University of Dayton
School of Business Administration
Fall, 2021
MIS 368/MBA/MIS 662A
IS Security Management
FINAL VERSION, PENDING ANY NECESSARY CHANGES AS THE TERM PROGRESSES.
Any substantive changes to this document will appear with light pink highlight.
This page was last modified on Wednesday December 08, 2021
NOTE: ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.
INSTRUCTOR: Dr. David Salisbury
OFFICE: Miriam Hall 338
PHONE: 937.229.5085 (office)
EMAIL: salisbury@udayton.edu
WEB PAGES: http://www.davesalisbury.com/ (professor); http://Isidore.udayton.edu (follow links on Isidore)
CLASS MEETINGS: W 6:35PM-9:15PM, MH 330
OFFICE HOURS:
Course Overview
This course will equip students to effectively manage computer information and network security by understanding relevant IT governance goals, policies, and standards within both federal and private sector environments. A consistent governance framework for categorizing, selecting, implementing, assessing, authorizing, and monitoring IT security will enhance management of risks and information resources with positive returns on security investments. Topics include discussion of FISMA (Federal Information Security Management Act), FIPS (Federal Information Processing Standards), NIST (National Institute of Standards & Technology), and passing reference to other standards (e.g. Sarbanes-Oxley, HIPAA and FERPA). Additionally, students will learn about assessing current threats to computer information & network security and perform security tests & evaluation on their personal machines. Student teams will further research curricular issues in MIS programs with respect to security and develop a term paper regarding these topics, and the MBA students (depending on the size of the class) will assess current threats to computer information & network security, perform security tests & evaluation, conduct an applied team research project, perform business risk assessments, and develop IT configuration management, contingency, and system security plans. This course is intended to introduce students who have a basic understanding of computer hardware, software, and operating systems to concepts that will increase their knowledge, proficiency and skills in computer information & network security management controls.
In addition to other content, this course will help prepare students for the Certified Authorization Professional (CAP), a vendor-neutral certification provided by the International Information Systems Security Certification Consortium (ISC)2, designed to certify qualified personnel to assess and manage the risks of security threats to information systems. While not a course requirement to take this certification, it is relevant in that topics will include understanding the purpose of security authorization and the phases of that process including preparation and initiation, execution of certification and accreditation, and maintenance involving continuous monitoring. Students are presented methods to achieve information superiority through standardized, affordable, and timely access to reliable and secure information for decision making and operations. Several government and commercial standards for Certification & Accreditation are reviewed that formalize processes used to assess risk and establish security requirements to ensure IT protections are commensurate with the level of exposure.
As with all courses in the School of Business Administration at the University of Dayton, this course attempts to advance the University and School mission, to wit:
The School of Business Administration is a learning community committed in the Marianist tradition to educating the whole person and to connecting learning and scholarship with leadership and service in an innovative business curriculum designed to prepare students for successful careers in the contemporary business environment.
To this end, the information security management course is designed to bring theory designing information systems to be secure into the course, allow you to put this learning into practice by performing a security assessment on a simple system and by preparing for a relevant practitioner certification test, and by doing so contribute to your understanding of how information systems may be designed and built in a secure fashion so you may eventually apply this knowledge in your future coursework and/or careers.
Note: This course is part of a three-course sequence (an undergraduate minor or graduate certificate/concentration) that you may wish to take. Please see your instructor and/or the UD Course Catalog for more information.
Course Texts
Some of you may choose to get the books at the UD bookstore. However, it is anticipated that some will engage in whatever searches are necessary to secure the appropriate books at the lowest cost. Hence, the ISBN is provided so you may verify that the book you get is the one I'm using. I am not responsible for books that do not match.
Dhillon, G. (2018) Information Security: Text and Cases. Burlington, VT: Prospect Press.
The text is available at the bookstore (see bookstore for details) and direct from the publisher (see below).
Readings available on Isidore.
Other materials to be distributed as necessary, either electronically or in class.
A functional laptop computer with appropriate software (note that some software is provided on the server side at links provided by the instructor).
Finally, the following books are not at all required for the course, but are good reads about the concerns in play:
Clark, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to do About it. New York: HarperCollins.
Verton, D. (2003). Black ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne.
Topics and Standards to be Addressed
Course Procedures
Course Assignments
A large proportion of each student's grade in this course will be assessed on the basis of the student's performance on various assignments that are expected to be completed through the semester. All assignments are to be completed by individuals, unless otherwise stated on the assignment. All assignments for this course are to be submitted via the World Wide Web, at the URL noted above, or on Isidore.
Timeliness of Assignment Submission
It is important to submit assignments on time. All assignments are due on the assigned date. Late assignments will not be accepted. You are all going to be in the real world someday, and this is how they do it there. This policy will be strictly enforced, except as mentioned under the excuses section. Please also know that if the first assignment is late, you put yourself severely behind for subsequent assignments. NOTE: ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.
Please be aware that no excuses except the approved ones noted in this document below will be accepted for assignments not being submitted on time, unless it's really good.
You should also be aware that you are responsible to see that your assignment has been submitted properly. I am not going to be chasing people down to make certain that they have submitted their work. In addition, due to the number of assignments in a class like this, you are also responsible to keep backups of all submitted work in case something gets lost in the shuffle, and you should keep all returned assignments until the end of the semester as proof they were submitted and marked. Finally, marks which have been posted for one week are final. Hence, you should keep track regularly of your course marks as posted on the database.
Finally, to discourage procrastination, I will offer no assistance on class assignments after 5PM on the day before they are due. This policy will be strictly enforced. If an assignment is due on Wednesday (as an example) the last assistance I will render ends at 5PM on Tuesday.
Class Attendance and Participation
Class time will be devoted to lectures, case discussion, and demonstrations of relevant topics and issues. Contrary to popular belief, my job is not merely to impart information to you, but to help you learn. The mind is not a vessel to be filled, but a fire to be lighted. Your participation is extremely important to the learning process for yourself and the entire class. Consequently, class attendance and participation are strongly encouraged. For your information, I do keep a participation record, and it will influence your mark. Please also note that attendance is not the same as participation. Participation is marked as follows: everybody starts with a C (75). If you do nothing but show up, that's your grade. If you miss, it goes down. Finally, please be advised that after three misses (non-excused per the policy below) the participation mark will be reduced to zero.
Another encouragement to attend is that you are responsible for anything that transpires in class. If you miss an assignment due date or other changes because you were not in class (or don't get it via email), it is your problem.
A Note on Participation and Attendance under COVID restrictions
Unlike last year, barring change, all students are expected to attend class in the physical setting. If somebody gets sick (for whatever reason) no accommodation will be made beyond that which would normally be done. The class will be on Zoom some evenings, but only because that affords the opportunity to bring in guest speakers from a wider geographic area. Some weeks the speaker will attend physically; others it will be via Zoom. Be advised, however, that in no case will course lectures be recorded as they would in a hybrid environment.
Of course, everything is contingent on changes that may occur in COVID protocols, but until that happens, we'll be here with masks on.
This (and the 6:30 start) brings up a potential challenge. Students should make certain that they've eaten before coming to class. Since we aren't socially distancing, the masks need to stay on. If you need to keep hydrated, take sips but then get your mask back in place. It's a weird time; we'll work together and get through it.
Classroom Decorum
You should be aware that your actions in the classroom environment should demonstrate intellectual engagement in the course content, and as well respect for your classmates and for your instructor. As such, talking audibly, passing notes, and other similar juvenile behavior simply have no place in a university classroom. If you find yourself unable to avoid chatting with the person next to you, you should consider sitting elsewhere in the class. Expect to be called out when such behavior is observed.
Other behaviors that are disruptive to others' learning involve various electronic devices. Cell phones, pagers and similar electronic communication devices should be turned off and stowed below the desk in a case or bag during all classes. While these devices are useful in their appropriate context, they create a disruption to the learning environment when they go off in class. Further, leaving the room to take a cell phone call is both inappropriate and rude, and also causes a disruption to the learning environment. As a consequence, failure to comply with this policy will result in appropriate disciplinary action, up to and including referral to university judiciaries.
Relevant to computer use (either in laptop required sections or in the lab), engaging in IM sessions, web-browsing, reading your email and other behavior of this type means that you are not paying attention to the material being discussed. Almost invariably this results in disruption to the learning environment as students who have not been paying attention find themselves behind and ask questions that have already been addressed. When you are attending class, regardless of modality, you are expected to be engaged intellectually.
The instructor reserves the right to limit or prohibit use of any programmable devices (e.g. programmable calculators, laptop computers) and devices for communication and data storage (including but not limited to camera phones, cell phones, pagers, storage media or PDAs) at any time in the classroom. Refusal to comply with a request of this nature will result in sanctions being assessed as appropriate, up to and including referral to university judiciaries.
Please do not leave the class once you have chosen to attend -- it tends to be distracting for the rest of the class. If you must leave early, please sit near the door to make your departure unobtrusive, or do not attend at all. Please do not be late when you attend. Too many people coming after class starts creates a real disturbance. I reserve the right to take corrective action if it becomes a problem.
You should also be aware that being late for classes is no excuse to receive extra time on in-class activities or assignment submission deadlines. To arrive late disrupts the learning environment and, unless there is ample reason (see approved reasons, below) also demonstrates lack of respect for your classmates. If you are late for class on a day with a required in-class activity you will have less time to complete this. Finally, when assignments are due at the start of class, arriving late to class (i.e. significantly after the assignment has been taken up) is grounds for the assignment due that day to be considered a late submission.
I reserve the right to take corrective action if these issues create problems.
Please know that the intent of these policies is not to be unreasonable; from time to time a student may have a reasonable need to leave the classroom prior to the end of class, or may have a legitimate reason for being late. For example, he/she may be ill, may need a drink of water, may need to avail him/herself of the restroom facilities, or, in winter, may find that driving conditions are a challenge. Further, there are emergency situations in which constant availability via electronic communication may be necessary. In such cases, simply notify the instructor of the situation and a reasonable accommodation can be made.
Reading Assignments
While there is not a large amount of material to be covered through this course, it is rather easy to fall behind. Please ensure that you stay current in your readings -- it is expected that you will have read in advance the material to be covered in class on a given day, and be able to discuss it.
Communication with the instructor
While I am around a lot, I am not in the office at all times. Consequently, much interaction with me will be through e-mail (salisbury@udayton.edu). You should also note that I intend to communicate with you via email as well; hence, it is important that you check your email often, and clean out old messages so that you do not exceed your email quota (which would result in messages "bouncing").
Examination Procedures
The examinations will contain case-based questions, objective-style questions, and problem-solving questions. Exams will be based on the required text, on the in-class material associated with computer software, and on the other readings assigned by the instructor. Please note this carefully: There will be NO make-up examinations, save for university-approved reasons. If you must miss an examination, be prepared to document a university-approved reason. Job interviews, site visits and incarceration due to over-exuberant participation in Halloween at OU are examples of reasons that are NOT university-approved.
Grading Scale and Course Components
The grading scale and grading components are presented below. If you make any of the cut-offs, you will receive that mark. For example, if you earn 930 points, you will receive an "A" for the course, or if you receive 885 points, you will receive a "B+" for the course.
MIS 368 Grading Scale**
Grade Assignment: (A) = 930 points or more
Grade Components: Individual Assignments/Exercises; component point values 250, 175, 100, 200, 275; Total 1000 points
MBA 662A Grading Scale**
Grade Assignment: (A) = 930 points or more
Grade Components: Individual Assignments/Exercises 200; Total Points 1000
*Please note that in the event of a very small MBA class I have alternative configurations that can be worked out once class has started, depending on the student's ability and interests. In any case the point is to offer the MBA student a graduate-level experience.
**Please also note that at the start of term I'm redoing Assignments 4 and 6. They will be done prior to the midterm and hence well before they're due.
Since the marks in my classes over the long term tend to look like a normal curve, I tend not to force an artificial curve. On the odd chance that there is a curve it will be applied only on the overall grade in all sections I teach. Thus, no question of curving will be entertained until after the final. In addition, no extra credit assignments will be offered; if you are unable to perform well on what has already been assigned, I don't wish to burden you with extra work. Finally, I encourage you that if you are in trouble, try to demonstrate an effort to improve and ask for help. Do not fail in silence.
Academic Dishonesty
I refer you to the UD Honor Pledge:
I understand that as a student of the University of Dayton, I am a member of our academic and social community; I recognize the importance of my education and the value of experiencing life in such an integrated community. I believe that the value of my education and degree is critically dependent upon the academic integrity of the University community, and so in order to maintain our academic integrity, I pledge to:
In doing this, I hold myself and my community to a higher standard of excellence, and set an example for my peers to follow. Instructors shall make known, within the course syllabus, the expectations for completing assignments and examinations at the beginning of each semester. Instructors shall discuss these expectations with students in a manner appropriate for each course.
I will vigorously pursue the prosecution of academic dishonesty. It is understood that students often learn and work together; consequently you may be asking questions or getting help from others. Be very clear, however, that there is a reasonably obvious distinction between getting help and getting one's work done by somebody else. In instances where such misconduct is proven, I will invoke University of Dayton policy to the fullest extent, which is to say that, at minimum, I will assign a zero to the relevant assignment, and, in more serious instances, will assign the letter grade of "F" in the course. Please consult the most recent edition of the "Student Handbook" for further information on the Student Code of Conduct and Academic Policies.
You should also note that the way individuals carry out their roles as members of a project team could jeopardize the other members of the team with respect to academic misconduct. Specifically, if a team member fails to participate in the manner called for, and appends his/her name to the team's final product, each member of the team is deemed to have been academically dishonest. Thus, it is in each team member's interests to make certain that all team members participate appropriately, and to bring any occurrences of inadequate participation on the part of other members to my attention. Please be aware that the team defines adequate participation; it is reasonable to assume that on a given portion of the assignment some members will contribute more than others. However, this should balance out, and on the bulk of any given assignment the level of participation should be equitable for all so that all team members receive a good educational experience.
Intellectual Property Rights
Acceptable Excuses for Rescheduling Exams, Late Assignments, etc.
Note: It is conceivable there are other acceptable excuses that I've not anticipated, but you must receive permission from me personally in advance.
Additional Learning Support for Students
The University of Dayton and your instructor are committed to providing equal access to its educational opportunities for all our students, including those in need of accommodation due to disability. Students who believe they have such need are invited to meet with your instructor privately to discuss specifics. Formal disability-related accommodations are determined by the Office of Student Learning Support using specific guidelines. As a consequence, it is important that a student needing accommodation be registered with SLS and notify your instructor of your eligibility for such accommodation with a signed SLS Self-Identification Form. With this, and in consultation with the SLS, your instructor will devise the appropriate accommodation(s) for your need.
Even if you do not have special needs per se, you may find the resources provided by the Office of Student Learning Support helpful, with a variety of services to assist you in achieving academic success at the university, including study skills classes and workshops, tutoring and consultations, et cetera.
Four Easy Ways to Raise Your Grade
Changes to the Syllabus
Since the main objective of this class is for you to learn relevant and useful stuff, I reserve the right to alter the syllabus as necessary to meet this goal. Any such changes will be announced in class and will be explained.
Finally
I took this position because I enjoy teaching. I genuinely care about you and your progress in the class. If you have a problem, complaint, comment, concern, etc., please schedule an appointment or drop in during open office hours.
Schedule -- Subject to review and change.
Assignment links will be added soon.
All Assignments and Team Evaluation Forms are in Isidore.
NOTE: ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.
Each entry lists the class date (class number), the anticipated topics, and the class slides, reading chapter assignments & due dates.

August 25 (1)
Topics: Course Introduction & Overview; Review of the state of matters; Some very basic stuff about IT & Networks; IT Security Standards
Readings & Due Dates: Salisbury, Miller & Turner (2011); Verizon DBIR

September 1 (2)
Topics: NIST and why it matters; NIST Cybersecurity Framework; NIST and ISC(2) CAP BOK; Nature and Scope of IS Security; Security Authorization of IS
Readings & Due Dates: Dhillon 7, 1; Adopt the NIST article; NIST 800-12R1; FIPS 199, NIST 800-60 V1, V2. Individual Assignment 1 NOT DUE, but if you've tried it we can discuss it this evening either in person or online.

September 8 (3)
Topics: Guest - BF; Security Authorization of IS continues; Technical System Security
Readings & Due Dates: Dhillon 2; Salisbury, Ferratt & Wynn (2014); NIST 800-18, 800-37, 800-100, 800-64. Grad Student Team Assessment 1 DUE.

September 15 (4)
Topics: Guest - TW; IS Categorization; Planning for IS Security
Readings & Due Dates: Dhillon 5 (moved to week 14 if time); 800-60 (V1R1/V2R1), 800-37R2. Individual Assignment 1 DUE.

September 22 (5)
Topics: Guest - HV; Risk Management; Security Baseline
Readings & Due Dates: Dhillon 6; NIST 800-37R2, 800-60 (V1R1/V2R1), 800-30R1. Individual Assignment 3 Proposed Topics (5, ranked) DUE. Team Research Project Proposed Topics DUE.

September 29 (6)
Topics: Applying Controls
Readings & Due Dates: FIPS 199 & 200, 800-155, 800-53, 800-53B. Individual Assignment 2 DUE. Grad Student Team Assessment 2 DUE.

October 6 (7)
Topics: Guest - BM; Assessing Controls
Readings & Due Dates: 800-64, 800-100, 800-53A, 800-53B; FISMA 2002

October 13 (8)
Topics: Responding to a Breach; Review & Catch-Up
Readings & Due Dates: Dhillon 8, NIST 800-61R2. Team Research Projects Extended Abstracts DUE (submit Team Evaluation).

October 20 (9)
Topics: Midterm Exam (content through 13 October); balance of evening: coordinate with teams on projects and review materials (CSET Video for next week)

October 27 (10)
Topics: Guest - MW; NIST 800-171 and CSET; Security Operations Centers & Cybersecurity
Readings & Due Dates: NIST 800-171 (and reading), SOC readings. Individual Assignment 3 Papers & Slide Decks DUE.

November 3 (11)
Topics: Guest - JB; Information System Authorization; Monitoring Security Controls
Readings & Due Dates: FISMA 2014. Individual Assignment 5 Proposed NIST Standards (5, ranked) DUE. Grad Student Team Assessment 3 DUE.

November 10 (12)
Topics: Guest - DH; Behavioral Aspects of IS Security; Culture, Ethics and IS Security
Readings & Due Dates: Dhillon 9, 10, 11. Individual Assignment 4 DUE.

November 17 (13)
Topics: Guest - LR; Legal Stuff about IS Security; A taste of computer forensics
Readings & Due Dates: Dhillon 12, 13. Individual Assignment 5 Slides DUE.

November 24
Thanksgiving Holiday (No class)

December 1 (14)
Topics: A bit on Cryptography, Network Security; Retiring systems from service; Summary, Review & Catch Up
Readings & Due Dates: Dhillon 3, 4, 5, 14; FISMA 2014, NIST 800-37, 800-64, 800-88, 800-175, 800-50, NIST Security Awareness Training Website. Grad Student Team Assessment 4 & Presentation DUE.

December 8
Feast of the Immaculate Conception (No class)
Due Dates: Individual Assignment 6 DUE MONDAY, DECEMBER 6, 5 PM. Team Research Project Final Deliverables DUE FRIDAY, December 10, 3 PM (submit Team Evaluation also).

Comprehensive Final Examination
Date & Time taken from UD Final Examination Schedule: Wednesday, December 15, 2021 @ 6:30 PM