Kho Hc Pht Trin

Bo V Thng Tin
Trm An Ninh
Nguyn Tc C Bn
iu Lut
H Thng An Ninh
Thng Bo
on Th
K Ton

 Using Modules to Create your Own Course

Revised Sunday, August 19, 1990

Revised August 28, 2000 



Corey D. Schou

National Information Assurance Training and Education

Simplot Decision Support Center

College of Business

Idaho State University

208 282 3194




This section shows the instructor how to use these materials to create a custom course based on the contents of the Information Security Modules. This principle can be used for both University and industrial courses

Creating Information Security Courses

 Since Information Security is a developing discipline in the academic community, there are few academicians who have experience teaching courses in the area. As stated earlier, these modules have been designed to supplement other courses in the curriculum; an additional use of these modules is to guide the instructor in the creation of a custom course at the undergraduate level.

 By using the components of the modules separately, the instructor can tailor the course to his particular expertise. Among the authors of these modules there are individuals with backgrounds in Computer Science, Information Science, Mathematics, Management, Accounting, and even International Law. Each of us teach our Information Security Courses with an individual focus.

 There is a total of up to 87 hours of instructional material contained in these modules. The breakdown is:

 Introduction to Information Protection   

 5 hours

PC/Workstation Security   

 4.5 hours

Security Fundamentals   

 12 hours

Laws and Legislation   

 9 hours

System Security   

 15 hours

Communications Security   

 7 hours

Corporate Security Management.   

 17 hours

Introduction to Accounting Controls and EDP Auditing   

 18 hours

Since the materials were designed with redundancy, many of the components of the modules overlap. Frequently, the overlap represents a level of detail rather than a difference in content.

Course 1 for Accountants

For example, an Information Security course for accounting students might be composed of:

Module and Content Time

Part I of Module One

 Information as a corporate resource

 2 hour

Part 1 of Module Two


 1 hour

Part 2 of Module Three

 Organizational Policies and Procedures

 1 hour

Part 10 of Module Three

 Costs and Benefits

 1 hour

Part 2 of Module Four

 Laws as tools for computer security

 3 hours

Part 3 of Module Four

 Laws as legal options for control

 4 hours

Part 6 of Module Five

 Protection Planning

 5 hours

Part 2 of Module Six


 2 hours

Part 8 of Module Seven

Computer Security Checklist

 5 hours

Module Eight

 All of module Eight

 18 hours


This represents as much as 42 hours of classroom instructional time. This forms the core of material for the course. It is expected that the faculty will introduce other material that is specific to his area of expertise.

Course 2 Legal Focuws


Module and Content Time

Part I of Module One

Information as a corporate resource

 2 hour

Part 1 of Module Two


 1 hour

Part 2 of Module Three 

Organizational Policies and Procedures

 1 hour

Part 4 of Module Three   

Personnel Security

 1 hour

Part 1 of Module Four   

The Underlying Problem

 3 hours

Part 2 of Module Four   

Laws as tools for computer security

 3 hours

Part 3 of Module Four   

Laws as legal options for control

 4 hours

Part 6 of Module Five   

Protection Planning

 5 hours

Part 2 of Module Five   

Security Requirements

 3 hours

Part 5 of Module Five   

Data Life Cycle

 2 hours

Part 8 of Module Seven   

Computer Security Checklist

 5 hours

Part 2 of Module Eight   


 1 hour

Part 4 of Module Eight   

General Internal Controls

 2 hours

Part 11 of Module Eight   


 3 hours

 This represents approximately 36 hours of classroom instructional time. This forms the core of material for the course. It is expected that the faculty will introduce other material that is specific to his area of expertise.

 If you have suggestion for improvement or chose to use this technique, please send your suggestions or a copy of your course syllabus to;

Corey D. Schou

Associate Dean, Collgege of Business

Professor, Computer Information Systems

P.O. Box 4043

Pocatello, Idaho


 Each summer, we will compile these teaching materials, and distribute them to interested parties.

Topic Outline
Introduction to Information Protection


I. Information As A Corporate Resource 2 Hour

    A. Security As Part Of The Total Organization    

    B. Understanding The Organization

    C. Identifying Sensitive Data

    D. Controlled Sharing Of Information And Resources

II. Basic Security Problems 1 Hour

    A. Natural Disasters

    B. Accidental Problems

    C. Malicious Threats

III. Ethical Issues 1 Hour

    A. Ethics And Responsible Decision-Making

    B Confidentiality & Privacy

    C. Piracy

    D. Fraud & Misuse

    E. Liability

    F. Patent And Copyright Law

    G. Trade Secrets

    H. Sabotage

IV. Major Areas Of Information Systems Study 1 Hour

    A. PC/Workstation Security

    B. Security Fundamentals

    C. Information Security Laws And Legislation

    D. System Security

    E. Communications Security

    F. Corporate Security Management


Topic Outline

PC/Workstation Security

 I. Ethical Use Of The Computer 1 Hour

II. Computer Room Environment. 1 Hour

    A. Temperature

    B. Foreign Materials

    C. Radio Frequency Interference (RFI)

    D. Power Surges And Brownouts

III. Physical Security 1 Hour

    A. Location And Construction

    B. Computer Room Access

    C. Physical Control

IV. Data Security 1 Hour

    A. Software Control

    B. Backup Procedures

    C. Recovery Techniques

    D. Data Encryption And Access Control

V. Security Training 0.5 Hour


Topic Outline 
Security Fundamentals

 I. Planning 2 Hours

    A. Security As Part Of The Total Organization

    B. Understanding The Organization

    C. Identifying Sensitive Data

    D. Controlled Sharing Of Information And Resources

    E. Specific Needs

    F. Analysis And Design

II. Organizational Policies And Procedures 1 Hour

    A. Scope Of Security Mechanisms

    B. Basic Goals

        1. Prevention

        2. Deterrence

        3. Containment

        4. Detection

        5. Recovery

    C. Written Management Policies & Procedures

III. Ethics And Professionalism 2 Hour

    A. Ethics

        1. Ethics And Responsible Decision-Making

        2. Confidentiality & Privacy

        3. Piracy

        4. Fraud & Misuse

        5. Liability

        6. Patent And Copyright Law

        7. Trade Secrets

        8. Sabotage

    B. Laws And Legislation

    C. Professionalism

        1. The Computer Security Institute

        2. Computer Professionals For Social Responsibility

        3. Data Processing Management Association

        4. Security Management Magazine

        5. Licensing And Certification

            A. Institute For Certification Of Computer Professionals

            B. IISSCC (ISC2)

IV. Personnel Security 1 Hour

    A. Hiring Practices

    B. Training

    C. Access Rights And Privileges

    D. Rules For Granting And Revoking Privileges

    E. Separation Of Privileges And Roles

    F. Adverse Actions

    G. Termination Practices

V. Physical Security 1 Hour

    A. Location

        1. Access Versus Security

        2. Rooms, Doors, Windows, Keys

    B. Environment

        1 Radio Frequency Interference [RFI]

        2 Cooling

        3 Cabling

        4. Power

VI. System Security 1 Hour

    A. PC & Workstations

    B. Database

    C. Networks And Communications

    D. Operating Systems

    E. Application Software

    F. Systems Security

    G. Systems Architecture

    H. Audit And Control

    I. Corporate Security Management

VII. Threats And Vulnerability. 1 Hour

    A. Natural Disasters

        1. Fire

        2. Flood

        3. Brown-Outs

        4. Lightning

    B. Accidental Acts (Threats)

        1. Disclosure Of Data

        2. Modification/Destruction Of Data

        3. Faulty Software

        4. Residual Data

        5. Wrong Parameters

    C. Malicious Acts (Threats)

        1. Trap Doors

        2. Trojan Horse

        3. Tampering

        4. Snooping Or Browsing

        5. Intentional Disclosure Of Data

        6. Viruses

    D. Locus Of Attack

        1. Terminals

        2. Hosts

        3. Front-Ends

        4. Gateways

        5. Links

        6. Packet-Switches

        7. PC/Workstations

VIII. Data Security And Recovery 1 Hour

IX. Control And Audit 1 Hour

X. Costs And Benefits 1 Hour

    A. Accessibility Versus Secrecy

    B. Costs

        1. Money And Time For Development, Installation, Procurement, And Maintenance Of Security Measures

        2. Special Skills

        3. Performance

        4. Productivity

        5. Training Time

        6. Compatibility - Of Equipment, Procedures,

    C. Benefits

        1. Precise Definition Of Requirements

        2. Value Of Information

        3. Peace Of Mind

        4. Productivity

        5. Protection From Legal Liability

        6. Protection From Loss Of Control Of Assets/Company

        7. Good-Will

        8. Privacy


Topic Outline 
Laws And Legislation


I. The Underlying Problem 1 - 2 Hours

    A. Theft Of Hardware And Data

    B. Fraud

    C. Physical Abuse

    D. Misuse Of Information And Privacy Issues

    E. Issues Of Adjudication And Regulation

II. Laws As Tools For Computer Security 1 - 3 Hours

    A. Privacy Laws And Legislation

    B. Intellectual Property Laws

        1. Trade Secrets Law

        2. Patent Law

        3. Copyright Law

        4. Trademark Law

    C. Federal Laws

    D. State Statutes

    E. DPMA Model Computer Crime Bill

III. Laws As Legal Options For Control 1 - 4 Hours

    A. License Agreements

    B. Intellectual Property Laws, (Trade Secrets, Patents, Copyright And Trademarks)

    C. Employee Non-Disclosure Considerations

    D. Contracts

    E. Warranties For Software And Hardware


Topic Outline 
System Security

I. Overview 1 Hours

    A. Definitions

    B. Background

        1. Identifying Sensitive Systems

        2. Developing A Security Program And Plan, And

        3. Training Appropriate People Concerned With Both

Development And Operation Of Systems

    C. Management Responsibility

II. System Sensitivity 2 Hours

    A. Criticality

    B. Sensitivity

    C. Source Of Sensitivity Information

    D. Level Of Sensitivity

III. Security Requirements. 3 Hours

    A. Security Policy

    B. Accountability

    C. Assurance

        1. Architecture

        2. Integrity

        3. Testing

        4. Specification/Verification

        5. Facility Management

        6. Configuration Control

        7. Disaster Recovery Or Contingency Planning

        8. Compliance

IV. Levels Of Security 2 Hours

V.  Data Life Cycle. 2 Hours

    A. Retention Policy

    B. Destruction Policy

VI. Protection Planning 2 - 5 Hours

    A. System Description

        1. The Physical Location Of The Equipment

        2. Types Of Data And Information

        3. Classification Level

        4. Duration And Importance Of MIS Activity

        5. Equipment Location

        6. Equipment Description By Name And Model Number

        7. Security Officers

        8. Data Processing Terms

        9. System Integrity Study

    B. MIS Security

    C. Communications Security

    D. Information Security

    E. Personnel Security

    F. Physical Security

    G. Contingency Plans


Topic Outline 
Communications Security


I. Overview 1 Hours

    A. Brief Review Of The Concepts Of Protection In Data Communication

Systems And Networks From A Management Perspective

        1. Systems Objectives: Controlled Sharing Of Information And Resources.

        2. Specific Needs: Privacy, Secrecy, Integrity And Availability.

        3. Policies And Mechanisms.

        4. Assets: Identification Of Valuable/ Sensitive Data And Information.

        5. Threats And Vulnerability. 

    B. The Interrelationship Of Communications Security And Network Security For Interconnected Elements:

        1. Systems Connectivity

        2. Public/Private Carriers

        3. Relationship To Reliability And Dependability

II. Threats 2 Hours

    A. Types Of Attacks/Failures

        1. Passive Intrusion

            A. Disclosure Of Message Contents

            B. Traffic Analysis

            C. Disclosure Of Data On Network Users

        2. Active Intrusion

            A. Modification Or Deletion Of Message Contents

            B. Insertion Of Bogus Messages

            C. Replay Or Reordering Of Messages

            D. Viruses

        3. Natural Disasters/Catastrophes/Sabotage

            A. Human Errors

            B. Fires, Floods, Brown-Outs.

    B. Locus Of Attack/Failure

        1. Terminals

        2. Hosts

        3. Front-Ends

        4. Gateways

        5. Links

        6. Switches (Includes Multiplexer, Intermediate Nodes)

        7. Interconnected PC/Workstations (Includes LAN, Host-PC Etc.)

III. Countermeasures 2 Hours

    A. Encryption

        1. Private-Key And Public-Key Systems - Des And RSA As Examples

        2. Key Distribution

        3. Link Level And End-To-End

    B. Authentication

        1. Node And User Authentication

        2. Passwords

        3. Message Authentication

        4. Encryption-Based

        5. Added Protection For PC Authentication Date

    C. Access Control

        1. Access Control Mechanisms-Control Lists And Passwords

        2. Administration

    D. Contingency Planning

IV. Tradeoffs - Costs And Benefits 2 Hour


Topic Outline

Corporate Security Management


I. Overview 1 Hour

II. Development Of Security Program. 3 Hours

    A. Objectives

    B. Policies

    C. Connectivity, Corporate Structure, And Security

        1. Connectivity Defined

        2. Affect On Corporate Structure

        3. Security Considerations

    D. Plans

    E. Responsibilities

III. Risk Analysis 2 Hour

IV. Contingency Planning 3 Hour

V. Legal Issues For Managers 1 Hour

    A. Licenses

    B. Fraud/Misuse

    C. Privacy

    D. Copyright

    E. Trade Secrets

    F. Employee Agreements

VI. System Validation & Verification (Accreditation)1 Hour

VII. Information Systems Audit 1 Hour

VIII. Computer Security Checklist. 5 Hours

    A. General Information

    B. General Security

    C. Fire Risk And Water Damage Analysis

    D. Air Conditioning Systems

    E. Electrical System

    F. Natural Disasters

    G. Backup Systems

    H. Access Control

    I. System Utilization

    J. System Operation

    K. Software

    L. Hardware

    M. File Security

    N. Data File Standards

    O. Shared Resource Systems Security


Topic Outline

Introduction To Accounting Controls And EDP Auditing

I. Goals. 1 Hour

    A. Role Of The Accountant

    B. Asset Safety

        1. Organizational Asset

        2. Computer Resource Abuses

        3. Value Of Systems

            A. Hardware

            B. Software

            C. Personnel

            D. Operating Systems

            E. Application Systems

            F. Data

            G. Facilities

            H. Supplies

        4. Proprietary And Private Data

    C. Data Integrity

        1. Pervasiveness Of Errors

        2. Individual Decisions

    D. System Effectiveness

        1. Decision Making Value

        2. Timeliness

        3. Support For Competitive Advantage

    E. System Efficiency

        1. Proper Uses Of Systems And Components

        2. Misallocation Of Resources

            a. Theft

            b. Destruction

                1)Physical Acts Of Nature

                2)Physical Acts Of Persons

            c. Disruption Of Service




            d. Unauthorized Changes

II. Roles. 1 Hour

    A. Management

        1. Top Management

        2. Middle Management

        3. Entry-Level Management

    B. Information Systems Professionals

        1. MIS Orientation

        2. Data Processing Orientation

    C. Internal Auditors

    D. External Auditors

    E. Management Controls

III. Systems Cycle. 1 Hour

     A. Auditor's Involvement

            1. Concurrent Participation

            2. Ex Post Review

            3. Phases And Concerns

    B. Alternative Models

            1. Traditional

            2. Prototype

            3. Socio-technical

    C. Differences In Internal And External Auditors'

    D. End-User Developed Systems

IV. General Internal Controls 2 Hours

    A. Segregation Of Duties

    B. Proper Delegation Of Authority

    C. Competent Personnel

    D. Authorization System

    E. Documentation

    F. Physical Controls

    G. Supervision

    H. Accountability

V. Access Controls 1 Hour 

    A. Strengths And Weakness

    B. Encryption

    C. Personalized Access

        1. Cards And PINS

        2. Physical Identifiers

    D. Audit Trails

        1. Accounting

            a. User Identities

            b. Validation Routines Used

            c. Access And Usage Desired

            d. Physical Location Of Originating Site

            e. Session Times And Dates

            f. Access Methods And Number Of Tries

            g. Results Of Access: Authorized Or Rejected

        2. Operations

VI. Input Controls 2 Hours

    A. Data

        1. Preparation

            a. Conversion To Machine-Readable

            b. Prepare Totals

            c. Human Scanning As Quality Control

            d. Verification

        2. Gathering

            a. Paper-Based

            b. Machine-Based

            c. Mixture

        3. Review

            a. Components

            b. Design

                1)What Data To Gather,

                2)How To Gather Data,

                3)Who Will Gather The Data,

                4)When Will The Data Be Gathered, And

                5)How The Data Will Be Handled, Retained, And Used

        4. Controls

            a. Hash Totals

            b. Financial

            c. Document Counts

    B. Validation

        1. Online

        2. Batch

        3. Lexical

        4. Semantic

        5. Syntactic

        6. Corrections

    C. Error Controls

        1. Error Report

        2. Field Checks

        3. Record Checks

        4. Batch Checks

        5. File Checks

VII. Communications Controls 1 Hour

    A. Risks

        1. Reliability

        2. Unauthorized Uses And Abuses

        3. Errors

    B. Technical Failure

        1. Communications

        2. Hardware

        3. Software

        4 .Personnel

    C. Terrorism And Other Overt Threats

        1. Aggressive

            a. Insertion

            b. Deletion

            c. Modification

            d. Intervention

        2. Non-Intrusive

            a. Note Or File Sending

            b. Monitoring Activities

        3. Controls

            a. Audit Trail

            b. Operations Audit Trail

VIII. Processing Controls 1 Hour

    A. CPU Controls

        1. Instruction Set Check

        2. Status Check

            a. Kernel

            b. Supervisor

            b. Problem

    B. Memory Controls

        1 Physical

        2 Access

        3. Virtual

    C. Systems

        1. Operating

            a. Protected From Users

            b. Insulated From Its Environment

            c. Users Isolated From Each Other

            d. Examples

        2. Application

            a. Validation Reviews

            b. Programming Reviews

            b. Interfaces Among Programs/Routines

        3. Audit Controls

IX. Database Controls 2 Hours

    A. Access To Levels

        1. Name

        2. Content

        3. Context

        4. History

    B. Application Oversight

        1. Update Policy

        2. Reporting Procedures

    C. Concurrency

        1. Replication

        2. Partitioning

        3. Priorities

    D. Encryption

        1. Transportability

        2. Personalized

        3. Multiple Levels Of Access

    E. Physical Security

        1. Access

        2. File Protection

        3. Data Base Administrator (DBA)

        4. Backup

    F. Audit Controls

X. Output Controls 1 Hour

    A. Production

        1. Online

        2. Off-line

        3. Ad Hoc

    B. Distribution

        1. Physical Requirements

        2. Control

    C. Presentation

        1. Content

        2. Physical Form

        3. Format

        4. Layout

        5. Time Aspects

    D. Interpretation

        1. Availability

        2. Warning System For Further Information

XI. Evidence 3 Hours

     A. Needs

        1. Assess Quality Of Data

        2. Evaluate Processes

        3. Review Existence Of Processes And Data

        4. Initial Review

            a. Analytical Review

            b. Statistical Analysis

            c. Spreadsheet

            d. Expert Systems Or Decision Support Systems

    B. Limitations

        1. Often After The Fact

        2. Constrained To Extent Of Generalized Audit Software (Gas)

    C. Generalized Audit Software

        1. Parallel Simulation

        2. Integrated Test Facility

        3. File And Record Extraction

    D. Specialized Audit Software

        1. Industry Specific

        2. Configuration Specific

        3. Potential To Be More Efficient

        4. Less Flexible Than Gas

    E. Concurrent Techniques

        1. Concurrent Integrated Test Facility

        2. Simulations

            a. Continuous

            b. Intermittent

        3. System Control Audit Review File (Scarf)

    F. Human Techniques

        1. Interviews

            a. Preparation

            b. Observation

            c. Evaluation

        2. Questionnaires

            a. Determine Objectives

            b. Plan Questions

            c. Test

            d. Deliver

            e. Analyze

        3. Observation

            a. Work As Participant

            b. Unobtrusive

    G. Flowcharts

        1. Document

        2. Data Flow

        3. Systems

        4. Programs

    H. Machine Techniques

        1. Hardware Monitors

            a. Tracks Activity

            b. Analyzes Activity

        2. Software Monitors

            a. Internal To System

            b. Particular Transaction Versus Sampling

            c. Analyzes Activity

XII. Integration 2 Hours

    A. Asset Safety

        1. Measurement

            a. Qualitative


                2)Risk Matrix

            b. Quantitative

                1)Expected Dollar Loss Versus Cost Of Controls

                2)Expected Time Loss

            2. Cost-Benefit

    B. Data Integrity

        1. Measurement

            A. Qualitative

            B. Quantitative

        2. Cost-Benefit

    C. System Effectiveness

        1. Objectives

            a. Goals Of Firm

            b. Usage

            c. Types Of Usage

            d. User Satisfaction

            e. Technical



                3)Degree Of Independence Of Components Of System

        2. Judgment

        3. Overall Evaluation

    D. System Efficiency

        1. Objectives

        2. Indicators

            a. Workload Monitors

            b. Systems Checks

        3. Overall Evaluation

    E. Summary

        1. Qualitative

            a. Collect All Items

            b. Think

        2. Quantitative

            a. Financial Or Business Terms

            b. Sensitivity To Assumptions

        3. Judgment Group Decision Making and Experience Transfer