New Page 0

BA 4V95

Information Technology Security and Audit

COURSE DESCRIPTION

The increasingly reliance on Information Technology (IT) in the corporate environment and the extension of commercial information services to consumers have brought upon legitimate security concerns associated with information systems. The understanding of security issues for management is crucial to safeguard the interests of organizations. The responsibilities of an IS manager include corporate security management, policy design and operational issues. This involves information assurance, detection and prevention of potential security threats to the organizations information as well as information systems, and contingency planning in case of successful security attacks. In addition, an understanding of security technologies is also essential for an IS manager to better manage and prevent security threats.

COURSE LEARNING OBJECTIVES

To provide an overview to various topics in information security with a balanced focus on both the managerial and technological aspects. Some of the key topics are information security risk management, cryptography, firewall, disaster recovery, etc. In addition, relevant security related social themes such as privacy and legal issues would also be covered in this course. The goal is to provide an overview of common security practices and introduce the concepts related to applied security technologies. This would enable the students to properly identify and analyze corporate security requirements.

MAJOR TOPICS

Principles of Information Security (PIS) - Introduction, Risk Management, Security Technology, Cryptography, Blueprint for Security, Managing the Security Functions, Intrusion Detection and Disaster Recovery, Security Implementation and Maintenance, Law and Forensics.

Computer and Network Security (CCNS) - Security Framework, TCP/IP Architecture, Attack Methods, Security Technology, Authentication, Firewall, Cryptography, Blueprint for Security, Managing the Security
Functions, Intrusion Detection and Disaster Recovery, Hot Security, and Application Security.

Potential Term Topics
1.) Role of Chief Security Officer (CSO)
2.) Evaluation of security related issues in open source software
3.) IT security insurance
4.) Return of Security Investment (ROSI)
5.) Evaluation of security technology (exclude firewall, intrusion detection system)
6.) Security metrics
7.) Security outsourcing

Required Text:

Michael Whitman and Herbert Mattord, Principles of Information Security, Thompson Course Technology, December 2002, ISBN: 0-619-06318-1
Paul Campbell, Ben Calvert and Steven Boswell, Security+ Guide to Network Security Fundamentals, Cisco Learning Institute, December 2002, ISBN: 0-619-12017-7

References:

John E. Canavan, The Fundamental of Network Security, Artech House Publishers, February 2001, ISBN: 158053176
Simson Garfinkel, Gene Spafford and Debby Russell, Web Security, Privacy and Commerce, O’Reilly & Associates, Inc., January 2002, ISBN: 0596000456
Risk Management Guide for Information Technology Systems, Special Publication 800-30, National Institute of Standards and Technology (NIST), January 2002, Technology Administration, U.S. Department of Commerce, August 2001 (Available at http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf)
An Introduction to Computer Security: The NIST Handbook, Special Publication 800-12, National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, October 1995. (Available at http://csrc.nist.gov/publications/nistpubs/800-12/)
Wireless Network Security, Special Publication 800-48, National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, August 2001
Guidelines on Firewalls and Firewall Policy, Special Publication 800-41, National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, January 2002
Intrusion Detection Systems (IDS), Special Publication 800-31, National Institute of Standards and Technology (NIST), Technology Administration, U.S. Department of Commerce, August 2001