Course Code: ISSC661 Course ID: 4103 Credit Hours: 3 Level: Graduate
This course is an advanced study of the principles, practices, procedures, and methodologies to assure the protection and availability of vital digital information systems assets. It examines information assurance, incident management and response, and security standards; and it appraises the convergence between information security, information systems security, and information warfare. This course appraises organizational, legal, technical, and ethical issues related to securing vital digital assets. Topics include: the role of the corporate security officer, corporate cybercrime, electronic commerce, cryptography, and international standards, policies, and security acts. (Prerequisite: ISSC660)
| Registration Dates | Course Dates | Session | Weeks |
|---|---|---|---|
| 11/30/20 - 04/30/21 | 05/03/21 - 06/27/21 | Spring 2021 Session I | 8 Week session |
| 01/25/21 - 07/02/21 | 07/05/21 - 08/29/21 | Summer 2021 Session B | 8 Week session |
| 04/26/21 - 10/01/21 | 10/04/21 - 11/28/21 | Fall 2021 Session B | 8 Week session |
A successful student will fulfill the following learning objectives:
- Assess organizational networks, systems, and information storage solutions.
- Analyze a presented business case for information security principles.
- Synthesize security governance objectives and risk management objectives to develop security strategies.
- Assess peer reviewed information security resources that represent professional thought and viewpoints for security risk assessment activities.
- Develop a cost-effective security strategy using meaningful security program metrics.
- Identify adversarial and non-adversarial threats to a selected information system based on relevant information security management metrics.
- Describe a cost-effective security strategy using meaningful security program metrics.
- Apply security metrics to a risk assessment case study focused on adversarial and non-adversarial threats.
This course has a strong writing component. The goal is to organize, synthesize, and demonstrate your comprehension of core concepts investigated during this course by applying a combination of the terms, concepts, and details you have learned in a systematic way. As important as "the details" that you analyze and arrange in your writing, however, are the conclusions you draw from those details, and your predictions, responses to, and ultimate interpretation of those details. Complementing the critical thinking aspect of these writing assignments is the application of the standard academic style guidelines in the APA 6th Edition style guide, the standard for APU writing, as well as the writing expectations contained in this Syllabus. Ensure you fully understand the Writing Expectations for each writing activity as laid out later in the Syllabus.
Forum Assignments: There will be eight Forum assignments during the course. The assignments will count as 24% of the final grade. Students should expect to post an initial response to the Forum topic / question by Wednesday of each week, comment on other students' postings by Friday, and engage in a dialogue on the topics offered with their peers. Forum postings should express complete responses / thoughts, documented by academic resources that offer support for anecdotal views and personal exemplars. The objective is to provide an understanding of the topic under discussion and to engage in a scholarly dialogue with other members of the class to expand overall understanding and knowledge of the topic.
Assignment - Initial Assessment: Select an organization of your choosing to perform an abbreviated assessment on and then write a 3-4 page information assurance security plan outline that lays out key considerations for decreasing risk and mitigating assessed vulnerabilities. The outline should contain a brief summary of the assessed challenges, a discussion of key IA considerations, options for addressing assessed risk items, and a recommended mitigation approach for each assessed risk. This assignment is intended to gain an initial application of your IA knowledge and to help you focus on the considerations you might address in your research paper. Further, the selection of a particular organizational network, system or information storage solution will set the stage for the Week 8 risk assessment case study. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. Due: Week 1. Points: 1%.
Assignment - Research Paper Topic. You must submit a Research Paper Topic in Week 2 of the course. Your topic must be related to IA Assessments and Evaluations and course objectives as outlined. That topic must be reviewed and approved by the course Professor prior to pursuing the next steps in the Research Paper process. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. Please be aware that this is a progressive research development process that will carry the same approved topic throughout the research paper development process and related assignments. Due: Week 2. Points: 5%.
Assignment - Research Paper Outline: You must submit a Research Paper Outline by the end of Week 3 of the course. Your topic must be related to IA Assessments and Evaluations and course objectives as outlined, using the approved topic submitted during Week 2. Your initial Research Paper References should be included and references must be formatted according to APA 6th Edition style guidelines. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. The objective of this assignment is to synthesize the various information security governance and risk management objectives to help develop the security strategy aspect of your research paper, applying the readings and discussions from the course. Development of 2-3 key information security metrics that would underpin your research is also required, with a brief description of what the metric is, how it will be measured, and why it is important or related to your security strategy. Due: Week 3. Points: 5%.
Assignment - Research Paper Annotated References: You must use a minimum of five (5) sources beyond the course textbooks in Week 4. These sources should be from industry articles, journals, academic and professional books, and case studies. You may not use Wikipedia or Webopedia or any of the ‘pedias’ as a reference. Your references must be formatted according to APA 6th Edition style guidelines. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. The objective of this assignment is to provide the research basis for your research paper effort, expose you to the APUS on-line library to explore peer reviewed materials acceptable for scholarly research, and offer a means to advance your overall knowledge of the information security literature holdings. Due: Week 4. Points: 10%.
Assignment - Draft Research Paper: The Draft Research Paper is due at the end of Week 5 of the course (6 - 8 pages not including the Cover Page or the References listing – APA 6th Edition formatting). The draft will count as 15% of the final grade and the final will count as 25% of the final grade. The paper will follow a conventional paper format (Cover page, Body of Paper with introduction, discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. The objective of creating a draft research paper includes the desire to review your progress and to provide feedback on key aspects that may require additional research and / or development. As this is a progressive research paper activity, within this draft paper your cost-effective security strategy, underpinned by security metrics, should be assessing and identifying issues associated with your selected research topic discussion. Further, initial insights should be emerging at this point that will turn into recommended mitigation actions in your final research paper. Due: Week 5. Points: 15%.
Assignment - Risk Assessment Tables: This assignment will use NIST Special Publication 800-30 (available at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf or in the Course Resources area) as its basis. The selected computing system can be your personal home network (e.g., from ISP appliance to connections within your home location), a work oriented network, or a public network (e.g., public library, commercial venue, free Wi-Fi hotspot). In this assignment, you will create and initially populate adversarial and non-adversarial risk assessment tables patterned after Table I-5 and Table I-7 in NIST SP 800-30. This assignment is intended to prepare for the Week 8 applied risk assessment assignment, wherein you will use these populated tables to gain insight into the selected system's risks, apply knowledge from this course, apply relevant information security metrics, and discuss the considerations that should go into an actual information security risk assessment discussion -- limited to adversarial and non-adversarial threats. This means that you should fill out those two templates as a minimum as part of your assessment. The deliverable for this assignment should be a brief description of your selected information system and Tables I-5 and I-7 created and populated. Due: Week 6. Points: 10%.
Assignment - Final Research Paper: The Final Research Paper is due at the end of Week 7 of the course (10 - 12 pages not including the Cover Page or the References listing – APA 6th Edition formatting). The final will count as 20% of the final grade. The paper will follow a conventional paper format (Cover page, Body of Paper with introduction, discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. The objective of creating the final research paper includes the finalization of your research paper development process, describing and defending a cost-effective security strategy, and basing those upon meaningful security program metrics in order to identify information security responses and outcomes that are effective. As this is the culmination of the progressive research paper activity, you should provide your cost-effective security strategy, underpinned by security metrics, assessing and identifying issues associated with your selected research topic discussion. Further, gained insights from your research and reflection should result in recommended mitigation actions for your selected information security system. Due: Week 7. Points: 20%.
Assignment - Risk Assessment Case Study: The Risk Assessment case study will use NIST Special Publication 800-30 (available at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf or in the Course Resources area) as the basis for performing a risk assessment of a selected computing system. Using the Week 6 information, wherein you selected your information system for assessment and initially populated Tables I-5 and I-7 from NIST SP 800-30, you will now finalize the creation and population of your adversarial and non-adversarial risk assessment tables patterned after Table I-5 and Table I-7 in NIST SP 800-30 – this means that you should fill out those two templates as a minimum as part of your assessment – and provide discussion and analysis from that assessment. This case study will count for 10% of the final grade. This case study will be due at the end of Week 8. The case study should be between 7-8 pages long (not counting the Cover and Reference pages); the Tables can either be embedded in the text of your discussion or included as attachments to your paper; and the paper will follow a conventional paper format (Cover page, Body of Paper with introduction, risk assessment / discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. Due: Week 8. Points: 10%.
See Appendix A – Grading Rubric for Grading Criteria on assignments listed above.
| Category | Assignment | Weight |
|---|---|---|
| Forum Assignments (24.00 %) | Week 1 Forum | 3.00 % |
| | Week 2 Forum | 3.00 % |
| | Week 3 Forum | 3.00 % |
| | Week 4 Forum | 3.00 % |
| | Week 5 Forum | 3.00 % |
| | Week 6 Forum | 3.00 % |
| | Week 7 Forum | 3.00 % |
| | Week 8 Forum | 3.00 % |
| Initial Assignment (1.00 %) | Week 1 Assignment: Initial Assessment | 1.00 % |
| Research Paper Topic & Outline (10.00 %) | Week 2 Assignment - Research Paper Topic | 5.00 % |
| | Week 3 Assignment - Research Paper Outline | 5.00 % |
| Research Paper References (10.00 %) | Week 4 Assignment - Research Paper Annotated References | 10.00 % |
| Research Paper Draft Assignment (15.00 %) | Week 5 Assignment - Draft Research Paper | 15.00 % |
| Research Paper Final (20.00 %) | Week 7 Assignment - Final Research Paper | 20.00 % |
| Risk Assessments (20.00 %) | Week 6 Assignment - Risk Assessment Tables | 10.00 % |
| | Week 8 Assignment - Risk Assessment Case Study | 10.00 % |
Web Resources for Information Assurance: Assessment and Evaluation
- Information Security Risk Management
  - Risk Management Guide for Information Technology Systems. (2002). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf
  - Sound Practices for the Management and Supervision of Operational Risk Management. (2003). Retrieved from http://www.bis.org/publ/bcbs96.pdf
  - The ISO 27001 Directory. Retrieved from http://www.27000.org/
- Quantitative vs. Qualitative Risk Assessment
  - Data Centric Quantitative Computer Security Risk Assessment. Retrieved from http://www.sans.org/reading_room/whitepapers/auditing/data-centric-quantitative-computer-security-risk-assessment_1209
  - Rot, A. (2003). IT Risk Assessment: Quantitative and Qualitative Approach. Retrieved from http://www.iaeng.org/publication/WCECS2008/WCECS2008_pp1073-1078.pdf
- Security Control Development and Evaluation
  - The Center for Internet Security. Retrieved from http://www.cisecurity.org
  - US-CERT: United States Computer Emergency Readiness Team. Retrieved from http://www.us-cert.gov
- Business Impact Analysis
  - ISO 27001 & BS 25999 Business Impact Analysis. Retrieved from http://blog.iso27001standard.com/tag/business-impact-analysis/
  - Peltier, T. (2000). Effective Risk Analysis. Retrieved from http://csrc.nist.gov/nissc/2000/proceedings/papers/304slide.pdf
- Risk Assessment Process
  - Cline, B. (2007). "The Information Security Assessment and Evaluation Methodologies: A DoD Framework for Control Self-assessment." ISACA Journal, Vol 2. Retrieved from http://www.isaca.org/Journal/Past-Issues/2007/Volume-2/Documents/jopdf0702-info-security-request.pdf
  - Information Systems Security Assessment Framework. Retrieved from http://www.oissg.org/downloads/issaf-0.2/information-systems-security-assessment-framework-issaf-draft-0.2.1a/view.html
  - Mencik, S. How to Conduct an Information Security (INFOSEC) Assessment. Retrieved from http://searchsecurity.techtarget.com/searchSecurity/downloads/StephenMencik.ppt
- Security Controls & Risk Acceptance
  - Lennon, E. IT Security Metrics. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnaug03.htm
  - 20 Critical Security Controls. Retrieved from http://www.sans.org/critical-security-controls/
  - Elements of a Good Security Assessment Report. Retrieved from http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1235715,00.html
| Book Title | Publication Info | Author |
|---|---|---|
| Information Security Management Metrics (eBook available in the APUS Online Library) | Auerbach Publications | Brotby, W. Krag |
| Information Security Fundamentals, 2nd edition (REFERENCE ONLY: this text is REQUIRED in ISSC661 and ISSC680 and is used as a reference only for the other courses in the ISSC program; eBook available in the APUS Online Library) | Auerbach Publications | Thomas R. Peltier |
| Security Risk Assessment Handbook, 2nd ed. (eBook available in the APUS Online Library) | Taylor & Francis/CRC Press | Landoll, Douglas J. |
Not current for future courses.