Course Description
This course examines the fundamental principles of computer security as applied to information technology. The course covers foundations, psychology, prevention, detection, human factors, technical considerations, management processes and future considerations for the security of information technology.
Course Objectives
This course is designed and developed to cover the 10 domains in the Information Security Common Body of Knowledge. They include: Security Management Practices; Security Architecture and Models; Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP); Law, Investigations, and Ethics; Physical Security; Operations Security; Access Control Systems and Methodology; Cryptography; Telecommunications, Network, and Internet Security.
Week 1
Lecture: Why Study Information Security?
Outcomes
- Recognize the growing importance of information security specialists to the Information Technology (IT) infrastructure and how this can translate into a rewarding career
- Develop a strategy for pursuit of a career in information security
- Comprehend information security in the context of the mission of a business
- Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations
- Distinguish between the three main security goals
- Learn how to design and apply the principle of defense in depth
- Comprehend human vulnerabilities in security systems to better design solutions to counter them
- Explain the difference between functional and assurance requirements
- Comprehend the fallacy of security through obscurity to avoid using it as a measure of security
- Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business
- Determine which side of the open disclosure debate you would take
Week 2
Lecture: Certification Programs and the Common Body of Knowledge
Outcomes
- Analyze the Certified Information Systems Security Professional (CISSP) certificate program as the gold standard in Information Technology (IT) certification
- Define and describe the role of the International Information Systems Security Certifications Consortium
- Distinguish the contents of the 10 domains of the Common Body of Knowledge
- Distinguish the CISSP from other security certification programs in the industry
- Build an awareness of 12 generally accepted basic principles of information security to help you determine how these basic principles are applied to real-life situations
- Distinguish between the three main security goals
- Learn how to design and apply the principle of defense in depth
- Comprehend human vulnerabilities in security systems to better design solutions to counter them
- Explain the difference between functional and assurance requirements
- Comprehend the fallacy of security through obscurity to avoid using it as a measure of security
- Comprehend the importance of risk analysis and risk management tools and techniques for balancing the needs of business
- Determine which side of the open disclosure debate you would take
Week 3
Lecture: Security Architecture and Models
Outcomes
- Summarize the concept of a Trusted Computing Base (TCB)
- Illustrate the concept of rings of trust
- Distinguish among the protection mechanisms used in a TCB
- Defend the purposes of security assurance testing
- Apply the Trusted Computer Security Evaluation Criteria (TCSEC) for software evaluations
- Categorize the role of the Federal Criteria for Information Technology Security
- Apply the Common Criteria for Information Security Evaluation
- Distinguish between the Business Continuity Plan (BCP) and the Disaster Recovery Plan (DRP)
- Inform business executives why planning is important
- Define the scope of the business continuity plan
- Outline the contents of a Business Impact Analysis (BIA)
- Discuss recovery strategies and the importance of crisis management
- Explain backup and recovery techniques including shared-site and alternate-site agreements
Week 4
Lecture: Law, Investigations and Ethics
Outcomes
- Identify the types and targets of computer crime
- Summarize the major types of attacks performed by cyber criminals
- Understand the context of the computer in the legal system
- Appreciate the complexities of intellectual property law
- Discuss the issues surrounding computer security and privacy rights
- Articulate the challenges of computer forensics
- Recognize ethical issues related to information security
- Comprehend the information security concepts and practices in Chapters 1–7
Week 5
Lecture: Physical Security Control
Outcomes
- Distinguish between logical and physical security, and explain the reasons for placing equal emphasis on both
- Recognize the importance of the physical security domain
- Outline the major categories of physical security threats
- Classify the techniques to mitigate risks to an organization's physical security
- Classify the five main categories of physical security controls, including their strengths and limitations
- Propose how smart cards can be used for physical access control
- Categorize the different types of biometric access controls and determine their respective strengths and weaknesses
- Outline the types of controls needed for secure operations of a data center
- Explain the principle of least privilege
- Differentiate between the principle of least privilege and the principle of separation of duties
- Define the control mechanisms commonly found in data center operations
- Create a model of controls that incorporates people, process and technology-based control mechanisms
Week 6
Lecture: Access Control Systems and Methodology
Outcomes
- Apply access control techniques to meet confidentiality and integrity goals
- Implement the major terms and concepts related to access control and relate them to system security
- Apply Discretionary Access Controls (DAC) and Mandatory Access Controls (MAC) techniques as appropriate
- Choose effective passwords and avoid password limitations
- Implement password alternatives including smart cards, password tokens and other multifactor techniques
- Apply the goals of single sign-on concepts to business and common users
- Use the techniques described to control remote user access
- Explain common terms used in the field of cryptography
- Outline what mechanisms constitute a strong cryptosystem
- Demonstrate how to encrypt and decrypt messages using the transposition method
- Demonstrate how to encrypt messages using the substitution method
- Explain the differences between symmetric and asymmetric cryptography
- Evaluate commercial implementations of Public-Private Key (PPK) cryptography
Week 7
Lecture: Telecommunications, Networks and Internet Security
Outcomes
- Classify the International Standards Organization/Open Systems Interconnection (ISO/OSI) layers and characteristics
- Summarize the fundamentals of communications and network security and their vulnerabilities
- Distinguish between Wide Area Networks (WANs), Local Area Networks (LANs), and the Internet, intranets, and extranets
- Outline the roles of packet-filtering routers, firewalls, and intrusion detection technology in network perimeter security
- Classify the various configurations and architectures for firewalls
- Illustrate the elements of IP Security (IPSec) and how virtual private networks implement IPSec
- Determine the importance of security considerations as a part of the System Development Life Cycle (SDLC)
- Outline an accelerated history of the SDLC and its purpose
- Analyze the structure and roles of the SDLC task force committee subgroups
- Categorize application development issues related to InfoSec
- Apply an understanding of these issues to the distributed software environment (i.e., the client/server implementation)
Week 8
Lecture: Securing the Future
Outcomes
- Establish plans for continuous monitoring and compliance enforcement
- Discuss the future of Information Technology (IT) software security developments and the outlook for InfoSec professionals
- Discuss the issues that drive the growth of the industry, technology and regulations
- Comprehend the information security concepts and practices in Chapters 8–14
The course description, objectives and learning outcomes are subject to change without notice based on enhancements made to the course.
May 2011