ISSC661 - Information Assurance: Assessment and Evaluation

Course Details

Course Code: ISSC661
Course ID: 4103
Credit Hours: 3
Level: Graduate

This course is an advanced study of the principles, practices, procedures, and methodologies to assure the protection and availability of vital digital information systems assets. It examines information assurance, incident management and response, and security standards; and it appraises the convergence between information security, information systems security, and information warfare. This course appraises organizational, legal, technical, and ethical issues related to securing vital digital assets. Topics include: the role of the corporate security officer, corporate cybercrime, electronic commerce, cryptography, and international standards, policies, and security acts. (Prerequisite: ISSC660)

Prerequisites

ISSC660

Course Schedule

Registration Dates     Course Dates           Session                  Weeks
05/27/19 - 11/01/19    11/04/19 - 12/29/19    Fall 2019 Session I      8 Week session
07/29/19 - 01/03/20    01/06/20 - 03/01/20    Winter 2020 Session B    8 Week session
09/30/19 - 02/28/20    03/02/20 - 04/26/20    Winter 2020 Session D    8 Week session

Current Syllabi

A successful student will fulfill the following learning objectives:

  1. Assess organizational networks, systems, and information storage solutions.
  2. Analyze a presented business case for information security principles.
  3. Synthesize security governance objectives and risk management objectives to develop security strategies.
  4. Assess peer reviewed information security resources that represent professional thought and viewpoints for security risk assessment activities.
  5. Develop a cost-effective security strategy using meaningful security program metrics.
  6. Identify adversarial and non-adversarial threats to a selected information system based on relevant information security management metrics.
  7. Describe a cost-effective security strategy using meaningful security program metrics.
  8. Apply security metrics to a risk assessment case study focused on adversarial and non-adversarial threats.

This course has a strong writing component. The goal is to organize, synthesize, and demonstrate your comprehension of core concepts investigated during this course by applying a combination of the terms, concepts, and details you have learned in a systematic way. As important as "the details" that you analyze and arrange in your writing, however, are the conclusions you draw from those details, and your predictions, responses to, and ultimate interpretation of those details. Complementing the critical thinking aspect of these writing assignments is the application of the standard academic style guidelines in the APA 6th Edition style guide, the standard for APU writing, as well as the writing expectations contained in this Syllabus. Ensure you fully understand the Writing Expectations for each writing activity as laid out later in the Syllabus.

Forum Assignments: There will be eight Forum assignments during the course. The assignments will count as 24% of the final grade. Students should expect to post an initial response to the Forum topic / question by Wednesday of each week, to comment on other student postings by Friday, and to engage in a dialogue on the topics offered with their peers. Forum postings should express complete responses / thoughts, documented by academic resources that offer support for anecdotal views and personal exemplars. The objective is to provide an understanding of the topic under discussion and to engage in a scholarly dialogue with other members of the class to expand overall understanding and knowledge of the topic.

Assignment - Initial Assessment: Select an organization of your choosing to perform an abbreviated assessment on and then write a 3-4 page information assurance security plan outline that lays out key considerations for decreasing risk and mitigating assessed vulnerabilities. The outline should contain a brief summary of the assessed challenges, a discussion of key IA considerations, options for addressing assessed risk items, and a recommended mitigation approach for each assessed risk. This assignment is intended to gain an initial application of your IA knowledge and to help you focus on the considerations you might address in your research paper. Further, the selection of a particular organizational network, system or information storage solution will set the stage for the Week 8 risk assessment case study. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. Due: Week 1. Points: 1%.

Assignment - Research Paper Topic: You must submit a Research Paper Topic in Week 2 of the course. Your topic must be related to IA Assessments and Evaluations and course objectives as outlined. That topic must be reviewed and approved by the course Professor prior to pursuing the next steps in the Research Paper process. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. Please be aware that this is a progressive research development process that will carry the same approved topic throughout the research paper development process and related assignments. Due: Week 2. Points: 5%.

Assignment - Research Paper Outline: You must submit a Research Paper Outline by the end of Week 3 of the course. Your topic must be related to IA Assessments and Evaluations and course objectives as outlined, using the approved topic submitted during Week 2. Your initial Research Paper References should be included and references must be formatted according to APA 6th Edition style guidelines. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. The objective of this assignment is to synthesize the various information security governance and risk management objectives to help develop the security strategy aspect of your research paper, applying the readings and discussions from the course. Development of 2-3 key information security metrics that would underpin your research is also required, with a brief description of what the metric is, how it will be measured, and why it is important or related to your security strategy. Due: Week 3. Points: 5%.

Assignment - Research Paper Annotated References: You must use a minimum of five (5) sources beyond the course textbooks in Week 4. These sources should be from industry articles, journals, academic and professional books, and case studies. You may not use Wikipedia or Webopedia or any of the ‘pedias’ as a reference. Your references must be formatted according to APA 6th Edition style guidelines. See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance. The objective of this assignment is to provide the research basis for your research paper effort, expose you to the APUS on-line library to explore peer reviewed materials acceptable for scholarly research, and offer a means to advance your overall knowledge of the information security literature holdings. Due: Week 4. Points: 10%.

Assignment - Draft Research Paper: The Draft Research Paper is due at the end of Week 5 of the course (6 - 8 pages not including the Cover Page or the References listing – APA 6th Edition formatting). The draft will count as 15% of the final grade and the final will count as 25% of the final grade. The paper will follow a conventional paper format (Cover page, Body of Paper with introduction, discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. The objective of creating a draft research paper includes the desire to review your progress and to provide feedback on key aspects that may require additional research and / or development. As this is a progressive research paper activity, within this draft paper your cost-effective security strategy, underpinned by security metrics, should be assessing and identifying issues associated with your selected research topic discussion. Further, initial insights should be emerging at this point that will turn into recommended mitigation actions in your final research paper. Due: Week 5. Points: 15%.

Assignment - Risk Assessment Tables: This assignment will use NIST Special Publication 800-30 (available at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf or in the Course Resources area) as its basis. The selected computing system can be your personal home network (e.g., from ISP appliance to connections within your home location), a work-oriented network, or a public network (e.g., public library, commercial venue, free Wifi hotspot). In this assignment you will initially create and populate adversarial and non-adversarial risk assessment tables patterned after Table I-5 and Table I-7 in NIST SP 800-30. This assignment is intended to prepare for the Week 8 applied risk assessment assignment, wherein you will use these populated tables to gain insight into the selected system's risks, apply knowledge from this course, apply relevant information security metrics, and discuss the considerations that should go into an actual information security risk assessment discussion -- limited to adversarial and non-adversarial threats. This means that you should fill out those two templates as a minimum as part of your assessment. The deliverable for this assignment should be a brief description of your selected information system and Tables I-5 and I-7 created and populated. Due: Week 6. Points: 10%.

Assignment - Final Research Paper: The Final Research Paper is due at the end of Week 7 of the course (10 - 12 pages not including the Cover Page or the References listing – APA 6th Edition formatting). The final will count as 20% of the final grade. The paper will follow a conventional paper format (Cover page, Body of Paper with introduction, discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. The objective of creating the final research paper includes the finalization of your research paper development process, describing and defending a cost-effective security strategy, and basing those upon meaningful security program metrics in order to identify information security responses and outcomes that are effective. As this is the culmination of the progressive research paper activity, you should provide your cost-effective security strategy, underpinned by security metrics, assessing and identifying issues associated with your selected research topic discussion. Further, gained insights from your research and reflection should result in recommended mitigation actions for your selected information security system. Due: Week 7. Points: 20%.

Assignment - Risk Assessment Case Study: The Risk Assessment case study will use NIST Special Publication 800-30 (available at http://csrc.nist.gov/publications/drafts/800-30-rev1/SP800-30-Rev1-ipd.pdf or in the Course Resources area) as the basis for performing a risk assessment of a selected computing system. Using the Week 6 information, wherein you selected your information system for assessment and initially populated Tables I-5 and I-7 from NIST SP 800-30, you will now finalize the creation and population of your adversarial and non-adversarial risk assessment tables patterned after Table I-5 and Table I-7 in NIST SP 800-30 – this means that you should fill out those two templates as a minimum as part of your assessment – and provide discussion and analysis from that assessment. This case study will count for 10% of the final grade. This case study will be due at the end of Week 8. The case study should be between 7-8 pages long (not counting the Cover and Reference pages); the Tables can either be embedded in the text of your discussion or included as attachments to your paper; and it will follow a conventional paper format (Cover page, Body of Paper with introduction, risk assessment / discussion / analysis / argument / body, conclusion, and references pages). See the Writing Expectations contained in the Policies section of the Syllabus for specific focus areas / guidance as well as conforming with APA 6th edition style guidelines. Due: Week 8. Points: 10%.

See Appendix A – Grading Rubric for Grading Criteria on assignments listed above.

Name                                                        Grade %
Forums                                                      24.00 %
    Week 6 Forum                                             3.00 %
    Week 1 Forum                                             3.00 %
    Week 2 Forum                                             3.00 %
    Week 3 Forum                                             3.00 %
    Week 4 Forum                                             3.00 %
    Week 5 Forum                                             3.00 %
    Week 7 Forum                                             3.00 %
    Week 8 Forum                                             3.00 %
Initial Assignment                                           1.00 %
    Week 1 Assignment: Initial Assessment                    1.00 %
Research Paper Topic & Outline                              10.00 %
    Week 2 Assignment - Research Paper Topic                 5.00 %
    Week 3 Assignment - Research Paper Outline               5.00 %
Research Paper References                                   10.00 %
    Week 4 Assignment - Research Paper Annotated References 10.00 %
Research Paper Draft Assignment                             15.00 %
    Week 5 Assignment - Draft Research Paper                15.00 %
Research Paper Final                                        20.00 %
    Week 7 Assignment - Final Research Paper                20.00 %
Risk Assessments                                            20.00 %
    Week 8 Assignment - Risk Assessment Case Study          10.00 %
    Week 6 Assignment - Risk Assessment Tables              10.00 %

Selected References

Web Resources for Information Assurance: Assessment and Evaluation

  1. Information Security Risk Management

Risk Management Guide for Information Technology Systems. (2002). Retrieved from http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf

Sound Practices for the Management and Supervision of Operational Risk Management. (2003). Retrieved from http://www.bis.org/publ/bcbs96.pdf

The ISO 27001 Directory. Retrieved from http://www.27000.org/

  2. Quantitative vs. Qualitative Risk Assessment

Data Centric Quantitative Computer Security Risk Assessment. Retrieved from http://www.sans.org/reading_room/whitepapers/auditing/data-centric-quantitative-computer-security-risk-assessment_1209

Rot, A. (2003). IT Risk Assessment: Quantitative and Qualitative Approach. Retrieved from http://www.iaeng.org/publication/WCECS2008/WCECS2008_pp1073-1078.pdf

  3. Security Control Development and Evaluation

The Center for Internet Security. Retrieved from http://www.cisecurity.org

US-CERT: United States Computer Emergency Readiness Team. Retrieved from http://www.us-cert.gov

  4. Business Impact Analysis

ISO 27001 & BS 25999 Business Impact Analysis. Retrieved from http://blog.iso27001standard.com/tag/business-impact-analysis/

  5. FRAAP

Peltier, T. (2000). Effective Risk Analysis. Retrieved from http://csrc.nist.gov/nissc/2000/proceedings/papers/304slide.pdf

  6. Risk Assessment Process

Cline, B. (2007). "The Information Security Assessment and Evaluation Methodologies: A DoD Framework for Control Self-assessment." ISACA Journal, Vol 2. Retrieved from http://www.isaca.org/Journal/Past-Issues/2007/Volume-2/Documents/jopdf0702-info-security-request.pdf

Information Systems Security Assessment Framework. Retrieved from http://www.oissg.org/downloads/issaf-0.2/information-systems-security-assessment-framework-issaf-draft-0.2.1a/view.html

Mencik, S. How to Conduct an Information Security (INFOSEC) Assessment. Retrieved from http://searchsecurity.techtarget.com/searchSecurity/downloads/StephenMencik.ppt

  7. Security Controls & Risk Acceptance

Lennon, E. IT Security Metrics. Retrieved from http://www.itl.nist.gov/lab/bulletns/bltnaug03.htm

20 Critical Security Controls. Retrieved from http://www.sans.org/critical-security-controls/

  8. Reporting

Elements of a Good Security Assessment Report. Retrieved from http://searchenterprisedesktop.techtarget.com/tip/0,289483,sid192_gci1235715,00.html

Book Title: Information Security Management Metrics (Ebook available through the APUS Online Library)
ISBN: 9781420052855
Publication Info: Auerbach Publications
Author: Brotby, W. Krag
Unit Cost: $91.35

Book Title: REFERENCE ONLY - Information Security Fundamentals, 2nd edition. This text will be REQUIRED in ISSC661 and ISSC680. This text will be used as a reference only for the other courses in the ISSC program.
ISBN: 9781439810620
Publication Info: Auerbach Publications
Author: Thomas R. Peltier
Unit Cost: $79.95

Book Title: Security Risk Assessment Handbook, 2nd ed.
ISBN: 9781439821480
Publication Info: Taylor & Francis/CRC Press
Author: Landoll, Douglas J.
Unit Cost: $91.35
