TCMG 514 – Foundations of Information Security Management – 15 Weeks – Fall 2016 Ken Lacasse

TCMG 514 – Foundations of Information Security Management
University of Bridgeport, Fall 2016 Semester
Monday, August 29 – December 5, 2016
Section 6M1 – 6:15PM – 8:45PM
Mandeville Hall – Room 303

Professor Ken Lacasse; Mandeville Hall; (203) 545-1757; email: [email protected]; Office hours: by appointment.

Student Honor Code: As a UB student, I take personal responsibility for emulating the highest values and ethical norms: my work is my own and reflective of my best efforts and abilities.

COURSE SYLLABUS

Course Description and Approach:

As organizations become more dependent on technology and are focusing on Big Data and their customer databases, these organizations are very concerned with managing the risks and the vulnerabilities associated with their data. Prompted by newsworthy cyber-attacks against notable companies and government agencies, the demand for security experts is growing faster than all other IT positions.

This course examines the practices for assuring Information Security and risk management. The various roles and functions within the Information Security and Information Risk management practice will be combined and leveraged to produce a secure and risk-aware organization. Case studies will be used to examine theories and practices drawn from real-world situations. The numerous pitfalls of information security will be presented along with everyday practices for securing company resources from attack. This course will examine the frameworks, roles, and competencies involved with information security and information risk management. This course will include:

- Introduction to the Management of Information Security
- Planning for Security
- Planning for Contingencies
- Information Security Policy
- Developing the Security Program
- Security Management Models
- Security Management Practices
- Risk Management: Identifying and Assessing Risk
- Risk Management: Controlling Risk
- Protection Mechanisms
- Personnel and Security
- Law and Ethics

The course will provide an opportunity to analyze major security events (e.g., breaches and cyber-attacks) by various attackers on different targets, ranging from large corporations to government agencies to the individual, and to analyze the response and business impact. Through the combination of lectures, case studies, team activities, review of current events, guest lecturers, term papers and class participation, this course introduces the student to the tools and vocabulary that are prerequisites to understanding and gaining knowledge about Information Security and Risk Management.

Course Learning Objectives: The course learning objectives are to:

- Gain knowledge of Information Security and Risk management frameworks, tools/technologies and taxonomy that will enable a student to identify critical issues, opportunities and priorities in security and risk management situations and cases; to analyze alternatives; to summarize decisions that impact future actions; and to develop and execute programs and response plans;
- Critique and assess the strengths and weaknesses of general security models, including the CIA triad (Confidentiality, Integrity and Availability), NIST, etc.;
- Assess the current threat landscape, including the nature of the threat, threat agents and their Tactics, Techniques and Procedures (TTP), common vulnerabilities, and the potential consequences of security failures;
- Appraise the interrelationships among the elements that comprise a modern Information Security system, including hardware, software, policies, and people;
- Compare the interrelationships among security roles and responsibilities in a modern information-driven enterprise, including interrelationships across security domains (information, physical, classification, personnel);
- Understand the interrelationship between business strategies and Information Technology strategies and Security Strategies, and the possible consequences of misaligning these strategies;
- Design an Information Security strategy and supporting program;
- Evaluate the principles of risk management and conduct a risk management exercise;
- Understand Information Security metrics:
  o Assess the role of good metrics and Key Performance Indicators (KPIs);
  o Key Risk Indicators (KRIs) in security assessment and governance;
- Critique the current legal and regulatory environment as it applies to Information Security;
- Understand the human element of security awareness and training, and formulate a simple training program;
- Understand the difference between physical and Information Security;
- Evaluate the trends and patterns that will determine the future state of Information Security;
- Bridge the gap between theory and practice by developing an understanding of why, when and how Security is applied in the real business world;
- Opportunities/discussion for careers in Information Security.

Required Course Textbook and Supplementary Materials:

1. Michael E. Whitman and Herbert J. Mattord, Management of Information Security, 4th Edition, Cengage Publishing, 2014, ISBN-13: 9781285062297

2. Some useful websites and/or sources for Information Security and Risk Management information:
- Verizon 2015 Breach report: http://www.greycastlesecurity.com/resources/documents/2015_Verizon_Business_Data_Breach_Investigations_Report.pdf
- 2015 State of Endpoint Report - Ponemon Institute: http://nhlearningsolutions.com/Portals/0/Documents/2015-Cost-of-Data-Breach-Study.PDF
- President Obama - Executive Order -- Promoting Private Sector Cybersecurity Information Sharing: https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari
- President Obama - Executive Order - Improving Critical Infrastructure Cybersecurity: https://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
- The Transformation of Information Risk Management (PDF) – KPMG: https://www.kpmg.com/US/en/IssuesAndInsights/ArticlesPublications/Documents/transformating-it-risk-management.pdf
- Risk Management Fundamentals – Department of Homeland Security: https://www.dhs.gov/xlibrary/assets/rma-risk-management-fundamentals.pdf
- Cybersecurity Fundamentals Glossary, ISACA: http://www.isaca.org/knowledge-center/documents/glossary/cybersecurity_fundamentals_glossary.pdf
- Defense in Depth - National Security Agency: https://www.nsa.gov/ia/_files/support/defenseindepth.pdf
- Layered Defense in Depth Model for Information Organizations: https://iieng.org/siteadmin/upload/8285E0914047.pdf
- Security Now – weekly podcast – Steve Gibson, Leo Laporte: https://twit.tv/shows/security-now and https://www.grc.com/securitynow.htm

3. Other Recommended Sources:
- Harris, Shon and Maymi, Fernando, CISSP All-in-One Exam Guide. McGraw-Hill Education
- Ernst and Young, Responding to Targeted Cyber Attacks. ISACA
- Tzu, S., Griffith, S., (1971). The Art of War. Oxford University Press

Note: You are encouraged to ask the Reference Librarian at Wahlstrom Library for any other research information you may need regarding your project. The UB book distribution system is for you to order the books online at http://www.ubcampusstore.com or at the UB Bookstore on the main campus.

Course Requirements:

1. Class Attendance, Participation, Punctuality, Cheating and Plagiarism: Attendance at each class session is expected. Class lectures complement, but do not duplicate, textbook information. Together the students and instructor will be creating a learning organization. Students are expected to be on time for class. A significant portion of your learning will accrue through the constructive and respectful exchange of each other's ideas (including mine!) and the search for alternative solutions. You must be actively engaged in class discussions to improve your thinking and communication skills. Cheating and plagiarism are absolutely unacceptable in any guise. If I catch you cheating or plagiarizing, I will warn you once. The second offense will result in an "F" for the course. Cheating and plagiarizing means using the work of others as your own. Copying homework, using papers from the Internet, any talking or looking around during exams, and allowing others to look at your exam papers are examples of cheating. Be certain that your travel arrangements do NOT conflict with any of your team or individual presentations. As a UB policy, for a three-credit course like TCMG 514, it is expected that each student who attends one hour of classroom instruction will require a minimum of two hours of out-of-class student work each week for approximately fifteen weeks for one semester.

2. Preparation, Deadlines and Late Policy: Late assignments will be penalized 20% for each class day past the deadline. No excuses will be accepted. Don't wait until the last minute to print out your assignment. Do not email me late homework assignments. Please put late assignments in my mailbox (Technology Building).

3. Homework: The syllabus identifies both the oral and written homework assignments. Each assignment that states "written" should be typed and only one or two pages long. It will be collected at the end of class so that you may refer to it during class discussions. Homework is important and represents a key component of your grade.

4. Current News: Each student will be required to select and be able to orally review news articles relating to the topic assigned for the class meeting. Suggested sources include: Wall Street Journal, New York Times, Business Week, Newsweek, Securityweek, Technewsworld, Time, Fortune, Inc., the Internet (reliable sites) and other relevant sources.

5. Information Security Strategic Plan and Program - Project Team Presentation: (PowerPoint presentation only, no paper is due). The team project provides an opportunity to integrate the major concepts studied this semester by developing an Information Security strategic plan for an organization in one of the critical infrastructure sectors as described in H.R.3696 - National Cybersecurity and Critical Infrastructure Protection Act of 2014. It will reflect real-world conditions but not represent a real-world system or enterprise. The purpose of the strategic plan and program is to assess the risk to the organization's business and human assets and develop technical and operational remedies based on the perceived risk. (It is important to understand the various risk responses.) The key to completing this assignment is to utilize the concepts studied in this course (e.g., Defense in Depth, risk management, incident response and operations, technical controls, policies and standards, threats to the organization) to support the business' strategic plan. The Instructor will distribute a rubric which will be used to evaluate the team results and determine the team grade. Each team member will be asked to evaluate the contributions of each team member on his/her team, which may affect the individual student's team grade.

6. Individual Term Paper – Information Security / Risk Management: The topic will be approved by the professor. The paper should explain an information security and/or risk topic to a deeper degree than we cover it in class. In the paper, you should demonstrate that you have acquired deeper knowledge of your chosen topic through independent research, as if you were educating others on the selected topic. You are expected to consult at least five external sources, which may include interviews with practitioners. The purpose of the paper is to educate a non-technical person on the topic to the extent that the reader will be able to understand the effect the topic has in a real-world situation. Suggested topic areas:
- Risk Management, Economics, and Regulation
- Frameworks and their applications, e.g., COSO, NIST, etc.
- Incident management – research in current breaches and the response
- Government's role in information security – e.g., Obama's executive order
- Threat landscape – threat agents and targets
- Data privacy and protection
- Law enforcement and their role in cyber attacks
- Selection/comparison of IT Security and Risk management certifications (see ISACA, ISC2, etc.)
- The war for talent – careers in information security

Each paper will be typed, double-spaced in 12-point font, and is expected to be at least 12 pages long (not including title, contents and reference pages). All papers must have a table of contents and a reference section. Please spell check and page number your work. Each student is required to orally summarize his/her term paper in 5 - 6 minutes (2-3 slides to aid the discussion). The paper and oral summary will be due on the last class day of the term.

Factors on which the term paper will be graded:
- A well-organized Table of Contents that is followed throughout the analysis, including page numbers, is required.
- A comprehensive bibliography of sources (references) used must be appended at the end of the paper. It is anticipated that the length of the bibliography will correlate with the grade assigned. A web site used as a reference must contain the source document name of the author, the title of the article, book or other source, and the date created.
- The paper should have an abstract of about 300 words that summarizes the motivation for the work (why you selected the topic). It should be followed by a list of keywords. The Introduction section should begin by elaborating on the motivation (why the topic is important) and then give an overview of the topic. The body of the paper should develop the topic in more detail, as if educating the reader. The conclusion section should reiterate the reasoning for the topic (importance) and give recommendations to the reader on the topic (e.g., what they should do).

Individual Research Paper Grading Rubric. Use this rubric as a checklist when writing and proofreading your papers. It depicts how I will evaluate your submission.

Plagiarism Evaluation

A "fail" evaluation on either of these two dimensions results in a failure and 0 points for the submission.

Turnitin Similarity Rating
  Pass: Less than 25% (set a goal to attain a rating of 10% or less).
  Fail: Greater than or equal to 25%.

Citations
  Pass: Sources are cited in context using the APA 5th style.
  Fail: Sources are not cited in context using the APA 5th style.

Specification Evaluation

A "fail" evaluation on one of these four dimensions results in a failure and a grade of 59 for this submission.

Length
  Pass: 15 pages or more.
  Fail: Less than 15 pages.

Number of References
  Pass: 10 or more references.
  Fail: Less than 10 references.

Organization
  Pass: Follows the required outline.
  Fail: Does not follow the required outline.

Formatting
  Pass: Double spaced, 12 point, Times New Roman font.
  Fail: Deviates from double spaced, 12 point, Times New Roman font.

Content Evaluation

- Evaluation scale of 1 - 5: 1 = lowest, 5 = highest. Half ratings (i.e. 3.5) are valid.
- Ratings equate with increments of 20 points apiece, from 1 = 20 points to 5 = 100 points.
- Each dimension's numerical grade contributes 20% toward the overall grade.
- The resulting numerical grade drives an equivalent letter grade for the submission.

Content Evaluation Dimensions
  Message Clarity: The paper conveys a clear message.
  Logical Flow: The message flows logically between points.
  English Grammar: The writing exhibits master's level English skill.
  Creativity: The author presents a new or novel approach to the material.
  Relation to Course Materials: The material directly relates to the course materials.

7. Course Grading:

Component                                                  Weight
Class Participation, Attendance & Current Events (News)    10%
Exam (Midterm)                                             20%
Team Project & Presentation                                25%
Case Studies (written assignments)                         20%
Written Term Paper & Oral Summary                          25%
Total                                                      100%

Letter Grade    Percentage
A               94.9 – 100%
A-              90 – 94.8%
B+              87 – 89.9%
B               83 – 86.9%
B-              80 – 82.9%
C+              77 – 79.9%
C               73 – 76.9%
C-              70 – 72.9%
D+              67 – 69.9%
D               63 – 66.9%
D-              60 – 62.9%
F               Below 60%

TCMG 514 – Foundations of Information Security Management – Schedule – Fall 2016 – 15 Weeks

The following outlines the 15-week course agenda (week number, date, content, assignment):

Week 1 – 8/29/2016
Content: Introduction to Information Security Management
- Overview of Security management
- Principles of Information Security Management
- Project Management overview
- The Threat environment
Planning for Security
- Strategic planning
- Governance
- Planning
Assignment: Read Chapter 1. Written assignment: Page 32, Exercise 2.

Week 2 – 9/5/2016
Content: Labor Day holiday
Assignment: Read Chapter 2. Written assignment: Page 69, Exercises 1 & 2. Page 70, Closing Case - answer discussion question 1. Written summary of a recent information security story, and describe the steps that could have avoided the incident.

Week 3 – 9/12/2016
Content: Planning for Security (continued)
- Strategic planning
- Governance
- Planning
Planning for Contingencies
- Fundamentals of planning
- Components of the plan
- Business Resumption Planning (BCP) Policy
- BIA Business Impact Analysis
- Incident Response Planning
- Testing
- Roles and Responsibilities
Assignment: Read Chapter 3. Written assignment: Page 119, Exercise 4.

Week 4 – 9/19/2016
Content: Information Security Policies
- Enterprise Policies
- Issue Specific Policies
- Systems Policies
- Guidelines for Effective Policies
Assignment: Read Chapter 4. Written assignment: Page 158, Closing Case - answer discussion questions.

Week 5 – 9/26/2016
Content: Developing a Security Strategy and Program
- Developing a Strategic plan
- Components of a Security program
- Developing a Security program
- Roles and Responsibilities
- Implementation
Assignment: Read Chapter 5. Written assignment: Page 208, Exercises 1 & 2.

Week 6 – 10/3/2016
Content: Security Management Models
- Introduction to Blueprints, Frameworks and Models
- Access Controls
- Architecture Models
- Management Models
Assignment: Read Chapter 6. Written assignment: Page 243, Exercise 2.

Week 7 – 10/10/2016
Content: Guest Speaker / Midterm Exam
Assignment: Written summary of a recent information security story, and describe the steps that could have avoided the incident.

Week 8 – 10/17/2016
Content: Security Management Practices
- Architecting the enterprise
- Types of technologies (Controls)
- The role of Infrastructure in Security
- Implementation and configuration
Assignment: Read Chapter 7. Written assignment: Page 275, Exercise 2.

Week 9 – 10/24/2016
Content: Risk Management: Identifying and Assessing Risk
- Risk Management
- Risk Identification
- Risk Assessment
Assignment: Read Chapter 8. Written assignment: Page 310, Exercises 3-6.

Week 10 – 10/31/2016
Content: Risk Management: Controlling Risk
- Risk Control Strategies
- Managing risk
- Risk Treatment – feasibility/cost
- Risk Control Practices
Assignment: Read Chapter 9. Written assignment: Pages 338-339, Exercises 1 & 4.

Week 11 – 11/7/2016
Content: Protection Mechanisms (Technical Controls) primer
- Access
- Firewalls
- Intrusion Detection (IDS)
- Remote Access
- Wireless Network
- Scanning and Analysis Tools
- Security Operations
- Cryptography
Assignment: Read Chapter 10. Written assignment: Pages 395-396, Closing Case - answer questions 1-4. Written description of your home/personal security setup of your Internet connection; include details of any hardware/software protection.

Week 12 – 11/14/2016
Content: Team Presentations
Personnel and Information Security
- Hiring
- Termination
- Background check
- Non-employees
- Management of corporate assets (for individuals)
- Personal data
- Personal Devices
- Personnel security practices
Assignment: Read Chapter 11. No written assignment. Team presentations due.

Week 13 – 11/21/2016
Content: Laws, Compliance and Regulatory Requirements
- Laws and Ethics
- Timeline of U.S. laws related to Information Security
- The Federal Information Security Management Act (FISMA)
- Obama Executive orders – Critical Infrastructure
- SOX
- FFIEC
- Data Protection
- Role of Law enforcement
- Investigation
Assignment: Read Chapter 12. Written assignment: Page 485, answer Review Questions 4-6, 10, 11, 14-18.

Week 14 – 11/28/2016
Content: The future of Information Security
- Key future uncertainties
- Possible future scenarios
- Careers in Information Security
- Certifications (ISACA, ISC2, SANS, etc.)
- Advice on Security Careers
- Your next steps (conversation on areas of interest)
Assignment: Written assignment: Write a job description for an Information Security position that you would see yourself in 5 years from now, and a short essay on the training and experience you would require in order to obtain that position.

Week 15 – 12/5/2016
Content: Individual Term Papers Due. Individual Presentations. Final.
Assignment: Individual Term Papers Due.