero to the relevant assignment, and, in more serious instances, will assign the letter grade of "F" in the course. Please consult the most recent edition of the "Student Handbook" for further information on the Student Code of Conduct and Academic Policies.

You should also note that the way individuals carry out their roles as members of a project team could jeopardize the other members of the team with respect to academic misconduct. Specifically, if a team member fails to participate in the manner called for, and appends his/her name to the team's final product, each member of the team is deemed to have been academically dishonest. Thus, it is in each team member's interests to make certain that all team members participate appropriately, and to bring any occurrences of inadequate participation on the part of other members to my attention. Please be aware that the team defines adequate participation; it is reasonable to assume that on a given portion of the assignment some members will contribute more than others. However, this should balance out, and on the bulk of any given assignment the level of participation should be equitable for all, so that all team members receive a good educational experience.

Intellectual Property Rights

The advent of websites such as Course Hero forces your instructor to issue a reminder regarding the intellectual property rights of various persons or organizations, including but not limited to your instructor, any guest speakers and the course text author's rights. You should be aware that ALL assignments, examinations, worksheets, problems, projects, documents, recordings, or other materials distributed or used in this course cannot be reproduced, distributed, or transmitted in any form or by any means, including but not limited to scanning, photographing, copying, uploading, or other electronic methods, without the prior written permission of the instructor or copyright holder. Any violation of this notice may result in a charge of academic dishonesty, academic penalties, other University disciplinary action, and/or legal recourse.

Acceptable Excuses for Rescheduling Exams, Late Assignments, etc.

Note: It is conceivable there are other acceptable excuses that I've not anticipated, but you must receive permission from me personally in advance.

Additional Learning Support for Students

The University of Dayton and your instructor are committed to providing equal access to its educational opportunities for all our students, including those in need of accommodation due to disability. Students who believe they have such need are invited to meet with your instructor privately to discuss specifics. Formal disability-related accommodations are determined by the Office of Student Learning Support using specific guidelines. As a consequence, it is important that a student needing accommodation be registered with SLS and notify your instructor of your eligibility for such accommodation with a signed SLS Self-Identification Form. With this, and in consultation with the SLS, your instructor will devise the appropriate accommodation(s) for your need.

Even if you do not have special needs per se, you may find resources provided by the Office of Student Learning Support helpful, with a variety of services to assist you in achieving academic success at the university, including study skills classes and workshops, tutoring and consultations, et cetera.

Four Easy Ways to Raise Your Grade

Changes to the Syllabus

Since the main objective of this class is for you to learn relevant and useful stuff, I reserve the right to alter the syllabus as necessary to meet this goal. Any such changes will be announced in class and will be explained.

Finally

I took this position because I enjoy teaching. I genuinely care about you and your progress in the class. If you have a problem, complaint, comment, concern, etc., please schedule an appointment or drop in during open office hours.

Schedule--Subject to review and change.
Assignment links will be added soon.
All Assignments and Team Evaluation Forms are in Isidore.

NOTE:  ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.

Each entry below gives the class date (class #), the anticipated topics, and the class slides, reading chapter assignments & due dates.

August 25 (1)
  Topics: Course Introduction & Overview; Review of the state of matters; Some very basic stuff about IT & Networks; IT Security Standards
  Readings: Salisbury, Miller & Turner (2011); Verizon DBIR

September 1 (2)
  Topics: NIST and why it matters; NIST Cybersecurity Framework; NIST and ISC(2) CAP BOK; Nature and Scope of IS Security; Security Authorization of IS
  Readings: Dhillon 7, 1; Adopt the NIST article; NIST 800-12R1; FIPS 199, NIST 800-60 V1, V2
  Due: Individual Assignment 1 NOT DUE, but if you've tried it we can discuss it this evening either in person or online.

September 8 (3) Guest - BF
  Topics: Security Authorization of IS continues; Technical System Security
  Readings: Dhillon 2, Salisbury, Ferratt & Wynn (2014); NIST 800-18, 800-37, 800-100, 800-64
  Due: Grad Student Team Assessment 1 DUE

September 15 (4) Guest - TW
  Topics: IS Categorization; Planning for IS Security
  Readings: Dhillon 5 (moved to week 14 if time); 800-60 (V1R1/V2R1), 800-37R2
  Due: Individual Assignment 1 DUE

September 22 (5) Guest - HV
  Topics: Risk Management; Security Baseline
  Readings: Dhillon 6; NIST 800-37R2, 800-60 (V1R1/V2R1), 800-30R1
  Due: Individual Assignment 3 Proposed Topics (5, ranked) DUE; Team Research Project Proposed Topics DUE

September 29 (6)
  Topics: Applying Controls
  Readings: FIPS 199 & 200, 800-155, 800-53, 800-53B
  Due: Individual Assignment 2 DUE; Grad Student Team Assessment 2 DUE

October 6 (7) Guest - BM
  Topics: Assessing Controls
  Readings: 800-64, 800-100, 800-53A, 800-53B, FISMA 2002

October 13 (8)
  Topics: Responding to a Breach; Review & Catch-Up
  Readings: Dhillon 8, NIST 800-61R2
  Due: Team Research Projects Extended Abstracts DUE (submit Team Evaluation)

October 20 (9)
  Midterm Exam (content through 13 October)
  Balance of evening: coordinate with teams on projects and review materials (CSET Video for next week)

October 27 (10) Guest - MW
  Topics: NIST 800-171 and CSET; Security Operations Centers & Cybersecurity
  Readings: NIST 800-171 (and reading), SOC readings
  Due: Individual Assignment 3 Papers & Slide Decks DUE

November 3 (11) Guest - JB
  Topics: Information System Authorization; Monitoring Security Controls
  Readings: FISMA 2014
  Due: Individual Assignment 5 Proposed NIST Standards (5, ranked) DUE; Grad Student Team Assessment 3 DUE

November 10 (12) Guest - DH
  Topics: Behavioral Aspects of IS Security; Culture, Ethics and IS Security
  Readings: Dhillon 9, 10, 11
  Due: Individual Assignment 4 DUE

November 17 (13) Guest - LR
  Topics: Legal Stuff about IS Security; A taste of computer forensics
  Readings: Dhillon 12, 13
  Due: Individual Assignment 5 Slides DUE

November 24
  Thanksgiving Holiday (No class)

December 1 (14)
  Topics: A bit on Cryptography, Network Security; Retiring systems from service; Summary, Review & Catch Up
  Readings: Dhillon 3, 4, 5, 14; FISMA 2014, NIST 800-37, 800-64, 800-88, 800-175, 800-50, NIST Security Awareness Training Website
  Due: Grad Student Team Assessment 4 & Presentation DUE

December 8
  Feast of the Immaculate Conception (No class)
  Due: Individual Assignment 6 DUE MONDAY, DECEMBER 6, 5PM; Team Research Project Final Deliverables DUE FRIDAY, December 10, 3 PM (submit Team Evaluation also)

Comprehensive Final Examination
  Date & Time taken from the UD Final Examination Schedule: Wednesday, December 15, 2021 @ 6:30 PM