The George Washington University
Engineering Management and Applied Sciences

Management of Information and Systems Security
EMSE 218

Professor Randall K Nichols
Website: www.Infosec-Technologies.com
Course ID: 85216 - Section 10, 3 Credits
Tuesdays 7:10PM-9:40PM
September 1 through December 8, 2004

Course Description

This course presents a systems engineering approach to implementing and managing effective information security in contemporary highly networked enterprises. The course provides an overview of the security challenges faced by individuals and organizations in the information age and introduces the complex and dynamic state of information assurance in cyberspace. It is intended to sensitize managers and computer professionals to the pitfalls and dangers of doing business in an interconnected world, and to familiarize the student with various organizations and materials that can be turned to for assistance in understanding how to operate and use modern computer systems and networks securely.

Disclaimer

This course examines inter alia ethical and legal dimensions of on-line behavior. However, it is not intended to turn information technology professionals or managers into lawyers. One or more of the course lecturers may be lawyers and many of the topics to be discussed will be concerned with the law and the legal implications of certain behavior. Every effort will be made to provide accurate and complete information. Please note, however, that at no time during this course will legal advice be offered. Any student or attendee needing legal advice should seek the services of a lawyer authorized to practice in the appropriate jurisdiction.

This class will explore both technology and management issues related to managing the elements of holistic information security. Specific technologies and techniques used by hackers, crackers, spies and thieves to obtain access to sensitive, private information are discussed and explored.

Students are reminded that it is a violation of Federal and some states’ laws to attempt to gain unauthorized access to information assets or systems belonging to others, or to exceed authorized access on systems to which they have been granted access.

At no time in this class should any student violate either laws or confidences.

This class is not about pushing the envelope or hacking, and any violation of legal boundaries in the course of this class will be considered a violation of the class trust and will be subject to sanctions in grading and may result in dismissal from the Program and failure to receive the Certificate or a degree with a concentration in information security management.

Course Objectives

Upon completion of this course, the student should be able to:

  1. Identify and critically assess issues and concepts related to the protection of information and information systems.
  2. Define the security attributes confidentiality, integrity, and availability, and describe the confidentiality, integrity, and availability requirements for an enterprise environment.
  3. Analyze and evaluate proposed or extant information security policies, practices and procedures in order to assess potential advantages and disadvantages that might flow from implementing them. Describe how confidentiality can be protected. Describe how integrity can be protected. Describe how availability can be protected. Describe how failures of protections can be detected. Describe how attacks can be detected. Describe how impacts from an attack can be mitigated.
  4. Use risk management principles to assess threats, vulnerabilities, countermeasures and impact contributions to risk in information systems. Perform a risk analysis for an environment. Create a management plan for security in an environment.
  5. Evaluate policies, strategies and standard operating procedures for securing information and communication systems.
  6. Identify and critically assess the legal, moral and ethical implications of behavior in an on-line world.
  7. Describe and use a systems engineering approach to define a security architecture for a given operational environment.

Course Materials

Required Textbooks:

Management of Information Security Michael E. Whitman and Herbert J. Mattord Thomson Course Technologies ISBN 0-619-21515-1

http://www.course.com/catalog/product.cfm?isbn=0-619-21515-1

Turabian, Kate L. A Manual for Writers of Term Papers, Theses, and Dissertations (Sixth Edition). Chicago: The University of Chicago Press, 1996. ISBN 0-226-81627-3

Optional Textbooks:

Bruce Schneier, Beyond Fear: Thinking Sensibly About Security in an Uncertain World (BF) Copernicus Books, 2003. [ISBN: 0-387-02620-7] One of his best works!

Randall K. Nichols and Panos C. Lekkas, Wireless Security (WS) McGraw-Hill Professional Books, January 2002. [ISBN: 0-07-138038-8] One of the most comprehensive references on the subject of wireless security design, by far.

Reading Assignments:

Reading assignments are noted on the class schedule included at the end of this syllabus.

Grading

The final grade will be determined as follows:

Participation -- 20%
Project -- 5%
Research Paper and Presentation -- 35%
Major Quiz -- 40%
Extra Credit -- 5%

All written assignments (research papers and major quiz) must contain the following certification:

"This paper or presentation is my own work. Any assistance I received in its preparation is acknowledged within the paper or presentation, in accordance with academic practice. If I used data, ideas, words, diagrams, pictures, or other information from any source, I have cited the sources fully and completely in footnotes and bibliography entries. This includes sources which I have quoted or paraphrased. Furthermore, I certify that this paper or presentation was prepared by me specifically for this class and has not been submitted, in whole or in part, to any other class in this University or elsewhere, or used for any purpose other than satisfying the requirements of this class, except that I am allowed to submit the paper or presentation to a professional publication, peer reviewed journal, or professional conference. In adding my name following the word 'Signature', I intend that this certification will have the same authority and authenticity as a document executed with my hand-written signature.

Signature _____________________________"

1. Project: Practical Cryptography 5%

The requirements for this first project are that each student exchange encrypted email with the instructor. The purpose of this project is to give each student hands on experience with using a cryptography product. In order to accomplish this project, the following steps are required:

  • Acquire a copy of PGP. If you are a US citizen, you may get a copy from http://web.mit.edu. If you are not a US citizen, you may get a copy of the international version of PGP from http://www.pgpi.com/. Alternatively, you may purchase a commercial version from http://www.pgp.com/. It is the student's responsibility to ensure that the version acquired works with the student's computer.
  • Install the software on a computer and create a key pair for yourself.
  • Deliver your public key to the Professor via email. The Professor will send you his public key when you have successfully transmitted your key to the Professor.
  • Send a signed and encrypted email to the Professor. The Professor will reply with a signed and encrypted email to you when you have successfully sent an encrypted email.
  • Note that this exchange authenticates both parties only if each verifies the other's key fingerprint through a channel other than the email itself (for example, in class); a public key that simply arrives by email could have been sent by anyone claiming the name on it. Further instructions will be given to the class on exactly how this is accomplished.
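
As an added example (not part of the syllabus and not code from any PGP product), the following shell script runs the whole project end to end with GnuPG (gpg), a free OpenPGP implementation that interoperates with the PGP versions listed above. Two throwaway keyrings in temporary directories stand in for the student's and the professor's computers; the names, email addresses, message text and passphrase-less keys are constructed for the demonstration. The script also performs the fingerprint comparison that the email exchange alone does not give you.

```shell
#!/bin/sh
# Added example: the Practical Cryptography project with GnuPG, using two throwaway
# keyrings for "student" and "professor". All names, addresses and the message text
# are constructed for the demo; the keys have no passphrase so the script runs unattended.

# gpg bound to one keyring; $1 selects whose machine we are acting as.
g() {
  home=$1; shift
  gpg --homedir "$home" --batch --quiet --no-tty \
      --pinentry-mode loopback --passphrase '' "$@"
}

# Primary-key fingerprint of a user id as recorded in one keyring.
fpr() {
  g "$1" --with-colons --fingerprint "$2" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Returns 0 and prints the decrypted message if every step succeeds.
practical_crypto_project() {
  work=$(mktemp -d)
  student="$work/student"; prof="$work/prof"
  mkdir -m 700 "$student" "$prof"

  # Step 2: each party generates its own key pair (signing key plus encryption subkey).
  g "$student" --quick-generate-key 'Student <student@example.edu>' future-default default never
  g "$prof"    --quick-generate-key 'Professor <professor@example.edu>' future-default default never

  # Step 3: export only the public key and "email" it (here: copy the file), then import it.
  g "$student" --armor --export student@example.edu   > "$work/student.pub.asc"
  g "$prof"    --armor --export professor@example.edu > "$work/prof.pub.asc"
  g "$prof"    --import "$work/student.pub.asc"
  g "$student" --import "$work/prof.pub.asc"

  # The check email alone cannot give you: the fingerprint the professor now sees for
  # the student's key must match the one the student reads off the student's own keyring
  # (in class, by phone). Without this, anyone who can send mail can plant a key in your name.
  [ "$(fpr "$prof" student@example.edu)" = "$(fpr "$student" student@example.edu)" ] || return 1
  [ "$(fpr "$student" professor@example.edu)" = "$(fpr "$prof" professor@example.edu)" ] || return 1

  # Step 4: the student signs with the student's private key and encrypts to the
  # professor's public key. --trust-model always stands in for the fingerprint check above.
  printf 'EMSE 218 project: encrypted mail works.\n' > "$work/msg.txt"
  g "$student" --trust-model always --local-user student@example.edu \
     --recipient professor@example.edu --armor --sign --encrypt \
     --output "$work/msg.asc" "$work/msg.txt"

  # The professor decrypts with the professor's private key and verifies the signature.
  # gpg reports the outcome on a machine-readable status fd, not in the decrypted text.
  g "$prof" --trust-model always --status-fd 3 --output "$work/msg.out" \
     --decrypt "$work/msg.asc" 3>"$work/status"
  grep -q '^\[GNUPG:\] DECRYPTION_OKAY' "$work/status" || return 1
  grep -q '^\[GNUPG:\] GOODSIG '       "$work/status" || return 1

  cat "$work/msg.out"
  rm -rf "$work"
}

if command -v gpg >/dev/null 2>&1; then
  practical_crypto_project
else
  echo "gpg not installed; skipping" >&2
fi
```

Run it as `sh practical_crypto.sh`; it prints the decrypted message only when decryption succeeded and the signature verified. In the real exchange the file copy becomes an email attachment, and the fingerprints are compared by reading them aloud in class rather than across two keyrings on one machine; a key whose fingerprint the owner cannot confirm should not be signed or trusted.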

2. Research Paper: Security Technologies 35%

The purpose of the term paper is to provide every student in the class with an opportunity to explore what available technologies can contribute to enterprise security, along with an appreciation for cost and technical issues. This paper will allow the student to explore some area at greater depth than is allowed by the pace of the class in general.

For this project, each student will select one of the technologies listed below and write a term paper analyzing the technology.

The paper must be turned in electronically in the form of a Microsoft Word document. It may be submitted by email to profrknichols@comcast.net or turned in on a 3.5 inch floppy disk. Documents and/or disks should be scanned for malicious code using an up-to-date antivirus program before submission to the instructor.

  • Each student must research a different technology. Therefore, each student must register with the Professor as to which technology will be chosen for this project and receive permission from the Professor before beginning the paper.
  • Students will make short presentations of their papers to the class during Classes 13 and 14.

Technologies:

  • Access control management system
  • Anti-virus software
  • Audit data reduction system
  • Authentication systems
  • Automated Security Policy Planning Systems
  • Content Scanning System
  • Data Partitioning System
  • Disk Drive Lock
  • Symmetric Encryption Systems and Key Management
  • Firewall Systems
  • Host-based Intrusion Detection Systems
  • Network-based Intrusion Detection Systems
  • Network mapping system
  • Password Cracking System
  • Public Key Infrastructure (PKI) Systems
  • Redundant data storage systems
  • Risk Assessment Systems
  • Theft Detection Systems
  • Transaction Auditing Systems
  • Uninterruptible Power Supplies (UPS)
  • Virtual Private Networks
  • Vulnerability Scanning Systems

The report should analyze the chosen technology with regard to its capabilities and limitations in the areas of confidentiality, integrity, and availability. The analysis should cover usefulness, cost, and implementation complexity -- at the very minimum. Technologies should be rated for utility in today's environment. For example, technologies that are only applicable to DOS 3.2 are clearly not as useful today as technologies that are both applicable to Windows 98 and Windows NT environments.

The report must be a minimum of 5000 words, exclusive of title page, table of contents, footnotes and bibliography, and conform to the format for term and research papers described in Turabian. A minimum of 25 references are required for this project. These must be distinct and separate references. A book counts as one reference for the terms of this requirement even if you use multiple items from the book. A journal article counts as one reference; multiple articles published in the same edition count as multiple, distinct references.

Do NOT simply copy and paste information from manufacturer's web-sites or marketing materials – if you fail to properly cite your sources this is plagiarism and will result in a charge of violating the University's academic integrity policy. Even if you do cite your sources properly, a paper that consists of large blocks of copied material is not a good paper and won’t get a good grade.

The grade for this project will be heavily weighted towards the quality and insightfulness of the analysis -- if there is no analysis, expect a very low grade.

The Research Paper is due not later than 2200 EST on November 16, 2004. It should be turned in to the Professor by email at profrknichols@comcast.net or cto@infosec-technologies.com. The Professor will send a receipt by return email, so if you do not receive a receipt within 24 hours of submission, please contact the Professor and resubmit your paper. For every day the paper is late, ten (10) points will be deducted. Do not forget to include the required certification paragraph and signature.

3. Major Quiz 40%

There will be a take-home major quiz. You may use any materials you can find, but may not work together or discuss the quiz with your classmates or anyone else until it is turned in and grades have been awarded. The Major Quiz is due not later than 2200 EST on December 8, 2004. It should be turned in to the Professor by email at profrknichols@comcast.net or cto@infosec-technologies.com. The Professor will send a receipt by return email, so if you do not receive a receipt within 24 hours of submission, please contact the Professor and resubmit your quiz. Do not forget to include the required certification paragraph and signature.

4. Extra Credit 5%

Frequently, there will be a short quiz at the start of class. Each quiz will consist of ten multiple choice questions. Five of the questions will be from materials covered in the previous class, and five will be based on the readings for the class in which the quiz is given. At the end, the scores for these quizzes will be averaged and the average prorated across 5% of the total points for the course. If you fail to take a quiz, you will receive a zero for that quiz. So you can earn from 0% to 5% extra credit, depending on how well you do on these short quizzes.

Depth of Reading and Research:

The assigned readings will serve both to develop an understanding of the course objectives and to integrate them into class discussions and activities. Because of the nature of information security, a topic may continue to be discussed over several days or weeks, not merely during the week the topic first appears. Consequently, all reading for a given week may not match the topic at hand that week. Nonetheless, the order of topics presented will follow that shown in the syllabus.

The scope of this course is very broad, and a large amount of reading will, of necessity, be assigned. However, the relative importance of materials, as specified in the course outline, varies. Specifically assigned materials must be read in detail. Materials to which students are directed or for which copies are provided but which are not specifically assigned are recommended for added understanding of required material, but are optional in the sense that students will not be held explicitly responsible for anything that appears only in these materials. They are appropriate either for students who have difficulty with the subject matter based on the required readings or for those who want a deeper understanding of the material. Recommended background reading is valuable for overall understanding; may provide a technical depth beyond the requirements of the class; may provide valuable material for student research topics; and may be useful in responding to comprehensive essay questions.

Since much of what is happening in information security is happening now, current events will play a role in class discussions. As professionals, it is crucial for you to keep up with events as they unfold. There is no substitute for regular reading of business and technology news in a major newspaper, for following current journal articles, visiting key web sites, and for noting the direction of industry organizations such as the IEEE, IETF, and the ACM. You should constantly consider how what you read in such sources fits into the subject you are studying. Current articles, including Web articles, may be assigned as supplementary reading as the course progresses.

Students are encouraged to use as many and varied sources as possible in exploring the questions presented during the course, and to share those sources with their classmates. References to sources should be explicit in exchanges among the students and instructor, and will be considered in determining the extent to which each student participated for purposes of awarding grades.

The Grade Of I (Incomplete): The grade of I is exceptional and given only to students whose completed coursework has been qualitatively satisfactory but who have been unable to complete all course requirements because of illness or other extenuating circumstances beyond their control. We all have heavy workloads, so that alone is not sufficient justification for an Incomplete.

The grade of I will be considered only for students who formally request it, and then only for students who have completed at least fifty (50) percent of the total coursework requirements and who have received a passing grade on all the coursework that has been completed. The instructor retains the right to make the final decision on granting a student's request for an I, even though the student may meet the eligibility requirements for this grade.

If the instructor agrees to enter an Incomplete, the symbol I (Incomplete) indicates that a satisfactory explanation has been given the instructor for the student's inability to complete the required course work during the semester of enrollment. At the option of the instructor, the symbol I may be recorded if a student, for reasons beyond the student's control, is unable to complete the work of the course, and if the instructor is informed of, and approves, such reasons before the date when grades must be reported. This symbol may be used only if the student's prior performance and class attendance in the course have been satisfactory. Any failure to complete the work of a course that is not satisfactorily explained to the instructor before the date when grades must be turned in will be graded F, Failure. If acceptable reasons are later presented to the instructor, that instructor may initiate an appropriate grade change, which in all cases will include the symbol I. The course work must be completed within the designated time period agreed upon by the instructor and student, but no more than one calendar year from the end of the semester in which the course was taken. When work for the course is completed, the instructor will complete a grade change form and turn it in to the Office of the Registrar. The grade earned will be indicated in the form of I, followed by the grade. The indication of I cannot be removed and remains on the student's permanent academic record even after the course has been successfully completed. If work for the course is not completed within the designated time, the grade will be automatically converted to a grade of IF, Incomplete/ Failure, 0 quality points, and the grade-point average and academic standing recalculated.

Writing and Speaking Standards:

Effective managers, leaders, and teachers are also effective communicators. It is no understatement to say that effective speaking and writing skills are as important to career success as technical mastery of a subject. We will, therefore, provide opportunities for students to speak and write as part of this course.

Many people feel anxious about speaking up in public. Christine Stuart in her book, 'Effective Speaking' cites a survey in the USA where 3,000 adults were asked to list their ten worst fears. Speaking in Public came out as the number one fear. Why do so many people feel anxious in this situation?

Some of the reasons may be:

  • Unfamiliar Situation: not so much a problem in the classroom.
  • Lack of Confidence: This stems often from a feeling that others are better speakers than us, or that they may know more about the topic in question.
  • Sense of Isolation: The speaker feels alone, the center of attention - and vulnerable.
  • Self-Consciousness: about our accents, grammar, voice and image generally.
  • Fear of looking Foolish - we may worry that we will forget what we wanted to say, and will stumble over our words, will say the 'wrong' thing, etc.
  • Fear of the Consequences - for example being 'judged' by others, particularly professors, as lacking in ability or insight because of a poor public presentation. At least with an essay mistakes can be made in private!

When you are required to make presentations in class, pay attention to the three Ps: Planning, Preparation, Practice. Being well-prepared is half the battle to overcoming those butterflies.

Planning

Set objectives; consider the purpose of your presentation and the message you are trying to get across to your audience.

Develop the logic of your presentation by selecting and ordering the points you want to make.

Consider the time you have been allotted and how much you can reasonably say in that time.

Decide how you are going to structure your presentation. You need an introduction, middle and a conclusion. (This is often referred to as, 'Tell them what you're going to tell them; tell them; then tell what you told them.')

Work hard on your introduction. The first few minutes of your presentation will capture the audience’s attention.

Use notes. Don’t read a speech/paper. Your notes should consist of key words and phrases. Just enough to jog your memory and remind you of points you want to make. Include the points you need to make that aren’t on your slides.

Preparation

Prepare your slides.

Make sure any A/V equipment you need is available and that you are familiar with it.

Practice

Practice your presentation out loud, either on your own or in front of friends who will give you helpful feedback.

Use a tape recorder or video recorder so you can listen to and see yourself.

Written communication is an important element of the total communication process. This is a graduate program. Students are assumed to have learned how to prepare academic papers in their earlier studies, including how to reference works used in preparation of their papers and presentations. The University recognizes and expects exemplary writing to be the norm for course work. To this end, all posts and papers, individual and group, must demonstrate graduate level writing and comply with and conform to standard academic format as specified in A Manual For Writers of Term Papers, Theses, and Dissertations by Kate L. Turabian, Sixth Edition. (In on-line postings, footnotes may be treated as endnotes with a notation of, for example, [n2] placed in the text where the footnote reference would ordinarily appear.) Points will be subtracted for format errors. Points will also be subtracted for spelling and grammatical errors. Use of Standard English ensures that your points will be both understood and correctly interpreted by all readers, a skill that will be vital to your success after graduation.

Academic integrity:

Academic integrity is central to the learning and teaching process. Students are expected to conduct themselves in a manner that will contribute to the maintenance of academic integrity by making all reasonable efforts to prevent the occurrence of academic dishonesty. Academic dishonesty includes, but is not limited to, obtaining or giving aid on an examination, having unauthorized prior knowledge of an examination, doing work for another student, and plagiarism of all types.

Plagiarism is the intentional or unintentional presentation of another person's idea or product as one's own. Plagiarism includes, but is not limited to, the following: copying verbatim all or part of another's written work; using phrases, charts, figures, illustrations, or mathematical or scientific solutions without citing the source; paraphrasing ideas, conclusions, or research without citing the source; and using all or part of a literary plot, poem, film, musical score, or other artistic product without attributing the work to its creator. Students can avoid unintentional plagiarism by following carefully accepted scholarly practices. Notes taken for papers and research projects should accurately record sources of material to be cited, quoted, paraphrased, or summarized, and papers should acknowledge these sources.

If you don’t understand what plagiarism is and how to avoid it, consult the University’s academic integrity policy. http://128.164.127.251/~ntegrity/code.html#definition. See also http://www.asee.org/prism/december/html/student_plagiarism_in_an_onlin.htm

This is a graduate program. Students are assumed to have learned how to prepare academic papers in their earlier studies, including how to reference works used in preparation of their papers and presentations.

The penalties for plagiarism include a zero or a grade of "F" on the work in question, a grade of "F" in the course, suspension with a file letter, suspension with a transcript notation, or expulsion.

Students are not permitted to submit an assignment or paper that already has been submitted for another course at GWU or any other institution, even if it is entirely their own work. This includes cutting and pasting portions of previous papers or other written assignments.

The penalties will be the same as those listed above for plagiarism. Please check your work carefully. Turabian contains complete guidance on how to correctly reference all forms of material.

Disabled Students: Any student who has a disability and is in need of special consideration must inform the instructor of this need within the first week of class (or immediately if the disability appears after the first week of class) so that appropriate arrangements can be made.

Communicating with the Professor: The Professor is a part-time member of the faculty of The George Washington University with no office on campus. Therefore there are no regular office hours. All communications with the Professor, other than those of a personal nature, should take place in class. This allows all students to benefit from the questions and answers. Should a student need to communicate with the Professor concerning issues or information of a personal nature that the student prefers not to discuss in an open forum, the Professor can be contacted by e-mail at profrknichols@comcast.net . The Professor reviews e-mail on a daily basis, so responses will be prompt.

Administrative

Professor: Randall K. Nichols

Contact Information:

Availability: 10:00AM - 10:00 PM EST
Mobile: 717-329-9836
Fax: 717-258-5693
Business E-Mail: profrknichols@comcast.net
Student E-Mail: profrknichols@comcast.net
Web site: www.infosec-technologies.com


Course Schedule


Week 1: Session 1

  • Introduction
  • Security Management
  • Administrative, technical and physical controls
  • Confidentiality, integrity, availability
  • Policy questions: what, how much, how long
  • Risk management

Week 2: Session 2

  • Threats, Vulnerabilities, Countermeasures and Impact
  • Malicious code
  • Hackers and crackers
  • Insiders v outsiders
  • Thieves and embezzlers
  • Disgruntled employees and saboteurs
  • Psychopaths
  • Spies
  • Cyberwar and critical infrastructure protection
  • Vulnerabilities
  • Countermeasures
  • Impact of successful attacks
  • Uncertainty

Week 3: Session 3

  • Policies, procedures, standards, guidelines
  • Classification management
  • Privilege management
    • Assessing trustworthiness
    • Granting privileges
    • Revocation of privileges
  • Principle of Least Privilege
  • Reference monitor

Week 4: Session 4

  • Physical security
  • Choosing a secure site
  • Secure facility design and configuration
  • Securing the facility against
    • Unauthorized access - physical access control
    • Theft of equipment
  • Protection of the facility and the resources it contains
    • Environmental factors
    • Safety measures
  • Electricity and wiring
  • Fire and fire suppression
  • Security Lighting
  • Fences, walls, gates, windows, doors, locks
  • Guard forces

Week 5: Session 5

  • Cryptography
  • Definitions
  • Concealment ciphers, steganography
  • Transposition
  • Substitution
  • XOR, pseudorandom number generators
  • Block ciphers (including chaining modes) and stream ciphers
  • DES and AES
  • Key management
  • Public key cryptography
  • Certificate authorities
  • Digital signatures

Week 6: Session 6

  • Access Control
  • Subjects and objects
  • Identification and authentication
  • User IDs
  • (What you know) Passwords
  • (What you have) tokens and one-time passwords, PINs
  • (What you are) Biometrics
  • Discretionary access control
  • ACLs and access control matrices
  • Role-based access control
  • Mandatory access control
  • Reference monitor (again)

Week 7: Session 7

  • Models of Trustedness and Evaluation
  • Bell-LaPadula model
  • Denning lattice model
  • Biba integrity model
  • Clark-Wilson model
  • Building secure and trusted systems
  • Evaluating trustedness: TCSEC, Rainbow Series, ITSEC, Common Criteria

Week 8: Session 8

  • Telecommunications and Network Security
  • The OSI model
  • Network hardware
  • LAN topologies
  • Wide Area Networks
  • Network protocols
  • IP addressing
  • Subnet masking
  • Firewall architectures
  • Telecommunications security: IPSec
  • E-mail security: PGP, PEM, and S/MIME
  • Virtual private networks

Week 9: Session 9

  • Detection
  • Vulnerability assessments
  • Penetration tests
  • Social engineering
  • Auditing
  • Monitoring
  • Host-based Intrusion Detection
  • Network-based Intrusion Detection

Week 10: Session 10

  • Ethics, Morality, Etiquette, Law
  • Sources of Law
  • Freedom of speech and press
  • Privacy
  • Reckless or negligent behavior (Torts)
  • Property in Cyberspace
  • Contracts and commercial arrangements
  • Crime in Cyberspace
  • Investigation, search and seizure

Week 11: Session 11

  • Application and Database security
  • Operations Security
  • Security training and awareness
  • Security and controls of the systems development process
  • System life cycle
  • Change control and configuration management
  • Certification and accreditation
  • Application controls
  • Data warehousing
  • Data mining, aggregation
  • Inference
  • Knowledge-based systems
  • Ensuring data and application integrity, security and availability
  • Securing media

Week 12: Session 12

  • Correction
  • Business Continuity Planning
  • Disaster recovery planning
  • Business impact assessment
  • Crisis Management and Recovery
  • The Crisis Management Team
  • Uninterruptible power
  • Backups
  • Beta sites
  • Testing and training

Week 13: Session 13

Student presentations

Week 14: Session 14

Review and Summary

Class end: Major Quiz due.

*** Forward reading assignments to be given at the end of each session.