University of Dayton
School of Business Administration
Fall, 2021

MIS 368/MBA/MIS 662A
IS Security Management

Something interesting to read about grades. 

Get your grades (available on Isidore), and teams. 
Jump to course schedule. 

This course will equip students to effectively manage computer information and network security by understanding relevant IT governance goals, policies, and standards within both federal and private sector environments. A consistent governance framework for categorizing, selecting, implementing, assessing, authorizing, and monitoring IT security will enhance management of risks and information resources with positive returns on security investments. Topics include discussion of FISMA (Federal Information Security Management Act), FIPS (Federal Information Processing Standards), NIST (National Institute of Standards & Technology), and passing reference to other standards (e.g. Sarbanes-Oxley, HIPAA and FERPA) standards.  Additionally, students will learn about assessing current threats to computer information & network security and perform security tests & evaluation on their personal machines. Student teams will further research curricular issues in MIS programs with respect to security, and develop a term paper regarding these topics, and the MBA students (depending on size of the class) will assess current threats to computer information & network security, perform security tests & evaluation, conduct an applied team research project, perform business risk assessments, and develop IT configuration management, contingency, and system security plans.  This course is intended to introduce students who have a basic understanding of computer hardware, software, and operating systems to concepts that will increase their knowledge, proficiency and skills in computer information & network security management controls.  

Finally, the following books are not at all required for the course, but are good reads about the concerns in play:

Clark, R. A. and Knake, R. K. (2010). Cyberwar: The Next Threat to National Security and What to do About it. New York: HarperCollins. 

Verton, D. (2003). Black ice: The Invisible Threat of Cyber-Terrorism. New York: McGraw-Hill/Osborne.

Topics and Standards to be Addressed

• Information Security awareness of threats, vulnerabilities, critical information, confidentiality, integrity, availability, information states, security countermeasures, and risk management
• IT Governance Policies, Procedures, Guidelines, Instructions, and Federal Information Processing Standards (FIPS)
• Certification and Accreditation (C&A) Roles and Responsibilities
• System Characterization, Security Categorization, Accreditation Boundaries, Security Controls
• Compliance with Ethics, Laws and Policy (including but not limited to the Gramm-Leach-Bliley Act, Health Insurance Portability and Accountability Act [HIPAA], Federal Information Security Management Act [FISMA], Clinger-Cohen Act, Privacy Act, Sarbanes-Oxley, etc.)
• FIPS 199, February 2004, Standards for Security Categorization of Federal Information Systems
• FIPS 200, March 2006, Minimum Security Requirements for Federal Information Systems
• NIST SP 800-12R1, June 2017, An Introduction to Information Security
• NIST SP 800-18R1, February 2006, Guide for Developing Security Plans for Federal Information Systems
• NIST SP 800-30R1, September 2012, Guide for Conducting Risk Assessments
• NIST SP 800-37 R2, December 2018, Guide for Applying the Risk Management Framework to Federal Information Systems
• NIST SP 800-39, March 2011, Managing Information Security Risk: Organization, Mission, and Information System View
• NIST 800-50, October 2003, Building an Information Technology Security Awareness and Training Program
• NIST SP 800-53 R5, September 2020/800-53A R4, June 2014, Recommended Security Controls for IS & Organizations (53R5 is current; 53AR5 is in draft).
• NIST SP 800-60 (V1 & 2), August 2008, Guide for Mapping Types of Information Systems to Security Categories
• NIST SP 800-61R2, August 2012, Computer Security Incident Handling Guide
• NIST SP 800-88R1, December 2014, Guidelines for Media Sanitization
• NIST SP 800-100, October 2007, Information Security Handbook: A Guide for Managers
• NIST SP 800-137/137A, September 2011/May, 2020, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations/Assessing Information Security Continuous Monitoring (ISCM) Programs:
  Developing an ISCM Program Assessment
• NIST SP 800-160V1, November 2016, Systems Security Engineering: Considerations for a Multidisciplinary Approach in the Engineering of Trustworthy Secure Systems
• NIST SP 800-171 R2, February 2020, Protecting Controlled Unclassified Information in Nonfederal Systems & Organizations

A large proportion of each student's grade in this course will be assessed on the basis of the student's performance on various assignments that are expected to be completed through the semester. All assignments are to be completed by individuals, unless otherwise stated on the assignment. All assignments for this course are to be made via the World Wide Web, at the URL noted above, or on Isidore. 

It is important to submit assignments on time. All assignments are due on the assigned date. Late assignments will not be accepted. You are all going to be in the real world someday, and this is how they do it there. This policy will be strictly enforced, except as mentioned under the excuses section. Please also know that if the first assignment is late, you put yourself severely behind for subsequent assignments.   NOTE:  ALL ASSIGNMENTS ARE DUE AT START OF CLASS ON THE DATE THEY'RE DUE UNLESS OTHERWISE INDICATED.

Please be aware that no excuses except the approved ones noted in this document below will be accepted for assignments not being submitted on time, unless it's really good.

You should also be aware that you are responsible to see that your assignment has been submitted properly. I am not going to be chasing people down to make certain that they have submitted their work. In addition, due to the number of assignments in a class like this, you are also responsible to keep backups of all submitted work in case something gets lost in the shuffle, and you should keep all returned assignments until the end of the semester as proof they were submitted and marked.  Finally, marks which have been posted for one week are final.  Hence, you should keep track regularly of your course marks as posted on the database. 

Finally, to discourage procrastination, I will offer no assistance on class assignments after 5PM on the day before they are due. This policy will be strictly enforced.  If an assignment is due on Wednesday (as an example) the last assistance I will render ends at 5PM on Tuesday. 

Class time will be devoted to lectures, case discussion, demonstrations of relevant topics and issues. Contrary to popular belief, my job is not merely to impart information to you, but to help you learn. The mind is not a vessel to be filled, but a fire to be lighted. Your participation is extremely important to the learning process for yourself and the entire class. Consequently, class attendance and participation are strongly encouraged. For your information, I do keep a participation record, and it will influence your mark. Please also note that attendance is not the same as participation.  The way participation is done, everybody starts with C (75).  If you do nothing but show up that's your grade.  If you miss, it goes down.  Finally, please be advised that after three misses (non-excused per policy below) the participation mark will be reduced to zero.

Another encouragement to attend is that you are responsible for anything that transpires in class. If you miss an assignment due date or other changes because you were not in class (or don't get it via email), it is your problem.

Please do not leave the class once you have chosen to attend -- it tends to be distracting for the rest of the class. If you must leave early, please sit near the door to make your departure unobtrusive, or do not attend at all. Please do not be late when you attend. Too many people coming after class starts creates a real disturbance. I reserve the right to take corrective action if it becomes a problem.

While there is not a large amount of material to be covered through this course, it is rather easy to fall behind. Please ensure that you stay current in your readings -- it is expected that you will have read in advance the material to be covered in class on a given day, and be able to discuss it.

While I am around a lot, I am not in perpetually. Consequently, much interaction with me will be through e-mail (salisbury@udayton.edu).  You should also note that I intend to communicate with you via email as well; hence, it is important that you check your email often, and clean out old messages so that you do not exceed your email quota (which would result in the message "bouncing").  

The examinations will contain case-based questions, objective-style questions, and problem-solving questions. Exams will be based on the required text, on the in-class material associated with computer software, and on the other readings assigned by the instructor. Please note this carefully: There will be NO make-up examinations, save for university-approved reasons. If you must miss an examination, be prepared to document a university-approved reason. Job interviews, site visits and incarceration due to over-exuberant Halloween at OU participation are examples of reasons that are NOT university-approved.

The grading scale and grading components are presented below. If you make any of the cut-offs, you will receive that mark. For example, if you earn 930 points, you will receive an "A" for the course, or if you receive 885 points, you will receive a "B+" for the course.

MIS 368 Grading Scale**

MBA 662A Grading Scale**

*Please note that in the event of a very small MBA class I have alternative configurations that can be worked out once class has started, depending on the student's ability and interests.  In any case the point is to offer the MBA student a graduate-level experience.

**Please also note that at the start of term I'm redoing Assignments 4 and 6.  They will be done prior to the midterm and hence well before they're due. 

Since the marks in my classes over the long term tend to look like a normal curve, I tend not to force an artificial curve. On the odd chance that there is a curve it will be applied only on the overall grade in all sections I teach. Thus, no question of curving will be entertained until after the final. In addition, no extra credit assignments will be offered; if you are unable to perform well on what has already been assigned, I don't wish to burden you with extra work.  Finally, I encourage you that if you are in trouble, try to demonstrate an effort to improve and ask for help. Do not fail in silence.

You should also note that the way individuals carry out their roles as a members of a project team could jeopardize the other members of the team with respect to academic misconduct. Specifically, if a team member fails to participate in the manner called for, and appends his/her name to the team's final product, each member of the team is deemed to have been academically dishonest. Thus, it is in each team member's interests to make certain that all team members participate appropriately, and to bring any occurrences of inadequate participation on the part of other members to my attention. Please be aware that the team defines adequate participation; it is reasonable to assume that on a given portion of the assignment some members will contribute more than others. However, this should balance out, and on the bulk of any given assignment, the level of participation should be equitable for all so that all team members receive a good educational experience.

Acceptable Excuses for Rescheduling Exams, Late Assignments, etc.

• Verifiable Illness
• Death/Major Illness in the immediate family.
• Required attendance at another university event.

Note::It is conceivable there are other acceptable excuses that I've not anticipated, but you must receive permission from me personally in advance.

The University of Dayton and your instructor are committed to providing equal access to its educational opportunities for all our students, including those in need of accommodation due to disability.   Students who believe they have such need are invited to meet with your instructor privately to discuss specifics.  Formal disability-related accommodations are determined by thee Office of Student Learning Support using specific guidelines.  As a consequence, it is important that a student needing accommodation be registered with SLS and notify your instructor of your eligibility for such accommodation with a signed SLS Self-Identification Form.  With this, and in consultation with the SLS, your instructor will devise the appropriate accommodation(s) for your need.

Even if you do not have special needs per see, you may find resources provided by thee Office of Student Learning Support helpful, with a variety off services to assist you in achieving academic success at the university, including study skills classes and workshops, tutoring and consultations, et cetera.  

• Show up.
• Ask questions.
• Read and follow all written directions.
• Turn in all assignments; a very low mark is better than a zero, and a zero is better than a null.

Since the main objective of this class is for you to learn relevant and useful stuff. I reserve the right too alter the syllabus as necessary to meet this goal. Any such changes will be announced, in class, and will be explained.

I took this position because I enjoy teaching. I genuinely care about you and your progress in the class. If you have a problem, complaint, comment, concern, etc., please schedule an appointment or drop in during open office hours.