IS 6383/ IS 4473:
Policy Assurance for Infrastructure Assurance
Fall 2011
Department of Information Systems and Technology Management
The University of Texas at San Antonio

Instructor: Prof. Seok-Won Lee, Ph.D.
Web page: http://www.machinediscovery.com
Email: Seok-Won.Lee@utsa.edu (Always insert “IS 6383/IS 4473” in the Subject line)
Office Phone: 210-458-8548
Office Location & Hours: BB 4.02.22, Thursday 4:00 – 5:00 PM
Classroom: MH (previously HSS) 3.01.18
Meeting Time: Tuesdays & Thursdays, 7:00 – 8:15 PM

Course Objectives:  
The course provides students with the foundations of Information Security Policies, Procedures and Standards. A successful Information Security program relies not only on technical measures but on the convergence of technology, policy and people. The course will discuss the fundamentals of designing, creating and deploying information and infrastructure assurance policies. Topics will include: policy development practices, frameworks, writing mechanics, design techniques, standards and best practices, and legal, ethical and privacy issues. Course content is derived from the reference text and extensive external sources.

Required Course Materials:   
1. Introduction to Computer Security, by M. Bishop (ISBN 0321247442)

Recommended Course Materials (Reference Books): 
2. Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, by Thomas R. Peltier (ISBN 0849311373)
3. Information Security Policies and Procedures: A Practitioner’s Reference, by Thomas R. Peltier (ISBN 0849319587)
4. Security Policies and Procedures: Principles and Practices, by Sari Stern Greene, Prentice Hall (ISBN 0131866915)
5. Security in Computing, by C. P. Pfleeger (ISBN 0130355488)

The following is a tentative schedule of topics, textbook references, assignments, and assignment due dates. As circumstances dictate, I reserve the right to change this schedule, including but not limited to tests, assignments, due dates, etc. Please review these assignments before they are due so you turn in the proper material.

Topics (Tentative)
• Overview of Computer Security
• Overview of Information Protection Fundamentals
• Writing Mechanics and the Message
• Policy Development
• Access Control Matrix
• Security, Confidentiality, Integrity, Hybrid Policies
• Design Principles
• Access Control Mechanisms
• Intro to Assurance
• Evaluating Systems
• Vulnerability Analysis
• Auditing
• Security Certification & Accreditation
• Risk Analysis and Management

Schedule (Tentative)

Meeting  | Date  | Topics (Tentative) | Due | Misc
---------|-------|--------------------|-----|-----
1 (W1)   | 8/25  | Introduction | |
2 (W2)   | 8/30  | Overview of Computer Security | | Bishop Ch1
3        | 9/1   | Information Protection Fundamentals, Writing Mechanics, Messages and the Policy Development (Policy, Standard, Process); SANS: Information Security Policy Templates | | Peltier Ch3
         |       | Access Control Matrix | | Bishop Ch2
4 (W3)   | 9/6   | Security Policies | | Bishop Ch4
5        | 9/8   | Confidentiality Policies | Project Topics Due | Bishop Ch5
6 (W4)   | 9/13  | Integrity Policies / Hybrid Policies | | Bishop Ch6, 7
7        | 9/15  | Group Project Discussion; Reading1: Role-based access control Models by Ravi Sandhu; Reading2: Authorization and Authentication using XACML & SAML | |
8 (W5)   | 9/20  | Hybrid Policies | | Bishop Ch7
9        | 9/22  | Design Principles / Access Control Mechanisms | | Bishop Ch 12, 14
10 (W6)  | 9/27  | Role-based Access Control (RBAC) | |
11       | 9/29  | Group Project Midterm Review | |
12 (W7)  | 10/4  | Midterm Exam (In Class) | |
13       | 10/6  | Introduction to Assurance | | Bishop Ch17
14 (W8)  | 10/11 | Security Certification & Accreditation | |
15       | 10/13 | Preliminary Presentation on Group Project (by this time, you are expected to have finalized the company description, defined stakeholders, interfaces, threats, and vulnerabilities, reviewed regulations and legislation, and created the structure of policies with their rationales in relation to the company type); Risk Analysis & Management (NIST 800-30) | |
16 (W9)  | 10/18 | Identifying Security Controls (NIST SP 800-53, 800-36); Graduate Student Presentation | |
17       | 10/20 | Evaluating Systems / Auditing / Vulnerability Analysis | | Bishop Ch 18, 20, 21
18 (W10) | 10/25 | XACML (Extensible Access Control Markup Language) | |
19       | 10/27 | Information Categorization, System Categorization and Asset Profiling (NIST SP 800-60, FIPS 199) | |
20 (W11) | 11/1  | Security Compliance & Related Policies | |
21       | 11/3  | Evaluating Security Controls (NIST SP 800-53A, 800-115); Graduate Student Presentation | |
22 (W12) | 11/8  | SCADA Control Policies | |
23       | 11/10 | Morality and Ethics in Policy Assurance, Managing Trust | Written Report Due |
24 (W13) | 11/15 | Invited Talk: Activity Centric Access Control for Social Computing | |
25       | 11/17 | Project Presentation | |
26 (W14) | 11/22 | Project Presentation | |
         | 11/24 | Thanksgiving Holiday 11/24-26 (No Class) | |
27 (W15) | 11/29 | Project Presentation | |
28       | 12/1  | Project Presentation | |
29 (W16) | 12/6  | Project Presentation & Final Reviews | |
30       | 12/10 | Final Exam 5:00 – 7:30 PM (Saturday) | |

Course Requirements:
This course is designed to be highly interactive. I will present the basic concepts, and you are expected to apply them. You should be prepared to attend class, read the assignments (including the material provided from external sources), participate in class discussions, conduct outside research to better understand the material, study for exams, seek help if you do not understand any material, and produce a product that you would be proud to show to others.

Group Project:
There is one project for this class: Design a comprehensive Information Security Policy for an organization in a specific business type. The project would involve understanding the business policies, procedures, operations and strategies for the selected business. The project will also require outside research to familiarize you with legal, privacy and ethical concerns for that business type.

Project Description:
Organize into teams of 3-4 students each (depending upon the class size) to design, formulate and deploy an Information Security Policy. (Note: IS 6383 Graduate students need to organize into teams of 2-3 students. IS 4473 Undergraduate students need to organize into teams of 3-4 students. A team can consist of either undergraduate students or graduate students but not both.) Specifically, you are to choose one of the business types and, based upon the business type you selected, define a company (real or fictitious) that meets the business type, and then apply the concepts from the chapters, external material, as well as class discussions. You are expected to present the information security policy, focusing on the characteristics of your given company. It will soon become obvious to you that the security policy is not the same for all companies and all situations.

Business types include the following:
• Full Service Bank
• Hospital
• Law Enforcement Agency (ex. Police department)
• Global Telecommunications Company
• Web-based Vendor
• Charitable Organization
• Online Auctions
• Hospitality Firm (ex. Hotel)
• Educational Institution and more…

You may use any other business/industry type. However, you would need my prior permission and I would have to approve the business type.

Topic Selection: Topic selections are on a first come, first served basis. Each team is expected to send me, via e-mail (Seok-Won.Lee@utsa.edu), a list of all team members and a ranked order (in case of tie) of your topic selection by Thursday, September 8, 2011.

Written Report: The results of your project are to be presented in the following format: cover page, table of contents (including location of illustrations and exhibits), the report, alphabetical list of references cited, and hard copy of all references cited. The table of contents should list all major headings, exhibits, and illustrations (including page locations).
Write the policy as if you are writing an actual information assurance and security policy for the chosen organization. The written report should be at least 15 pages long (not including the title page, table of contents and references). Include at least 15 references other than your textbook. Written reports are due on Thursday, November 10, 2011.

The written report should contain at least the following:
• Organizational Overview
• Description of stakeholders
• Mission Statement
• Objectives
• Current information infrastructure
• Risk assessment and security requirements
• Security Architecture
• Legal issues specific to the organization
• Standards, guidelines, best practices that governed your design
• Policy development approach
• Any design technique utilized (provide detailed analysis)
• Actual written policy for the chosen organization. Some of the suggested specific policies are:
  • Email use policy
  • Software deployment and use policy
  • Password policy
  • Asset classification policy
  • Laptop use policy
  • File sharing policy
  • Network use policy
  • Anti-virus policy
  • Disaster Recovery policy
    • Including system backup policy
  • Remote access policy
  • Training policy
• Approaches to handle security violations
• Vendor selection criteria
• Deployment strategy
• Policy awareness program
• Criteria for evaluating the policy effectiveness
• Policy re-assessment plan

NOTE: The final report should reflect at least eight weeks of work, producing a quality product. Grading will be based upon this amount of expected effort. If you put minimal effort in the project, your project grade will also probably reflect minimal effort.

Submission Guidelines: Your written report is due Thursday, November 10, 2011. Submit to me an electronic copy of your paper (preferably in PDF format, MS Word format also acceptable). Best way to submit the files electronically is through email. Also, where possible, include electronic copies of your cited references. If the reference is from the Web, save a copy, assuring the URL is noted on the footer. If you do not have access to an electronic copy of your reference, either scan the reference or include a hard copy. If you are citing from a book, only include the area referenced within the book. If all citations are in electronic format, you do not need to submit any of your report in hard copy format.

Your final paper submission should contain the following:
• Electronic copy of your paper and project presentation
• Electronic copies of cited papers or the web links to the cited sources
• Hard copy of any papers, books, etc. cited which are NOT in electronic format

Presentation: The presentations offer you the chance to impart knowledge to the rest of the class. Each group will be allocated 25 minutes for presentation. 10 additional minutes will be dedicated to discussion and questions. Presentation content will focus on the methods and process used to finalize the policies presented in the written report. Presentation should clearly identify the information and requirements that were instrumental in the development of the policies. Discussion on actual policies should be restricted to a few key elements.

At the end of your presentation, include a slide that contains two questions pertaining to your presentation that you expect the rest of the class to be able to answer. These questions will be used as study guides for the final exam.

Group presentations will be held during class periods starting from the week of Tuesday, November 15, 2011. Absence of a team member on the day of presentation is not sufficient cause for delaying a presentation.

Peer Evaluation: This is expected to be a group project. All team members are expected to contribute equally to the project. Any team member who does not contribute his or her fair share on the project should not expect to receive the same project grade as others. Following the team presentation, each team is to submit evaluations of each team member. Please use the attached peer evaluation form. If there are three members on a team, A and B evaluate C; B and C evaluate A; and A and C evaluate B. Individual project grade = team project grade * peer evaluation percentage. For example, if your group project grade = 90, and peer evaluation grade = 100, your individual project grade = 90. However, if your team project grade = 90 and peer evaluation grade = 50, your individual project grade = 45!
Peer evaluations are due within one week after your presentation. If I do not receive evaluations by that time, I will assume that all group members received a 100% evaluation.
Choose your teammates wisely. If you have a problem with a teammate, try to work it out among yourselves. If you cannot resolve the problem, you can elect to fire a member. However, all other team members must agree, and no member can be fired after Thursday, September 29, 2011.

Class Participation:
Questions, comments, etc. are encouraged. If you do not understand some of the material, please ask questions. You are expected to participate in discussions during the class periods. You may also be called upon to do research on specific topic/topics and present it to the class.

Exams:
Exam content is based on reading assignments, class discussion, and group presentations related to the cases. You are expected to fully understand these topics. Exams may include a mix of multiple choice, short answer and essay questions. Exam questions are based on one’s understanding of the subject, rather than one’s ability to memorize. The best way to study for these exams is to review class and lecture notes, formulate questions related to the content, and write out a detailed response to the question. Also, you are responsible for knowing the answers to the questions posed by presentation groups. Please feel free to see me during office hours (or by appointment) to discuss your proposed questions and responses prior to an exam.   Make Up Exams Will Not Be Given. If you miss an exam and notify me prior to the exam, you will be required to take a comprehensive final, and the final exam grade will count twice (for the final and for the exam missed). If you miss an exam and DO NOT notify me prior to the exam, you will receive a zero for the exam.

GRADUATE STUDENT PRESENTATION
Graduate students registered for IS 6383 will have to make two 20-minute presentations on specified topics. The list of topics represents a few key pieces of legislation, regulations, standards or best practices that are critical for the development of information security policies. Students are expected to present the key elements of the document and how they relate to information assurance. The instructor will provide more specific guidance in class.

GRADING CRITERIA
IS 4473
Project 130 points (group project * peer evaluation %)
Attendance/Participation 20 points
Exams 300 points
Total 450 points
IS 6383
Project 130 points (group project * peer evaluation %)
Attendance/Participation 20 points
Class Presentation 50 points
Exams 300 points
Total 500 points
FINAL GRADE IS BASED ON POINTS ACCUMULATED
IS 4473                 IS 6383
A = 405 – 450 points    A = 450 – 500 points
B = 360 – 404 points    B = 400 – 449 points
C = 315 – 459 points    C = 350 – 399 points
D = 270 – 314 points    D = 300 – 349 points
F = < 270 points        F = < 300 points

Special Notes:

Academic Honesty:
As written in the UTSA Student Code of Conduct, “The University can best function and accomplish its objectives in an atmosphere of high ethical standards. All students are expected and encouraged to contribute to such an atmosphere in every way possible, especially by observing all accepted principles of academic honesty. It is recognized, however, that a large university will include a few students who do not understand, appreciate or practice these principles. Consequently, alleged cases of academic dishonesty involving UTSA students will inevitably occur.
Academic or scholastic dishonesty includes, but is not limited to, cheating, plagiarism, collusion, the submission for credit of any work or materials that are attributable in whole or in part to another person, taking an examination for another person, any act designed to give unfair advantage to a student or the attempt to commit such acts. Academic dishonesty is a violation of the Student Code of Conduct.” Students are expected to follow the UTSA honor pledge:

“On my honor, as a student of The University of Texas at San Antonio, I will uphold the highest standards of academic integrity and personal accountability for the advancement of the dignity and the reputation of our university and myself.”

IS 6383 / IS 4473
FALL 2011
PROJECT PRESENTATION GRADING CRITERIA

GROUP_______________________________

ORGANIZATION__________________________

(Maximum Points = 30 points)

Was the presentation clear (i.e. did not read presentation to audience, spoke clearly and loudly)?
(0-10) ___________________

Provided in-depth coverage of the subject; clearly evident that group relied upon material other than that available in the text book
(0-10) ___________________

Provided well thought out secure design for given company and conditions
(0-10) ___________________

TOTAL ___________________

Presentation exceeded or was significantly under the allotted time
(Loss of 5 points) ___________________

IS 6383 / IS 4473
FALL 2011
PROJECT WRITTEN REPORT GRADING CRITERIA

GROUP_______________________________

ORGANIZATION__________________________

(Maximum Points = 100 points)

Was the paper well organized, well written, and thorough?
(0-20) ___________________

Was the paper in the format specified (cover page, TOC, illustrations and/or tables, references, etc.)?
(0-10) ___________________

Did the paper provide a convincing, well thought out policy for the company? Was the policy tailored to the specific company rather than generic? Did the group explain how they arrived at the policy? Was the quality of the paper indicative of 8 weeks of work?
(0-50) ___________________

Did the group perform a thorough review of the literature? Were at least 15 references cited, and were they of high quality, directly related to the given topic?
(0-10) ___________________

Was the paper properly referenced? Were electronic copies of each article submitted?
(0-10) ___________________

TOTAL ___________________

Evidence of plagiarism will result in a project grade of zero for all team members. All team members are expected to have fully reviewed the paper before submission.

IS 6383 / IS 4473
FALL 2011
PEER EVALUATION FORM

GROUP_______________________________

ORGANIZATION__________________________

Each category is rated on a scale of 1 to 5 in which 5 = outstanding, 4 = very good, 3 = acceptable, 2 = had some problems, 1 = poor, and 0 = totally unacceptable.

Category                                            | Team Member Name: ________ | Team Member Name: ________
----------------------------------------------------|----------------------------|----------------------------
Completed assignments on time                       |                            |
Provided Quality Work                               |                            |
Provided Valuable input during group discussions    |                            |
Was available, when needed, to complete the project |                            |
Would like to work with this person again           |                            |
Total                                               |                            |
Percentage = Total X 4                              |                            |

Evaluating team member:

Name ____________________________ Signature ___________________________

Submit one form per evaluating team member. Team members do not participate in the evaluation of themselves.