A Model Curriculum for Programs of Study in Information Security and Assurance
mwhitman@kennesaw.edu
hmattord@kennesaw.edu
*A limited use license is granted to adopt parts of this curriculum for use in your institution. Specific
permission is required to reproduce or republish this content. Contact the authors for additional details.
A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance
Table of Contents
Introduction
  Statement of the Problem
  Goals and Objectives
    Approaches to Implementing Information Security Curricula
Preliminary Work Completed
  Information Security Position and Roles
    CISO
    Security Managers
    Security Administrators and Analysts
    Security Technicians
    Security Staffer or Watchstander
  Information Security Professional Certifications
    Certified Information Systems Security Professional (CISSP) and Systems Security Certified Practitioner (SSCP)
    Global Information Assurance Certification (GIAC)
    Security Certified Professional
    Security +
    Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM)
    Certified Information Systems Forensics Investigator
  Established Standards, Models and Practices
    ISO 17799/BS 7799
  Mapping Positions and Roles to Knowledge Areas
  Mapping the CISSP Common Body of Knowledge
    NSTISSC Training Standards
  Defining the Focus of the Program
    Managerial InfoSec Program
    Technical InfoSec Program
    Balanced InfoSec Program
  Levels of Mastery
  Determining Numbers of Courses Needed
  Mapping Mastery Depth to Courses
Pilot Study
  Principles of Information Security & Assurance
  Technical Applications in Information Security & Assurance
Introduction
Greetings! We would like to take this opportunity to thank you for allowing us to share our
lessons learned in the development of Information Security Curriculum. As part of our ongoing
commitment to Information Security education, we have decided to formally compile our
information into a single packet and provide it to any who seek it, without any requirements,
associated costs or restrictions. As a courtesy we would like to ask that if you like what you see,
and would like to adopt the contents in whole or in part, that you send us a letter indicating your
intent. This is to allow us to maintain a contact within institutions that are adopting our
curriculum and to gather feedback on its feasibility and use. This document begins with pieces
of the overall curriculum model as defined in an NSF proposal. We then continue through a
discussion of the specific courses and programs implemented at Kennesaw State University,
along with accompanying course materials. We then conclude with the intended next steps in the
development of this curriculum. We invite you to participate in this process by forwarding
suggestions, constructive criticisms, and ideas to us at the address above or by email to
mwhitman@kennesaw.edu.
The following sections overview our experiences and findings in developing security curriculum.
At the end of this discussion an abbreviated copy of our methodology is repeated with blank
worksheet so that you may duplicate our process yourself.
Assurance Education (CAEIAE). This program’s goal is “to reduce vulnerabilities in our
National Information Infrastructure by promoting higher education in information assurance, and
producing a growing number of professionals with IA expertise” [7]. According to the US
Government document The National Strategy to Secure Cyberspace, “Education and outreach
play an important role in making users and operators of cyberspace sensitive to security needs.
These activities are an important part of the solution for almost all of the issues discussed in the
National Strategy to Secure Cyberspace” [8].
There are two dominant technology curriculum guidelines currently in use. The first is the
ABET-CAC accreditation standards. The IS version of the standard specifies the need for an IS
Environment: “15 semester hours which must be a cohesive body of knowledge to prepare the
student to function effectively as an IS professional in the IS environment as well as 12 semester
hours of advanced IS coursework” [20]. The CS standard similarly provides for 16 hours of
advanced CS course work. These courses could be used for InfoSec courses or programs.
The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for
Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest
professional technology organizations: Association for Computing Machinery (ACM),
Association for Information Systems (AIS) and Association for Information Technology
Professional (AITP). “IS 2002 is a model curriculum for undergraduate degree programs in
Information Systems… and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an
academic field, encompasses two broad areas: (1) acquisition, deployment, and management of
information technology resources and services (the IS function); and (2) development and
evolution of technology infrastructures and systems for use in organizational processes (systems
development). It also includes a detailed set of course descriptions and advice to [those] who
have a stake in the achievement of quality IS degree programs” [21]. The IS 2002 guiding
principles have been adopted and revised for this curriculum model development:
“1) The model curriculum should represent a consensus from the InfoSec community. 2) The
model curriculum should be designed to help InfoSec faculty produce competent and confident
entry level graduates well suited to work-place responsibilities. 3) The model curriculum should
guide but not prescribe. Using the model curriculum guidelines, faculty can design their own
courses. 4) The model curriculum should be based on sound educational methodologies and
make appropriate recommendations for consideration by InfoSec faculty. 5) The model
curriculum should be flexible and adaptable to most IS/CS programs” [21].
Existing courses have been predominantly designed for graduate-level coursework [9,10], for
computer science and engineering specific programs [5,11,24], or as pure practitioner-level
training programs [12,13,14]. Even established curriculum bodies, like the Association for
Computing Machinery (ACM) and the Accreditation Board for Engineering and Technology –
Computing Accreditation Council (ABET-CAC), do not have formal models established for
curriculum in Information Security at the four-year level. The only recommendation that does
exist resulted from a workshop sponsored by the NSF and the American Association of
Community Colleges, resulting in the draft recommendation Protecting Information: the Role of
Community Colleges in Cybersecurity Education [15]. This report serves as both a starting point
for two-year institutions and as a reference for this project. The report provides details for
community colleges to design curriculum focused on providing technical skills through training
for the security technician, and hinges on the role of certification as an assessment tool. While
supportive of the two-year institution’s mission, this level of approach is inadequate for the
mission of the four-year institution. The proposed model is designed to allow undergraduate
Information Systems (IS) and Computer Science (CS) majors to move toward career fields that
include and evolve through technical knowledge areas and into the management of information
security, an area not addressed at the two-year level.
1. Elements added to existing courses. In this option, a number of existing courses can have an
information security module added to reinforce the need to address information security at all
junctures of organizational effort. This is a preferred technique and can be used in
conjunction with other approaches. It is important to thread information security through a
course, rather than adding it as a single module at the end. The following table provides
examples of how information security could be integrated in existing courses.
2. Elements added to a capstone course or courses. In this second approach to adding security
content, specific modules are added to specific capstone experiences or courses. In our
program for example students have two classes that represent their capstone experience. In
the first, they are exposed to strategic policy and planning in IT, and presented with a number
of guest speakers on various topics. In the second they are required to develop a system to
solve a business problem, incorporating all aspects of learning to that point including
database, data communications, programming, project management etc. By addressing
strategic Information Security planning in the first course and having at least one speaker on
an InfoSec topic, we integrate security into this course. By requiring the student teams to
demonstrate how they used secure development techniques in the second we reinforce the
concepts there.
5. Information security degree programs. In our mind, the ultimate goal for enhanced
information security curriculum is the baccalaureate-level information security program. As
indicated in the statement of the problem, there are several programs in the field that list
bachelors in information security degree. When you take a close look, however it is more of a
concentration or minor. Nothing wrong with that, but it tends to be misleading to the
students. It takes a great deal of effort and support to create enough courses to populate a
program of this magnitude, and even more resources to offer it. It does represent the
pinnacle of InfoSec education at the baccalaureate level.
Which of these approaches should you consider? First one must examine the available
resources, time, faculty, money, technology and student demand. It may help to begin with the
first two approaches and then slowly roll out additional approaches as demand presents itself. Or
just jump in. No pain, no gain.
In developing the curriculum for our pilot project, we used the “Backward Curriculum Design
Process” [22], a well-known approach to curriculum design that begins with the desired outcomes
and goals and works backward to learning objectives grouped into courses. The curriculum
model seeks to answer the following question:
A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that
positions can be classified into one of three types: those that define, those that build and those
that administer.
“Definers provide the policies, guidelines and standards…They're the people who
do the consulting and the risk assessment, who develop the product and technical
architectures. These are senior people with a lot of broad knowledge, but often not
a lot of depth. Then you have the builders. They're the real techies, who create
and install security solutions. ... Finally, you have the people who operate and
administrate the security tools, the security monitoring function, and the people
who continuously improve the processes. [...] What I find is we often try to use
the same people for all of these roles. We use builders all the time... If you break
your InfoSec professionals into these three groups, you can recruit them more
efficiently, with the policy people being the more senior people, the builders
being more technical and the operating people being those you can train to do a
specific task” [30].
CISO
The CISO is primarily responsible for the assessment, management, and implementation of the
program that secures the organization’s information. The CISO may also be called the Manager
for Security, the Security Administrator, or a similar title. The CISO usually reports directly to
the CIO, although in larger organizations one or more layers of management may exist between
the two officers.
Security Managers
Security managers are accountable for the day-to-day operation of the information security
program. They accomplish objectives identified by the CISO, to whom they report as shown in
Figure 5-11, and resolve issues identified by technicians, administrators, analysts, or staffers
whom they supervise. Managing technology requires an understanding of it, but not necessarily a
technical mastery in its configuration, operation, and fault resolution. Within the information
security community, there may be team leaders or project managers responsible for
management-like functions, such as scheduling, setting priorities, or administering any number
of procedural tasks, but who are not necessarily held accountable for making a particular
technology function. The accountability for the actions of others is the hallmark of a true
manager. The accountability found in true management roles can be used to differentiate
between actual managers and other roles that may include the word manager in their job titles but
in fact do not have such accountability.
Security Technicians
Security technicians are the technically qualified individuals who configure firewalls and IDSs,
implement security software, diagnose and troubleshoot problems, and coordinate with systems
and network administrators to ensure that security technology is properly implemented. A
security technician is usually an entry-level position; however, some technical skills are required,
which can make it difficult for those new to the field. It is difficult to get a job without
experience, and experience comes with a job. Just as in networking, security technicians tend to
be specialized, focusing on one major security technology group (firewalls, IDS, servers, routers,
or software), and further specializing in one particular software or hardware package within the
group, like Checkpoint firewalls, Nokia firewalls, or Tripwire IDS. These technologies are
sufficiently complex to warrant a high level of specialization. Security technicians who want to
move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining
an understanding of the general, organizational issues of information security, as well as all
technical areas.
Why is it important to understand these roles? In order to design curriculum one must
understand what it is you want the student to be able to accomplish upon graduation. In our
curriculum development we used these roles as surrogates for positions and mapped them to
knowledge areas. Knowledge areas represent the specific knowledge needed for each role, and
when paired with a multi-level mastery model like Bloom’s taxonomy [21], can be used to
identify the level of depth of knowledge for each role. For example, a CISO may need great
breadth of knowledge, but not as much depth of knowledge in an area as a technician would.
The challenge is to completely map and verify the roles, knowledge areas, and levels of mastery
needed. Knowledge areas can be obtained from key indices like certifications [27], and from
training standards and models [28]. Knowledge areas in InfoSec are many and can be very
technical, but there is an agreed upon way to discuss them. Many programs take the short cut
and jump straight to the certifications an information security professional could earn like:
CISSP, SSCP, GIAC, SCP, TruSecure CSA/CSE, Security+, CISA/CISM. However, programs
are hesitant to implement coursework that is focused on a specific applied output. Universities in
general prefer to focus more on the true knowledge areas that these certificates test, rather than
the specifics of these exams. However if we examine the content of some of the key
certifications we can begin to glimpse some of the knowledge areas we would need to integrate
with our coursework. The following excerpt from Management of Information Security provides
additional detail on the leading certifications in Information Security.
understanding of a common body of knowledge (CBK). In order to sit for the CISSP exam, the
candidate must possess at least three years of direct full-time security professional work in one or
more of ten domains. The CISSP covers ten domains of the information security body of
knowledge:
With the difficulty in mastering all ten domains, many security professionals seek other less
rigorous certifications. ISC2 has developed the SSCP certification to be more focused. Like the
CISSP, the SSCP certification is more applicable to the security manager than the technician,
since the bulk of its questions focus on the operational nature of information security. The SSCP
focuses “on practices, roles and responsibilities as defined by experts from major IS industries”
[31]. However, the information security technician seeking advancement can benefit from this
certification. Instead of the ten domains of the CISSP, the SSCP covers seven domains:
• Access controls
• Administration
• Audit and monitoring
• Risk, response, and recovery
• Cryptography
• Data communications
• Malicious code/malware
The SSCP is considered by many to be the little brother of the CISSP. It is a valid certification
and is easier to obtain than the CISSP. The seven domains are not a subset of the CISSP
domains, but contain slightly more technical content.
ISC2 has another program, the ISC2 Associate, designed to support those individuals with a
desire to earn the CISSP or SSCP but without the required amount of professional experience the
ability to take the test prior to earning the experience. “The Associate of (ISC)2 program is a
mechanism for information security professionals, who are still in the process of acquiring the
necessary experience to become CISSPs or SSCPs, to become associated with (ISC)2 and obtain
career-related support during this early period in his or her information security career” [32].
ISC2 also implemented a concentration component to the CISSP certification allowing standing
CISSPs to earn additional recognition [37]:
ISSEP: Information Systems Security Engineering Professional. The major domains of the
CBK covered by ISSEP certification are:
• Systems Security Engineering
• Certification and Accreditation
• Technical Management
• U.S. Government Information Assurance Regulations
The GIAC family of certifications can be pursued independently or combined to earn the
comprehensive certification, GIAC Security Engineer (GSE). The GIAC Information Security
Officer (GISO) is an overview certification that combines basic technical knowledge with
understanding of threats, risks, and best practices, similar to the SSCP. The various individual
GIAC Certifications include:
The SCNA program focuses more on authentication areas including biometrics and PKI. The
two areas of study in the SCNA certification are:
While not as detailed as the GIAC certifications, these programs provide a useful migration into
new areas of security, while developing a vendor-neutral core of practitioner knowledge
evaluations.
Security +
From CompTIA (www.comptia.com), the company that brought the first vendor-neutral
professional IT certifications, the A+ series, comes another certification program, the Security +
certification. “The CompTIA Security+ certification tests for security knowledge mastery of an
individual with two years on-the-job networking experience, with emphasis on security. The
exam covers industry wide topics including communication security, infrastructure security,
cryptography, access control, authentication, external attack and operational and organization
security. CompTIA Security+ curricula are being taught at colleges, universities and commercial
training centers around the globe. CompTIA Security+ is being used as an elective or
prerequisite to advanced vendor specific and vendor neutral security certifications”[35]. The
Exam covers the following five domains:
1.0 General Security Concepts
2.0 Communication Security
3.0 Infrastructure Security
4.0 Basics of Cryptography
5.0 Operational/Organizational Security
CISM, the Certified Information Security Manager is another certification program offered by
ISACA. This credential is geared toward experienced information security managers and others
who may have information security management responsibilities. The CISM can provide
executive management with an assurance that those earning the designation have the required
background knowledge needed for effective security management and consulting. It is oriented
toward information risk management and addresses management, design and technical security
issues at a conceptual level.
CISM will encompass the following areas
enforcement, and auditing incidences. Although the certification exam has not been developed
yet, the common body of knowledge has been tentatively defined to include information on:
• Counter measures
• Auditing
• Incident response teams
• Law enforcement and investigation
• Traceback
Another major area of information that could be used to derive the skills needed to become a
security professional lies in established standards, models and practices. There are three primary
documents which guide the implementation and management of security programs. These are
discussed in turn here, in an extract from Management of Information Security:
Among the most accessible places to find a quality security management model are U.S. federal
agencies and international organizations. One of the most popular security management models
has been ratified into an international standard. British Standard 7799 provides two components,
each addressing a different area of security management practice. BS 7799:1, now known as
ISO/IEC 17799, is called “Information Technology – Code of Practice for Information Security
Management.” BS 7799:2 is called “Information security management: Specification with
guidance for use.” These documents are discussed in detail in the following sections. These are
proprietary, and organizations wishing to adopt this model must purchase the rights to do so.
There are a number of alternatives. The first and foremost of these are free documents provided
by the National Institute of Standards and Technology’s Computer Security Resources Center
(http://csrc.nist.gov). This site contains a number of publications, including ones containing
models and practices, such as:
NIST Documents
The NIST documents use a common philosophy based on the implementation of 17 areas of
controls, divided into three categories: Managerial, Operational and Technical. For example
NIST SP 800-26- Security Self-Assessment Guide for Information Technology Systems provides
an overview of the three areas of controls and detailed instruction on assessing an organization’s
systems to determine the levels of security present.
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication
NIST SP 800-14
NIST SP 800-14 - Generally Accepted Principles and Practices for Securing Information
Technology Systems, provides a number of common IT security practices in the following areas:
• Policy
o Program Policy
o Issue-Specific Policy
o System-Specific Policy
o All Policies
• Program Management
o Central Security Program
o System-Level Program
• Risk Management
o Risk Assessment
o Risk Mitigation
o Uncertainty Analysis
• Life Cycle Planning
o Security Plan
o Initiation Phase
o Development/Acquisition Phase
o Implementation Phase
o Operation/Maintenance Phase
o Disposal Phase
• Personnel/User Issues
o Staffing
o User Administration
• Preparing for Contingencies and Disasters
o Business Plan
o Identify Resources
o Develop Scenarios
o Develop Strategies
o Test and Revise Plan
• Computer Security Incident Handling
o Uses of a Capability
o Characteristics
• Awareness and Training
• Security Considerations in Computer Support and Operations
• Physical and Environmental Security
• Identification and Authentication
o Identification
o Authentication
o Passwords
o Advanced Authentication
• Logical Access Control
o Access Criteria
o Access Control Mechanisms
• Audit Trails
o Contents of Audit Trail Records
o Audit Trail Security
o Audit Trail Reviews
o Keystroke Monitoring
• Cryptography
I. Access Controls
• Access control fundamentals
• Access control types
• Access control attacks
• Penetration testing methods
II. Telecommunications
• Network types (LAN/WAN)
• OSI reference model
• TCP/IP protocol suite
• Telecomm security management
• Telecommunications threats and attacks
• Remote access protocols
V. Cryptography
• Cryptosystems
• Ciphers and encryption algorithms
• Asymmetric key systems
• Symmetric key systems
• Hybrid key systems
• Message authentication/message digests
• Public key infrastructure
• Key management
• Digital signatures
• Alternative cryptosystems
• Security protocols
X. Physical Security
• Site selection and security
• Guards
• Keys and locks
• Doors, walls and gates
• Intrusion detection systems
• Fire detection and suppression systems
• Biometrics
• CCTV
Committee (NSTISSC) now known as the Committee for National Security Systems (CNSS)
documents on training information security professionals
(http://www.nstissc.gov/html/library.html). While we are not preparing training per se, we felt it
was useful in two areas: 1) to provide information not found elsewhere and 2) to lay the
foundation for eventual certification in the NSA’s Information Assurance Courseware Evaluation
program. These standards include:
• NSTISSI No. 4011 - National Training Standard for Information Systems Security
(INFOSEC) Professionals, dated 20 June 1994
• NSTISSI No. 4012 - National Training Standard for Designated Approving Authority
(DAA), dated August 1997
• NSTISSI No. 4013 - National Training Standard for System Administration in
Information Systems Security, dated August 1997
• NSTISSI No. 4014 - National Training Standard for Information Systems Security
Officers (ISSO), dated August 1997
• NSTISSI No. 4015 - National Training Standard for Systems Certifiers, dated December
2000
At this point it is important to define the general thrust of the program and develop overall
program objectives. Again, what is it we want our students to learn from the entire program? In
order to do this we must define the focus of the program. In information security, there are three
general types of programs:
Levels of Mastery
Using the detailed list of domains and knowledge areas from the CISSP and other sources we
then began to identify what level of mastery was desired for each knowledge area. The
taxonomy we used was derived in part from Bloom’s taxonomy, but simplified to a great extent.
We chose four levels of desired mastery, defined as follows:
1. Understanding: At the understanding level, the student can identify key concepts when
presented with a list of alternatives. The student has familiarized themselves with the
selected knowledge area and can discuss key concepts.
2. Accomplishment: At the accomplishment level, the student can demonstrate the process
necessary to use the knowledge area in a given scenario. The student has a deeper grasp
on both theoretical and practical applications of the knowledge area.
3. Proficiency: At the proficiency level, the student can generate new examples of the
application of the knowledge area. The student has demonstrated the ability to critically
discuss knowledge area concepts and can easily relate their learning to others.
4. Mastery: At the mastery level, the student can not only freely create new knowledge of
the area, but can also evaluate and critique new knowledge created by others. This level
is typically obtained through graduate level coursework, or extensive depth of
curriculum.
Access Controls
Access control fundamentals U AP A
Access control types U AP A
Access control attacks U AP A
Penetration testing methods U A
Telecommunications* (Some knowledge areas are prerequisite)
Network types (LAN/WAN)
OSI reference model
TCP/IP protocol suite
Telecomm security management U A
Telecommunications threats and attacks U A
Remote access protocols U A
Security Management
Security planning UA AP
Security policies UA AP
Personnel security UA AP
Security personnel UA AP
Data classification and storage UA AP
Risk Management UA AP
Security education, training and awareness program UA AP
Change/configuration management UA A AP
Assessment strategies UA AP A
Applications Security* (Some knowledge areas are prerequisite)
Systems development life cycles A
Database development and management A
Systems controls UA A A
Distributed applications U
Object oriented concepts*
Knowledge based systems*
Application and systems attacks and vulnerabilities U AP A
Malicious code UA AP A
Cryptography
Cryptosystems U A A
Ciphers and encryption algorithms U A A
Asymmetric key systems U A A
Symmetric key systems U A A
Hybrid key systems U A A
Message authentication/message digests U A A
Public key infrastructure U A A
Key management U A AP
Digital signatures U A A
Alternative cryptosystems U A A
Security protocols U A
Security Architecture
Security models U A A
Information systems evaluation criteria U A A
System certification and accreditation U A A
Security architectures U A A
Operations Security
Operations concepts UA A AP
Threats and countermeasures UA A AP
Incident response UA A AP
Auditing UA A AP
Monitoring UA A AP
Business Continuity Planning
Contingency planning UA AP
Business continuity planning UA AP
Disaster recovery planning UA AP
Data backup and recovery methods UA AP
Crisis management UA AP
Law and Ethics
Law categories and types UA AP
Computer crimes UA AP
Computer crime investigations UA AP
Computer ethics UA AP
Computer forensics procedures UA A
Physical Security
Site selection and security UA A
Guards U U
Keys and locks U U
Doors, walls and gates U U
Intrusion detection systems U U
Fire detection and suppression systems U U
Biometrics U A A
CCTV U
As the table shows, there is substantial overlap both within and between courses with regard to the
level of mastery. We found that in some cases, since our sequence of courses would permit a
student to take the introduction course and then either the technical OR the managerial course,
obtaining the desired level of mastery required duplicating certain levels. Duplication
between courses also serves to reinforce that desired level of depth. Also evident is the need to
obtain both the understanding and accomplishment levels within the same course in order to reach
the overall desired level of mastery.
It was then a simple matter to re-organize learning objectives in each of the target courses and
begin searching for learning materials that would support each of these courses. Since the initial
development, our learning objectives have evolved to represent in a more robust fashion what the
students should be learning in each course. Learning objectives for each of the core courses
implemented are presented with the course descriptions in the next section.
As a final note to this phase of the model curriculum, we would like to make the following
recommendations: Courses and programs should be created in ways that:
• Involve all critical stakeholders. Just as in systems development, the use of
representative groups from all interested parties (faculty, students, industry advisors) will
serve to improve the final product.
• Create employable students or students who can advance academically. The bottom line
is to create a resource that will be in demand. Unless students can expect employability
upon completion, they may lose interest in the program, after an initial surge of interest
due to the novelty of the program.
• Capitalize on available resources (faculty, classrooms, labs). We have found that existing
labs can be easily modified to support the information security laboratory’s unique
requirements and exercises. We have also found a wealth of freeware and “hackerware”
tools that provide realistic and valuable experiences to the students. Cultivating several
key industry contacts has also resulted in several multi-thousand dollar donations in
software and hardware.
• Support local / state / national program objectives like the National Strategy to Secure
Cyberspace. Contributing to these types of programs not only provides visible and
demonstrable credibility to the program, but serves as a basis for increasing the validity
of your program should you decide to submit for national grants and industry support.
Pilot study
Based on previous analysis of the literature and curriculum development and accreditation efforts
as indicated in previous sections, seven new information security courses were implemented at
KSU. These classes were designed to meet existing national security standards, as described
previously, and to provide a foundation for the curriculum model. In the pilot project students
could select individual courses of interest or a five-course sequence culminating in a Certificate,
as major electives in a Bachelor of Science in Information Systems degree. The Certificate in
Information Security and Assurance (ISA) offers students both theoretical foundations and
applied hands-on experiences with the tools and technologies used to protect information assets.
Upon examination of the textbooks, and other learning support materials available at the time of
the design of our curriculum, we initially pilot tested the courses with trade press texts, modified
to meet the needs of an academic environment. In almost every instance, the trade press texts
proved severely lacking in depth and breadth for the classroom. In a stroke of luck, we were
approached by the senior editor of a major text publisher and convinced to write a text of our
own. We took the opportunity to use the mappings that we were using for our courses and
design a text to provide a strong foundation for the first course in our sequence.
The curriculum is designed to encompass both technical details and managerial functions. The
certificate begins with three core courses:
Students then select two courses to complete the certificate. They may select these from 1)
Computer Forensics and either Criminal Investigations or Criminal Law; 2) Unix Administration
and Security and Data Communications Protocols; 3) Computer Law and Computer Ethics; 4)
Accounting Information Systems class and either EDP Auditing & Control or Accounting
Auditing & Assurance; or 5) Internship or Cooperative Study and one course from the above.
Our preliminary findings suggest that if an institution has the ability to implement only two
courses, it will be best served by implementing an introductory course, and then either a technical
or managerial course depending on its preferences. If the institution can implement more, an
analysis of the intent of the program as described in previous sections will provide additional
course recommendations, as illustrated in the table below.
• Management of InfoSec
• Technical InfoSec
As additional courses are added additional technical or managerial topics can be added.
Institutions can then begin drafting specific programs to include electives, existing courses etc. to
support their desired outcomes.
As a detailed example of our efforts, the Certificate in Information Security and Assurance is
presented here with sample course syllabi.
Following the Certificate is our newest degree program – the Bachelor of Science in Information
Security and Assurance with the course syllabi for the new classes associated with this degree.
The Certificate in Information Systems and Assurance consists of 5 new courses, plus a number
of courses in the current catalog from CS, IS, Accounting, Criminal Justice and Political Science
degree programs. The Certificate is built on the presumption that students will be sufficiently
prepared to enter the program. This includes Preparatory Knowledge Clusters in the areas of
Principles of Computing, Programming Principles and Data Communications. Students who
do not meet this assumption can either take undergraduate equivalents (CSIS 2300, 2301
and 2520) or submit a portfolio of work to exempt one or more preparatory courses.
“The Committee on National Security Systems and the National Security Agency have certified
that Kennesaw State University offers a set of courseware that has been reviewed by National
Level Information Assurance Subject Matter Experts and determined to meet National Training
Standard for Information Systems Security Professionals (NSTISSI 4011, 4012, 4013, 4014) for
academic years 2003 - 2006.”
Each student will be required to complete the 9-hour core (3 courses) and then select and
complete one track (6 hours, 2 courses).
All coursework within the certificate program must be completed with a “C” or better in order to
count towards the certificate.
CORE:
ISA 3100 – Principles of Information Security and Assurance
and either
ISA 3398 – Internships in Information Security and Assurance
or
ISA 3396 – Coop in Information Security and Assurance
Sample Syllabi
Kennesaw State University
DEPARTMENT OF COMPUTER SCIENCE AND INFORMATION SYSTEMS
Fall 2003
Course Description:
Examination of current standards of due care and best business practices in Information Security.
Includes examination of security technologies, methodologies and practices. Focus is on
evaluation and selection of optimal security posture. Topics include evaluation of security
models, risk assessment, threat analysis, organizational technology evaluation, security
implementation, disaster recovery planning and security policy formulation and implementation.
Prerequisites:
CIS 2520: Data Communications
Textbooks:
Principles of Information Security, Whitman & Mattord, © 2003 Course Technology ISBN:
0-619-06318-1
Resources:
http://csrc.nist.gov/publications/nistpubs/index.html
SP 800-12 An Introduction to Computer Security: The NIST Handbook,
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems
http://infosec.kennesaw.edu
Learning Outcomes:
As a result of completing this course, students will be able to:
• Describe threats to information security
• Identify methods, tools and techniques for combating these threats.
• Identify types of attacks and problems that occur when systems are not properly protected.
• Explain integral parts of overall good information security practices
• Identify and discuss issues related to access control.
• Describe the need for and development of information security policies, and identify
guidelines and models for writing policies.
• Define risk management and explain why it is an important component of an information
security strategy and practice.
• Describe the types of contingency plan and the steps involved in developing each.
• Identify security issues related to personnel decisions, and qualifications of security
personnel.
Final Grading:
A standard 100% evaluation scheme will be used (i.e. 89.5+ = A, 79.5 - 89.49 = B, 69.6 - 79.49 =
C, 59.5 - 69.49 = D, else = F).
Project will be graded for correctness and completeness.
The instructor retains the right to subjectively adjust an individual student's grade in appropriate
cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality
type. Specific examples will be provided in class. Students failing to present the information
completely, neatly and in the prescribed format will receive minimal credit for their work.
Students should double check for spelling and grammar before submitting assignments.
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral notice
thereof DOES NOT constitute official withdrawal from the course. Students who simply stop
attending classes without officially withdrawing usually are assigned failing grades. Students
wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a
withdrawal form from the Academic Services Department in the Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments, take
quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn
from this course, they will not be permitted to attend class nor will they receive any grade for the
class.
Electronic Devices
In order to minimize the level of distraction, all beepers and cellular phones must be on quiet
mode during class meeting times. Students who wish to use a computer/PDA for note taking need
prior approval of the instructor since key clicks and other noises can distract other students.
Recording of lectures by any method requires prior approval of the instructor. Students using a
laptop in class should not check their email, browse the web, or in any other way detract from the
focus of the class.
Classroom Behavior
Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as
published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for
upholding the provision. For more details, visit
http://ww.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf. Students
who are in violation of this policy will be asked to leave the classroom and may be subject to
disciplinary action by the University.
Special Dates:
Holidays/No Class
Last day to withdraw without penalty
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn or
meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Class notes can be downloaded from: TBD
Assignments:
The student will be assigned a number of written projects and reports throughout the course of the
semester. These will include:
Contribution to a class “security links” and “security readings” web pages
Sample risk assessment
Control spreadsheet
Outline of a disaster recovery plan
Organizational fair and responsible use policy
Additional details will be provided in class.
Project Requirements:
During the course of the semester, students will be exposed to a fictitious organization, CGT,
Inc., a computer gaming company. Students will be expected to analyze and design a complete
computer security profile for this organization and its systems. This analysis will be organized
and presented at the end of the semester. Students will submit a binder containing all necessary
security policies, documents and recommendations. Additional details will be provided in class.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does not
arrive within 20 minutes of the start of class, the class should move to the lab and work on their
laboratory exercises.
Computer Labs:
Assessment:
Exam 1 25%
Exam 2 25%
Assignments and Labs 20%
Project 30%
100%
Grade Evaluation
A 90% - 100%
B 89% - 80%
C 79% - 70%
D 69% - 60%
F 59% or below
A standard questionnaire (described below) will be administered during the last two weeks of the
semester in all classes. Additional questions developed by the college or instructor(s) may be
included as well. It is important that each student provide meaningful feedback to the instructor(s)
so that changes can be made in the course to continually improve its effectiveness. We value
student feedback about the course, our teaching styles, and course materials, so as to improve our
teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify
the aspects of the course that most contributed to your learning (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2)
Identify the aspects of the course, if any, that might be improved (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring).
Acquiring Final Grades:
The final grades for this course will be posted to the student’s permanent record using the KSU
Banner system. Students may acquire their final grades by accessing their Banner account online.
Grades are no longer mailed to students. Students needing verification of grades or enrollment
should request either an official transcript or an enrollment verification through the Office of the
Registrar.
Students are encouraged to study together and to work together on class assignments and lab
exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic
Honesty, KSC Undergraduate Catalog will be strictly enforced in this class.
Frequently students will be provided with “take-home” exams or exercises. It is the student’s
responsibility to ensure they fully understand to what extent they may collaborate or discuss
content with other students. No exam work may be performed with the assistance of others or
outside material unless specifically instructed as permissible. If an exam or assignment is
designated “no outside assistance” this includes, but is not limited to, peers, books, publications,
the Internet and the WWW. If a student is instructed to provide citations for sources, proper use
of citation support is expected. Additional information can be found at the following locations.
http://www.apa.org/journals/webref.html
http://www.lib.duke.edu/libguide/citing.htm
http://bailiwick.lib.uiowa.edu/journalism/cite.html
http://www.cas.usf.edu/english/walker/papers/copyright/ipdummie.html
http://www.indiana.edu/~wts/wts/plagiarism.html
http://plagiarism.phys.virginia.edu/links.html
http://www.arts.ubc.ca/doa/plagiarism.htm
http://alexia.lis.uiuc.edu/%7ejanicke/plagiary.htm
http://webster.commnet.edu/mla/plagiarism.htm
http://www.virtualsalt.com/antiplag.htm
http://www.engr.washington.edu/~tc231/course_info/plagiarism.html
http://quarles.unbc.edu/lsc/rpplagia.html
In any academic community, certain standards and ethical behavior are required to ensure the
unhindered pursuit of knowledge and the free exchange of ideas. Academic honesty means that
you respect the right of other individuals to express their views and opinions, and that you, as a
student, not engage in plagiarism, cheating, illegal access, misuse or destruction of college
property, or falsification of college records or academic work.
As a member of the Kennesaw State University academic community you are expected to adhere
to these ethical standards. You are expected to read, understand and follow the code of conduct
as outlined in the KSU graduate and undergraduate catalogs. You need to be aware that if you
are found guilty of violating these standards you will be subject to certain penalties as outlined in
the college judiciary procedures. These penalties include permanent expulsion from KSU.
Read the Academic Integrity Statement and then sign and date in the space below. You are
required to abide by these ethical standards while you are a student at KSU. Your signature
indicates that you understand the ethical standards expected of you in this academic community,
and that you understand the consequences of violating these standards.
________________________________ ________________________________
Course Name Instructor Name
Signature Date
________________________________
email
This is a working document that provides further guidelines for the course exercise. If you have questions about any
of these guidelines, please contact one of the course instructors. When in doubt, the default action should be to ask
the instructors.
1) The goal of the project is to search for technical means of discovering information about others with whom you
share a computer system. As such, non-technical means of discovering information are disallowed (e.g., following
someone home at night to find out where they live).
2) ANY data that is stored outside of the course accounts can be used only if it has been explicitly and intentionally
published, (e.g. on a web page), or if it is in a publicly available directory, (e.g. /etc, /usr ).
3) Gleaning information about individuals from anyone outside of the course is disallowed.
5) If you discover a way to gain access to any account other than your own (including root), do NOT access that
account, but immediately inform the course instructors of the vulnerability. If you have inadvertently already gained
access to the account, IMMEDIATELY exit the account and inform the course instructors.
6) All explorations should be targeted specifically to the assigned course accounts. ANY tool that indiscriminately
explores non-course accounts for vulnerabilities is specifically disallowed.
7) Using the web to find exploration tools and methods is allowed. In your reports, provide full attribution to the
source of the tool or method.
8) If in doubt at all about whether a given activity falls within the letter or spirit of the course exercise, discuss the
activity with the instructors BEFORE exploring the approach further.
9) You can participate in the course exercise only if you are registered for a grade in the class. ANY violation of the
course guidelines may result in disciplinary or legal action.
10) Any academic misconduct or action during the course of the class can result in that course not being eligible to
count toward the security certificate.
As part of this course, you may be exposed to systems, tools and techniques related to Information Security. With
proper use, these components allow a security or network administrator to better understand the vulnerabilities and
security precautions in effect. Misused, intentionally or accidentally, these components can result in breaches of
security, damage to data or other undesirable results.
Since these lab experiments will be carried out in part in a public network that is used by people for real work, you
must agree to the following before you can participate. If you are unwilling to sign this form, then you cannot
participate in the lab exercises.
I agree to:
- only examine the special course accounts for privacy vulnerabilities (if applicable)
- report any security vulnerabilities discovered to the course instructors immediately, and not disclose them to
anyone else
- maintain the confidentiality of any private information I learn through the course exercise
- actively use my course account with the understanding that its contents and actions may be discovered by others
- hold harmless the course instructors and Kennesaw State University for any consequences of this course
- abide by the computing policies of Kennesaw State University and by all laws governing use of computer
resources on campus
I agree to NOT:
- attempt to gain root access or any other increase in privilege on any KSU workstation
- disclose any private information that I discover as a direct or indirect result of this course exercise
- take actions that will modify or deny access to any data or service not owned by me
- attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of
the labs.
- utilize any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course
exercise
- pursue any legal action against the course instructors or Kennesaw State University for consequences related to
this course
Moreover, I consent for my course accounts and systems to be examined for security and privacy vulnerabilities by
other students in the course, with the understanding that this may result in information about me being disclosed (if
applicable).
This agreement has been explained to me to my satisfaction. I agree to abide by the conditions of the Code of Ethics
and of the White Hat Agreement.
Printed name:____________________________
Prerequisites:
ISA 3100: Principles of Information Security and Assurance
Textbooks:
Guide to Network Defense and Countermeasures, Greg Holden © 2003 Course Technology
ISBN: 0-619-13124-1
Resources:
http://csrc.nist.gov/publications/nistpubs/index.html
• SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability
Naming Scheme, September 2002
• SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices,
November 2002
• SP 800-41 Guidelines on Firewalls and Firewall Policy, January 2002
• SP 800-40 Procedures for Handling Security Patches, September 2002
• SP 800-33 Underlying Technical Models for Information Technology Security, December
2001
• SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure,
February 2001
• SP 800-31 Intrusion Detection Systems (IDS), November 2001
• SP 800-28 Guidelines on Active Content and Mobile Code, October 2001
• Plus additional resources as assigned in class.
http://infosec.kennesaw.edu
Learning Outcomes:
With the increasing exposure of information systems to attacks from natural and man-made
disasters, there is an increasing demand on information systems technical staff to use technical
information security tools to defend systems from attacks on information systems security. The
purpose of this course is to examine technical preventative, detective and responsive measures.
As a result of completing this course, students will be able to:
• Understand the technical details of common information security technical
countermeasures.
• Evaluate each of the included technical countermeasures as to when its use is appropriate
and how it can be used to provide increased control or reduced risk.
• Create deployment plans for included technical countermeasures that include impact and
risk assessments to IT systems as well as impact and risk to general system users.
• Apply technical knowledge to simulated deployment planning issues using a case study in
a team-based project.
Final Grading:
A standard 100% evaluation scheme will be used (i.e. 89.5+ = A, 79.5 - 89.49 = B, 69.6 - 79.49 =
C, 59.5 - 69.49 = D, else = F).
Project will be graded for correctness and completeness.
The instructor retains the right to subjectively adjust an individual student's grade in appropriate
cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality
type. Specific examples will be provided in class. Students failing to present the information
completely, neatly and in the prescribed format will receive minimal credit for their work.
Students should double check for spelling and grammar before submitting assignments.
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral notice
thereof DOES NOT constitute official withdrawal from the course. Students who simply stop
attending classes without officially withdrawing usually are assigned failing grades. Students
wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a
withdrawal form from the Academic Services Department in the Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments, take
quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn
from this course, they will not be permitted to attend class nor will they receive any grade for the
class.
Electronic Devices
In order to minimize the level of distraction, all beepers and cellular phones must be on quiet
mode during class meeting times. Students who wish to use a computer/PDA for note taking need
prior approval of the instructor since key clicks and other noises can distract other students.
Recording of lectures by any method requires prior approval of the instructor. Students using a
laptop in class should not check their email, browse the web, or in any other way detract from the
focus of the class.
Classroom Behavior
Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as
published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for
upholding the provision. For more details, visit
http://ww.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf. Students
who are in violation of this policy will be asked to leave the classroom and may be subject to
disciplinary action by the University.
Special Dates:
Holidays/No Class
Last day to withdraw without penalty
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn or
meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Class notes can be downloaded from: TBD
Assignments:
Students will be issued an assignment schedule during the semester, consisting of requirements from
the Information Security Lab Manual, and other relevant requirements.
Project Requirements:
During the course of the semester, students will be presented with a fictitious organization, CGT,
Inc., a computer gaming software company. Students will be expected to assess the vulnerabilities
present in CGT’s three primary servers. Students will be provided with an assessment toolkit,
and asked to design a written report identifying all vulnerabilities in these systems. In addition,
the student will be required to research the vulnerabilities, including the CVE for each, and
collect information on the resolution on the vulnerabilities. Students will submit a binder
containing all necessary documents and recommendations. Additional details will be provided in
class and via WebCT.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does not
arrive within 20 minutes of the start of class, the class should move to the lab and work on their
laboratory exercises.
Computer Labs:
Assessment:
Exam 1 20%
Exam 2 20%
Assignments 15%
Labs 20%
Project 25%
100%
Grade Evaluation
A 90% - 100%
B 89% - 80%
C 79% - 70%
D 69% - 60%
F 59% or below
A standard questionnaire (described below) will be administered during the last two weeks of the
semester in all classes. Additional questions developed by the college or instructor(s) may be
included as well. It is important that each student provide meaningful feedback to the instructor(s)
so that changes can be made in the course to continually improve its effectiveness. We value
student feedback about the course, our teaching styles, and course materials, so as to improve our
teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify
the aspects of the course that most contributed to your learning (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2)
Identify the aspects of the course, if any, that might be improved (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring).
Acquiring Final Grades:
The final grades for this course will be posted to the student’s permanent record using the KSU
Banner system. Students may acquire their final grades by accessing their Banner account online.
Grades are no longer mailed to students. Students needing verification of grades or enrollment
should request either an official transcript or an enrollment verification through the Office of the
Registrar.
Project Description:
Each student will be assigned to a 3-person team. Although assigned to a team, each student will
conduct an independent analysis of the target servers. Once each student has scanned the
designated targets, the student can then work with their team in identifying the specifics of the
vulnerability and its resolution. While detailed knowledge of server administration is not
required, a basic understanding of operating systems and networking is expected. Students who
do not have this level will be expected to study on their own to understand the systems
sufficiently to assist in their preparation for security. Students will be expected to research and
recommend upgrades and fixes for known vulnerabilities. Resources to use in your assessment
include: Sam Spade, NMAP, Nessus and LanGuard. Resources to use in your investigation of
vulnerability include: http://cve.mitre.org, http://icat.nist.gov/icat.cfm, http://www.opensec.org/
and other references to be provided in class.
At the end of the semester the student team will present a joint presentation overviewing the
vulnerabilities found on each server and the severity of the individual vulnerabilities. Each
student will submit a binder with an overview of the specification of the system examined,
methods and techniques used, and findings, neatly organized, tabbed with appropriate headers
and references. Additional materials will be provided in class.
Chapter 1 Footprinting
Ex 1-1 Web Reconnaissance
Ex 1-2 WhoIS
Ex 1-3 DNS Interrogation
Ex 1-4 Network Reconnaissance
Course Description:
Detailed examinations of a systems-wide perspective of information security, beginning with
a strategic planning process for security. Includes an examination of the policies, procedures
and staffing functions necessary to organize and administrate ongoing security functions in
the organization. Subjects include security practices, security architecture and models,
continuity planning and disaster recovery planning.
Prerequisites:
ISA 3100: Principles of Information Security
Textbooks:
Management of Information Security, Whitman & Mattord, © 2004 Course Technology
ISBN: 0-619-21515-1 (draft to be distributed in class).
Resources:
http://csrc.nist.gov/publications/nistpubs/index.html
SP 800-12 An Introduction to Computer Security: The NIST Handbook,
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems
Learning Outcomes:
As a result of completing this course, students will be able to:
• Discuss the stages in the risk management process.
• Conduct a Business Impact Analysis
• Identify and prioritize threats to information and priorities of organizational information
resources.
• Develop information security policies for all three types.
• Design a security education, training and awareness program.
• Make informed choices in selecting security personnel.
• Develop guidelines for the hiring of non-security personnel sensitive to organizational
information protection requirements.
• Conduct a cost-benefit analysis.
• Develop a budget for the acquisition of needed security resources.
• Develop a program for planning responses to business information security
contingencies.
Final Grading:
A standard 100% evaluation scheme will be used (i.e., 89.5+ = A, 79.5 - 89.49 = B, 69.6 -
79.49 = C, 59.5 - 69.49 = D, else = F).
Project will be graded for correctness and completeness.
The instructor retains the right to subjectively adjust an individual student's grade in
appropriate cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-
quality type. Specific examples will be provided in class. Students failing to present the
information completely, neatly and in the prescribed format will receive minimal credit for
their work. Students should double check for spelling and grammar before submitting
assignments.
NO LATE WORK WILL BE ACCEPTED.
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral
notice thereof DOES NOT constitute official withdrawal from the course. Students who
simply stop attending classes without officially withdrawing usually are assigned failing
grades. Students wishing to withdraw after the scheduled change period (add/drop) must
obtain and complete a withdrawal form from the Academic Services Department in the
Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments,
take quizzes and exams, and receive a grade in the class. If a student is administratively
withdrawn from this course, they will not be permitted to attend class nor will they receive
any grade for the class.
Electronic Devices
In order to minimize the level of distraction, all beepers and cellular phones must be on quiet
mode during class meeting times. Students who wish to use a computer/PDA for note taking need
prior approval of the instructor since key clicks and other noises can distract other students.
Recording of lectures by any method requires prior approval of the instructor. Students using a
laptop in class should not check their email, browse the web, or in other way detract from the
focus of the class.
Classroom Behavior
Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as
published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for
upholding the provision. For more details, visit
http://www.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf .
Students who are in violation of this policy will be asked to leave the classroom and may be
subject to disciplinary action by the University.
Special Dates:
Holidays/No Class
Last day to withdraw without penalty
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn
or meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Class notes can be downloaded from: TBD
Assignments:
The student will be assigned a number of written projects and reports throughout the course of
the semester. These will include:
Sample risk assessment
Control spreadsheet
Outline of a disaster recovery plan
Organizational security policies
Additional details will be provided in class.
Project Requirements:
Students will be organized into 3-4 person teams, and provided with a case study of an
organization in desperate need of information security. Students will analyze the organization
and design a security profile including security personnel, a security policy, disaster recovery
and continuity plans, and recommendations for periodic auditing of the system. Additional
details will be provided in class.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does
not arrive within 20 minutes of the start of class, the class should move to the lab and work on
their laboratory exercises.
Computer Labs:
Assessment:
Exam 1 25%
Exam 2 25%
Assignments and Labs 25%
Project 25%
100%
Grade Evaluation
A 90% - 100%
B 80% - 89%
C 70% - 79%
D 60% - 69%
F 59% or below
A standard questionnaire (described below) will be administered during the last two weeks of the
semester in all classes. Additional questions developed by the college or instructor(s) may be
included as well. It is important that each student provide meaningful feedback to the instructor(s)
so that changes can be made in the course to continually improve its effectiveness. We value
student feedback about the course, our teaching styles, and course materials, so as to improve our
teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify
the aspects of the course that most contributed to your learning (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2)
Identify the aspects of the course, if any, that might be improved (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring).
Students are encouraged to study together and to work together on class assignments and lab
exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic
Honesty, KSC Undergraduate Catalog will be strictly enforced in this class.
Frequently students will be provided with “take-home” exams or exercises. It is the student’s
responsibility to ensure they fully understand to what extent they may collaborate or discuss
content with other students. No exam work may be performed with the assistance of others or
outside material unless specifically instructed as permissible. If an exam or assignment is
designated “no outside assistance” this includes, but is not limited to, peers, books, publications,
the Internet and the WWW. If a student is instructed to provide citations for sources, proper use
of citation support is expected. Additional information can be found at the following locations.
http://www.apa.org/journals/webref.html
http://www.lib.duke.edu/libguide/citing.htm
http://bailiwick.lib.uiowa.edu/journalism/cite.html
http://www.cas.usf.edu/english/walker/papers/copyright/ipdummie.html
http://www.indiana.edu/~wts/wts/plagiarism.html
http://plagiarism.phys.virginia.edu/links.html
http://www.arts.ubc.ca/doa/plagiarism.htm
http://alexia.lis.uiuc.edu/%7ejanicke/plagiary.htm
http://webster.commnet.edu/mla/plagiarism.htm
http://www.virtualsalt.com/antiplag.htm
http://www.engr.washington.edu/~tc231/course_info/plagiarism.html
http://quarles.unbc.edu/lsc/rpplagia.html
Project Description: Using the CGT Case RFP provided in class, use the following proposal
format to provide the indicated information.
The following sections should guide the development and submission of the proposal. The final
document will be submitted in a 3-ring binder, and single-spaced, with standard margins and
fonts. Each section should be properly tabbed, organized, and structured with appropriate
headers. Each new section and subsection should begin on a fresh page. All pages should be
numbered, and an index placed at the beginning of the document. The group members’ names
should be prominently displayed on the front cover. For each section, address the subjects or
components outlined beneath it. If a component requires a separate binder or document, create it
as needed.
SECTION
1) Overview of CGT
Provide an overview of the CGT company history, including an organization chart,
physical plant layout (blank), and general description of organization computing and in-
place security resources.
2) Problem Definition
Create a summary of the situation leading to the issuance of the RFP. Specify the
organizational needs and the situations demanding resolution.
5) Risk Management
Create an assessment of the risks inherent in CGT’s current security profile. Include an
assessment of threats facing CGT, along with estimated vulnerabilities in the CGT
systems. Include weighted tables a) prioritizing threats and b) prioritizing assets. Make
recommendations as to general improvements in the information security posture.
Basically perform a Risk Assessment/Business Impact Analysis on CGT.
policy with information as if you are the CISO of CGT, just beginning a new Security
SDLC. As part of your program include:
• 2 examples of Security Awareness Posters in PowerPoint.
• A training calendar for needed security training (1 month).
• A sample newsletter (2 – 4 pages) providing security awareness information to
CGT employees.
7) Contingency Planning
Provide a planning framework for CGT’s contingency planning. Design a contingency
planning program, including specifications for the program team, deliverables, timelines
etc. Provide a template for each of the following components:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
This does not require you to complete these components; only provide a detailed outline
that CGT can fill in to create these plans, and a project management plan for the design
and development of both the team, and the actual plans.
8) Security Staff
Design a Security Team for this size organization (organization chart) including
specifications for the numbers and types of security professionals needed. Develop a job
advertisement for each position with qualifications and requirements.
Program Objectives
The purpose of the proposed Bachelor of Science in Information Security and Assurance (BS-
ISA) program is to create technologically proficient, business-savvy information security
professionals capable of applying policy, education & training and technology solutions to
protect information assets from all aspects of threats, and to manage the risks associated with
modern information usage. This program will incorporate existing coursework provided through
departments on campus, minimizing the need for new courses, yet will create and offer a unique
program of study, with up to twelve courses in required Information Security, up to eight courses
in Information Technology, five courses in Business, and a host of electives in areas such as
Criminal Justice.
In preparation for campus SACS accreditation, and as part of the continuous improvement in
education program at KSU – the Assessment of Learning, the program architects have developed
tentative general and specific program objectives:
Career Opportunities
As a recommended elective component of the program, students can select from a number of
career-oriented opportunities, including internships and cooperative studies. There are a number
of information security related opportunities with local businesses, the Georgia Bureau of
Investigation and numerous public services institutions. The Center for Information Security
Education and Awareness employs 5-6 student interns each semester, in support of the current
Certificate in Information Security and Assurance. These students learn critical security skills
while providing valuable vulnerability assessment, security technology installation and
configurations, and policy review and recommendations. The center will continue its support of
student internships and cooperative studies with the proposed degree program. Once the students
have completed their educational programs, it is anticipated that the growing demand for
information security professionals will continue, as this is one area that organizations will be
reluctant to outsource overseas, a trend that is affecting a number of information technology jobs.
Through collaboration with the College of Business, the College of Humanities and Social
Sciences, the Center for Information Security Education and Awareness, and numerous academic
departments, the faculty, staff, and administrators behind this new program strive to actualize the
academic environment envisioned behind the university’s mission statement: one “that fosters
high-quality academic preparation, critical thinking, global and multicultural perspectives,
effective communication and interpersonal skills, leadership development, social responsibility
and lifelong learning.” The Department of Computer Science and Information Systems is well
prepared for the inaugural class of students for this program. Over the past two years, the
department has gained experience in offering information security classes through its efforts with
the Certificate in Information Security and Assurance. The proposed program will only require a
total of six new courses in order to offer the proposed curriculum and a modest increase in the
frequency of offering for the five courses already being offered. Spreading the new course
offerings over the two years projected for a student to complete the upper and lower division
required and elective components of the course will prove well within the department’s capacity.
The faculty, staff, classroom, and laboratory resources currently available are also well capable
of handling the projected initial demand. Five local information security professionals have
offered to teach courses on a part-time or adjunct basis, as demand for the degree grows.
Under this program, 4-year colleges and graduate-level universities apply to NSA to be
designated as Centers of Academic Excellence in IA Education. Each applicant must pass a
rigorous review demonstrating its commitment to academic excellence in IA education. During
the application process applicants are evaluated against stringent criteria for measurement based
on IA training standards set nationally by the Committee on National Security Systems.
Designation as a CAEIAE is valid for three academic years, after which the school must
successfully reapply in order to retain its CAEIAE designation. These training standards
(NSTISSI No. 4011-4015) are located at: http://www.nstissc.gov/html/library.html.
CAEIAEs receive formal recognition from the U.S. government, as well as prestige and
publicity, for their role in securing our nation's information systems. Students attending CAEIAE
schools are eligible to apply for scholarships and grants through the Department of Defense
Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for
Service Program (SFS).” (http://www.nsa.gov/ia/academia/caeiae.cfm). Currently KSU has an
application in for this program, and the findings from its results are pending.
The architects developing this curriculum examined dominant standards for technology
curriculum, as a foundation for the security degree. There are two dominant technology
curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards.
While there are clear standards for curriculum in Information Systems, there are no standards for
Information Security. The primary program architect for this proposed program is an ABET-
CAC IS program evaluator, having completed formal training and at least one accreditation visit.
Lessons learned in developing and evaluating curriculum were incorporated into this program.
The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for
Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest
professional technology organizations: Association for Computing Machinery (ACM),
Association for Information Systems (AIS) and Association for Information Technology
Professionals (AITP). “IS 2002 is a model curriculum for undergraduate degree programs in
Information Systems… and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an
academic field, encompasses two broad areas: (1) acquisition, deployment, and management of
information technology resources and services (the IS function); and (2) development and
evolution of technology infrastructures and systems for use in organizational processes (systems
development). It also includes a detailed set of course descriptions and advice to [those] who
have a stake in the achievement of quality IS degree
programs” (http://www.aisnet.org/Curriculum/IS2002-12-31.pdf). The IS 2002 guiding
principles have been adopted and revised for this curriculum model development as follows:
“1) The model curriculum should represent a consensus from the InfoSec community. 2) The
model curriculum should be designed to help InfoSec faculty produce competent and confident
entry level graduates well suited to work-place responsibilities. 3) The model curriculum should
guide but not prescribe. Using the model curriculum guidelines, faculty can design their own
courses. 4) The model curriculum should be based on sound educational methodologies and
make appropriate recommendations for consideration by InfoSec faculty. 5) The model
curriculum should be flexible and adaptable to most IS/CS programs”.
When internships or field experiences are required as part of the program, provide
information documenting internship availability as well as how students will be assigned
and supervised.
As a recommended elective component of the program, students can select from a number of
career-oriented opportunities, including internships and cooperative studies. There are a number
of information security related opportunities with local businesses, the Georgia Bureau of
Investigation and numerous public services institutions. Approximately 20 students that have
completed or are completing the Certificate in ISA have engaged in Internship Opportunities.
On average there are 3-5 internship or cooperative study opportunities available to students off-
campus. This is encouraging as most organizations would be reluctant to take a temporary
student employee and provide them with access to critical organizational data.
The Center for Information Security Education and Awareness employs 5-6 student interns each
semester, in support of the current Certificate in Information Security and Assurance. These
students learn critical security skills while providing valuable vulnerability assessment, security
technology installation and configurations, and policy review and recommendations. It is
anticipated that the center will continue its support of student internships and cooperative studies
with the proposed degree program. Once the students have completed their educational
programs, it is anticipated that the growing demand for information security professionals will
continue, as this is one area that organizations will be reluctant to outsource overseas, a trend that
is affecting a number of information technology jobs.
Indicate ways in which the proposed program is consistent with national standards.
As indicated earlier, The Committee on National Security Systems and the National Security
Agency have certified that Kennesaw State University offers a set of courseware that has been
reviewed by National Level Information Assurance Subject Matter Experts and determined to
meet National Training Standard for Information Systems Security Professionals (NSTISSI
4011, 4012, 4013, 4014) for academic years 2003 - 2006.
“The goal of the Information Assurance Courseware Evaluation (IACE) Program is to ensure
compliance with national standards for information assurance education and training throughout
the nation. The Committee on National Security Systems (CNSS) sets these standards. The
IACE Program is a major step in meeting the national requirements for IA education and
training. IACE is a systematic assessment of the degree to which the courseware from
commercial, government, and academic sources maps to the national standards. Through an
interactive website, an institution electronically submits data for evaluation. When the institution
has met all the elements of a specific standard, then it receives formal certification […]
The IACE Program was established under the authority of the National Security
Telecommunications and Information Systems Security Committee (NSTISSC), the predecessor
to today's Committee on National Security Systems (CNSS). This inter-governmental
organization sets policy for the security of national security systems for the Federal Government.
Presidential Decision Directive 63 (PDD 63) on Critical Infrastructure Protection, issued in May
1998, highlighted the critical shortage of well-trained information assurance professionals and
the need for national standards. In January 2000, the NSTISSC initiated the IACE Program to
establish those standards, recognizing that the body of knowledge required by the standards was
available from a variety of sources: government, commercial industry, and colleges and
universities” (http://www.nsa.gov/ia/academia/iace.cfm). The certified coursework forms the
foundation for the proposed Information Security degree program.
CURRICULUM
BS - Information Security and Assurance Degree Requirements
Major Electives
(Choose three 3-hour classes) see below for descriptions 9 Hours
ACCT 3100, ACCT 3300, ACCT 4150, ECON 2200, CRJU 1101, CRJU 3305, CRJU 3320, CRJU 4305, CSIS
3550, CSIS 4420, CSIS 4510, CSIS 4515, CSIS 4555, CSIS 4575, ISA 4400, ISA 4490, ISA 4700, IT 3300,
IT 3700, IT 4525
Free Electives
(Any courses in KSU curriculum totaling 9 hours) 9 Hours
Major Electives
COURSE TITLE PREREQUISITES
Business Electives:
(An Accounting & Auditing specialization may be obtained by selecting the following ACCT courses)
ACCT 3100 Intermediate Financial Accounting & Audit ACCT 2100 & ACCT 2200
ACCT 3300 Accounting Information Systems ACCT 3100
ACCT 4150 Auditing and Assurance ACCT 3300 & permission of the dept chair
CSIS Electives:
CSIS 3550 Linux Administration and Security CSIS 3600 & CSIS 3530 or ISA 3010
CSIS 4420 Local Area Networks CSIS 2520
CSIS 4510 Computer Law CSIS 3600 or ISA 4330
CSIS 4515 Computer Ethics CSIS 3310 or IT 3500
CSIS 4555 Electronic Business Systems CSIS 3210
CSIS 4575 Technology Commercialization Any 3000 Level CSIS (or ISA) Course
[Course flow chart (figure residue). Courses shown: ISA 4210 Client OS Security; ISA 3010
Security Script Prog; ISA 4220 Server OS Security; CSIS 4555 E-biz Systems; CSIS 3210 Proj
Mgmt; CSIS 3550 Linux Sec & Admin; CSIS 4575 Tech Comm; ISA 3550 Computer Forensics;
CSIS 4420 LAN; CSIS 2301 Prog Prin I; CSIS 2520 Data Comm; IT 3300 Web Technologies;
IT 3700 IT Mgmt; IT 4525 eCommerce. Legend: bold outlines represent new classes; shaded
boxes represent major ISA, IT & CSIS electives; dotted lines are only to prevent confusion on
overlaps.]
As evidenced by this chart, consideration was given to the flow of students through the
program. A balance was struck between the need for prerequisite knowledge from course to
course and the need to resolve any potential bottlenecks in the matriculation of students. As a
result, the program designers identified the core courses (ISA 3100, 3200 and 3300) that form
the critical path through the program. These courses are or will be offered with sufficient
frequency to ensure students can complete the program in a timely manner. The required core
courses in the lower and upper divisions will be offered at least once a semester, with many
courses in the CSIS foundations offered in multiple sections.
List the entire course of study required and recommended to complete the degree program. Give
a sample program of study that might be followed by a representative student. Indicate ways in
which the proposed program is consistent with national standards.
In the Degree requirements example above, new courses are indicated as bold and italic. The
new degree program will require the following new courses:
ISA 3010 – Security Script Programming - In depth discussion of secure methods and
techniques in programming, and the role of specialized scripting languages.
ISA 4210 – Client OS Security - An overview of the security of and vulnerabilities present in
modern computing system clients, including computer architectures, and operating systems.
ISA 4220 – Server OS Security - An overview of the security of and vulnerabilities present in
modern computing system servers, including computer architectures, and operating systems.
ISA 4330 – Contingency Planning and Operations - An examination of the detailed aspects of
contingency planning and operations: Incident Response – prevention, detection, reaction,
recovery, Disaster Recovery & Business Continuity
ISA 4400 – Directed Study in ISA – An independent study of a topic of interest to a particular
student and faculty member.
ISA 4490 – Special Topics in ISA – A unique class of interest not part of the existing
curriculum.
ISA 4700 – Emerging Issues in Information Security and Assurance – The topics covered in
this course vary to maintain currency with current thinking and discussions in the InfoSec
profession. Students will choose or be assigned topics to be investigated as groups or
individuals. They will perform on-line and library research, prepare and deliver reports and
presentations, and analyze and critically evaluate the reports and presentations of other students.
ISA 4820 – Information Security & Assurance Programs and Strategies (capstone) - This
course pulls together the managerial and technical components of the program in one
comprehensive course. Individuals focus on risk management, organizational assessment, and
certification and accreditation issues, and the roles and responsibilities of the CISO.
Course Descriptions for the General Education requirements are available online at
www.kennesaw.edu.
Accounting Courses
ACCT 2100. Introduction to Financial Accounting. 3-0-3. Prerequisite: ENGL 1101 and MATH
1101.
An introduction to the language of business. Focuses on financial statements and their use in
decision making. Designed for non business and business majors.
ACCT 3100. Intermediate Financial Accounting & Auditing. 3-0-3. Prerequisite: Business
Majors: Sophomore GPA Requirement; Non business Majors: ACCT 2100 and ACCT 2200.
Focuses on problems and issues related to the collection, analysis, and reporting of external and
internal information. Includes theory and applications in financial accounting and auditing within
the framework of accounting as an information system.
ACCT 3300. Accounting Information Systems. 3-0-3. Prerequisite: Business Majors: Sophomore
GPA Requirement and ACCT 3100; Non business Majors: ACCT 3100.
A continuation of accounting transaction processing concepts; internal controls and systems
analysis and design.
ACCT 4150. Auditing and Assurance. 3-0-3. Prerequisite: Business Majors: Sophomore GPA
Requirement and ACCT 3300; Non business Majors: ACCT 3300 and permission of department
chair.
A continuation of audit theory with a focus on specific applications to financial reporting. Also
covers other types of attestation and assurance services with a focus on the concepts of risk,
control, evidence, and ethics.
CSIS 2300. Principles of Computing. 3-0-3. Prerequisite: credit level mathematics course.
Principles of computing is the first course a student should take to prepare for a career in
computer science or information systems. Topics include information systems in organizations,
hardware, software, database concepts, telecommunications and networks, the Internet, systems
development, security, privacy, ethics, programming logic, algorithms, abstraction, and data
structures.
CSIS 2301. Programming Principles I. 3-0-3. Prerequisite: CSIS 2300 and any credit level
Mathematics course.
An introduction to problem-solving methods that lead to the development of correct, well-
structured programs. Topics also include the fundamentals of computer systems.
CSIS 3210. Project Management. 3-0-3. Prerequisite: CSIS 2301 or ACCT 3100.
Introduction to the principles and application of project management techniques with an
emphasis on the design and management of computer information systems projects. Topics
include project planning, work team design, project estimation techniques, project reporting,
identifying and controlling project risks, budgets, and quality assurance.
CSIS 4515. Computer Ethics. 3-0-3. Prerequisite: CSIS 3310 and ENGL 3140.
Computer Ethics addresses a definition of ethics, provides a framework for making ethical
decisions, and analyzes in detail several areas of ethical issues that computer professionals are
likely to encounter in business. Each area includes information regarding U.S. Law. Topics
include philosophical, business, and professional ethics, privacy, criminal conduct, property
rights, speech, and reliability.
CSIS 4575. Technology Commercialization. 3-0-3. Prerequisite: Any 3000 level BIOL, CHEM,
CSIS or MATH course.
This is a course for junior and senior level science and mathematics majors who may want to be
prepared to commercialize technology and start up a company. The course is designed to provide
students with the perspective, tools and information necessary to evaluate the market potential of
a technical idea, secure patent protection, obtain research and development funding, understand
start-up issues, appreciate the value of a technology incubator, obtain venture capital, understand
IPOs and grow a technology-based enterprise.
Business Law
BLAW 2200. Legal and Ethical Environment of Business. 3-0-3. Prerequisite: All developmental
studies courses if required.
Covers torts, contracts, government regulation of business and the legal system. Also addresses
ethical issues arising in a business’s internal and external relationships.
CRJU 3305. Technological Applications in Criminal Justice. 3-0-3. Prerequisite: CRJU 1101.
This course will examine current and predicted hardware and software applications of
technology by criminal justice agencies, especially law enforcement agencies. Topic areas
discussed will include technology associated with forensics, “less than” lethal force, and crime
analysis. Laws pertaining to the use of technology for investigative purposes, privacy issues, and
fourth amendment issues will also be examined.
CRJU 4305. Technology and Cyber Crime. Prerequisite: CRJU 1101 and CRJU 3305.
This course provides an overview of cyber crime and computer-related crime issues facing the
American criminal justice system, particularly law enforcement. The course looks at law
enforcement’s ability to respond and discusses law enforcement problems in dealing with
computer crime. Students will learn about government response to cyber crime problems,
especially from a law enforcement perspective. Future trends of cyber crime and computer-
related crime will also be discussed.
Economics Classes
ECON 2200. Principles of Macroeconomics. 3-0-3. Prerequisite: ECON 2100 and 6 credit hours
of MATH numbered 1101 or higher.
Analysis of socioeconomic goals, money and credit systems, theories of national income,
employment and economic growth.
Information Security and Assurance Classes
ISA 3100. Principles of Information Security and Assurance. 3-0-3. Prerequisite: CSIS 2520 or
permission of the department.
An introduction to the various technical and administrative aspects of Information Security and
Assurance. This course provides the foundation for understanding the key issues associated with
protecting information assets, determining the levels of protection and response to security
incidents, and designing a consistent, reasonable information security system, with appropriate
intrusion detection and reporting features.
ISA 3200. Applications in Information Security and Assurance. 3-0-3. Prerequisite: CSIS 2520
or permission of the department.
Detailed examinations of the tools, techniques and technologies used in the technical securing of
information assets. This course is designed to provide in-depth information on the software and
hardware components of Information Security and Assurance. Topics covered include: firewall
configurations, hardening Unix and NT servers, Web and distributed systems security, and
specific implementation of security models and architectures.
ISA 3300. Policy and Administration in Information Security and Assurance. 3-0-3. Prerequisite:
CSIS 2520 or permission of the department.
Detailed examinations of a systems-wide perspective of information security, beginning with a
strategic planning process for security. Includes an examination of the policies, procedures and
staffing functions necessary to organize and administrate ongoing security functions in the
organization. Subjects include security practices, security architecture and models, continuity
planning and disaster recovery planning.
ISA 3350. Computer Forensics. 3-0-3. Prerequisite: ISA 3100.
This course focuses on the detection, isolation and response to security breaches and attacks. It
provides a detailed examination of the entire computer forensic process and presents specific
procedures required to respond to a computer crime incident. Subjects include recognizing
unauthorized access, identifying file anomalies, and traffic monitoring.
ISA 3396. Cooperative Study in Information Security and Assurance. 3-0-3. Prerequisite: ISA
3100 and approval of coordinator of cooperative education (Career Services).
A supervised work experience for a minimum of two semesters at a site in business, industry or
government, focusing on some aspect of information security and assurance. For sophomore,
junior or senior level students who wish to obtain on-the-job experience in Information Security
and Assurance, in conjunction with their academic training. Students may take a cooperative
study for multiple semesters however only three credit hours are applicable toward the
Certificate in Information Security and Assurance. Contact the department office for additional
information on the requirements and restrictions of the cooperative study.
ISA 3398. Internships in Information Security and Assurance. 3-0-3. Prerequisite: ISA 3100 and
approval of coordinator of cooperative education (Career Services).
A supervised work experience for one semester at a site in business, industry or government,
focusing on some aspect of information security and assurance. For sophomore, junior or senior
level students who wish to obtain on-the-job experience in Information Security and Assurance,
in conjunction with their academic training. Students can earn between three and nine credit
hours toward their degree programs but only three hours will be counted toward the Certificate in
Information Security and Assurance. Contact the department office for additional information on
the requirements and restrictions for the Internship.
ISA 4210. Client Operating Systems Security. 3-0-3. Prerequisite: ISA 3200.
This course is an exploration of client computer systems security and vulnerabilities, including
computer architectures, and operating systems. It provides the detailed technical coverage
necessary to protect computer information system clients by presenting the knowledge of client
platform computer hardware components, client network devices and interfaces as well as the
structure and usage of client operating system software from an information security perspective.
Additional learning regarding ongoing maintenance and operational issues of client computing
systems will also be included.
ISA 4400. Directed Study. 1-3 credit hours. Prerequisite: Approval of instructor, major area
committee, and department chair. Up to three hours may be applied to the major area.
Special topics of an advanced nature that are not in the regular course offerings.
ISA 4490. Special Topics. 1-3 credit hours. Prerequisite: Varies by topic.
Selected special or current topics of interest to faculty and students.
ISA 4820. Information Security & Assurance Programs and Strategies (capstone).
This course pulls together the managerial and technical components of the program in one
comprehensive course. Individuals focus on risk management, organizational assessment, and
certification and accreditation issues, and the roles and responsibilities of the CISO.
IT 3300. Web Technologies. 3-0-3. Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Web Technologies will introduce students to the planning, design, implementation and
maintenance of World Wide Web applications. Applications will be developed using both high-
end development environments as well as html. Topics include tables, image maps, frames,
security, ethical issues, application development tools, and development methodologies.
IT 3500. Database Technologies. 3-0-3. Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Database Technologies covers the essentials of database concepts for non-IT careers. Key topics
may include searching and querying, validation of electronic data, data mining, data collection
principles, privacy and fair use, related intellectual property issues, integration of incompatible
data sources, database-driven web sites, and visual database programming. Tools included may
include SQL, Visual Basic Web Databases, Personal Oracle, and Access 2000, and various
database search engines.
IT 4400. Directed Study. 1-3 credit hours. Prerequisite: Approval of instructor, major area
committee, and department chair. Up to three hours may be applied to the upper division
requirements for the IT certificate.
Special topics of an advanced nature that are not in the regular course offerings. Students
selecting this course to complete the IT certificate must select a topic involving technology
applications in the chosen career area.
Management Classes
MGT 3100. Management and Behavioral Sciences. 3-0-3. Prerequisite: Business Majors:
Sophomore GPA Requirement; Non business Majors: 60 credit hours.
This course introduces students to the field of management, focusing on basic principles and
concepts applicable to all types of organizations. The evolution of functional and behavioral
aspects of management and organization theory are presented in the context of political, societal,
regulatory, ethical, global, technological and demographic environmental forces.
Math Classes
Syllabus
COURSE DESCRIPTION
A study of secure programming and security programming techniques. The course examines
aspects of developing traditional computer software, applying additional controls and measures to
prevent the development of vulnerable and exploitable code. The course then examines
programming techniques used in support of ongoing technical security functions, including Perl
and CGI scripting.
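The two halves of this course description (keeping exploitable code out of a program, and Perl/CGI scripting in support of security work) meet in the classic CGI mistake: request data handed to a shell. The script below is an added illustration, not code from the syllabus or from either textbook. It assumes a CGI parameter named "user" and a lookup through /usr/bin/getent (both hypothetical choices), and places the vulnerable pattern beside the hardened one: taint mode, whitelist validation, list-form system(), and HTML escaping of anything echoed back.

```perl
#!/usr/bin/perl -T
# Added example for the secure programming / Perl-CGI course (not from the
# syllabus or its textbooks). Assumes a hypothetical "user" parameter and
# a lookup via /usr/bin/getent.
use strict;
use warnings;
use CGI qw(escapeHTML);

# Under taint mode (-T) Perl refuses to use data derived from the request
# (parameters, %ENV) in system(), exec(), open() for writing, unlink() etc.
# until it has passed through a regex capture. -T also requires a trusted
# PATH and the removal of variables that influence a shell.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Vulnerable form, kept only for contrast and never called: a single string
# is handed to /bin/sh, so a request such as user=alice;cat%20/etc/passwd
# runs a second command. With -T on, Perl dies here with
# "Insecure dependency in system" instead of running it.
sub unsafe_lookup {
    my ($raw) = @_;
    return system("getent passwd $raw");
}

# Hardened step 1: whitelist validation. The pattern defines what is
# acceptable (no blacklist of metacharacters to get wrong), and the capture
# is also what untaints the value for Perl. Requiring a leading letter
# keeps the value from ever being parsed as a command-line option.
sub validate_user {
    my ($raw) = @_;
    return undef unless defined $raw;
    return undef unless $raw =~ /\A([a-z][a-z0-9_-]{0,31})\z/;
    return $1;
}

# Hardened step 2: list-form system() execs the program directly with one
# argument per element. No shell is started, so metacharacters are inert.
sub safe_lookup {
    my ($user) = @_;
    return system('/usr/bin/getent', 'passwd', $user);
}

# Hardened step 3: anything echoed back into the page is HTML-escaped, so a
# value like <script> is displayed rather than executed.
my $q = CGI->new;
print $q->header('text/html; charset=utf-8');
my $user = validate_user(scalar $q->param('user'));
if (!defined $user) {
    print '<p>Rejected: user must match [a-z][a-z0-9_-]{0,31}, got "',
          escapeHTML(scalar($q->param('user')) // ''), "\"</p>\n";
} else {
    my $rc = safe_lookup($user);
    print '<p>Lookup for ', escapeHTML($user), ' exited with status ',
          $rc >> 8, "</p>\n";
}
```

CGI.pm accepts name=value pairs on the command line, so the script can be exercised without a web server: `perl -T lookup.cgi user=alice` reaches the lookup, while `perl -T lookup.cgi 'user=alice;id'` is rejected by the whitelist before anything is executed. The order of the three steps matters: validation decides what is acceptable, the list-form call removes the shell so the decision cannot be bypassed, and escaping protects the reader of the response rather than the server.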
PREREQUISITES
COURSE OBJECTIVES
Integrate the IRP, DRP, and BCP plans into a coherent strategy to support
sustained organizational operations.
Understand and be able to discuss incident response options.
Understand the escalation process from incident to disaster.
RESOURCES
Required:
Secure Coding: Principles & Practices, By Mark G. Graff, Kenneth R. van Wyk, June 2003 ,
ISBN: 0-596-00242-4 O’Reilly
Perl and CGI for the World Wide Web: Visual QuickStart Guide, 2/E, Elizabeth Castro, ISBN:
0-201-73568-7, Publisher: Peachpit Press
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 10%
Programming Exercises 20%
Mid-term Examination 25%
Final Exam 25%
Programming Project 20%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
• The mid-term examination will consist of programming assignments and questions on
technical comprehension that cover the lecture material and assigned readings.
PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems
within one or more defined information security technical architectures. The team will then
create an implementation and maintenance plan to implement the necessary technical controls to
meet the information security needs of the client information system. They will present their
findings in a formal presentation. Peer evaluations will be considered in determining each
student’s grade on the project. Project guidelines will be available via WebCT.
LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC
363, the Advanced Data Communications Lab. During this time, the students will be assigned a
number of hands-on exercises involving information security technical controls as applied to
client platforms. Students will perform the labs, and document their activities. These reports will
be submitted to the instructor, and are due 1 week after the lab is assigned. Students will be
provided with access to the lab after class hours in order to complete these exercises.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 3100) in the subject field of any e-mail message that you
send to me during the term. E-mail messages I receive that are missing this information in the
subject field are likely to be automatically redirected to a folder the contents of which I seldom
check.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 Secure Code Text: 1. No Straight Thing
9 Perl & CGI Scripting Text: 3. About Servers, Perl, and CGI.pm; 4. Running Perl CGI on a Unix Server.
12 Perl & CGI Scripting Text: 9. Getting Data into the Script; 10. Simple Operations with Scalars.
16 Perl & CGI Scripting Text: 17. Formatting, Printing, and HTML; 18. Security.
Final Exam Period
Syllabus
COURSE DESCRIPTION
PREREQUISITES
COURSE OBJECTIVES
RESOURCES
Required:
Guide to Operating System Security, Michael Palmer, ISBN 0-619-16040-3 © 2004.
Organization and Architecture text, TBD, ISBN tbd © 2004.
Articles and readings at http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%20Secu
rity/
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 10%
Security Lab Exercises 15%
Mid-term Examination 25%
Final Exam 25%
Team Project 25%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems
within one or more defined information security technical architectures. The team will then
create an implementation and maintenance plan to implement the necessary technical controls to
meet the information security needs of the client information system. They will present their
findings in a formal presentation. Peer evaluations will be considered in determining each
student’s grade on the project. Project guidelines will be available via WebCT.
LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC
363, the Advanced Data Communications Lab. During this time, the students will be assigned a
number of hands-on exercises involving information security technical controls as applied to
client platforms. Students will perform the labs, and document their activities. These reports will
be submitted to the instructor, and are due 1 week after the lab is assigned. Students will be
provided with access to the lab after class hours in order to complete these exercises.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. ISA4210) in the subject field of any e-mail message that
you send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the contents
of which is seldom checked.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 Introduction to the course
2 Client hardware
3 Client O/S structures
Syllabus
COURSE DESCRIPTION
PREREQUISITES
COURSE OBJECTIVES
RESOURCES
Required:
Guide to Operating System Security, Michael Palmer, ISBN 0-619-16040-3 © 2004.
Organization and Architecture text, TBD, ISBN tbd © 2004.
Articles and readings at http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%20Secu
rity/
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 10%
Security Lab Exercises 15%
Mid-term Examination 25%
Final Exam 25%
Team Project 25%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
PROJECT DESCRIPTION
The team project will consist of the examination of several archetypal client information systems
within one or more defined information security technical architectures. The team will then
create an implementation and maintenance plan to implement the necessary technical controls to
meet the information security needs of the client information system. They will present their
findings in a formal presentation. Peer evaluations will be considered in determining each
student’s grade on the project. Project guidelines will be available via WebCT.
LAB DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC
363, the Advanced Data Communications Lab. During this time, the students will be assigned a
number of hands-on exercises involving information security technical controls as applied to
client platforms. Students will perform the labs, and document their activities. These reports will
be submitted to the instructor, and are due 1 week after the lab is assigned. Students will be
provided with access to the lab after class hours in order to complete these exercises.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 4220) in the subject field of any e-mail message that you
send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the content of
which is seldom checked.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 Introduction to the course
2 Server hardware
3 Server O/S structures
16 Project presentations
Final Exam Period Final Exam
Syllabus
COURSE DESCRIPTION
PREREQUISITES
COURSE OBJECTIVES
Integrate the IRP, DRP, and BCP plans into a coherent strategy to support
sustained organizational operations.
Understand and be able to discuss incident response options.
Understand the escalation process from incident to disaster.
RESOURCES
Required:
Guide to Disaster Recovery, Michael Erbschloe, ISBN: 0-619-13122-5 © 2003 Course
Technology
Articles and readings at http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%20Secu
rity/
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 10%
Mid-term Examination 25%
Final Exam 25%
Individual Writing Assignments 20%
Team Project 20%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems
within one or more defined information security technical architectures. The team will then
create an implementation and maintenance plan to implement the necessary technical controls to
meet the information security needs of the client information system. They will present their
findings in a formal presentation. Peer evaluations will be considered in determining each
student’s grade on the project. Project guidelines will be available via WebCT.
LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC
363, the Advanced Data Communications Lab. During this time, the students will be assigned a
number of hands-on exercises involving information security technical controls as applied to
client platforms. Students will perform the labs, and document their activities. These reports will
be submitted to the instructor, and are due 1 week after the lab is assigned. Students will be
provided with access to the lab after class hours in order to complete these exercises.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 3100) in the subject field of any e-mail message that you
send to me during the term. E-mail messages I receive that are missing this information in the
subject field are likely to be automatically redirected to a folder the contents of which I seldom
check.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 1. Introduction to Incident Response, Disaster Recovery and Business Continuity Planning
2 2. Preparing to Develop the IR, DR and BC plan
16 Project Presentations
Syllabus
COURSE DESCRIPTION
The purpose of the course is to explore emerging issues in information security and assurance, and the
role of organizational information security in state, regional and national policy. It provides content about
the interaction between the organization, society, and public agencies. It examines the role of people
versus technical security ideals currently debated by contemporary international organizations.
PREREQUISITES
COURSE OBJECTIVES
Describe, analyze and assess security relations at a state-societal level in both the developing
and developed world;
Analyze and evaluate the inter-relationship between global processes and specific information
security dynamics; and,
Analyze, evaluate and critically discuss the policy responses to organizational, state, regional and
national information security agendas, and the alternatives to them.
Discuss the viewpoints of information security as a people versus technical problem, and the
corresponding use of people versus technical solutions.
RESOURCES
Required:
Articles and readings at http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%20Secu
rity/
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 15%
Research Paper 25%
Midterm Exam 20%
Individual Writing assignments 20%
Final Exam 20%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
• The mid-term examination will consist of program assignments and technological
comprehension that cover the lecture material, and assigned readings.
PAPER DESCRIPTION
Students will write a paper on a subject assigned by the instructor on key subjects germane to the
management of information security programs. Paper format and content specifications will be
provided in class.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 4820) in the subject field of any e-mail message that you
send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the content of
which is seldom checked.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 Introduction to Emerging Issues
2 The Human Side of Information Security and Assurance
3 Organizational information security responsibilities
Syllabus
COURSE DESCRIPTION
This is the senior capstone course for the Information Security and Assurance major
and the course must be taken in the final year of the student’s degree. The course
integrates learning from all ISA courses and encourages the student to develop skills in
synthesis and communication (both written and oral) as well as teaching new material
about the role of the CISO and the strategic and tactical planning and operation of the
information security department in a variety of organizations. A research paper will be
prepared and presented in the course. Outside speakers will supplement the course
and provide the student additional, outside perspective on the information security
industry.
PREREQUISITES
COURSE OBJECTIVES
RESOURCES
Required:
The Information Systems Security Officer's Guide: Establishing and Managing an Information
Protection Program, Second Edition, by Gerald Kovacich. ISBN: 0750676566, 2003
BUTTERWORTH HEINEMANN
The following documents are available for download from http://csrc.nist.gov
• SP 800-18 Guide for Developing Security Plans for Information Technology Systems,
December 1998
• SP 800-27 Engineering Principles for Information Technology Security (A Baseline for
Achieving Security), June 2001
Recommended:
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Participation 15%
Research Paper 25%
Midterm Exam 20%
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
• The mid-term examination will consist of program assignments and technological
comprehension that cover the lecture material, and assigned readings.
PAPER DESCRIPTION
Students will write a paper on a subject assigned by the instructor on key subjects germane to the
management of information security programs. Paper format and content specifications will be
provided in class.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 4820) in the subject field of any e-mail message that you
send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the content of
which is seldom checked.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s
minimum one semester suspension requirement.
COURSE OUTLINE
Week Topic
1 Introduction to the course
2 The Working Environment of a CISO
We began the process much as we had begun the certificate, by looking at the end product:
the entry-level InfoSec professional. We realized that industry would need instruction on the
new academically prepared InfoSec professional, which would require a deviation from the
traditional model of promoting from within IT or hiring someone else’s InfoSec professional. We
began talking to a number of CISOs, CIOs and other regional IT professionals, including fellow
CISSPs, to determine what they felt the fresh-from-college InfoSec graduate should look like. We
realized that what was missing in the discipline was the bridge between the technical half of
InfoSec and the managerial half. So our goal was to prepare an individual to work in either half,
and eventually to reach the position of CISO.
We then went back to our 10 domains of knowledge and began expanding on the foundation
provided by the certificate:
ISA 3100 – Principles of ISA
ISA 3200 – Applications in ISA
ISA 3300 – Policy and Administration in ISA
ISA 3350 – Computer Forensics
We then began adding areas we found to be critical to the performance of both the InfoSec
technical and managerial expert.
From the technical side we realized the heart of the technical professional’s work was the protection of
servers and the use of information security technologies (firewalls, intrusion detection systems,
antivirus, etc.). So we created a split operating systems security class, focusing on the protection
of both client-side and server-side systems. This allowed us to re-tool the 3200 class into a more
traditional Network Security class, focusing on the security technologies necessary to protect
organizations’ perimeters. We also realized that one area lacking in many programs is a
secure programming class. So we replaced the CS2-type programming class with one designed
to take what the students learn in their Programming Principles I class and scrutinize it for
security issues. We also added a scripting language (CGI, etc.) to this class for good measure.
From the managerial side, we added an incident response and disaster recovery class, to provide
both the planning requirements and the actual hands-on incident response actions. This class is
truly a hybrid between managerial planning and technical performance. We cap the program
with a “how to be a CISO” capstone class, with a major soup-to-nuts security project, requiring
the students to examine an organization (real or case) and design and partially implement a
security solution.
The draft layout of this program was presented to numerous groups, including department
advisory boards, and other experts in Information Security, both academic and practitioner. After
final reviews, it was submitted through the university’s curriculum approval process and
eventually to the University System of Georgia’s Board of Regents. It is customary for a new
degree program to receive supplementary questions prior to the board review and vote. Our
questions hit the heart of the issue: will the graduates find jobs, and is there demand for the
program from both students and industry? Fortunately the IT market had just begun recovery in
earnest and we were able to provide convincing arguments on both counts. The board met and
approved the degree within 5 minutes.
Now the work begins. We have to fully flesh out the courses, including lab exercises, homework
exercises, lecture notes and the like. To assist in this endeavor, we have requested support from
the NSF under the Federal Cyber Service: Scholarship for Service: Capacity Building Grant
program. As KSU was designated a National Center of Academic Excellence in Information
Assurance Education in April 2004 by the NSA and DHS, we are optimistic about our chances.
We have adopted the following books for our courses, and present a brief table of contents for
your consideration:
Table of Contents:
4. Risk Management
7. Security Technology: Intrusion Detection, Access Control, and Other Security Tools
8. Cryptography
9. Physical Security
Table of Contents
1. Information Security Fundamentals
2. Attackers and their Attacks
3. Security Basics
4. Security Baselines
5. Securing the Network Infrastructure
6. Web Security
7. Protecting Advanced Communications
8. Scrambling Through Cryptography
9. Using and Managing Keys
10. Operational Security
11. Policies and Procedures
12. Security Management
13. Advanced Security and Beyond
Appendices
A: CompTIA Security+ Examination Objectives
B: Linux and Windows Security
C: Common TCP/IP Ports and Their Threats
D: Sample Acceptable Use Policy
TOC:
Unit I: INTRODUCTION
Chapter 1: Introduction to Management of Information Security
Table of Contents
1. Computer Forensics and Investigations as a Profession
2. Understanding Computer Investigations
3. The Investigator's Office and Laboratory
4. Current Computer Forensics Tools
5. Processing Crime and Incident Scenes
6. Digital Evidence Controls
7. Working with Windows and DOS Systems
8. Macintosh and Linux Boot Processes and File Systems
9. Data Acquisition
10. Computer Forensics Analysis
11. Recovering Image Files
12. Network Forensics
13. E-Mail Investigations
14. Becoming an Expert Witness and Reporting Results of Investigations
Appendices
A: Certification Test References
B: Computer Forensics References
C: Procedures for Corporate High-Technology Investigations
Table of Contents
1. Footprinting
2. Scanning and Enumeration
3. Operating System Vulnerabilities and Resolutions
4. Network Security Tools and Technologies
5. Security Maintenance
6. Information Security Management
7. File System Security and Cryptography
8. Computer Forensics
Appendix A: Common Utilities Setup and Use
Appendix B: Student Answer Sheets
Appendix C: Contents of the CD
If you would like additional information on these books (e.g. how well they worked in the class,
or what support materials are included) please contact us. All Course Technology texts include
instructor’s ancillaries including PowerPoint slide shows, test banks, and instructor’s guides.
To answer these questions we must consult with other experts in the field and obtain their
insight. NSF support is requested for design revision and extension. We plan to take the
preliminary implementation and draft curriculum model to outside experts for commentary at
national information security education conferences: the World Conference on Information
Security Education and the National Colloquium for Information Systems Security Education.
Information from these conferences will be used to shape an InfoSec curriculum development
workshop.
We have successfully implemented a new ongoing conference for pedagogy and practice of
information security education, held annually in September at KSU. Look for the CFP in
March/April, with the conference announcement going out in May. Contact us if you don’t hear
by then.
The Information Security Curriculum Development Conference
InfoSecCD is one of the first major forums for the presentation of research and pedagogical
experiences associated with the development and practice of Information Security Curriculum in
higher education in the Southeast. The purpose of the conference is to share novel instructional
methods and techniques, pedagogical research findings, curriculum models and methods, and to
identify new directions for future research and development work.
its application. The primary criterion for appropriateness is demonstrated practical relevance.
Evaluation Plan
The project’s evaluation plan is comprised of three elements: 1) peer review by internal and
external academic experts in curriculum development; 2) peer review by academic Information
Security experts; and 3) external review by practitioners in the field of Information Security.
Curriculum Development Peer Review. KSU’s Center for Excellence in Teaching and Learning
(CETL) will serve as an external evaluator of the curriculum developed. The CETL consists of
several faculty dedicated to the development of quality curriculum, and as they will be external
to the information security field, they will be capable of evaluating the curriculum structure
independent of its content. Articles on the curriculum model will also be submitted to
educational journals (e.g. the Journal for MIS Education and the ACM Journal on Educational
Resources in Computing) and to regional conferences (Southern Association for Information
Systems) for peer review. We will also develop and apply an assessment program based on the
Massachusetts model [26].
DISSEMINATION
Subsequent revisions of this document will be disseminated through:
curriculum, teaching and research. Faculty can post works-in-progress and research findings.
The portal also provides information on key curriculum and research issues. We will post the
findings here for the entire IS community to view and comment on, and distribute the findings to
the over 3,750 members of the ISWORLD list server [23]. The CITIDEL project
(www.citidel.org) is a portal designed to serve the computing education community at all
levels, and is part of the National Science, Mathematics, Engineering, and Technology Education
Digital Library. CITIDEL collects educational resources and provides them free of charge to
all interested programs. The results of this study will be submitted to this site as well.
2) Let us know if you like or are using the curriculum model. Send us a letter on letterhead
supporting the curriculum model developed. Your indication of support will be used in
subsequent grant activities designed to improve the curriculum model.
1) Do you feel the department should consider another program? Why or why not?
3) If the department should consider offering this program, what skills do you feel that the
student should possess upon graduation?
Summarize their responses.
Example:
Positions Roles Knowledge Areas
Blank:
3) What courses, that we currently offer, could be included or adapted to support this
program?
If in answering question 1, the institution desires a security program but just hasn’t made up its
mind as to which emphasis it wishes to take, the following set of program objectives may assist.
The following list of program objectives can be used to determine what focus you desire for your
program. Check off the objectives you want graduates of your program to meet, that is, the
qualities your students should possess upon graduation. Use caution, as our first tendency is to
check everything! Realize that this may not be feasible unless you are able to implement an
entire degree program with 7 or more courses exclusively in Information Security related areas.
Once you have checked all desired qualities, the section immediately following the list will
provide guidance on what type of program may be best suited to your desired outcomes.
Upon completion of the program the student will have the following qualities (Check all
that apply):
5. The graduate has the ability to critically analyze and articulate positions on the
legal and ethical implications and influences of Information Security, including
relevant codes of ethics and federal and state laws.
10. The graduate can articulate the composition of popular security models such as
Biba, Bell-LaPadula, etc.
11. The graduate can develop and manage plans for dealing with organizational
contingencies such as incidents and disasters.
12. The graduate can evaluate and recommend effective security architectures using
security technologies, such as bastion hosts, screened subnets and demilitarized
zones.
13. The graduate can develop, implement and manage security programs designed
to improve employee perception of information security, such as security
education, training and awareness programs.
14. The graduate is able to recognize, define and implement intrusion detection
systems-based solutions to appropriate threats, including both host and network
IDS.
16. The graduate is able to evaluate, define and implement defenses against
malicious code attacks such as viruses, worms and denial of service.
17. The graduate can critically discuss popular information security management
practices, standards and models such as ISO 17799, NIST SPs 14 & 18, etc.
18. The graduate is able to evaluate, define and implement defenses as part of
counter intrusion measures against active and passive hacker attacks.
19. The graduate has the ability to conduct Cost/Benefit Analyses on proposed
security countermeasures and present to organizational stakeholders in a
meaningful manner.
20. The graduate is able to evaluate, define and implement effective access controls
technologies and procedures in accordance with organizational policy.
Now that you have specified the desired learning outcomes for your program, add up the number
of checks next to ODD and EVEN numbered objectives. If you find substantially more checks next to ODD
numbers, say 3 or more, then your inclination is toward a managerial program. If you find substantially
more checks next to EVEN numbers, again 3 or more, then your inclination is toward a technical
program. If your two values are approximately equal (within 2 or fewer) your inclination is
toward a balanced program. If you have a total of more than 16 checks you are either very
ambitious or desire a balanced program with an emphasis toward one or the other area.
Balance this information with the feedback obtained in step II.
From the list above, and the information you have gathered and analyzed, identify the 6-10
program objectives that best map to what you want your students to have achieved upon
completion of the material. You can use the list of 20 program objectives in Step V as a starting
point.
Program Objectives:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
Based on the focus of each class, determine the level of mastery desired for each knowledge area.
Perform this exercise within your program using the blank form. Using the following table as a
starting point, you can add columns to represent additional courses, providing additional
depth in managerial or technical areas. Also feel free to add or delete
specific domains and knowledge areas based on your findings in your curriculum efforts.
When finished, take a moment to verify that what you have just created matches the
Management vs. Technical exercise created earlier. If you find you did not fill in many technical
areas with desired depth beyond U (i.e. A or P) and yet you specified a technical program earlier,
you may want to revisit one or both of these activities to determine your preferred path.
Access Controls
Access control fundamentals
Access control types
Access control attacks
Penetration testing methods
Telecommunications* (Some knowledge areas are prerequisite)
Network types (LAN/WAN)
OSI reference model
TCP/IP protocol suite
Telecomm security management
Telecommunications threats and attacks
Remote access protocols
Security Management
Security planning
Security policies
Personnel security
Security personnel
Data classification and storage
Risk Management
Security education, training and awareness program
Change/configuration management
Assessment strategies
Applications Security* (Some knowledge areas are prerequisite)
Systems development life cycles
Database development and management
Systems controls
Distributed applications
Object oriented concepts*
Knowledge based systems*
Application and systems attacks and vulnerabilities
Malicious code
Cryptography
Cryptosystems
Ciphers and encryption algorithms
Asymmetric key systems
Symmetric key systems
Hybrid key systems
Message authentication/message digests
Public key infrastructure
Key management
Digital signatures
Alternative cryptosystems
Security protocols
Security Architecture
Security models
Information systems evaluation criteria
System certification and accreditation
Security architectures
Operations Security
Operations concepts
Threats and countermeasures
Incident response
Auditing
Monitoring
Business Continuity Planning
Contingency planning
Business continuity planning
Disaster recovery planning
Data backup and recovery methods
Crisis management
Law and Ethics
Law categories and types
Computer crimes
Computer crime investigations
Computer ethics
Computer forensics procedures
Physical Security
Site selection and security
Guards
Keys and locks
Doors, walls and gates
Intrusion detection systems
Fire detection and suppression systems
Biometrics
CCTV
References:
[1] Pfleeger, C. and Cooper, D. “Security and Privacy: Promising Advances.” IEEE
Software. 09/1997. 27-32.
[2] MSNBC. “Chinese hackers call truce in China-U.S. cyberwar.” WWW Document.
Viewed 5/12/2001. http://www.msnbc.com/news/571091.asp.
[3] CSI/FBI. “2003 Computer Crime and Security Survey." WWW Document. Viewed
5/10/2003. http://www.gocsi.com.
[5] Chin, S-K, Irvine, C.E., & Frinke, D. “An Information Security Education Initiative for
Engineering and Computer Science.” Naval Postgraduate School Technical Report,
NPSCS-97-003. Naval Postgraduate School, Monterey, CA. 12/1997.
[6] Irvine, C., Chin S-K., & Frincke, D. “Integrating Security into the Curriculum.”
Computer. 31(12). 12/1998. 25-30.
[7] National InfoSec Education and Training Program (NIETP). “Centers Of Academic
Excellence in Information Assurance Education.” WWW Document. Viewed 04/6/2003.
http://www.nsa.gov/isso/programs/coeiae/index.htm.
[8] The White House, “National Strategy to Secure Cyberspace.” WWW Document. Viewed
2/10/2003. http://www.whitehouse.gov/pcipb.
[9] Irvine, C. “Goals for Computer Security Education.” Proceedings of the IEEE
Symposium on Security and Privacy. 05/1996. 24-25.
[10] Irvine, C. “Naval Postgraduate School Center for INFOSEC Studies and Research:
Teaching the Science of Computer Security.” MILCOM Proceedings. Monterey, CA. (1).
11/1997. 405-409.
[11] Vaughn R. and Boggess, III, J. “Integration of computer security into the software
engineering and computer science programs.” The Journal of Systems and Software.
12/1999. 149-153.
[12] National Institute of Standards and Technology Computer Security Resource Center
“Special Publication 800-16 Information Technology Security Training Requirements: A
Role- and Performance-Based Model.” 04/1998. WWW Document. Viewed 04/12/2003.
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.
[13] National Institute of Standards and Technology Computer Security Resource Center. “SP
500-172 Computer Security Training Guidelines.” 11/1989. WWW Document. Viewed
04/12/2003. http://csrc.nist.gov/publications/nistpubs/index.html.
[15] National Science Foundation and the American Association of Community Colleges
Protecting Information: the Role of Community Colleges in Cybersecurity Education
Community College Press, Washington D.C. June 2002.
[16] National InfoSec Education and Training Program (NIETP). “Criteria for Measurement.”
WWW Document. Viewed 04/12/2002.
http://www.nsa.gov/isso/programs/coeiae/measure.htm.
[17] “NSTISSI No. 4011 – National Training Standard for Information Systems Security
(INFOSEC) Professionals.” 06/1994. WWW Document. Viewed 02/12/2002.
http://www.nstissc.gov/Assets/pdf/4011.pdf.
[18] “NSTISSI No. 4014 - National Training Standard for Information Systems Security
Officers (ISSO).” 08/1997. WWW Document. Viewed 02/12/2002.
http://www.nstissc.gov/Assets/pdf/4014.pdf
[19] National InfoSec Education and Training Program (NIETP). “NSA Designates Centers of
Academic Excellence in Information Assurance Education.” WWW Document.
Viewed 2/10/2002. http://www.nsa.gov/isso/programs/nietp/newspg1.htm#Universities.
[21] ACM, AIS & AITP. “IS 2002 Model Curriculum and Guidelines for Undergraduate
Degree Programs in Information Systems.” WWW Document Viewed 5/8/2003.
http://www.aisnet.org/Curriculum/IS2002-12-31.pdf.
[22] Hutton, G. “Backward Curriculum Design Process” WWW Document. Viewed 5/1/2003.
http://www.g4v.com/~glen.hutton/ED3601/BackwardDesignFeb11_03.pdf.
[23] ISWorld. “ISWorld Net List Digest.” WWW Document. Viewed 4/15/2002.
http://disc-nt.cba.uh.edu/isworldlist/index.htm.
[24] Joint Task Force on Computing Curricula (IEEE Computer Society and Association for
Computing Machinery). “Computing Curricula 2001 Computer Science, Final Report.”
December 15, 2001. WWW Document. Viewed 5/10/2002.
http://www.acm.org/sigcse/cc2001/cc2001.pdf.
[25] VASCAN. “Universities with NSTISSI Certification.” Virginia Alliance for Secure
Computing and Networking. WWW Document. Viewed 4/11/2003.
http://www.vascan.org/training/training_materials/certification/nstissi_cert.pdf.
[26] UMass. “Program-Based Review and Assessment: Tools and Techniques for Program
Improvement.” WWW Document. Viewed 5/28/03.
http://www.umass.edu/oapa/assessment/onlinehandbooks/.
[28] KSU “Security Models and Training Standards” WWW Document, Viewed 5/10/2003.
http://infosec.kennesaw.edu/tngstandards.html.
[30] Eddie Schwartz, Dan Erwin, Vincent Weafer, and Andy Briney. “Roundtable: Infosec
Staffing Help Wanted!” Information Security Magazine Online. April 2001. [Cited 22
July 2002]. Available from the World Wide Web
<http://www.infosecuritymag.com/articles/april01/features_roundtable.shtml>.
[31] International Information Systems Security Certification Consortium, Inc. “About SSCP
Certification.” ISC2 Online. [Cited 22 July 2002]. Available from the World Wide Web
<http://www.isc2.org/cgi/content.cgi?category=20>.
[32] ISC2. “The Associate ISC2 Program” WWW Document, Accessed 6/15/2003.
https://www.isc2.org/cgi/content.cgi?category=84#cat07.
[33] Security Certified Programs. “Certifications.” Ascendant Learning, LLC Online. [Cited
22 July 2002]. Available from the World Wide Web
<http://www.securitycertified.net/certifications.htm>.
[34] Trusecure. “TICSA Certification.” Trusecure Online. [Cited 22 July 2002]. Available
from the World Wide Web <http://www.truesecure.com/solutions/certifications/ticsa/>.
[36] Mark Merkow. “Standardizing Information Systems Security Across the Globe: A Look
at ISO17799.” Internet.com Online. 10 September 2001. [Cited 24 June 2002]. Available
from the World Wide Web
<http://ecommerce.internet.com/news/insights/outlook/article/0,3371,10535_881531,00.html>.