ITSY2300 InfoSecCurriculumModel

[DRAFT]
A Model Curriculum
A Modelfor Programs
Curriculum of Study
for Programs of Study
in and Assurance
in Information Security
Information Security and Assurance

v. 3.0 May 2005
[DRAFT]
Michael E. Whitman, Ph.D., CISSP

Herbert J. Mattord, CISSP
Kennesaw State University
1000 Chastain Rd. MS 1101
Kennesaw, GA 30114
(770) 423-6005
mwhitman@kennesaw.edu
hmattord@kennesaw.edu
*A limited use license is granted to adopt parts of this curriculum for use in your institution. Specific
permission is required to reproduced or republish this content. Contact the authors for additional details.
A (Draft) Model Curriculum for Programs of Study in Information Security and Assurance
A (Draft) Model Curriculum for Programs of Study

in Information Security and Assurance
Note: Kennesaw State University was designated a National Center of
Academic Excellence in Information Assurance Education by the National
Security Agency and the Department of Homeland Security in April 2004.
Table of Contents
Introduction..................................................................................................................................... 5
Statement of the Problem................................................................................................................ 5
Goals and Objectives ...................................................................................................................... 7
Approaches to Implementing Information Security Curricula ................................................... 7
Preliminary Work Completed ......................................................................................................... 9
Information Security Position and Roles .................................................................................... 9
CISO ..................................................................................................................................... 10
Security Managers ................................................................................................................ 10
Security Administrators and Analysts .................................................................................. 10
Security Technicians............................................................................................................. 10
Security Staffer or Watchstander .......................................................................................... 11
Information Security Professional Certifications...................................................................... 11
Certified Information Systems Security Professional (CISSP) and Systems Security
Certified Practitioner (SSCP)................................................................................................ 11
Global Information Assurance Certification (GIAC) ........................................................... 13
Security Certified Professional ............................................................................................. 14
Security + .............................................................................................................................. 14
Certified Information Systems Auditor (CISA) and Certified Information Security Manager
(CISM) .................................................................................................................................. 15
Certified Information Systems Forensics Investigator ......................................................... 15
Established Standards, Models And Practices .......................................................................... 16
ISO 17799/BS 7799 .............................................................................................................. 17
Mapping Positions and Roles to Knowledge Areas.................................................................. 20
Mapping the CISSP Common Body of Knowledge ................................................................. 20
NSTISSC Training Standards ............................................................................................... 22
Defining the Focus of the Program........................................................................................... 23
Managerial InfoSec Program ................................................................................................ 23
Technical InfoSec Program................................................................................................... 23
Balanced InfoSec Program ................................................................................................... 24
Levels of Mastery ..................................................................................................................... 24
Determining Numbers of Courses Needed ............................................................................... 25
Mapping Mastery Depth to Courses ......................................................................................... 25
Pilot study ..................................................................................................................................... 29
Principles of Information Security & Assurance. ..................................................................... 29
Technical Applications in Information Security & Assurance. ................................................ 30
© 2005 Kennesaw State University Center for Information Security Education 2

(http://infosec.kennesaw.edu / infosec@kenneaw.edu)
The Draft Curriculum Model ........................................................................................................ 31

Implementation of the Draft Curriculum Model....................................................................... 32
Number of Course the Institution can Implement in InfoSec ............................................... 33
Some suggestions based on institutional intent could be as follows: ....................................... 33
Certificate in Information Security and Assurance (ISA)......................................................... 35
ISA 3100 Principles of Information Security and Assurance............................................... 38
ISA 3200 – Technical Applications in Information Security and Assurance....................... 48
ISA 3300 Policy and Administration in Information Security and Assurance.................... 55
Project Presentations............................................................................................................. 57
Next Step: Bachelor of Science in Information Security and Assurance ..................................... 63
Program Objectives................................................................................................................... 63
General Program Learning Objectives ................................................................................ 63
Specific Program Learning Objectives................................................................................. 64
Major Electives ..................................................................................................................... 69
Business Electives:................................................................................................................ 69
Criminal Justice Electives: ................................................................................................... 69
CSIS Electives:...................................................................................................................... 69
Information Security Electives:............................................................................................. 70
Information Technology Electives: ....................................................................................... 70
Sample Programs of Study........................................................................................................ 71
Development of the Degree Program ..................................................................................... 104
Development of the BS-ISA was an arduous, drawn-out project. It actually began in 2001,
when we drafted the Certificate in ISA. In fact, when I proposed the ISA Certificate, I
intentionally used a separate prefix (ISA) instead of the department standard (CSIS) to prepare
for the eventuality of a degree. Shortly after the certificate was implemented I pulled up the
overview of our BS in Information Systems and mused as to what a BS in ISA would look
like. I then put it back on the shelf to collect dust, as I really did not expect to be able to
pursue it further. When Herb Mattord came on board as a full time faculty member, he
declared his mission to see the BS-ISA come to fruition. With the success of the Certificate –
some 30+ certificates issued in just over 2 years, and with constantly full ISA classes,
eventually the other faculty in the department began to agree with us that perhaps an
additional major would be a good idea. At the time the department had close to 1400 majors
in its four degree programs - BS in IS and CS, and MS in IS and CS................................... 104
Textbooks used in the program:.............................................................................................. 106
ISA 3100: Principles of Information Security and Assurance, (Intro to InfoSec).............. 106
1. Introduction to Information Security .............................................................................. 106
2. The Need for Security..................................................................................................... 106
3. Legal, Ethical, and Professional Issues in Information Security .................................... 106
4. Risk Management ........................................................................................................... 106
5. Planning for Security ...................................................................................................... 106
6. Security Technology: Firewalls and VPNs..................................................................... 106
7. Security Technology: Intrusion Detection, Access Control, and Other Security Tools . 106
8. Cryptography .................................................................................................................. 106
9. Physical Security............................................................................................................. 106
10. Implementing Information Security.............................................................................. 106
11. Security and Personnel.................................................................................................. 106

12. Information Security Maintenance ............................................................................... 106

ISA 3200: Applications in Information Security and Assurance (Technical InfoSec)....... 107
ISA 3300: Policy and Administration in Information Security and Assurance (Management
of InfoSec) .......................................................................................................................... 107
ISA 3350: Computer Forensics........................................................................................... 108
CSIS 3550: Unix Security and Administration................................................................... 109
Lab Manual used for a variety of ISA courses: .................................................................. 109
Revision of Pilot Model .......................................................................................................... 111
Broader Impacts of This Proposal........................................................................................... 111
Evaluation Plan ....................................................................................................................... 111
Academic Information Security Peer Review..................................................................... 112
External Practitioner Review. ............................................................................................. 112
DISSEMINATION ................................................................................................................. 112
1) Proceedings of the upcoming academic conferences.................................................. 112
2) Inclusion in PIs’ texts.................................................................................................. 112
3) Course University and Working Connections Series. .................................................... 112
4) Publication through Educational Portals: ...................................................................... 112
5) Posting on Regional Security Web Sites. ................................................................... 113
6) Recognition through NSA........................................................................................... 113
7) Publication in regional and national venues. ................................................................. 113
How you can help ....................................................................................................................... 113
Appendix: Information Security Curriculum Development Procedures and Forms for use at
your institution:........................................................................................................................... 115
I. Determine interest, scope and intent of the program. ..................................................... 115
II. Determine stakeholder interest and guidance. ................................................................ 115
III. Form the curriculum development committee............................................................ 115
IV. Map desired positions to knowledge areas. ................................................................ 115
V. Discuss the following constraints on the program.......................................................... 117
VI. Define program objectives......................................................................................... 119
VII. Determine the level of mastery desired in the program.............................................. 120
VIII. Determine the number of courses to offer. ................................................................. 122
IX. Determine the Prerequisite knowledge areas necessary to support the desired classes.
124
X. Develop specific course learning objectives................................................................... 125
XI. Define laboratory components and required resources............................................... 125
XII. Pilot test key courses................................................................................................... 125
XIII. Refine and revise as needed........................................................................................ 125

Introduction
Greetings! We would like to take this opportunity to thank you for allowing us to share our
lessons learned in the development of Information Security Curriculum. As part of our ongoing
commitment to Information Security education, we have decided to formally compile our
information into a single packet and provide it to any who seek it, without any requirements,
associated costs or restrictions. As a courtesy we would like to ask that if you like what you see,
and would like to adopt the contents in whole or in part, that you send us a letter indicating your
intent. This is to allow us to maintain a contact within institutions that are adopting our
curriculum and to gather feedback on its feasibility and use. This document begins with pieces
of the overall curriculum model as defined in an NSF proposal. We then continue through a
discussion of the specific courses and programs implemented at Kennesaw State University,
along with accompanying course materials. We then conclude with the intended next steps in the
development of this curriculum. We invite you to participate in this process by forwarding
suggestions, constructive criticisms, and ideas to us at the address above or by email to
mwhitman@kennesaw.edu.
The following sections overview our experiences and findings in developing security curriculum.
At the end of this discussion an abbreviated copy of our methodology is repeated with blank
worksheet so that you may duplicate our process yourself.
Statement of the Problem

One of the continuing challenges facing society is the security and protection of information
assets. Advances in information security (InfoSec) have been unable to keep pace with advances
in computing in general [1]. Daily, press accounts of dramatic computer theft, fraud and abuse
are reported as leading to extensive economic loss. Recent attacks on the American IT
Infrastructure have highlighted the need for information security [2]. The 2003 CSI/FBI
Computer Security survey found 92% of respondents detected computer security breaches within
the last year and 75% reported financial losses due to these computer breaches [3]. According
to Dr. Joseph Bordogna, Deputy Director, National Science Foundation in remarks at a June
2002 NSF Workshop “The events of September 11 only accelerated longstanding concerns about
the threat of cyberterrorism and the vulnerability of the nation’s information systems and
communications networks […] Questions about the adequacy of the U.S. science, engineering,
and technology workforce are also rising to a chorus. Reported shortages of skilled workers in
the IT sector are only one example. The need we all recognize, for a cadre of professions in
computer security and information assurance, is right at the top of the list” [4].
Education in information security prepares IT students to recognize and combat information

system threats and vulnerabilities [5]. The article “Integrating Security into the Curriculum”
argues “an educational system that cultivates an appropriate knowledge of computer security will
increase the likelihood that the next generation of IT workers will have the background needed to
design and develop systems that are engineered to be reliable and secure” [6]. The need is so
great that the President of the US issued Presidential Decision Directive 63, the Policy on
Critical Infrastructure Protection in May 1998, which prompted the National Security Agency to
established outreach programs like the Centers of Academic Excellence in Information

Assurance Education (CAEIAE). This program’s goal is “to reduce vulnerabilities in our
National Information Infrastructure by promoting higher education in information assurance, and
producing a growing number of professionals with IA expertise” [7]. According to the US
Government document The National Strategy to Secure Cyberspace, “Education and outreach
play an important role in making users and operators of cyberspace sensitive to security needs.
These activities are an important part of the solution for almost all of the issues discussed in the
National Strategy to Secure Cyberspace” [8].
There are two dominant technology curriculum guidelines currently in use. The first is the
ABET-CAC accreditation standards. The IS version of the standard specifies the need for an IS
Environment: “15 semester hours which must be a cohesive body of knowledge to prepare the
student to function effectively as an IS professional in the IS environment as well as 12 semester
hours of advanced IS coursework” [20]. The CS standard similarly provides for 16 hours of
advanced CS course work. These courses could be used for InfoSec courses or programs.
The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for
Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest
professional technology organizations: Association for Computing Machinery (ACM),
Association for Information Systems (AIS) and Association for Information Technology
Professional (AITP). “IS 2002 is a model curriculum for undergraduate degree programs in
Information Systems… and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an
academic field, encompasses two broad areas: (1) acquisition, deployment, and management of
information technology resources and services (the IS function); and (2) development and
evolution of technology infrastructures and systems for use in organizational processes (systems
development). It also includes a detailed set of course descriptions and advice to [those] who
have a stake in the achievement of quality IS degree programs” [21]. The IS 2002 guiding
principles have been adopted and revised for this curriculum model development:
“1) The model curriculum should represent a consensus from the InfoSec community. 2) The
model curriculum should be designed to help InfoSec faculty produce competent and confident
entry level graduates well suited to work-place responsibilities. 3) The model curriculum should
guide but not prescribe. Using the model curriculum guidelines, faculty can design their own
courses. 4) The model curriculum should be based on sound educational methodologies and
make appropriate recommendations for consideration by InfoSec faculty. 5) The model
curriculum should be flexible and adaptable to most IS/CS programs” [21].
Existing courses have been predominantly designed for graduate-level coursework [9,10], for
computer science and engineering specific programs [5,11,24], or as pure practitioner-level
training programs [12,13,14]. Even established curriculum bodies, like the Association for
Computing Machinery (ACM) and the Accreditation Board for Engineering and Technology –
Computing Accreditation Council (ABET-CAC), do not have formal models established for
curriculum in Information Security at the four-year level. The only recommendation that does
exist resulted from a workshop sponsored by the NSF and the American Association of
Community Colleges, resulting in the draft recommendation Protecting Information: the Role of
Community Colleges in Cybersecurity Education [15]. This report serves as both a starting point
for two-year institutions and as a reference for this project. The report provides details for
community colleges to design curriculum focused on providing technical skills through training

for the security technician, and hinges on the role of certification as an assessment tool. While
supportive of the two-year institution’s mission, this level of approach is inadequate for the
mission of the four-year institution. The proposed model is designed to allow undergraduate
Information Systems (IS) and Computer Science (CS) majors to move toward career fields that
include and evolve through technical knowledge areas and into the management of information
security, an area not addressed at the two-year level.
Goals and Objectives

This project is designed to increase the quality of baccalaureate-level information security
education by creating a curriculum model in information security that provides students with
technical and managerial skills needed for the IT workforce. The curriculum can be adopted by
other institutions with undergraduate technology degree programs as individual courses, minors
or concentrations in information security. It is intended to provide adopters of the curriculum
with the means to deliver a quality education with breadth and depth of the information security
common body of knowledge. The curriculum will adapt current national standards for security
training. Standards for training programs do presently exist, but there are no baccalaureate
education models. The closest work available to support a standardized baccalaureate curriculum
is in The Role of Community Colleges described earlier. There is a clear lack of managerial and
administrative education that this project will identify and develop.
Approaches to Implementing Information Security Curricula

There are five approaches to implementing information security curricula:
1. Elements added to existing courses. In this option, a number of existing courses can have an
information security module added to reinforce the need to address information security at all
junctures of organizational effort. This is a preferred technique and can be used in
conjunction with other approaches. It is important to thread information security through a
course, rather than adding it as a single module at the end. The following table provides
examples of how information security could be integrated in existing courses.
Existing Course Information Security Topics

Programming Principles Secure programming techniques
Applied cryptography
Networking/ Network security principles
Data Communications Use of security tools (firewalls, IDS systems)
Systems Analysis & Creating secure systems by design
Design
Database Principles Developing secure database structures
Security tools for data management
Privacy topics
Operating Systems Configuration management

2. Elements added to a capstone course or courses. In this second approach to adding security
content, specific modules are added to specific capstone experiences or courses. In our
program for example students have two classes that represent their capstone experience. In
the first, they are exposed to strategic policy and planning in IT, and presented with a number
of guest speakers on various topics. In the second they are required to develop a system to
solve a business problem, incorporating all aspects of learning to that point including
database, data communications, programming, project management etc. By addressing
strategic Information Security planning in the first course and having at least one speaker on
an InfoSec topic, we integrate security into this course. By requiring the student teams to
demonstrate how they used secure development techniques in the second we reinforce the
concepts there.
3. Independent information security courses. The third approach to implementing information

security is to create single security courses. This is the approach most commonly used today.
Many programs develop one or two classes in security. Unfortunately many of the classes
labeled as security classes fail to address the overall comprehensive breadth and scope of
what is information security. A class in theoretical cryptography, while interesting does not
provide much value to an information security professional-to-be. This requires faculty to
develop courses in the manner described in detail the subsequent sections, rather than
implementing classes “that would be fun to teach.” Also indicated in subsequent sections are
suggestions for topics and components of individual security classes.
4. Information security certificates / minors. Continually increasing in frequency, the fourth

option is to implement a cohesive set of classes, under the title of minor, concentration,
specialization, or certificate. This requires detailed planning based on the desired focus and
outcome of the program. In our case, we made a conscious decision to focus more on
managerial information security, and less on technical information security. While we have
courses in the technical arena, the bulk of the foundational courses are on the roles and
responsibilities of an information security professional manager, rather than technical. This
is purely a choice based on our strengths. There are many institutions out there that could,
and should, consider implementing technical programs, if they have the resources and
support to do so.
5. Information security degree programs. In our mind, the ultimate goal for enhanced
information security curriculum is the baccalaureate-level information security program. As
indicated in the statement of the problem, there are several programs in the field that list
bachelors in information security degree. When you take a close look, however it is more of a
concentration or minor. Nothing wrong with that, but it tends to be misleading to the
students. It takes a great deal of effort and support to create enough courses to populate a
program of this magnitude, and even more resources to offer it. It does represent the
pinnacle of InfoSec education at the baccalaureate level.
Which of these approaches should you consider? First one must examine the available
resources, time, faculty, money, technology and student demand. It may help to begin with the
first two approaches and then slowly roll out additional approaches as demand presents itself. Or
just jump in. No pain, no gain.

Preliminary Work Completed

Education is recognized as a critical component to improve information security throughout the
nation [5]. The development of a curriculum model would provide direct benefit to the various
academic, business, and governmental agencies, to support formal education efforts. During the
initial analysis phase, we, the authors, examined existing literature, reviewed other programs of
interest and their implementations. We also examined current and emerging national and
international standards and guidelines for the training of InfoSec professionals [15,17,18],
instructional methods and materials from programs recognized as NSA centers of excellence
across the country [7,19], and general recommendations and constraints from curriculum
supporting organizations such as ACM and ABET.
In developing the curriculum for our pilot project, we used the “Backward Curriculum Design
Process” [22] a well-known approach to curriculum design that begins with the desired outcomes
and goals and works backward to learning objectives grouped into courses. The curriculum
model seeks to answer the following question:
What should an information security person who graduates from a particular

program be qualified to do, and what positions should they expect to be able to
hold?
Information Security Position and Roles

As position descriptions are not sufficiently descriptive of the roles the individuals play in the
information security function, the next step was to identify the roles information security
professionals assume and then map them to the positions an individual should hold. The
following sections are from the text Management of Information Security © 2004 Course
Technology.
A study of information security positions by Schwartz, Erwin, Weafer, and Briney found that
positions can be classified into one of three types: those that define, those that build and those
that administer.
“Definers provide the policies, guidelines and standards…They're the people who
do the consulting and the risk assessment, who develop the product and technical
architectures. These are senior people with a lot of broad knowledge, but often not
a lot of depth. Then you have the builders. They're the real techies, who create
and install security solutions. ... Finally, you have the people who operate and
administrate the security tools, the security monitoring function, and the people
who continuously improve the processes. [...] What I find is we often try to use
the same people for all of these roles. We use builders all the time... If you break
your InfoSec professionals into these three groups, you can recruit them more
efficiently, with the policy people being the more senior people, the builders
being more technical and the operating people being those you can train to do a
specific task” [30].

A typical organization has a number of individuals with information security responsibilities.

While the titles used within any specific organization may be different from one organization to
the next, most of the job functions fit one of the following categories:
• Chief information security officer (CISO)
• Security managers
• Security administrators and analysts
• Security technicians
• Security staffer
CISO
The CISO is primarily responsible for the assessment, management, and implementation of the
program that secures the organization’s information. The CISO may also be called the Manager
for Security, the Security Administrator, or a similar title. The CISO usually reports directly to
the CIO, although in larger organizations one or more layers of management may exist between
the two officers.
Security Managers
Security managers are accountable for the day-to-day operation of the information security
program. They accomplish objectives identified by the CISO, to whom they report as shown in
Figure 5-11, and resolve issues identified by technicians, administrators, analysts, or staffers
whom they supervise. Managing technology requires an understanding of it, but not necessarily a
technical mastery in its configuration, operation, and fault resolution. Within the information
security community, there may be team leaders or project managers responsible for
management-like functions, such as scheduling, setting priorities, or administering any number
of procedural tasks, but who are not necessarily held accountable for making a particular
technology function. The accountability for the actions of others is the hallmark of a true
manager. The accountability found in true management roles can be used to differentiate
between actual managers and other roles that may include the word manager in their job titles but
in fact to not have such accountability.
Security Administrators and Analysts

The security administrator is a hybrid between a security technician (see below) and the security
manager, described in the previous section. These individuals have both technical knowledge and
managerial skill. They are frequently called upon to manage the day-to-day operations of
security technology, as well as assist in the development and conduct of training programs,
policy and the like. The security analyst is a specialized security administrator. In traditional IT,
the security administrator corresponds to a systems administrator or database administrator, and
the security analyst to a systems analyst. The systems analyst, in addition to security
administration duties, also must analyze and design security solutions within a specific domain
(firewall, IDS, antivirus). Systems analysts must be able to identify the users’ needs, as well as
understand the technological complexities and capabilities of the security systems they design.
Security Technicians
Security technicians are the technically qualified individuals who configure firewalls and IDSs,
implement security software, diagnose and troubleshoot problems, and coordinate with systems
and network administrators to ensure that security technology is properly implemented. A

security technician is usually an entry-level position; however, some technical skills are required,
which can make it difficult for those new to the field. It is difficult to get a job without
experience, and experience comes with a job. Just as in networking, security technicians tend to
be specialized, focusing on one major security technology group (firewalls, IDS, servers, routers,
or software), and further specializing in one particular software or hardware package within the
group, like Checkpoint firewalls, Nokia firewalls, or Tripwire IDS. These technologies are
sufficiently complex to warrant a high level of specialization. Security technicians who want to
move up in the corporate hierarchy must expand their technical knowledge horizontally, gaining
an understanding of the general, organizational issues of information security, as well as all
technical areas.
Security Staffer or Watchstander

This is a catchall title that applies to the individuals who perform routine watch standing
activities. It encompasses the people that watch intrusion consoles, monitor e-mail accounts, and
perform other routine-yet-critical roles that support the mission of the information Security
Department.
Why is it important to understand these roles? In order to design curriculum one must
understand what it is you want the student to be able to accomplish upon graduation. In our
curriculum development we use these roles were used as surrogates for positions and mapped to
knowledge areas. Knowledge areas represent the specific knowledge needed for each role, and
when paired with a multi-level mastery model like Bloom’s taxonomy [21], can be used to
identify the level of depth of knowledge for each role. For example, a CISO may need great
breadth of knowledge, but not as much depth of knowledge in an area as a technician would.
The challenge is to completely map and verify the roles, knowledge areas, and levels of mastery
needed. Knowledge areas can be obtained from key indices like certifications [27], and from
training standards and models [28]. Knowledge areas in InfoSec are many and can be very
technical but, there is an agreed upon way to discuss them. Many programs take the short cut
and jump straight to the certifications an information security professional could earn like:
CISSP, SSCP, GIAC, SCP, TruSecure CSA/CSE, Security+, CISA/CISM. However, programs
are hesitant to implement coursework that is focused on a specific applied output. Universities in
general prefer to focus more on the true knowledge areas that these certificates test, rather than
the specifics of these exams. However if we examine the content of some of the key
certifications we can begin to glimpse some of the knowledge areas we would need to integrate
with our coursework. The following excerpt from Management of Information Security provides
additional detail on the leading certifications in Information Security.
Information Security Professional Certifications

Certified Information Systems Security Professional (CISSP) and Systems Security
Certified Practitioner (SSCP)
Considered the most prestigious certifications for security managers and CISOs, the CISSP is
one of two certifications offered by the International Information Systems Security Certification
Consortium (ISC)2 (see http://www.isc2.org). The SSCP is the other. CISSP Certification was
designed to recognize mastery of an international standard for information security and

understanding of a common body of knowledge (CBK). In order to sit for the CISSP exam, the
candidate must possess at least three years of direct full-time security professional work in one or
more of ten domains. The CISSP covers ten domains of information security body of
knowledge:
• Access control systems and methodology

• Applications and systems development
• Business continuity planning
• Cryptography
• Law, investigation and ethics
• Operations security
• Physical security
• Security architecture and models
• Security management practices
• Telecommunications, network and internet security
With the difficulty in mastering all ten domains, many security professionals seek other less
rigorous certifications. ISC2 has developed the SSCP certification to be more focused. Like the
CISSP, the SSCP certification is more applicable to the security manager than the technician,
since the bulk of its questions focus on the operational nature of information security. The SSCP
focuses “on practices, roles and responsibilities as defined by experts from major IS industries”
[31]. However, the information security technician seeking advancement can benefit from this
certification. Instead of the ten domains of the CISSP, the SSCP covers seven domains:
• Access controls
• Administration
• Audit and monitoring
• Risk, response, and recovery
• Cryptography
• Data communications
• Malicious code/malware
The SSCP is considered by many to be the little brother of the CISSP. It is a valid certification
and is easier to obtain than the CISSP. The seven domains are not a subset of the CISSP
domains, but contain slightly more technical content.
ISC2 has another program, the ISC2 Associate, designed to support those individuals with a
desire to earn the CISSP or SSCP but without the required amount of professional experience the
ability to take the test prior to earning the experience. “The Associate of (ISC)2 program is a
mechanism for information security professionals, who are still in the process of acquiring the
necessary experience to become CISSPs or SSCPs, to become associated with (ISC)2 and obtain
career-related support during this early period in his or her information security career” [32].
ISC2 also implemented a concentration component to the CISSP certification allowing standing
CISSPs to earn additional recognition [37]:

ISSAPCM: Information Systems Security Architecture Professional - The major domains of

the CBK® covered by ISSAP certification are:
• Access Control Systems and Methodology
• Telecommunications and Network Security
• Cryptography
• Requirements Analysis and Security Standards, Guidelines, Criteria
• Technology Related Business Continuity Planning (BCP) and Disaster Recovery
Planning (DRP)
ISSEPCM: Information Systems Security Engineering Professional - The major domains of the
CBK® covered by ISSEP certification are:
• Systems Security Engineering
• Certification and Accreditation
• Technical Management
• U.S. Government Information Assurance Regulations
ISSMPCM: Information Systems Security Management Professional - The major domains of

the CBK® covered by ISSMP certification are:
• Enterprise Security Management Practices
• Enterprise-Wide System Development Security
• Overseeing Compliance of Operations Security
• Understanding Business Continuity Planning (BCP), Disaster Recovery Planning
(DRP) and Continuity of Operations Planning (COOP)
• Law, Investigations, Forensics and Ethics
Each of these concentrations require additional exams..
Global Information Assurance Certification (GIAC)

The System Administration, Networking and Security Organization, better known as SANS
(http://www.sans.org), developed a series of technical security certifications in 1999, known as
the GIAC (http://www.giac.org). At the time, there were no technical certifications. Anyone who
wished to work in the technical security field could only obtain networking or computing
certifications like the MCSE (Microsoft Certified Systems Engineer) or CNE (Certified Novell
Engineer).
The GIAC family of certifications can be pursued independently or combined to earn the
comprehensive certification, GIAC Security Engineer (GSE). The GIAC Information Security
Officer (GISO) is an overview certification that combines basic technical knowledge with
understanding of threats, risks, and best practices, similar to the SSCP. The various individual
GIAC Certifications include:
• GIAC Security Essentials Certification (GSEC)

• GIAC Certified Firewall Analyst (GCFW)
• GIAC Certified Intrusion Analyst (GCIA)
• GIAC Certified Incident Handler (GCIH)

• GIAC Certified Windows Security Administrator (GCWN)

• GIAC Certified UNIX Security Administrator (GCUX)
• GIAC Information Security Officer - Basic (GISO - Basic)
• GIAC Systems and Network Auditor (GSNA)
• GIAC Certified Forensic Analyst (GCFA)
• GIAC Security Leadership Certificate (GSLC)
Security Certified Professional

One of the newest certifications in the information security discipline is the Security Certified
Professional Certification (http://www.securitycertified.net/). The SCP certification provides two
tracks: the SCNP (Security Certified Network Professional) and the SCNA (Security Certified
Network Architect). Both are designed for the security technician and have dominant technical
components; however, the latter also emphasizes authentication principles. Even though they
both have a networking focus, it is a concentration on network security, rather than on true
networking (for example, MSCE and CNE). The SCNP track focuses on firewalls and intrusion
detection, and requires two areas of study [33].
• Network Security Fundamentals (NSF)

• Network Defense and Countermeasures (NDC)
The SCNA program focuses more on authentication areas including biometrics and PKI. The
two areas of study in the SCNA certification are:
• PKI and Biometrics Concepts and Planning (PBC).

• PKI and Biometrics Implementation (PBI)
While not as detailed as the GIAC certifications, these programs provide a useful migration into
new areas of security, while developing a vendor-neutral core of practitioner knowledge
evaluations.
Security +
From CompTIA (www.comptia.com), the company that brought the first vendor-neutral
professional IT certifications, the A+ series, comes another certification program, the Security +
certification. “The CompTIA Security+ certification tests for security knowledge mastery of an
individual with two years on-the-job networking experience, with emphasis on security. The
exam covers industry wide topics including communication security, infrastructure security,
cryptography, access control, authentication, external attack and operational and organization
security. CompTIA Security+ curricula are being taught at colleges, universities and commercial
training centers around the globe. CompTIA Security+ is being used as an elective or
prerequisite to advanced vendor specific and vendor neutral security certifications”[35]. The
Exam covers the following five domains:
1.0 General Security Concepts
2.0 Communication Security
3.0 Infrastructure Security
4.0 Basics of Cryptography
5.0 Operational/Organizational Security

Certified Information Systems Auditor (CISA) and Certified Information Security

Manager (CISM)
The CISA certification, while not specifically a security certification, does contain many
information security components. The CISM is focused on practitioners in the information
security field. The sponsoring organization for the CISA, the Information Systems Audit and
Control Association & Foundation (ISACA) promotes the certification for auditing, networking
and security professionals. The CISA certifications requirements cover the following areas of
information systems auditing:
• The IS audit process (1 percent)
• Management, planning, and organization of IS (11 percent)
• Technical infrastructure and operational practices (13 percent)
• Protection of information assets (25 percent)
• Disaster recovery and business continuity (10 percent)
• Business application system development, acquisition, implementation, and maintenance
(16 percent)
• Business process evaluation and risk management (15 percent)
CISM, the Certified Information Security Manager is another certification program offered by
ISACA. This credential is geared toward experienced information security managers and others
who may have information security management responsibilities. The CISM can provide
executive management with an assurance that those earning the designation have the required
background knowledge needed for effective security management and consulting. It is oriented
toward information risk management and addresses management, design and technical security
issues at a conceptual level.
CISM will encompass the following areas
• Information Security Governance (21 percent) - Establish and maintain a framework to

provide assurance that information security strategies are aligned with business objectives
and consistent with applicable laws and regulations.
• Risk Management (21 percent) - Identify and manage information security risks to
achieve business objectives.
• Information Security Program(me) Management (21 percent) - Design, develop and
manage an information security program(me) to implement the information security
governance framework.
• Information Security Management (24 percent) - Oversee and direct information security
activities to execute the information security program(me).
• Response Management (13 percent) - Develop and manage a capability to respond to and
recover from disruptive and destructive information security events. [38]
Certified Information Systems Forensics Investigator

There is a new certification under development by the Information Security Forensics
Association (infoforensics.org). This group is developing an examination for a Certified
Information Systems Forensics Investigator, which evaluates the tasks and responsibilities of a
security administrator or security manager in dealing with incident response, working with law

enforcement, and auditing incidences. Although the certification exam has not been developed
yet, the common body of knowledge has been tentatively defined to include information on:
• Counter measures
• Auditing
• Incident response teams
• Law enforcement and investigation
• Traceback
Established Standards, Models And Practices
Another major area of information that could be used to derive the skills needed to become a
security professional lay in established standards, models and practices. There are three primary
documents which guide the implementation and management of security programs. These are
discussed in turn here, in an extract from Management of Information Security:
Among the most accessible places to find a quality security management model are U.S. federal
agencies and international organizations. One of the most popular security management models
has been ratified into an international standard. British Standard 7799 provides two components,
each addressing a different area of security management practice. BS 7799:1, now known as
ISO/IEC 17799, is called “Information Technology – Code of Practice for Information Security
Management.” BS 7799:2 is called “Information security management: Specification with
guidance for use.” These documents are discussed in detail in the following sections. These are
proprietary, and organizations wishing to adopt this model must purchase the rights to do so.
There are a number of alternatives. The first and foremost of these are free documents provided
by the National Institute of Standards and Technology’s Computer Security Resources Center
(http://csrc.nist.gov). This site contains a number of publications, including ones containing
models and practices, such as:
• NIST SP 800-12, Computer Security Handbook

• NIST SP 800-14, Generally Accepted Security Principles & Practices
• NIST SP 800-18, Guide for Developing Security Plans
• NIST SP 800-26, Security Self-Assessment Guide for Information Technology
Systems
• NIST SP 800-30, Risk Management for Information Technology Systems
• DRAFT NIST Special Publication 800-37, Guidelines for the Security Certification
and Accreditation of Federal Information Technology Systems.
Supplemental resources also include:
• RFC 2196, The Site Security Handbook
• VISA, U.S.A. Cardholder Information Security Program
Some of the more key documents are presented in additional detail:

ISO 17799/BS 7799

One of the most widely referenced and often discussed security models is Information
Technology – Code of Practice for Information Security Management, which was originally
published as the British Standard BS 7799. This Code of Practice was adopted as an
international standard framework for information security by the International Organization for
Standardization (ISO) and the International Electrotechnical Commission (IEC) as ISO/IEC
17799 in 2000. While the details of ISO/IEC 17799 are available only to buyers of the standard,
the structure and general organization are well known: [36]
1. Organizational Security Policy is needed to provide management direction and support
for information security.
2. Organizational Security Infrastructure objectives include:
o Manage information security within the company
o Maintain the security of organizational information processing facilities and
information assets accessed by third parties
o Maintain the security of information when the responsibility for information
processing has been outsourced to another organization
3. Asset Classification and Control is needed to maintain appropriate protection of
corporate assets and to ensure that information assets receive an appropriate level of
protection.
4. Personnel Security objectives are to:
o Reduce risks of human error, theft, fraud or misuse of facilities
o Ensure that users are aware of information security threats and concerns, and are
equipped to support the corporate security policy in the course of their normal
work
o Minimize the damage from security incidents and malfunctions and learn from
such incidents
5. Physical and Environmental Security objectives include:
o Prevent unauthorized access, damage and interference to business premises and
information
o Prevent loss, damage or compromise of assets and interruption to business
activities
o Prevent compromise or theft of information and information processing facilities
6. Communications and Operations Management objectives are:
o Ensure the correct and secure operation of information processing facilities
o Minimize the risk of systems failures
o Protect the integrity of software and information
o Maintain the integrity and availability of information processing and
communication
o Ensure the safeguarding of information in networks and the protection of the
supporting infrastructure
o Prevent damage to assets and interruptions to business activities
o Prevent loss, modification or misuse of information exchanged between
organizations
7. System Access Control objectives in this area include:
o Control access to information
o Prevent unauthorized access to information systems

o Ensure the protection of networked services

o Prevent unauthorized computer access
o Detect unauthorized activities
o Ensure information security when using mobile computing and
telecommunication networks
8. System Development and Maintenance objectives here include:
o Ensure security is built into operational systems
o Prevent loss, modification or misuse of user data in application systems
o Protect the confidentiality, authenticity and integrity of information
o Ensure IT projects and support activities are conducted in a secure manner
o Maintain the security of application system software and data
9. Business Continuity Planning to counteract interruptions to business activities and to
critical business processes from the effects of major failures or disasters.
10. Compliance objectives include:
o Avoid breaches of any criminal or civil law, statutory, regulatory or contractual
obligations and of any security requirements
o Ensure compliance of systems with organizational security policies and standards
o Maximize the effectiveness of and minimize interference to/from the system audit
process
NIST Documents
The NIST documents use a common philosophy based on the implementation of 17 areas of
controls, divided into three categories: Managerial, Operational and Technical. For example
NIST SP 800-26- Security Self-Assessment Guide for Information Technology Systems provides
an overview of the three areas of controls and detailed instruction on assessing an organization’s
systems to determine the levels of security present.
Management Controls
1. Risk Management
2. Review of Security Controls
3. Life Cycle Maintenance
4. Authorization of Processing (Certification and Accreditation)
5. System Security Plan
Operational Controls
6. Personnel Security
7. Physical Security
8. Production, Input/Output Controls
9. Contingency Planning
10. Hardware and Systems Software
11. Data Integrity
12. Documentation
13. Security Awareness, Training, and Education
14. Incident Response Capability
Technical Controls
15. Identification and Authentication

16. Logical Access Controls

17. Audit Trails
NIST SP 800-14
NIST SP 800-14 - Generally Accepted Principles and Practices for Securing Information
Technology Systems, provides a number of common IT security practices in the following areas:
• Policy
o Program Policy
o Issue-Specific Policy
o System-Specific Policy
o All Policies
• Program Management
o Central Security Program
o System-Level Program
• Risk Management
o Risk Assessment
o Risk Mitigation
o Uncertainty Analysis
• Life Cycle Planning
o Security Plan
o Initiation Phase
o Development/Acquisition Phase
o Implementation Phase
o Operation/Maintenance Phase
o Disposal Phase
• Personnel/User Issues
o Staffing
o User Administration
• Preparing for Contingencies and Disasters
o Business Plan
o Identify Resources
o Develop Scenarios
o Develop Strategies
o Test and Revise Plan
• Computer Security Incident Handling
o Uses of a Capability
o Characteristics
• Awareness and Training
• Security Considerations in Computer Support and Operations
• Physical and Environmental Security
• Identification and Authentication
o Identification
o Authentication
o Passwords
o Advanced Authentication
• Logical Access Control

oAccess Criteria
oAccess Control Mechanisms
• Audit Trails
o Contents of Audit Trail Records
o Audit Trail Security
o Audit Trail Reviews
o Keystroke Monitoring
• Cryptography
Mapping Positions and Roles to Knowledge Areas

With this information the curriculum designers can gain a better feel for what a graduate should
know upon seeking a specific job category. The following figure illustrates this mapping.
Positions Roles Knowledge Areas
Net Admin ACS
Firewall Analyst SA & D

CISO
IDS Eng BCP
SysAdmin InfoSec Mgr Crypto
ISO Law & Ethics

InfoSec Analyst OpSec
Forensics
InfoSec Mgr PhySec
InfoSec Tech
IRP Handler Architecture
InfoSec W.S. Sec Mgt
DR/BCP Mgr
InfoSec Cons. NetSec
(Varying levels of mastery)

In our case, we decided, based on conversations with our local curriculum advisory board, that
KSU’s information security coursework should be focused on preparing security administrators
so that immediately upon graduation they would be prepared for career progression through
security manager to CISO. As a result, selected learning objectives were tied to providing the
appropriate level of mastery within each knowledge area felt to be critical to an individual’s
success in that program. We began with a two sets of information: the CISSP Common Body of
Knowledge, and the NSTISSC training standards (www.nstissc.gov). From each of the
following we examined introductory and advanced knowledge areas we felt were essential to this
career progression.
Mapping the CISSP Common Body of Knowledge

In mapping the CISSP CBK we began with the general categories as indicated in the diagram
above, and looked for areas that our graduates should have varying levels of mastery in. As the
10 domains of the CBK were too broad to be of much use, we identified major subordinate areas
in each as follows:

I. Access Controls
• Access control fundamentals
• Access control types
• Access control attacks
• Penetration testing methods
II. Telecommunications
• Network types (LAN/WAN)
• OSI reference model
• TCP/IP protocol suite
• Telecomm security management
• Telecommunications threats and attacks
• Remote access protocols
III. Security Management

• Security planning
• Security policies
• Personnel security
• Security personnel
• Data classification and storage
• Risk Management
• Security education, training and awareness program
• Change/configuration management
• Assessment strategies
IV. Applications Security

• Systems development life cycles
• Database development and management
• Systems controls
• Distributed applications
• Object oriented concepts
• Knowledge based systems
• Application and systems attacks and vulnerabilities
• Malicious code
V. Cryptography
• Cryptosystems
• Ciphers and encryption algorithms
• Asymmetric key systems
• Symmetric key systems
• Hybrid key systems
• Message authentication/message digests
• Public key infrastructure

• Key management
• Digital signatures
• Alternative cryptosystems
• Security protocols
VI. Security Architecture

• Security models
• Information systems evaluation criteria
• System certification and accreditation
• Security architectures
VII. Operations Security

• Operations concepts
• Threats and countermeasures
• Incident response
• Auditing
• Monitoring
VIII. Business Continuity Planning

• Contingency planning
• Business continuity planning
• Disaster recovery planning
• Data backup and recovery methods
• Crisis management
IX. Law and Ethics

• Law categories and types
• Computer crimes
• Computer crime investigations
• Computer ethics
• Computer forensics procedures
X. Physical Security
• Site selection and security
• Guards
• Keys and locks
• Doors, walls and gates
• Intrusion detection systems
• Fire detection and suppression systems
• Biometrics
• CCTV
NSTISSC Training Standards

We also looked at the National Security Telecommunications and Information Systems Security

Committee (NSTISSC) now known as the Committee for National Security Systems (CNSS)
documents on training information security professionals
(http://www.nstissc.gov/html/library.html). While we are not preparing training per se, we felt it
was useful in two areas: 1) to provide information not found elsewhere and 2) to lay the
foundation for eventual certification in the NSA’s Information Assurance Courseware Evaluation
program. These standards include:
• NSTISSI No. 4011 - National Training Standard for Information Systems Security
(INFOSEC) Professionals, dated 20 June 1994
• NSTISSI No. 4012 - National Training Standard for Designated Approving Authority
(DAA), dated August 1997
• NSTISSI No. 4013 - National Training Standard for System Administration in
Information Systems Security, dated August 1997
• NSTISSI No. 4014 - National Training Standard for Information Systems Security
Officers (ISSO), dated August 1997
• NSTISSI No. 4015 - National Training Standard for Systems Certifiers, dated December
2000
Defining the Focus of the Program
At this point it is important to define the general thrust of the program and develop overall
program objectives. Again, what is it we want our students to learn from the entire program? In
order to do this we must define the focus of the program. In information security, there are three
general types of programs:
Managerial InfoSec Program

The managerial program seeks to emphasize what we call the 5 “Ps” of Information Security:
People, Planning, Policy, Programs and Projects. As is evident in the sample syllabus for the
Management of Information Security and Assurance later in this document, these areas focus
more on the administration and management of information security, than the technological
aspects. The managerial student should have an understanding of the types and purposes of
various technical security controls, but may not be able to configure, implement or maintain
them. Managerial InfoSec programs are frequently found in Colleges of Business, Information
Systems programs or other related areas.
Technical InfoSec Program

The other end of the security spectrum, the technical program focuses more on the technologies
of information security. Students in these programs are expected to, in a very hands-on fashion,
design, install, configure, test, and maintain various technical security controls and equipment.
This could include firewalls, intrusion detection systems, operating systems hardening, etc. The
technical student should understand the role and purpose of the managerial aspects, as the
technical implementations are guided by the managers in InfoSec, but may not be able to develop
these areas. Technical InfoSec programs are frequently found in Colleges of Science, Computer
Science programs, technical colleges and schools, or other related areas.

Balanced InfoSec Program

The balanced InfoSec program is a combination of the managerial and technical programs
seeking a balance between the two. Programs in this category generally will not have the level
of depth in either management or technology aspect of InfoSec, but will seek to provide an
approach that well prepares the student for further education or experience in subsequent
institutions or organizations. Balanced InfoSec programs will become the most prevalent
programs, eventually replacing the technical programs in popularity.
Levels of Mastery
Using the detailed list of domains and knowledge areas from the CISSP and other sources we
then began to identify what level of mastery was desired for each knowledge area. The
taxonomy we used was derived in part from Bloom’s taxonomy, but simplified to a great extent.
We chose four levels of desired mastery, defined as follows:
1. Understanding: At the understanding level, the student can identify key concepts when
presented with a list of alternatives. The student has familiarized themselves with the
selected knowledge area and can discuss key concepts.
2. Accomplishment: At the accomplishment level, the student can demonstrate the process
necessary to use the knowledge area in a given scenario. The student has a deeper grasp
on both theoretical and practical applications of the knowledge area.
3. Proficiency: At the proficiency level, the student can generate new examples of the
application of the knowledge are. The student has demonstrated the ability to critically
discuss knowledge area concepts and can easily relate their learning to others.
4. Mastery: At the mastery level, the student can not only freely create new knowledge of
the area, but can also evaluate and critique new knowledge created by others. This level
is typically obtained through graduate level coursework, or extensive depth of
curriculum.
An example in the area of information security policy could be:
Upon completion of identified material, the student should be able to:

Understanding: Know and discuss importance of policy in the organization
Accomplishment: Demonstrate procedures needed to design and implement policy
Proficiency: Able to develop and implement a variety of security policies
Mastery: Able to review and critique all types of security policy at all levels of the
organization

Determining Numbers of Courses Needed

The next step was to determine how many courses would be needed, at a minimum to provide
the student with the desired level of mastery in the target knowledge. This step was
accomplished by organizing the similar content with corresponding learning objectives into class
areas. This information then allowed us to identify minimal prerequisite areas for each class.
We used the following template to facilitate this process:
Mapping Mastery Depth to Courses

We determined that three courses would provide this depth as indicated for a specialization. This
table shows not only the total level of depth, but also the courses in which the depth would be
obtained.

Level of Mastery Desired

U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
Domain Knowledge Area Introduction Technical Management
Access Controls
Access control fundamentals U AP A
Access control types U AP A
Access control attacks U AP A
Penetration testing methods U A
Telecommunications* (Some knowledge areas are prerequisite)
Network types (LAN/WAN)
OSI reference model
TCP/IP protocol suite
Telecomm security management U A
Telecommunications threats and attacks U A
Remote access protocols U A
Security Management
Security planning UA AP
Security policies UA AP
Personnel security UA AP
Security personnel UA AP
Data classification and storage UA AP
Risk Management UA AP
Security education, training and UA AP
awareness program
Change/configuration management UA A AP
Assessment strategies UA AP A
Applications Security* (Some knowledge areas are prerequisite)
Systems development life cycles A
Database development and management A
Systems controls UA A A
Distributed applications U
Object oriented concepts*
Knowledge based systems*
Application and systems attacks and U AP A
vulnerabilities


U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
Malicious code UA AP A
Cryptography
Cryptosystems U A A
Ciphers and encryption algorithms U A A
Asymmetric key systems U A A
Symmetric key systems U A A
Hybrid key systems U A A
Message authentication/message digests U A A
Public key infrastructure U A A
Key management U A AP
Digital signatures U A A
Alternative cryptosystems U A A
Security protocols U A
Security Architecture
Security models U A A
Information systems evaluation criteria U A A
System certification and accreditation U A A
Security architectures U A A
Operations Security
Operations concepts UA A AP
Threats and countermeasures UA A AP
Incident response UA A AP
Auditing UA A AP
Monitoring UA A AP
Business Continuity Planning
Contingency planning UA AP
Business continuity planning UA AP
Disaster recovery planning UA AP
Data backup and recovery methods UA AP
Crisis management UA AP
Law and Ethics
Law categories and types UA AP


U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
Computer crimes UA AP
Computer crime investigations UA AP
Computer ethics UA AP
Computer forensics procedures UA A
Physical Security
Site selection and security UA A
Guards U U
Keys and locks U U
Doors, walls and gates U U
Intrusion detection systems U U
Fire detection and suppression systems U U
Biometrics U A A
CCTV U
As is obvious, there is substantial overlap both within and between courses with regard to the
level of mastery. We found that in some cases, since our sequence of courses would permit a
student to take the introduction course and then either the technical OR the managerial, that to
obtain the desired level of mastery, duplication of certain levels would be necessary. Duplication
between courses also serves to reinforce that desired level of depth. Also evident is the need to
obtain both levels of understanding and accomplishment within the same course in order to reach
the overall desired level of mastery.
It was then a simple matter to re-organize learning objectives in each of the target courses and
begin searching for learning materials that would support each of these courses. Since the initial
development, our learning objectives have evolved to represent in a more robust fashion what the
students should be learning in each course. Learning objectives for each of the core courses
implemented are presented with the course descriptions in the next section.
As a final note to this phase of the model curriculum, we would like to make the following
recommendations: Courses and programs should be created in ways that:
• Involve all critical stakeholders. Just as in systems development, the use of
representative groups from all interested parties (faculty, students, industry advisors) will
serve to improve the final product.
• Create employable students or students who can advance academically. The bottom line
is to create a resource that will be in demand. Unless students can expect employability

upon completion, they may lose interest in the program, after an initial surge of interest
due to the novelty of the program.
• Capitalize on available resources (faculty, classrooms, labs). We have found that existing
labs can be easily modified to support the information security laboratory’s unique
requirements and exercises. We have also found a wealth of freeware and “hackerware”
tools that provide realistic and valuable experiences to the students. Cultivating several
key industry contacts has also resulted in several multi-thousand dollar donations in
software and hardware.
• Support local / state / national program objectives like the National Strategy to Secure
Cyberspace. Contributing to these types of programs not only provides visible and
demonstrable credibility to the program, but serves as a basis for increasing the validity
of your program should you decide to submit for national grants and industry support.
Pilot study
Based on previous analysis of the literature and curriculum development and accreditation efforts
as indicated in previous sections, seven new information security courses were implemented at
KSU. These classes were designed to meet existing national security standards, as described
previously, and to provide a foundation for the curriculum model. In the pilot project students
could select individual courses of interest or a five-course sequence culminating in a Certificate,
as major electives in a Bachelor of Science in Information Systems degree. The Certificate in
Information Security and Assurance (ISA) offers students both theoretical foundations and
applied hands-on experiences with the tools and technologies used to protect information assets.
Upon examination of the textbooks, and other learning support materials available at the time of
the design of our curriculum, we initially pilot tested the courses with trade press texts, modified
to meet the needs of an academic environment. In almost every instance, the trade press texts
proved severly lacking in depth and breadth for the classroom. In a stroke of luck, we were
approached by the senior editor of a major text publisher and convinced to write a text of our
own. We took the opportunity to use the mappings that we were using for our courses and
design a text to provide a strong foundation for the first course in our sequence.
The curriculum is designed to encompass both technical details and managerial functions. The
certificate begins with three core courses:
Principles of Information Security & Assurance.

An introduction to the various technical and administrative aspects of Information Security and
Assurance, this course provides the foundation for understanding key issues associated with
protecting information assets, developing protection and response to security incidents, and
designing a consistent, reasonable information security system, with appropriate intrusion
detection and reporting features. Learning objectives: After successful completion of the course
students should be able to: identify and prioritize information assets; identify and prioritize
threats to information assets; define an information security strategy and architecture; discuss the
components of an incident response plan; describe legal and public relations implications of
security and privacy issues; and outline a disaster recovery plan.

Technical Applications in Information Security & Assurance.

A detailed examination of the tools, techniques and technologies used in the securing of
information assets, this course provides in-depth information on the software and hardware
components of Information Security and Assurance. Topics covered include: firewall
configurations, hardening Unix and NT servers and specific implementation of security models
and architectures. Learning objectives: After successful completion of the course students
should be able to: identify the components of Information Security Architectures; specify
appropriate security models used in the architecture; identify specific weaknesses and strengths
of the security of various networking operating systems; locate and recommend corrections to
known vulnerabilities in network infrastructures; specify recommendations for the physical
hardening of popular network components; and identify and specify the components of a
technology-based security solution.
Policy and Administration in Information Security & Assurance

A detailed examination of a systems-wide perspective of information security, beginning with a
strategic planning process for security. Includes an examination of the policies, procedures and
staffing functions necessary to organize and administrate ongoing security functions in the
organization. Subjects include security practices, security programs, and continuity planning and
disaster recovery planning. Learning objectives: After successful completion of the course
students should be able to: write enterprise and issue-specific security policies; design a security
infrastructure; build a security team; select necessary security personnel; specify
recommendations for the auditing of an information system for security; and design a disaster
recovery/business continuity plan.
Students then selected two courses to complete the certificate. They may select these from 1)
Computer Forensics and either Criminal Investigations or Criminal Law; 2) Unix Administration
and Security and Data Communications Protocols; 3) Computer Law and Computer Ethics; 4)
Accounting Information Systems class and either EDP Auditing & Control or Accounting
Auditing & Assurance; or 5) Internship or Cooperative Study and one course from the above.

The Draft Curriculum Model

Outcomes from the pilot program have been incorporated into the proposed curriculum model.
These outcomes included the adjustment of specific learning objectives across all core courses,
adjusted use of laboratory exercises within each course, and the movement of some core material
to more advanced classes (like forensics material from the technical course to the computer
forensics course). Additional outcomes strengthened existing course relationships, and validated
instructional approaches. One specific outcome was the identification of a clear lack of
academic texts to support the curriculum. As a result we authored their own for two of the
course classes. These texts are now part of a suite of academic Information Security texts
offered by Course Technology.
Table 1 provides an overview of our draft curriculum model.

Table 1: DRAFT CURRICULUM MODEL

Subject Bloom’s Levels of Knowledge (from [21])
Prerequisite Knowledge
General: Computing Foundations, Data Communications …
Managerial: Also need Management, Accounting …
Technical: Also need Operating Systems, Computer Org & Arch, Programming, Protocols …
Foundation
1.0 Introduction to Information Security L1 – Knowledge Recognition & Differentiation in
Context
1.1 Computer Law & Ethics L2 – Comprehension Translation/Extrapolition Use
of Knowledge
Technical Aspects of Information Security
2.0 Technical Applications in InfoSec L2 – Comprehension Translation/Extrapolition Use
of Knowledge
2.1 Operating Systems Security L3 – Application Knowledge
2.1.1 Windows NT/2000 Security L4 – Analysis & L5 Synthesis
2.1.2 Linux/Unix Security L4 – Analysis & L5 Synthesis
2.2 Network Security L3 – Application Knowledge
2.3 Applied Cryptography L3 – Application Knowledge
2.4 Computer Forensics L3 – Application Knowledge
2.5 Firewalls & Intrusion Detection L3 – Application Knowledge
Sys
2.6 ?????
Managerial Aspects of Information Security
3.0 Management of Information Security L2 – Comprehension Translation/Extrapolation
(Policy & Administration) Use of Knowledge
3.1 Disaster Recovery/ Business L3 – Application Knowledge
Continuity Planning
3.2 Risk Management L3 – Application Knowledge
3.3 Incident Response L3 – Application Knowledge
3.4 Physical Security L3 – Application Knowledge
3.5 Security Training & Awareness L3 – Application Knowledge
Pgms
3.6 ?????
Outside Emphases
O1 Criminal Justice Varies
O2 Auditing Varies
Implementation of the Draft Curriculum Model
Our preliminary findings suggest that if an institution has the ability to only implement two
courses, they will be best served implementing an introductory course, and then either a technical
or managerial course depending on their preferences. If the institution can implement more, an

analysis of the intent of the program as described in previous sections will provide additional
course recommendations, as illustrated in the table below.
Table 2: Implementation of the Proposed Curriculum Model

Based on the number of courses an Institution can implement, it is recommended that they
should select the courses indicated. Question marks “?” are used to indicate alternatives.
Number of Course the Institution can Implement

in InfoSec
↓ Courses: 1 2 3 4 5 6 7
Introduction to InfoSec * * * * * * *
Technical Applications in InfoSec * or * * * * *
Management of InfoSec * * * * * *
Additional Courses Selected from: ? ? ? ?
Network Security (Win2K/Unix), ? ? ?
Adv. Network Security, Operating ? ?
?
Systems Security, Auditing for
Security, Computer Forensics,
Criminal Justice, Criminal Law,
Computer Ethics, Computer Law,
Cryptography/ Cryptology, Secure
Programming, Internship/Coops
Some suggestions based on institutional intent could be as follows:
Scenario 1: The institution can only implement one course:
For a general or technical program:

• Introduction to InfoSec
For a managerial or business program:
• Management of InfoSec (with heavy emphasis on foundation material).
Scenario 2: The institution can implement two courses:

• Technical InfoSec
• Management of InfoSec
Scenario 3: The institution can implement three courses:
For all programs:


Scenario 4: The institution can implement four courses:

• Advanced Technical topic such as:
o Firewalls, IDS & VPNs
o OS Security (Unix/Windows)
o Computer Forensics

• Advanced Managerial topic such as:
o Contingency Planning
o Computer Law & Ethics
o Security Policy
As additional courses are added additional technical or managerial topics can be added.
Institutions can then begin drafting specific programs to include electives, existing courses etc. to
support their desired outcomes.
As a detailed example of our efforts, the Certificate in Information Security and Assurance is
presented here with sample course syllabi.
Following the Certificate is our newest degree program – the Bachelor of Science in Information
Security and Assurance with the course syllabi for the new classes associated with this degree.

Certificate in Information Security and Assurance (ISA)
The Certificate in Information Systems and Assurance consist of 5 new courses, plus a number
of courses in the current catalog from CS, IS, Accounting, Criminal Justice and Political Science
degree programs. The Certificate is built on the presumption that students will be sufficiently
prepared to enter the program. This includes Preparatory Knowledge Clusters in areas of
Principles of Computing, Programming Principles and Data Communications. For students that
do not meet this assumption, they can either take undergraduate equivalents (CSIS 2300, 2301
and 2520) or submitting a portfolio of work for exempting one or more preparatory courses.
“The Committee on National Security Systems and the National Security Agency have certified
that Kennesaw State University offers a set of courseware that has been reviewed by National
Level Information Assurance Subject Matter Experts and determined to meet National Training
Standard for Information Systems Security Professionals (NSTISSI 4011, 4012, 4013, 4014) for
academic years 2003 - 2006.”
Each student will be required to complete the 9-hour core (3 courses) and then select and
complete one track (6-hours, 2 courses).
All coursework within the certificate program must be completed with a “C” or better in order to
count towards the certificate.
CORE:
ISA 3100 – Principles of Information Security and Assurance
ISA 3200 – Technical Applications in Information Security and Assurance
ISA 3300 – Policy and Administration in Information Security and Assurance
Plus One Track (6 hours from the following)
Track 1. Computer Forensics and Investigation

ISA 3350 – Computer Forensics
and either
CJ 3320 – Criminal Investigations
or
POLS 4411 – Criminal Law
Track 2. Technical Security

CSIS 3550 – Unix Administration & Security
and
CSIS 4500 – Data Communications Protocols

Track 3. Computer Law and Ethics

CSIS 4510 – Computer Law
and
CSIS 4515 – Computer Ethics
Track 4. Security Audit

ACCT 3300 – Accounting Information Systems
and either
CSIS 4210 – EDP Audit & Control
or
ACCT 4150 – Audit & Assurance
Track 5. Applied Security

One elective from the above tracks or:
CSIS 4420 – Local Area Networks
IT 4525 – Electronic Commerce
MGT 3100 – Management and Behavioral Sciences
and either
ISA 3398 – Internships in Information Security and Assurance
or
ISA 3396 – Coop in Information Security and Assurance


Sample Syllabi
DEPARTMENT OF COMPUTER SCIENCE AND INFORMATION SYSTEMS
Fall 2003
ISA 3100 Principles of Information Security and Assurance

Date/Time of Class
Dr. Michael E. Whitman, CISSP
Course Description:
Examination of current standards of due care and best business practices in Information Security.
Includes examination of security technologies, methodologies and practices. Focus is on
evaluation and selection of optimal security posture. Topics include evaluation of security
models, risk assessment, threat analysis, organizational technology evaluation, security
implementation, disaster recovery planning and security policy formulation and implementation.
Prerequisites:
CIS 2520: Data Communications
Textbooks:
Principles of Information Security, Whitman & Mattord, © 2003 Course Technology ISBN:
0-619-06318-1
Resources:
http://csrc.nist.gov/publications/nistpubs/index.html
SP 800-12 An Introduction to Computer Security: The NIST Handbook,
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems
http://infosec.kennesaw.edu
Instructor: Michael E. Whitman, Ph.D., CISSP

Office: CL 3047
Email Address: mwhitman@kennesaw.edu
Phone: 770-499-3568
Note: I seldom check phone messages, best method of
communication is via email.
Office Hours: TBD by email and by appointment.
Fax Number: 770-423-6731
Website Address: http://science.kennesaw.edu/~mwhitman

Learning Outcomes:
As a result of completing this course, students will be able to:
• Describe threats to information security
• Identify methods, tools and techniques for combating these threats.
• Identify types of attacks and problems that occur when systems are not properly protected.
• Explain integral parts of overall good information security practices
• Identify and discuss issues related to access control.
• Describe the need for and development of information security policies, and identify
guidelines and models for writing policies.
• Define risk management and explain why it is an important component of an information
security strategy and practice.
• Describe the types of contingency plan and the steps involved in developing each.
• Identify security issues related to personnel decisions, and qualifications of security
personnel.
Final Grading:
A standard 100% evaluation scheme will be used, i.e. 89.5+ = A, 79.5 - 89.49 = B, 69.6 - 79.49 =
C, 59.5 - 69.49 = D, else = F).
Project will be graded for correctness and completeness.
The instructor retains the right to subjectively adjust an individual student's grade in appropriate
cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-quality
type. Specific examples will be provided in class. Students failing to present the information
completely, neatly and in the prescribed format will receive minimal credit for their work.
Students should double check for spelling and grammar before submitting assignments.
NO LATE WORK WILL BE ACCEPTED.
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral notice
thereof DOES NOT constitute official withdrawal from the course. Students who simply stop
attending classes without officially withdrawing usually are assigned failing grades. Students
wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a
withdrawal form from the Academic Services Department in the Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments, take
quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn
from this course, they will not be permitted to attend class nor will they receive any grade for the
class.

Electronic Devices
In order to minimize the level of distraction, all beepers and cellular phones must be on quiet
mode during class meeting times. Students who wish to use a computer/PDA for note taking need
prior approval of the instructor since key clicks and other noises can distract other students.
Recording of lectures by any method requires prior approval of the instructor. Students using a
laptop in class should not check their email, browse the web, or in other way detract from the
focus of the class.
Classroom Behavior
Students are reminded to conduct themselves in accordance with the Student Code of Conduct, as
published in the Undergraduate and Graduate Catalogs. Every KSU student is responsible for
upholding the provision. For more details, visit
http://ww.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf . Students
who are in violation of this policy will be asked to leave the classroom and may be subject to
disciplinary action by the University.
Tentative Course Schedule: Subject to change

Week Date Topic & Chapter
1 Introduction &
Chapter 1: Introduction
2 Chapter 2: The Need for Security
3 Chapter 3: Legal & Ethical Issues in Security
4 Chapter 4: Risk Management: Identifying and Assessing Risk
5 Chapter 5: Risk Management: Assessing and Controlling Risk
6 Chapter 6: Blueprint For Security
7 Exam 1
8 Labs
Last Day to Drop without Academic Penalty
9 Group Meetings
10 Chapter 7: Planning for Continuity and the Systems
Development Life Cycle
11 Chapter 8: Security Technology
12 Chapter 9: Physical Security
13 Chapter 10: Implementing Security
14 Chapter 11: Personnel and Security
15 Chapter 12: Maintaining a Security Posture
16 Exam 2
Final Project Presentations
Exam

Special Dates:
Holidays/No Class
Last day to withdrawal without penalty
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn or
meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Class notes can be downloaded from: TBD
Assignments:
The student will be assigned a number of written projects and reports throughout the course of the
semester. These will include:
Contribution to a class “security links” and “security readings” web pages
Sample risk assessment
Control spreadsheet
Outline of a disaster recovery plan
Organizational fair and responsible use policy
Additional details will be provided in class.
Project Requirements:
During the course of the semester, students will be exposed to a fictitious organization, CGT,
Inc., a computer gaming company. Students will be expected to analyze and design a complete
computer security profile for this organization and its systems. This analysis will be organized
and presented at the end of the semester. Students will submit a binder containing all necessary
security policies, documents and recommendations. Additional details will be provided in class.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does not
arrive within 20 minutes of the start of class, the class should move to the lab and work on their
laboratory exercises.
Computer Labs:
Additional Information on Lab hours and availability will be provided in class.

Assessment:
Exam 1 25%
Exam 2 25%
Assignments and Labs 20%
Project 30%
100%
Grade Evaluation
A 90% - 100%
B 89% - 80%
C 79% - 70%
D 69% - 60%
F 59% or below

Student Course Evaluation:
A standard questionnaire (described below) will be administered during the last two weeks of the
semester in all classes. Additional questions developed by the college or instructor(s) may be
included as well. It is important that each student provide meaningful feedback to the instructor(s)
so that changes can be made in the course to continually improve its effectiveness. We value
student feedback about the course, our teaching styles, and course materials, so as to improve our
teaching and your learning. At a minimum, the following two questions will be asked: 1) Identify
the aspects of the course that most contributed to your learning (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring), and 2)
Identify the aspects of the course, if any, that might be improved (include examples of specific
materials, exercises and/or the faculty member's approach to teaching and mentoring).
Acquiring Final Grades:
The final grades for this course will be posted to the student’s permanent record using the KSU
Banner system. Students may acquire their final grades by accessing their Banner account online.
Grades are no longer mailed to students. Students needing verification of grades or enrollment
should request either an official transcript or an enrollment verification through the Office of the
Registrar.

Academic Integrity Statement:

Every KSU student is responsible for upholding the provisions of the Student Code of Conduct,
as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of
Conduct addresses the University's policy on academic honesty, including provisions regarding
plagiarism and cheating, unauthorized access to University materials,
misrepresentation/falsification of University records or academic work, malicious removal,
retention, or destruction of library materials, malicious/intentional misuse of computer facilities
and/or services, and misuse of student identification cards. Incidents of alleged academic
misconduct will be handled through the established procedures of the University Judiciary
Program, which includes either an "informal" resolution by a faculty member, resulting in a grade
adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's
minimum one semester suspension requirement.
Students are encouraged to study together and to work together on class assignments and lab
exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic
Honesty, KSC Undergraduate Catalog will be strictly enforced in this class.
Frequently students will be provided with “take-home” exams or exercises. It is the student’s
responsibility to ensure they fully understand to what extent they may collaborate or discuss
content with other students. No exam work may be performed with the assistance of others or
outside material unless specifically instructed as permissible. If an exam or assignment is
designated “no outside assistance” this includes, but is not limited to, peers, books, publications,
the Internet and the WWW. If a student is instructed to provide citations for sources, proper use
of citation support is expected. Additional information can be found at the following locations.
http://www.apa.org/journals/webref.html
http://www.lib.duke.edu/libguide/citing.htm
http://bailiwick.lib.uiowa.edu/journalism/cite.html
http://www.cas.usf.edu/english/walker/papers/copyright/ipdummie.html
http://www.indiana.edu/~wts/wts/plagiarism.html
http://plagiarism.phys.virginia.edu/links.html
http://www.arts.ubc.ca/doa/plagiarism.htm
http://alexia.lis.uiuc.edu/%7ejanicke/plagiary.htm
http://webster.commnet.edu/mla/plagiarism.htm
http://www.virtualsalt.com/antiplag.htm
http://www.engr.washington.edu/~tc231/course_info/plagiarism.html
http://quarles.unbc.edu/lsc/rpplagia.html

Acknowledgment and Acceptance of Academic Integrity Statement:
In any academic community, certain standards and ethical behavior are required to ensure the
unhindered pursuit of knowledge and the free exchange of ideas. Academic honesty means that
you respect the right of other individuals to express their views and opinions, and that you, as a
student, not engage in plagiarism, cheating, illegal access, misuse or destruction of college
property, or falsification of college records or academic work.
As a member of the Kennesaw State University academic community you are expected to adhere
to these ethical standards. You are expected to read, understand and follow the code of conduct
as outlined in the KSU graduate and undergraduate catalogs. You need to be aware that if you
are found guilty of violating these standards you will be subject to certain penalties as outlined in
the college judiciary procedures. These penalties include permanent expulsion from KSU.
Read the Academic Integrity Statement and then sign and date in the space below. You are
required to abide by these ethical standards while you are a student at KSU. Your signature
indicates that you understand the ethical standards expected of you in this academic community,
and that you understand the consequences of violating these standards.
________________________________ ________________________________
Course Name Instructor Name
Print Name Student ID Number
Signature Date
________________________________
email

White Hat Agreement

And Code of Ethics
This is a working document that provides further guidelines for the course exercise. If you have questions about any
of these guidelines, please contact one of the course instructors. When in doubt, the default action should be to ask
the instructors.
1) The goal of the project is to search for technical means of discovering information about others with whom you
share a computer system. As such, non-technical means of discovering information are disallowed (e.g., following
someone home at night to find out where they live).
2) ANY data that is stored outside of the course accounts can be used only if it has been explicitly and intentionally
published, (e.g. on a web page), or if it is in a publicly available directory, (e.g. /etc, /usr ).
3) Gleaning information about individuals from anyone ouside of the course is disallowed.
4) Impersonation, e.g. forgery of electronic mail, is disallowed.
5) If you discover a way to gain access to any account other than your own (including root), do NOT access that
account, but immediately inform the course instructors of the vulnerability. If you have inadvertently already gained
access to the account, IMMEDIATELY exit the account and inform the course instructors.
6) All explorations should be targeted specifically to the assigned course accounts. ANY tool that indiscriminately
explores non-course accounts for vulnerabilities is specifically disallowed.
7) Using the web to find exploration tools and methods is allowed. In your reports, provide full attribution to the
source of the tool or method.
8) If in doubt at all about whether a given activity falls within the letter or spirit of the course exercise, discuss the
activity with the instructors BEFORE exploring the approach further.
9) You can participate in the course exercise only if you are registered for a grade in the class. ANY violation of the
course guidelines may result in disciplinary or legal action.
10) Any academic misconduct or action during the course of the class can result in that course not being eligible to
count toward the security certificate.

White Hat Agreement

Code of Ethics Preamble: (Source www.isc2.org Code of ethics)

Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen
to adhere, to the highest ethical standards of behavior.
Therefore, strict adherence to this code is a condition of laboratory admission.
Code of Ethics Canons:

Protect society, the commonwealth, and the infrastructure.
Act honorably, honestly, justly, responsibly, and legally.
Provide diligent and competent service to principals.
Advance and protect the profession.
The following additional guidance is given in furtherance of these goals.
Objectives for Guidance
Protect society, the commonwealth, and the infrastructure

Promote and preserve public trust and confidence in information and systems.
Promote the understanding and acceptance of prudent information security measures.
Preserve and strengthen the integrity of the public infrastructure.
Discourage unsafe practice.
Act honorably, honestly, justly, responsibly, and legally

Tell the truth; make all stakeholders aware of your actions on a timely basis.
Observe all contracts and agreements, express or implied.
Treat all constituents fairly. In resolving conflicts, consider public safety and duties to principals,
individuals, and the profession in that order.
Give prudent advice; avoid raising unnecessary alarm or giving unwarranted comfort. Take care to be
truthful, objective, cautious, and within your competence.
When resolving differing laws in different jurisdictions, give preference to the laws of the jurisdiction in
which you render your service.
Provide diligent and competent service to principals

Preserve the value of their systems, applications, and information.
Respect their trust and the privileges that they grant you.
Avoid conflicts of interest or the appearance thereof.
Render only those services for which you are fully competent and qualified.
Advance and protect the profession

Sponsor for professional advancement those best qualified. All other things equal, prefer those who are
certified and who adhere to these canons. Avoid professional association with those whose practices or
reputation might diminish the profession.
Take care not to injure the reputation of other professionals through malice or indifference.
Maintain your competence; keep your skills and knowledge current. Give generously of your time and
knowledge in training others.

As part of this course, you may be exposed to systems, tools and techniques related to Information Security. With
proper use, these components allow a security or network administrator better understand the vulnerabilities and
security precautions in effect. Misused, intentionally or accidentally, these components can result in breaches of
security, damage to data or other undesirable results.
Since these lab experiments will be carried out in part in a public network that is used by people for real work, you
must agree to the following before you can participate. If you are unwilling to sign this form, then you cannot
participate in the lab exercises.
Student agreement form:
I agree to:
- only examine the special course accounts for privacy vulnerabilities (if applicable)
- report any security vulnerabilities discovered to the course instructors immediately, and not disclose them to
anyone else
- maintain the confidentiality of any private information I learn through the course exercise
- actively use my course account with the understanding that its contents and actions may be discovered by others
- hold harmless the course instructors and Kennesaw State University for any consequences of this course
- abide by the computing policies of Kennesaw State University and by all laws governing use of computer
resources on campus
I agree to NOT:
- attempt to gain root access or any other increase in privilege on any KSU workstation
- disclose any private information that I discover as a direct or indirect result of this course exercise
- take actions that will modify or deny access to any data or service not owned by me
- attempt to perform any actions or use utilities presented in the laboratory outside the confines and structure of
the labs.
- utilize any security vulnerabilities beyond the target accounts in the course or beyond the duration of the course
exercise
- pursue any legal action against the course instructors or Kennesaw State University for consequences related to
this course
Moreover, I consent for my course accounts and systems to be examined for security and privacy vulnerabilities by
other students in the course, with the understanding that this may result in information about me being disclosed (if
applicable).
This agreement has been explained to me to my satisfaction. I agree to abide by the conditions of the Code of Ethics
and of the White Hat Agreement.
Signed, ______________________________________ Date:___________________
Printed name:____________________________
e-mail address ___________________________


Fall 2003
ISA 3200 – Technical Applications in Information Security and Assurance

Date/Time of Class
Course Description:
Detailed examinations of the tools, techniques and technologies used in the technical securing of
information assets. This course is designed to provide in-depth information on the software and
hardware components of Information Security and Assurance. Topics covered include: firewall
configurations, hardening Unix and NT servers, Web and distributed systems security, and
specific implementation of security models and architectures.
Prerequisites:
ISA 3100: Principles of Information Security and Assurance
Textbooks:
Guide to Network Defense and Countermeasures, Greg Holden © 2003 Course Technology
ISBN: 0-619-13124-1
Resources:
• SP 800-51 Use of the Common Vulnerabilities and Exposures (CVE) Vulnerability
Naming Scheme, September 2002
• SP 800-48 Wireless Network Security: 802.11, Bluetooth, and Handheld Devices,
November 2002
• SP 800-41 Guidelines on Firewalls and Firewall Policy, January 2002
• SP 800-40 Procedures for Handling Security Patches, September 2002
• SP 800-33 Underlying Technical Models for Information Technology Security, December
2001
• SP 800-32 Introduction to Public Key Technology and the Federal PKI Infrastructure,
February 2001
• SP 800-31 Intrusion Detection Systems (IDS), November 2001
• SP 800-28 Guidelines on Active Content and Mobile Code, October 2001
• Plus additional resources as assigned in class.
http://infosec.kennesaw.edu

Office: CL 3047
Phone: 770-499-3568
Note: I seldom check phone messages, best method of
communication is via email.
Office Hours: TBD by email and by appointment.
Fax Number: 770-423-6731

Learning Outcomes:
With the increasing exposure of information systems to attacks from natural and man-made
disasters, there is an increasing demand on information systems technical staff to use technical
information security tools to defend systems from attacks on information systems security. The
purpose of this course is to examine technical preventative, detective and responsive measures.
• Understand the technical details of common information security technical
countermeasures.
• Evaluate each of the included technical countermeasures as to when its use is appropriate
and it can be used to provide increased control or reduced risk.
• Create deployment plans for included technical countermeasures that include impact and
risk assessments to IT systems as well as impact and risk to general system users.
• Apply technical knowledge to simulated deployment planning issues using a case study in
a team-based project.
Final Grading:
A standard 100% evaluation scheme will be used, i.e. 89.5+ = A, 79.5 - 89.49 = B, 69.6 - 79.49 =
C, 59.5 - 69.49 = D, else = F).
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral notice
thereof DOES NOT constitute official withdrawal from the course. Students who simply stop
attending classes without officially withdrawing usually are assigned failing grades. Students
wishing to withdraw after the scheduled change period (add/drop) must obtain and complete a
withdrawal form from the Academic Services Department in the Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments, take
quizzes and exams, and receive a grade in the class. If a student is administratively withdrawn
from this course, they will not be permitted to attend class nor will they receive any grade for the
class.

Electronic Devices
focus of the class.
Classroom Behavior
http://ww.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf . Students
who are in violation of this policy will be asked to leave the classroom and may be subject to
disciplinary action by the University.

1 Introduction &
Chapter 1: Foundations of Network Security
2 Chapter 2: Designing a Network Defense
3 Chapter 3: Risk Analysis and Security Policy Design
4 Lab 1
5 Chapter 4: Choosing and Designing Firewalls
6 Chapter 5: Configuring Firewalls
7 Chapter 6: Strengthening and Managing Firewalls
8 Exam 1
9 Lab 2
10 Chapter 7: Setting up a Virtual Private Network
11 Chapter 8: Intrusion Detection: An Overview
12 Chapter 9: Intrusion Detection: Preventive Measures
13 Lab 3
14 Chapter 10: Intrusion Detection: Incident Response
15 Chapter 11: Strengthening Defense Through Ongoing Management
16 Exam 2
Final Project Presentations
Exam

Special Dates:
Holidays/No Class
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn or
meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Assignments:
Students will issues an assignment schedule during the semester, consisting of requirements from
the Information Security Lab Manual, and other relevant requirements.
During the course of the semester, students will be presented with a fictitious organization, CGT,
Inc., a computer gaming software company. Students will be expected to assess the vulnerabilities
present in CGT’s three primary servers. Students will be provided with an assessment toolkit,
and asked to design a written report identifiying all vulnerabilities in these systems. In addition,
the student will be required to research the vulnerabilities, including the CVE for each, and
collect information on the resolution on the vulnerabilities. Students will submit a binder
containing all necessary documents and recommendations. Additional details will be provided in
class and via WebCT.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does not
arrive within 20 minutes of the start of class, the class should move to the lab and work on their
laboratory exercises.
Computer Labs:

Assessment:
Exam 1 20%
Exam 2 20%
Assignments 15%
Labs 20%
Project 25%
100%
Grade Evaluation
A 90% - 100%
B 89% - 80%
C 79% - 70%
D 69% - 60%
F 59% or below

should request either an official transcript or an enrollment verification through the Office of the
Registrar.
( Syllabus truncated to remove redundant material from other examples).

Project Description:
Each student will be assigned to a 3-person team. Although assigned to a team, each student will
conduct an independent analysis of the target servers. Once each student has scanned the
designated targets, the student can then work with their team in identifying the specifics of the
vulnerability and its resolution. While detailed knowledge of server administration is not
required, a basic understanding of operating systems and networking is expected. Students who
do not have this level will be expected to study on their own to understand the systems
sufficiently to assist in their preparation for security. Students will be expected to research and
recommend upgrades and fixes for known vulnerabilities. Resources to use in your assessment
include: Sam Spade, NMAP, Nessus and LanGuard. Resources to use in your investigation of
vulnerability include: http://cve.mitre.org, http://icat.nist.gov/icat.cfm, http://www.opensec.org/
and other references to be provided in class.
At the end of the semester the student team will present a joint presentation overviewing the
vulnerabilities found on each server and the severity of the individual vulnerabilities. Each
student will submit a binder with an overview of the specification of the system examined,
methods and techniques used, and findings, neatly organized, tabbed with appropriate headers
and references. Additional materials will be provided in class.
Lab Exercises Overview:

Selected exercises from the Hands-On Information Security Lab Manual or online Exercises
through XanEdu will be selected for this course. These will come from the following (for the lab
manual):
Chapter 1 Footprinting
Ex 1-1 Web Reconnaissance
Ex 1-2 WhoIS
Ex 1-3 DNS Interrogation
Ex 1-4 Network Reconnaissance
Chapter 2 Scanning & Enumeration

Ex 2-1 Scanning Utilities
Ex 2-2 Active Stack Fingerprinting
Ex 2-3 Generic Enumeration
Ex 2-4 Novell Enumeration
Ex 2-5 Unix Enumeration
Chapter 3 Firewalls and Intrusion Detection Systems

Ex 3-1 Windows Host Based Firewall Setup
Ex 3-2 Linux Firewall Setup
Ex 3-3 Intrusion Detection Systems Setup
Chapter 4 Operating Systems Vulnerability Analysis and Resolution

Ex 4-1 Common Win9x/ME Exploits and Protection
Ex 4-2 Common WinNT Exploits and Protection

Ex 4-3 Common Win2000 Exploits and Protection

Ex 4-4 Common UNIX Exploits and Protection
Ex 4-5 Common LINUX Exploits and Protection
Ex 4-6 Common Novell Exploits and Protection
Chapter 5 Security Maintenance (Whitman & Shackleford)

Ex 5-1 Log Analysis
Ex 5-2 Establishing a Virtual Private Network
Ex 5-3 Implementing Public Key Encryption
Ex 5-4 Using Digital Certificates
Ex 5-5 Virus Threats and Hoaxes
Ex 5-6 Password and Password Policy Evaluation
Chapter 6 Minicase Studies (Whitman)

Minicases Analysis of the Minicase
Minicase 1 Lab Antivirus Protection Strategy
Minicase 2 Personal Firewall Evaluation
Minicase 3 The Security Awareness, Training and Education Program
Minicase 4 Lab Physical Security Assessment
Minicase 5 Lab Document Security Assessment
Minicase 6 Local Security Policies Evaluation
Chapter 7 Case Studies (Whitman)

Case 1 HomeLAN Inc. – Residential Solutions
Case 2 HomeLAN Inc. – Business Solutions
Case 3 Computer Gaming Technologies Inc.
Case 4 DOTCOM Ltd.
Appendix A: Common Utilities and Tutorials (All)

Ex A-1: Sam Spade (Whitman)
Ex A-2: Ethereal
Ex A-3: NESSUS
Ex A-4: NMAP
Ex A-5: LanGuard Port Scanner
Ex A-6: LanGuard Network Scanner
Ex A-7: NetCat
Ex A-8: SNORT (Shackleford)


Semester year
ISA 3300 Policy and Administration in Information Security and Assurance

Date/Time of Class
Course Description:
Detailed examinations of a systems-wide perspective of information security, beginning with
a strategic planning process for security. Includes an examination of the policies, procedures
and staffing functions necessary to organize and administrate ongoing security functions in
the organization. Subjects include security practices, security architecture and models,
continuity planning and disaster recovery planning.
Prerequisites:
ISA 3100: Principles of Information Security
Textbooks:
Management of Information Security, Whitman & Mattord, © 2004 Course Technology
ISBN: 0-619-21515-1 (draft to be distributed in class).
Resources:
SP 800-12 An Introduction to Computer Security: The NIST Handbook,
SP 800-26 Security Self-Assessment Guide for Information Technology Systems
SP 800-30 Risk Management Guide for Information Technology Systems
SP 800-34 Contingency Planning Guide for Information Technology Systems

Office: CL 3047
Phone: 770-499-3568
Note: I seldom check phone messages; best method of communication is via
email.
Office Hours: TBD, by email and by appointment.
Fax Number: 770-423-6731

Learning Outcomes:
• Discuss the stages in the risk management process.
• Conduct a Business Impact Analysis
• Identify and prioritize threats to information and priorities of organizational information
resources.
• Develop information security policies for all three types.
• Design a security education, training and awareness program.
• Make informed choices in selecting security personnel.
• Develop guidelines for the hiring of non-security personnel sensitive to organizational
information protection requirements.
• Conduct a cost-benefit analysis.
• Develop a budget for the acquisition of needed security resources.
• Develop a program to develop plans to respond to business information security
contingencies.
Final Grading:
A standard 100% evaluation scheme will be used, i.e. 89.5+ = A, 79.5 - 89.49 = B, 69.6 -
79.49 = C, 59.5 - 69.49 = D, else = F).
The instructor retains the right to subjectively adjust an individual student's grade in
appropriate cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-
quality type. Specific examples will be provided in class. Students failing to present the
information completely, neatly and in the prescribed format will receive minimal credit for
their work. Students should double check for spelling and grammar before submitting
assignments.
Withdrawal Policy:
The last day to withdraw without academic penalty is TBD. Ceasing to attend class or oral
notice thereof DOES NOT constitute official withdrawal from the course. Students who
simply stop attending classes without officially withdrawing usually are assigned failing
grades. Students wishing to withdraw after the scheduled change period (add/drop) must
obtain and complete a withdrawal form from the Academic Services Department in the
Registrar’s Office.
Enrollment Policy:
Only those students who are enrolled in the class may attend lectures, receive assignments,
take quizzes and exams, and receive a grade in the class. If a student is administratively
withdrawn from this course, they will not be permitted to attend class nor will they receive
any grade for the class.

Electronic Devices
focus of the class.
Classroom Behavior
http://www.kennesaw.edu/academicaffairs/acadpubs/ucat2003-04/x.genpolicies%20.pdf .
Students who are in violation of this policy will be asked to leave the classroom and may be
subject to disciplinary action by the University.

1 Introduction &
Chapter 1: Introduction to Mgt of InfoSec
2 Chapter 2: Planning for Security
3 Chapter 3: Planning for Contingencies
4 Chapter 4: Security Policy
5 Chapter 5: Developing Security Programs
6 Chapter 6: Security Management Models and Practices
7 Exam 1
8 Labs
Last Day to Drop without Academic Penalty
9 Group Meetings
10 Chapter 7: Risk Assessment
11 Chapter 8: Risk Management and Control
12 Chapter 9: Protection Mechanisms
13 Chapter 10: Personnel and Security
14 Chapter 11: Law & Ethics
15 Chapter 12: Security Project Management
16 Exam 2
Final
Exam Project Presentations

Special Dates:
Holidays/No Class
Last day of class
Final Exam Period
Graduation
Class Format:
Classes are predominantly lecture-oriented. On at least two occasions, the class will adjourn
or meet in the SC 363 computer lab for hands-on exercises.
Lecture Notes:
Assignments:
The student will be assigned a number of written projects and reports throughout the course of
the semester. These will include:
Sample risk assessment
Control spreadsheet
Outline of a disaster recovery plan
Organizational security policies
Additional details will be provided in class.
Students will be organized into 3-4 person teams, and provided with a case study of an
organization in desperate need of information security. Students will analyze the organization
and design a security profile including security personnel, a security policy, disaster recovery
and continuity plans, and recommendations for periodic auditing of the system. Additional
details will be provided in class.
Instructor Absence:
In the event of an instructor absence, the class will find a notice posted. If the instructor does
not arrive within 20 minutes of the start of class, the class should move to the lab and work on
their laboratory exercises.

A Model Curriculum for Programs of Study in Information Security and Assurance
Computer Labs:
Assessment:
Exam 1 25%
Exam 2 25%
Assignments and Labs 25%
Project 25%
100%
Grade Evaluation
A 90% - 100%
B 89% - 80%
C 79% - 70%
D 69% - 60%
F 59% or below

The instructor retains the right to subjectively adjust an individual student's grade in
appropriate cases, based upon observed performance.
All turned-in assignments will be neatly typed (word-processed) and printed with letter-
quality type. Specific examples will be provided in class. Students failing to present the
information completely, neatly and in the prescribed format will receive minimal credit
for their work. Students should double check for spelling and grammar before submitting
assignments.
Whitman & Mattord, Kennesaw State University © 2003 59


should request either an official transcript or enrollment verification through the Office of the
Registrar.
Academic Integrity Statement:

Every KSU student is responsible for upholding the provisions of the Student Code of Conduct,
as published in the Undergraduate and Graduate Catalogs. Section II of the Student Code of
Conduct addresses the University's policy on academic honesty, including provisions regarding
plagiarism and cheating, unauthorized access to University materials,
misrepresentation/falsification of University records or academic work, malicious removal,
retention, or destruction of library materials, malicious/intentional misuse of computer facilities
and/or services, and misuse of student identification cards. Incidents of alleged academic
misconduct will be handled through the established procedures of the University Judiciary
Program, which includes either an "informal" resolution by a faculty member, resulting in a grade
adjustment, or a formal hearing procedure, which may subject a student to the Code of Conduct's
Students are encouraged to study together and to work together on class assignments and lab
exercises; however, the provisions of the STUDENT CONDUCT REGULATIONS, II. Academic
Honesty, KSC Undergraduate Catalog will be strictly enforced in this class.
Frequently students will be provided with “take-home” exams or exercises. It is the student’s
responsibility to ensure they fully understand to what extent they may collaborate or discuss
content with other students. No exam work may be performed with the assistance of others or
outside material unless specifically instructed as permissible. If an exam or assignment is
designated “no outside assistance” this includes, but is not limited to, peers, books, publications,
the Internet and the WWW. If a student is instructed to provide citations for sources, proper use
of citation support is expected. Additional information can be found at the following locations.
http://www.apa.org/journals/webref.html
http://www.lib.duke.edu/libguide/citing.htm
http://bailiwick.lib.uiowa.edu/journalism/cite.html
http://www.cas.usf.edu/english/walker/papers/copyright/ipdummie.html
http://www.indiana.edu/~wts/wts/plagiarism.html
http://plagiarism.phys.virginia.edu/links.html
http://www.arts.ubc.ca/doa/plagiarism.htm
http://alexia.lis.uiuc.edu/%7ejanicke/plagiary.htm
http://webster.commnet.edu/mla/plagiarism.htm
http://www.virtualsalt.com/antiplag.htm
http://www.engr.washington.edu/~tc231/course_info/plagiarism.html
http://quarles.unbc.edu/lsc/rpplagia.html
Additional Duplicative material deleted for brevity.

Project Description: Using the CGT Case RFP provided in class, use the following proposal
format to provide the indicated information.
For Computer Gaming Technologies Information Security RFP response
The following sections should guide the development and submission of the proposal. The final
document will be submitted in a 3-ring binder, and single-spaced, with standard margins and
fonts. Each section should be properly tabbed, organized, and structured with appropriate
headers. Each new section and subsection should begin on a fresh page. All pages should be
numbered, and an index placed at the beginning of the document. The group members’ names
should be prominently displayed on the front cover. For each section, address the subjects or
components outlined beneath it. If a component requires a separate binder or document, create it
as needed.
SECTION
1) Overview of CGT
Provide an overview of the CGT company history, including an organization chart,
physical plant layout (blank), and general description of organization computing and in-
place security resources.
2) Problem Definition
Create a summary of the situation leading to the issuance of the RFP. Specify specific
organizational needs, situations demanding resolution.
3) Enterprise Information Security Policy

Create an Enterprise Information Security Policy for CGT, based on the template in the
text. Feel free to use assumptions to fill the policy with information as if you are the
CISO of CGT, just beginning a new Security SDLC.
4) Issue Specific Policies

Create a list outlining the ISSPs that CGT will need, and specify what each policy should
address (1 paragraph each). As an example, create an issue specific security policy for
the CGT case, based on the template in the text. The issue you are to address is fair and
responsible use of office email. Feel free to use assumptions to fill the policy with
information as if you are the CISO of CGT, just beginning a new Security SDLC.
5) Risk Management
Create an assessment of the risks inherent in CGT’s current security profile. Include an
assessment of threats facing CGT, along with estimated vulnerabilities in the CGT
systems. Include weighted tables a) prioritizing threats and b) prioritizing assets. Make
recommendations as to general improvements in the information security posture.
Basically perform a Risk Assessment/Business Impact Analysis on CGT.
6) Information Security Awareness Program

Create an information security awareness program overview document, outlining a
projected implementation of awareness in CGT. Feel free to use assumptions to fill the

policy with information as if you are the CISO of CGT, just beginning a new Security
SDLC. As part of your program include:
• 2 examples of Security Awareness Posters in PowerPoint.
• A training calendar for needed security training (1 month).
• A sample newsletter (2 – 4 pages) providing security awareness information to
CGT employees.
7) Contingency Planning
Provide a planning framework for CGT’s contingency planning. Design a contingency
planning program, including specifications for the program team, deliverables, timelines
etc. Provide a template for each of the following components:
• Incident Response Plan
• Disaster Recovery Plan
• Business Continuity Plan
This does not require you to complete these components; only provide a detailed outline
that CGT can fill in to create these plans, and a project management plan for the design
and development of both the team, and the actual plans.
8) Security Staff
Design a Security Team for this size organization (organization chart) including
specifications for the numbers and types of security professionals needed. Develop a job
advertisement for each position with qualifications and requirements.

Next Step: Bachelor of Science in Information Security and

Assurance
In November 2004, the USG Board of Regents approved KSU’s request to offer a Bachelor of
Science in Information Security and Assurance, representing one of the first such degree
programs of its kind in the country, at a public institution. The following section overviews the
contents of this program, and discusses some of the development tasks that occurred in the
construction of the program. The authors of the program used the information in this guide in
developing the curriculum of the degree.
Program Objectives
The purpose of the proposed Bachelor of Science in Information Security and Assurance (BS-
ISA) program is to create technologically proficient, business-savvy information security
professionals capable of applying policy, education & training and technology solutions to
protect information assets from all aspects of threats, and to manage the risks associated with
modern information usage. This program will incorporate existing coursework provided through
departments on campus minimizing the need for new courses, yet will create and offer a unique
program of study, with up to twelve courses in required Information Security, up to eight courses
in Information Technology, five courses in Business, and a host of electives in areas such as
Criminal Justice.
In preparation for campus SACS accreditation, and as part of the continuous improvement in
education program at KSU – the Assessment of Learning, the program architects have developed
tentative general and specific program objectives:
General Program Learning Objectives

GPLO1 – The graduate is able to demonstrate a thorough understanding of the theoretical
foundations and practical applications of information technology.
GPLO2 – The graduate is able to demonstrate a solid foundation in commonly accepted business
principles and practices.
GPLO3 – The graduate is able to protect the confidentiality, integrity and availability of
information while in transmission, storage or processing through the application of policy,
education, training and awareness program, and technology.
GPLO4 – The graduate is able to demonstrate an awareness of and to articulate positive and
socially responsible positions on the ethical and legal issues associated with the protection of
information and privacy.
GPLO5 – The graduate is able to demonstrate an understanding of the relationship and inter-
responsibilities between all three communities of interest in Information Security: General
Business, Information Technology, and Information Security.
GPLO6 – The graduate is able to effectively communicate – orally, in writing and using
symbolic methods and modeling – with all communities of interest; technical and non-
technical managers and users.

Specific Program Learning Objectives

SPLO1 – The graduate is able to demonstrate an understanding of the elements of information
security management: Policy, Strategic and Continuity Planning, Programs and Personnel.
SPLO2 – The graduate is able to analyze and design technical information security controls and
safeguards including system specific policies, network and platform security
countermeasures and access controls.
SPLO3 – The graduate is able to investigate and implement the principles and applications of
risk management, including business impact and cost-benefit analyses and implementation
methods.
SPLO4 – The graduate is able to demonstrate an understanding of and to implement an
assessment of threats, vulnerabilities and assets of modern computing systems, including
hardware, software, and networking components.
SPLO5 – The graduate is able to demonstrate an understanding of the foundations of security
programming and the use of security-related scripts.
Degree Program Knowledge and Skills

Technology Knowledge and Skills
While the proposed degree program is independent and unique from the Bachelor of Science in
Information Systems and the Bachelor of Science in Computer Science, it does draw from the
technology foundation of both. These two existing programs share a common core in
programming, database management and advanced technology issues. This foundation, coupled
with the available courses that form the Certificate in Information Technology provide the
students with a firm foundation in information technology. While Information Security students
must have a solid grasp of information technology, Information security itself is not necessarily a
technology-centric field. Just as Information Systems majors are focused on using technology to
solve business problems, Information Security majors are focused on using policy, education and
awareness, and technology to protect organizational information assets.
Business Knowledge and Skills
The foundation in Business is essential as information security is an area, like information
systems, that impacts all aspects of an organization, and requires a strategic understanding of
how businesses function. The foundation in business provides the students with a detailed
understanding of business financial accounting processes, managerial principles including
policy, planning, and personnel administration.
Cross-Disciplinary Electives
The proposed degree program will also include areas of Criminal Justice, a program related in its
approach to Cyber-Crime, a new area in the law enforcement arena. Cyber-Crime incorporates
aspects of information security from the criminal and law enforcement perspectives.
Coordination with the Criminal Justice program coordinator indicates that this is an excellent
cross-disciplinary opportunity to create a new subset of information security professionals,
prepared to work in law enforcement or corporate security in areas of cyber-crime and computer
forensics.
Career Opportunities
As a recommended elective component of the program, students can select from a number of
career-oriented opportunities, including internships and cooperative studies. There are a number
of information security related opportunities with local businesses, the Georgia Bureau of

Investigation and numerous public services institutions. The Center for Information Security
Education and Awareness employs 5-6 student interns each semester, in support of the current
Certificate in Information Security and Assurance. These students learn critical security skills
while providing valuable vulnerability assessment, security technology installation and
configurations, and policy review and recommendations. The center will continue its support of
student internships and cooperative studies with the proposed degree program. Once the students
have completed their educational programs, it is anticipated that the growing demand for
information security professionals will continue, as this is one area that organizations will be
reluctant to outsource overseas, a trend that is affecting a number of information technology jobs.
Through collaboration with the College of Business, the College of Humanities and Social
Sciences, the Center for Information Security Education and Awareness, and numerous academic
departments, the faculty, staff, and administrators behind this new program strive to actualize the
academic environment envisioned behind the university’s mission statement: one “that fosters
high-quality academic preparation, critical thinking, global and multicultural perspectives,
effective communication and interpersonal skills, leadership development, social responsibility
and lifelong learning.” The Department of Computer Science and Information Systems is well
prepared for the inaugural class of students for this program. Over the past two years, the
department has gained experience in offering information security classes through its efforts with
the Certificate in Information Security and Assurance. The proposed program will only require a
total of six new courses in order to offer the proposed curriculum and a modest increase in the
frequency of offering for the five courses already being offered. Spreading the new course
offerings over the two years projected for a student to complete the upper and lower division
required and elective components of the course will prove well within the department’s capacity.
The faculty, staff, classroom, and laboratory resources currently available are also well capable
of handling the projected initial demand. Five local information security professionals have
offered to teach courses on a part-time or adjunct basis, as demand for the degree grows.
National Standards for the degree area.

There are currently no standards for Information Security at the baccalaureate level. As such the
program architects began with an analysis of curriculum implemented at NSA designated
Centers of Academic Excellence in Information Assurance Education, as indicated earlier.
“NSA's National Centers of Academic Excellence in Information Assurance Education
(CAEIAE) program, established in November 1998, helps NSA partner with colleges and
universities across the nation to promote higher education in information assurance (IA). This
program is an outreach effort that was designed and is operated in the spirit of Presidential
Decision Directive 63 (PDD 63), the Clinton Administration's Policy on Critical Infrastructure
Protection, dated May 1998.
Under this program, 4-year colleges and graduate-level universities apply to NSA to be
designated as Centers of Academic Excellence in IA Education. Each applicant must pass a
rigorous review demonstrating its commitment to academic excellence in IA education. During
the application process applicants are evaluated against stringent criteria for measurement based
on IA training standards set nationally by the Committee on National Security Systems.
Designation as a CAEIAE is valid for three academic years, after which the school must

successfully reapply in order to retain its CAEIAE designation. These training standards
(NSTISSI No. 4011-4015) are located at: http://www.nstissc.gov/html/library.html.
CAEIAEs receive formal recognition from the U.S. government, as well as prestige and
publicity, for their role in securing our nation's information systems. Students attending CAEIAE
schools are eligible to apply for scholarships and grants through the Department of Defense
Information Assurance Scholarship Program and the Federal Cyber Service Scholarship for
Service Program (SFS).” (http://www.nsa.gov/ia/academia/caeiae.cfm). Currently KSU has an
application in for this program, and the findings from its results are pending.
The architects developing this curriculum examined dominant standards for technology
curriculum, as a foundation for the security degree. There are two dominant technology
curriculum guidelines currently in use. The first is the ABET-CAC accreditation standards.
While there are clear standards for curriculum in Information Systems, there are no standards for
Information Security. The primary program architect for this proposed program is an ABET-
CAC IS program evaluator, having completed formal training and at least one accreditation visit.
Lessons learned in developing and evaluating curriculum were incorporated into this program.
The second dominant curriculum guideline is the IS 2002 Model Curriculum Guidelines for
Undergraduate Degree Programs in Information Systems, co-sponsored by the three largest
professional technology organizations: Association for Computing Machinery (ACM),
Association for Information Systems (AIS) and Association for Information Technology
Professional (AITP). “IS 2002 is a model curriculum for undergraduate degree programs in
Information Systems… and is [a] collaborative effort by ACM, AIS, and AITP. IS, as an
academic field, encompasses two broad areas: (1) acquisition, deployment, and management of
information technology resources and services (the IS function); and (2) development and
evolution of technology infrastructures and systems for use in organizational processes (systems
development). It also includes a detailed set of course descriptions and advice to [those] who
have a stake in the achievement of quality IS degree
programs”(http://www.aisnet.org/Curriculum/IS2002-12-31.pdf). The IS 2002 guiding
principles have been adopted and revised for this curriculum model development as follows:
“1) The model curriculum should represent a consensus from the InfoSec community. 2) The
model curriculum should be designed to help InfoSec faculty produce competent and confident
entry level graduates well suited to work-place responsibilities. 3) The model curriculum should
guide but not prescribe. Using the model curriculum guidelines, faculty can design their own
courses. 4) The model curriculum should be based on sound educational methodologies and
make appropriate recommendations for consideration by InfoSec faculty. 5) The model
curriculum should be flexible and adaptable to most IS/CS programs”.
When internships or field experiences are required as part of the program, provide
information documenting internship availability as well as how students will be assigned
and supervised.
As a recommended elective component of the program, students can select from a number of
career-oriented opportunities, including internships and cooperative studies. There are a number
of information security related opportunities with local businesses, the Georgia Bureau of

Investigation and numerous public services institutions. Approximately 20 students that have
completed or are completing the Certificate in ISA have engaged in Internship Opportunities.
On average there are 3-5 internship or cooperative study opportunities available to students off-
campus. This is encouraging as most organizations would be reluctant to take a temporary
student employee and provide them with access to critical organizational data.
The Center for Information Security Education and Awareness employs 5-6 student interns each
semester, in support of the current Certificate in Information Security and Assurance. These
students learn critical security skills while providing valuable vulnerability assessment, security
technology installation and configurations, and policy review and recommendations. It is
anticipated that the center will continue its support of student internships and cooperative studies
with the proposed degree program. Once the students have completed their educational
programs, it is anticipated that the growing demand for information security professionals will
continue, as this is one area that organizations will be reluctant to outsource overseas, a trend that
is affecting a number of information technology jobs.
Indicate ways in which the proposed program is consistent with national standards.
As indicated earlier, The Committee on National Security Systems and the National Security
Agency have certified that Kennesaw State University offers a set of courseware that has been
reviewed by National Level Information Assurance Subject Matter Experts and determined to
meet National Training Standard for Information Systems Security Professionals (NSTISSI
4011, 4012, 4013, 4014) for academic years 2003 - 2006.
“The goal of the Information Assurance Courseware Evaluation (IACE) Program is to ensure
compliance with national standards for information assurance education and training throughout
the nation. The Committee on National Security Systems (CNSS) sets these standards. The
IACE Program is a major step in meeting the national requirements for IA education and
training. IACE is a systematic assessment of the degree to which the courseware from
commercial, government, and academic sources maps to the national standards. Through an
interactive website, an institution electronically submits data for evaluation. When the institution
has met all the elements of a specific standard, then it receives formal certification […]
The IACE Program was established under the authority of the National Security
Telecommunications and Information Systems Security Committee (NSTISSC), the predecessor
to today's Committee on National Security Systems (CNSS). This inter-governmental
organization sets policy for the security of national security systems for the Federal Government.
Presidential Decision Directive 63 (PDD 63) on Critical Infrastructure Protection, issued in May
1998, highlighted the critical shortage of well-trained information assurance professionals and
the need for national standards. In January 2000, the NSTISSC initiated the IACE Program to
establish those standards, recognizing that the body of knowledge required by the standards was
available from a variety of sources: government, commercial industry, and colleges and
universities” (http://www.nsa.gov/ia/academia/iace.cfm). The certified coursework forms the
foundation for the proposed Information Security degree program.
CURRICULUM
BS - Information Security and Assurance Degree Requirements

University-Wide Degree Requirements 45 Hours

AREA A: ESSENTIAL SKILLS - 9 CREDITS
English 1101 Composition I – 3 credits
English 1102 Composition II –3 credits
Math 1101 Mathematical Modeling – 3 credits
AREA B: SOCIAL ISSUES (INSTITUTIONAL OPTION) - 5 CREDITS
NTH 2105 or GEOG 2105 or PSYC 2105 or SOCI 2105 Social Issues in Anthropology, Geography,
Psychology, or Sociology – 2 credits
COM 1109 or FL 1002 or PHIL 2200 Human Communication or Foreign Language II or Ways of Knowing
–3 credits
AREA C: HUMANITIES/FINE ARTS - 6 CREDITS
ENGL 2110 World Literature – 3 credits
ART 1107 or MUSI 1107 or TPS 1107 Arts in Society (Visual Arts, Music, or Theatre)- 3 credits
AREA D: SCIENCE, MATHEMATICS, AND TECHNOLOGY – 10 to 11 CREDITS

SCI 1101 Interdisciplinary Sciences I (includes a lab) 4 credits or
CHEM 1211/CHEM 1211L General Chemistry I (including lab) 4 credits or
CHEM 1151/1151L Survey of Chemistry I (including lab) 4 credits or
PHYS 1111 Introductory Physics I – 4 credits or
PHYS 2111/PHYS 2111L Principles of Physics I (including lab) 4 credits
SCI 1102 Interdisciplinary Sciences II -3 credits or
CHEM 1212/1212L General Chemistry II (including lab) -4 credits or
CHEM 1152/1152L Survey of Chemistry II (including lab) -4 credits or
PHYS 1112 Introductory Physics II -4 credits or
PHYS 2212/PHYS 2212L Principles of Physics II (including lab) – 4 credits
MATH 1106 Elementary Applied Calculus - 3 credits or
MATH 1107 Elementary Statistics - 3 credits or
MATH 1190 Calculus - 4 credits
AREA E: SOCIAL SCIENCES – 12 CREDITS

POLS 1101 American Government in a Global Perspective - 3 credits
ECON 1100 or ECON 2100 Global Economics or Principles of Microeconomics - 3 credits
HIST 1110 Introduction to World Civilizations - 3 credits
HIST 2112 America Since 1890 - 3 credits
AREA F: COURSES RELATED TO THE PROGRAM OF STUDY
Lower Division Major Requirements 18 Hours

Course Description Hours Prerequisites
ACCT 2100 Introduction to Financial Accounting 3 ENGL 1101 & MATH 1106
ACCT 2200 Introduction to Managerial Accounting 3 ACCT 2100 & MATH 1106
CSIS 2300 Intro to Computer Information Systems OR 3 Credit level math course
BISM 2100 Business Information Systems & Communications NONE
CSIS 2520 Introduction to Data Communications 3 CSIS 2301
BLAW 2200 Legal and Ethical Environment of Business 3 NONE
CSIS 2301 Programming Principles I 3 CSIS 2300
Upper Division Major Requirements 42 Hours

Course Description Hours Prerequisites
ENGL 3140 Technical Writing 3 ENGL 2110
MATH 3400 Computer Applications in Statistics 3 CSIS 2300
MGT 3100 Management and Behavioral Sciences 3 60 credit hours
CSIS 3210 Project Management 3 CSIS 2301 or ACCT 3100
ISA 3010 Security Script Programming 3 CSIS 2301
ISA 3100 Principles of ISA 3 CSIS 2300 or BISM 2100

ISA 3200 Applications in ISA 3 ISA 3100 & CSIS 2520

ISA 3300 Policy and Administration in ISA 3 ISA 3100
ISA 3350 Computer Forensics 3 ISA 3200
ISA 4210 Client OS Security 3 ISA 3010 & 3200
ISA 4220 Server OS Security 3 ISA 3010 & 3200
ISA 4330 Incident Response and Contingency Planning 3 ISA 3300 & CSIS 2520
ISA 4820 ISA Programs & Strategies 3 ISA 3200 & ISA 4330
IT 3500 Database Technologies OR 3 CSIS 2300 or BISM 2100
BISM 3200 Adv Business Application Systems OR BISM 3100 or 60 hours
CSIS 3310 Introduction to Database Systems CSIS 2301
Major Electives
(Choose three 3-hour classes) see below for descriptions 9 Hours
ACCT 3100, ACCT 3300, ACCT 4150, ECON 2200, CRJU 1101, CRJU 3305, CRJU 3320, CRJU 4305, CSIS
3550, CSIS 4420, CSIS 4510, CSIS 4515, CSIS 4555, CSIS 4575, ISA 4400, ISA 4490, ISA 4700, IT 3300,
IT 3700, IT 4525
Free Electives
(Any courses in KSU curriculum totaling 9 hours) 9 Hours
TOTAL 123 Hours

Hours Required for Graduation
General Education 45
Lower Division Major Requirements 18
Upper Division Major Requirements 42
Major Electives 9
Free Electives + 9
TOTAL HOURS 123
Major Electives
COURSE TITLE PREREQUISITES
Business Electives:
(An Accounting & Auditing specialization may be obtained by selecting the following ACCT courses)
ACCT 3100 Intermediate Financial Accounting & Audit ACCT 2100 & ACCT 2200
ACCT 3300 Accounting Information Systems ACCT 3100
ACCT 4150 Auditing and Assurance ACCT 3300 & permission of the dept chair
ECON 2200 Principles of Macroeconomics ECON 2100
Criminal Justice Electives:

(A Criminal Justice & CyberCrime specialization may be obtained by selecting from the following CRJU courses)
CRJU 1101 Foundations of Criminal Justice none
CRJU 3305 Technological Applications in Criminal Justice CRJU 1101
CRJU 3320 Criminal Investigation CRJU 1101
CRJU 4305 Technology and Cyber Crime CRJU 1101 and CRJU 3305
CSIS Electives:
CSIS 3550 Linux Administration and Security CSIS 3600 & CSIS 3530 or ISA 3010
CSIS 4420 Local Area Networks CSIS 2520
CSIS 4510 Computer Law CSIS 3600 or ISA 4330
CSIS 4515 Computer Ethics CSIS 3310 or IT 3500
CSIS 4555 Electronic Business Systems CSIS 3210
CSIS 4575 Technology Commercialization Any 3000 Level CSIS (or ISA) Course

Information Security Electives:

ISA 3396* Cooperative Study in ISA Approval of Career Services & Dept Chair
ISA 3398* Internship in ISA Approval of Career Services & Dept Chair
ISA 4400 Directed Study in ISA Approval of Instructor & Dept Chair
ISA 4490 Special Topics in ISA varies by topic
ISA 4700 Emerging Issues in ISA ISA 4330
Information Technology Electives:

Students may take no more than one of the following:
IT 3300 Web Technologies CSIS 2300 or BISM 2100
IT 3700 Information Technology Management CSIS 2300 or BISM 2100
IT 4525 Electronic Commerce CSIS 2300 or BISM 2100
* Internships & Cooperative Studies may only be counted as free electives
ISA 4210
Client OS Security
ISA 3010
Security Script Prog
ISA 4220
Server OS Security
CSIS 4555
E-biz Systems
CSIS 3210
CSIS 3550
Proj Mgmt
Linux Sec & Admin
CSIS 4575
Tech Comm
ISA 3550
Computer Forenics
CSIS 4420
LAN
CSIS 2301 CSIS 2520
Prog Prin I Data Comm
ISA 3200 ISA 4820

Applications - ISA ISA Programs
& Strategy
CSIS 2300 or ISA 4330

ISA 3100 ISA 3300
BISM 2100 Incident Response &
Principles - ISA Policy & Admin - ISA CSIS 4510
Intro to Computing Contingency Planning
Comp Law
IT 3500 CSIS 4515

Database Comp Ethics ISA 4700
Emerg Issues - ISA
IT 3300
Web Technologies
IT 3700
IT Mgmt
Bold outlines represent new classes
Shaded boxes represent major ISA, IT & CSIS electives
(Dotted lines simply to prevent confusion on overlaps)
IT 4525
eCommerce
As evidenced by this chart, consideration was placed on the flow of students through the
program. A balance was created between the need for prerequisite knowledge from course to
course, and the need to resolve any potential bottlenecks in the matriculation of students. As a
result, the program designers identified the core courses (ISA 3100, 3200 and 3300) that form
the critical path through the program. These courses will or are already offered with sufficient
frequency to insure students can complete the program in a timely manner. The required core
courses in the lower and upper divisions will be offered at least once a semester, with many
courses in the CSIS foundations offered in multiple sections.

List the entire course of study required and recommended to complete the degree program. Give
a sample program of study that might be followed by a representative student. Indicate ways in
which the proposed program is consistent with national standards.
Sample Programs of Study
Four-Year Program of Study for Full-Time Student

Status 1st Semester Program 2nd Semester Program
ENGL 1101 (3) ENGL 1102 (3)
MATH 1101 (3) MATH 1106 (3)
Freshman CSIS 2300 (or BISM 2100) (3) POLS 1101 (3)
(up to 30 hrs) HPS 1000 (3) COM 1109 or FL 2001 or PHIL 2200 (3)
ECON 1100 or ECON 2100 (3) CSIS 2301 (3)
TOTAL HOURS: 15 TOTAL HOURS: 15
ENGL 2110 (3) HIST 2112 (3)
HIST 1110 (3) ACCT 2200 (3)
Sophomore CSIS 2520 (3) BLAW 2200 (3)
(30 - 60 hrs) SCI 1101 (4) ISA 3100 (3)
ACCT 2100 (3) SCI 1102 (3)
ISA 3010 (3) MGT 3100 (3)
ISA 3200 (3) ISA 4210 (3)
Junior ART 1107 or MUSI 1107 or THTR 1107 ISA 3300 (3)
(60 - 90 hrs) ENGL 3140 (3) MATH 3400 (3)
IT 3500 (3) Major Elective** (3)
ANTH 2105 or GEOG 2105 or
PSYC 2105 or SOCI 2105 (2)
ISA 3550 (3) ISA 4220 (3)
CSIS 3210 (3) ISA 4820 (3)
Senior ISA 4320 (3) Free Elective* (3)
(over 90 hrs) Free Elective* (3) Free Elective* (3)
Major Elective** (3) Major Elective** (3)
*Prerequisites for electives vary by class.

** Major electives are listed in the current KSU catalog.

Five-Year Program of Study for Part-Time Student (12 Hours)
1st Semester Program 2nd Semester Program

Freshman (up to 30 hrs)
ENGL 1101 (3) ECON 1100 or ECON 2100 (3)
MATH 1101 (3) ENGL 1102 (3)
CSIS 2300 (or BISM 2100) (3) MATH 1106 (3)
HPS 1000 (3) CSIS 2301 (3)
Sophomore (30 - 60 hrs)
COM 1109 or FL 2001 or PHIL 2200 (3) CSIS 2520 (3)
POLS 1101 (3) SCI 1101 (4)
ENGL 2110 (3) ACCT 2100 (3)
HIST 1110 (3) HIST 2112 (3)
Junior (60 - 90 hrs)
ACCT 2200 (3) ISA 3010 (3)
BLAW 2200 (3) ISA 3200 (3)
ISA 3100 (3) ART 1107 or MUSI 1107 or THTR 1107 (3)
SCI 1102 (3) ENGL 3140 (3)
IT 3500 (3) MATH 3400 (3)

ANTH 2105 or GEOG 2105 or ISA 3550 (3)
PSYC 2105 or SOCI 2105 (2) Free Elective* (3)
MGT 3100 (3) Major Elective** (3)
ISA 4210 (3)
ISA 3300 (3)
Senior (over 90 hrs)
ISA 4320 (3) ISA 4220 (3)
CSIS 3210 (3) ISA 4820 (3)
Free Elective* (3) Free Elective* (3)
Major Elective** (3) Major Elective** (3)
*Prerequisites for electives vary by class. Check KSU catalog for current prerequisite requirements.
** Major electives are listed in the current KSU catalog.

NEW AND EXISTING COURSES
In the Degree requirements example above, new courses are indicated as bold and italic. The
new degree program will require the following new courses:
ISA 3010 – Security Script Programming - In depth discussion of secure methods and
techniques in programming, and the role of specialized scripting languages.
ISA 4210 – Client OS Security - An overview of the security of and vulnerabilities present in
modern computing system clients, including computer architectures, and operating systems.
ISA 4220 – Server OS Security - An overview of the security of and vulnerabilities present in
modern computing system servers, including computer architectures, and operating systems.
ISA 4330 – Contingency Planning and Operations - An examination of the detailed aspects of
contingency planning and operations: Incident Response – prevention, detection, reaction,
recovery, Disaster Recovery & Business Continuity
ISA 4400 – Directed Study in ISA – An independent study of a topic of interest to a particular
student and faculty member.
ISA 4490 – Special Topics in ISA – A unique class of interest not part of the existing
curriculum.
ISA 4700 – Emerging Issues in Information Security and Assurance – The topics covered in
this course vary to maintain currency with current thinking and discussions in the InfoSec
profession. Students will choose or be assigned topics to be investigated as groups or
individuals. They will perform on-line and library research, prepare and deliver reports and
presentations, and analyze and critically evaluate the reports and presentations of other students.
ISA 4820 – Information Security & Assurance Programs and Strategies (capstone) - This
course pulls together the managerial and technical components of the program in one
comprehensive course. Individuals focus on risk management, organizational assessment, and
certification and accreditation issues, and the roles and responsibilities of the CISO.
Course Descriptions for the General Education requirements are available online at
www.kennesaw.edu.
Accounting Courses
ACCT 2100. Introduction to Financial Accounting. 3-0-3. Prerequisite: ENGL 1101 and MATH
1101.
An introduction to the language of business. Focuses on financial statements and their use in
decision making. Designed for non business and business majors.

ACCT 2200. Introduction to Managerial Accounting. 3-0-3. Prerequisite: ACCT 2100.An

introduction to how accounting information is used to manage a business. Includes managerial
problem-solving techniques and current trends in managerial decision-making.
ACCT 3100. Intermediate Financial Accounting & Auditing. 3-0-3. Prerequisite: Business
Majors: Sophomore GPA Requirement; Non business Majors: ACCT 2100 and ACCT 2200.
Focuses on problems and issues related to the collection, analysis, and reporting of external and
internal information. Includes theory and applications in financial accounting and auditing within
the framework of accounting as an information system.
ACCT 3300. Accounting Information Systems. 3-0-3. Prerequisite: Business Majors: Sophomore
GPA Requirement and ACCT 3100; Non business Majors: ACCT 3100.
A continuation of accounting transaction processing concepts; internal controls and systems
analysis and design.
ACCT 4150. Auditing and Assurance. 3-0-3. Prerequisite: Business Majors: Sophomore GPA
Requirement and ACCT 3300; Non business Majors: ACCT 3300 and permission of department
chair.
A continuation of audit theory with a focus on specific applications to financial reporting. Also
covers other types of attestation and assurance services with a focus on the concepts of risk,
control, evidence, and ethics.
Computer Science and Information Systems Courses
CSIS 2300. Principles of Computing. 3-0-3. Prerequisite: credit level mathematics course.
Principles of computing is the first course a student should take to prepare for a career in
computer science or information systems. Topics include information systems in organizations,
hardware, software, database concepts, telecommunications and networks, the Internet, systems
development, security, privacy, ethics, programming logic, algorithms, abstraction, and data
structures.
CSIS 2301. Programming Principles I. 3-0-3. Prerequisite: CSIS 2300 and any credit level
Mathematics course.
An introduction to problem-solving methods that lead to the development of correct, well-
structured programs. Topics also include the fundamentals of computer systems.
CSIS 2520. Introduction To Data Communications. 3-0-3. Prerequisite: CSIS 2301.

An introduction to the theory and applications of data communications. Topics include
communication media, encoding systems, data security and integrity, network topologies,
network protocol concepts, Internet protocols, and routing.
CSIS 3210. Project Management. 3-0-3. Prerequisite: CSIS 2301 or ACCT 3100.
Introduction to the principles and application of project management techniques with an
emphasis on the design and management of computer information systems projects. Topics
include project planning, work team design, project estimation techniques, project reporting,
identifying and controlling project risks, budgets, and quality assurance.

CSIS 4510. Computer Law. 3-0-3. Prerequisite: CSIS 3600.

Covers broad areas of law pertaining to the computer industry, including Intellectual Property
(Copyright, Patent, Trademark, and Trade Secret), Contract, and the U.S. Constitution. Class will
discuss computer crime, privacy, and professional ethics.
CSIS 4515. Computer Ethics. 3-0-3.Prerequisite: CSIS 3310 and ENGL 3140.
Computer Ethics addresses a definition ofethics, provides a framework for making ethical
decisions, and analyzes in detail several areas of ethical issues that computer professionals are
likely to encounter in business. Each area includes information regarding U.S. Law. Topics
include philosophical, business, and professional ethics, privacy, criminal conduct, property
rights, speech, and reliability.
CSIS 4555. Electronic Business Systems. 3-0-3. Prerequisite: CSIS 3210.

Information systems that enable electronic transactions and communication have redefined the
ways that firms compete, interact with value chain partners, and relate to customers. In the near
future, all business will be e-business, and every organization will be required to effectively
implement e-business solutions. This course explores enterprise e-business applications and the
issues organizations encounter as they leverage Internet technologies to enhance communication
and transactions with stakeholders.
CSIS 4575. Technology Commercialization. 3-0-3. Prerequisite: Any 3000 level BIOL, CHEM,
CSIS or MATH course.
This is a course for junior and senior level science and mathematics majors who may want to be
prepared to commercialize technology and start up a company. The course is designed to provide
students with the perspective, tools and information necessary to evaluate the market potential of
a technical idea, secure patent protection, obtain research and development funding, understand
start-up issues, appreciate the value of a technology incubator, obtain venture capital, understand
IPOs and grow a technology-based enterprise.
Business Law
BLAW 2200. Legal and Ethical Environment of Business. 3-0-3. Prerequisite: All developmental
studies courses if required.
Covers torts, contracts, government regulation of business and the legal system. Also addresses
ethical issues arising in a business’s internal and external relationships.
Criminal Justice Classes
CRJU 1101. Foundations of Criminal Justice. 3-0-3. Prerequisite: None.

This course provides an overview of the criminal justice system. Emphasis will be on crime in
America, the criminal justice process, law enforcement, adjudication, punishment, corrections,
and prisons. Other special issues to be addressed include AIDS, changing roles of women, and
criminal justice systems in other countries.
CRJU 3305. Technological Applications in Criminal Justice. 3-0-3. Prerequisite: CRJU 1101.

This course will examine current and predicted hardware and software applications of
technology by criminal justice agencies, especially law enforcement agencies. Topic areas
discussed will include technology associated with forensics, “less than” lethal force, and crime
analysis. Laws pertaining to the use of technology for investigative purposes, privacy issues, and
fourth amendment issues will also be examined.
CRJU 3320. Criminal Investigation. 3-0-3. Prerequisite: CRJU 1101.

This course examines the historical, theoretical, and technological aspects of the investigation of
crime. The topic areas include crime scene examinations, the collection and preservation of
evidence, forensic and behavioral sciences, interviews/interrogations, and the use of technology
by law enforcement agencies.
CRJU 4305. Technology and Cyber Crime. Prerequisite: CRJU 1101 and CRJU 3305.
This course provides an overview of cyber crime and computer-related crime issues facing the
American criminal justice system, particularly law enforcement. The course looks at law
enforcement’s ability to respond and discusses law enforcement problems in dealing with
computer crime. Students will learn about government response to cyber crime problems,
especially from a law enforcement perspective. Future trends of cyber crime and computer-
related crime will also be discussed.
Economics Classes
ECON 2200. Principles of Macroeconomics. 3-0-3. Prerequisite: ECON 2100 and 6 credit hours
of MATH numbered 1101 or higher.
Analysis of socioeconomic goals, money and credit systems, theories of national income,
employment and economic growth.
English Classes
ENGL 3140. Technical Writing. 3-0-3. Prerequisite: ENGL 2110.

Analysis of and practice in writing of business and technical documents from the perspective of
technical personnel whose writing supplements but does not define their job description.
Information Security and Assurance Classes
ISA 3100. Principles of Information Security and Assurance. 3-0-3. Prerequisite: CSIS 2520 or
permission of the department.
An introduction to the various technical and administrative aspects of Information Security and
Assurance. This course provides the foundation for understanding the key issues associated with
protecting information assets, determining the levels of protection and response to security
incidents, and designing a consistent, reasonable information security system, with appropriate
intrusion detection and reporting features.
ISA 3200. Applications in Information Security and Assurance. 3-0-3. Prerequisite: CSIS 2520
or permission of the department.

Detailed examinations of the tools, techniques and technologies used in the technical securing of
information assets. This course is designed to provide in-depth information on the software and
hardware components of Information Security and Assurance. Topics covered include: firewall
configurations, hardening Unix and NT servers, Web and distributed systems security, and
specific implementation of security models and architectures.
ISA 3300. Policy and Administration in Information Security and Assurance. 3-0-3. Prerequisite:
CSIS 2520 or permission of the department.
Detailed examinations of a systems-wide perspective of information security, beginning with a
strategic planning process for security. Includes an examination of the policies, procedures and
staffing functions necessary to organize and administrate ongoing security functions in the
organization. Subjects include security practices, security architecture and models, continuity
planning and disaster recovery planning.
ISA 3350. Computer Forensics. 3-0-3. Prerequisite: ISA 3100.This course focuses on the
detection, isolation and response to security breaches and attacks. It provides a detailed
examination of the entire computer forensic process and presents specific procedures required to
respond to a computer crime incident. Subjects include recognizing unauthorized access,
identifying file anomalies, and traffic monitoring.
ISA 3396. Cooperative Study in Information Security and Assurance. 3-0-3. Prerequisite: ISA
3100 and approval of coordinator of cooperative education (Career Services).
A supervised work experience for a minimum of two semesters at a site in business, industry or
government, focusing on some aspect of information security and assurance. For sophomore,
junior or senior level students who wish to obtain on-the-job experience in Information Security
and Assurance, in conjunction with their academic training. Students may take a cooperative
study for multiple semesters however only three credit hours are applicable toward the
Certificate in Information Security and Assurance. Contact the department office for additional
information on the requirements and restrictions of the cooperative study.
ISA 3398. Internships in Information Security and Assurance. 3-0-3. Prerequisite: ISA 3100 and
approval of coordinator of cooperative education (Career Services).
A supervised work experience for one semester at a site in business, industry or government,
focusing on some aspect of information security and assurance. For sophomore, junior or senior
level students who wish to obtain on-the-job experience in Information Security and Assurance,
in conjunction with their academic training. Students can earn between three and nine credit
hours toward their degree programs but only three hours will be counted toward the Certificate in
Information Security and Assurance. Contact the department office for additional information on
the requirements and restrictions for the Internship.
ISA 4210 – Client Operating Systems Security. 3-0-3. Prerequisite ISA 3200
This course is an exploration of client computer systems security and vulnerabilities, including
computer architectures, and operating systems. It provides the detailed technical coverage
necessary to protect computer information system clients by presenting the knowledge of client
platform computer hardware components, client network devices and interfaces as well as the
structure and usage of client operating system software from an information security perspective.

Additional learning regarding ongoing maintenance and operational issues of client computing
systems will also be included.
ISA 4220 – Server OS Security

An overview of the security of and vulnerabilities present in modern computing system servers,
including computer architectures, and operating systems.
ISA 4330 – Contingency Planning and Operations

An examination of the detailed aspects of contingency planning and operations: Incident
Response – prevention, detection, reaction, recovery. Disaster Recovery Business Continuity
ISA 4400 – Directed Study. 1 to 3 credit hours. Prerequisite: Approval of instructor, major area
committee, and department chair. Up to three hours may be applied to the major area.
Special topics of an advanced nature that are not in the regular course offerings.
ISA 4490 – Special Topics Special Topics. 1-3 credit hours. Prerequisite: Varies by topic.
Selected special or current topics of interest to faculty and students.
ISA 4550 – Security Script Programming

In depth discussion of secure methods and techniques in programming, and the role of
specialized scripting.
ISA 4700 – Emerging Issues in Information Security and Assurance –

The topics covered in this course vary to maintain currency with current thinking and discussions
in the InfoSec profession. Students will choose or be assigned topics to be investigated as
groups or individuals. They will perform on-line and library research, prepare and deliver
reports and presentations, and analyze and critically evaluate the reports and presentations of
other students.
ISA 4820 – Information Security & Assurance Programs and Strategies (capstone)
This course pulls together the managerial and technical components of the program in one
comprehensive course. Individuals focus on risk management, organizational assessment, and
certification and accreditation issues, and the roles and responsibilities of the CISO.
Information Technology Classes
IT 3300. Web Technologies. 3-0-3. Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Web Technologies will introduce students to the planning, design, implementation and
maintenance of World Wide Web applications. Applications will be developed using both high-
end development environments as well as html. Topics include tables, image maps, frames,
security, ethical issues, application development tools, and development methodologies.
IT 3500. Database Technologies. 3-0-3. Prerequisite: CSIS 2300 or EBIZ 2100 or equivalent.
Database Technologies covers the essentials of database concepts for non-IT careers. Key topics
may include searching and querying, validation of electronic data, data mining, data collection
principles, privacy and fair use, related intellectual property issues, integration of incompatible

data sources, database-driven web sites, and visual database programming. Tools included may
include SQL, Visual Basic Web Databases, Personal Oracle, and Access 2000, and various
database search engines.
IT 3700. Information Technology Management. 3-0-3.Prerequisite: EBIZ 2100 or CSIS 2300.

Advanced applications of general-purpose software with a special emphasis on integration of
multiple software tools and data to solve a wide variety of career related problems. Students
study current topics in the application and management of information technology at the worker,
department, and enterprise level.
Courses
IT 4400. Directed Study. 1-3 credit hours. Prerequisite: Approval instructor, major area
committee, and department chair. Up to three hours may be applied to the upper division
requirements for the IT certificate.
Special topics of an advanced nature that are not in the regular course offerings. Students
selecting
this to complete the IT certificate must select a topic involving technology-applications in the
chosen career area.
IT 4525. Electronic Commerce. 3-0-3. Prerequisite: EBIZ 2100 or CSIS 2300.

The application of information technology to the buying and selling of information, products,
and services, via computer networks. Topics include EDI, transactions over public networks,
corporate digital libraries, advertising and marketing on the Internet, and consumer-data
interface.
Management Classes
MGT 3100. Management and Behavioral Sciences. 3-0-3. Prerequisite: Business Majors:
Sophomore GPA Requirement; Non business Majors: 60 credit hours.
This course introduces students to the field of management, focusing on basic principles and
concepts applicable to all types of organizations. The evolution of functional and behavioral
aspects of management and organization theory are presented in the context of political, societal,
regulatory, ethical, global, technological and demographic environmental forces.
Math Classes
MATH 3400. Computer Applications In Statistics. 3-0-3. Prerequisite: CSIS 2300.

Introduction to the use of computer-based statistical techniques and applications in the analysis
and interpretation of data. Topics include both descriptive statistics and inference methods. This
course is not for Mathematics or Mathematics Education majors.

ISA 3010 Security Script Programming
Syllabus
COURSE DESCRIPTION
A study of secure programming and security programming techniques. The course examines
aspects of developing traditional computer software, applying additional controls and measure to
prevent the development of vulnerable and exploitable code. The course then examines
programming techniques used in support of ongoing technical security functions, including Perl
and CGI scripting.
PREREQUISITES
CSIS 2301 or permission of the department
COURSE OBJECTIVES
After completing the course, students will be able to:

Design an Incident Response Plan for sustained organizational operations.
Design a Disaster Recovery Plan for sustained organizational operations.
Design an Business Continuity Plan for sustained organizational operations.
Integrate the IRP, DRP, and BCP plans into a coherent strategy to support
sustained organizational operations.
Understand and be able to discuss incident response options.
Understand the escalation process from incident to disaster.
RESOURCES
Required:
Secure Coding: Principles & Practices, By Mark G. Graff, Kenneth R. van Wyk, June 2003 ,
ISBN: 0-596-00242-4 O’Reilly
Perl and CGI for the World Wide Web: Visual QuickStart Guide, 2/E, Elizabeth Castro, ISBN:
0-201-73568-7, Publisher: Peachpit Press
Recommended:
The Computer Security Resource Center at the National Institute of Standards at

http://www.csrc.nist.gov/
The SANS Institute (System and Network Security) at http://www.sans.org

The Computer Security Institute at http://gocsi.com/

Information Security Magazine at http://www.infosecuritymag.com/
Carnegie Mellon SEI CERT/CC at http://www.cert.org
ACM Special Interest Group on Security, Audit and Control (SIGSAC) at
http://www.acm.org/sigsac/
Additional supplemental resources will be provided by the instructor.
Course Web Site:
Various course resources, technology tutorials, assignments, and announcements will be

available on the course Web site at http://science.kennesaw.edu/csis/courses/ISA3010.
WebCT Account:
This course will make extensive use of WebCT for several aspects of the course curriculum. In
order to facilitate your best use of the system, please verify your access to WebCT at your first
opportunity and then forward your WebCT email to an email address that you read regularly.
This will assure you stay up to date with WebCT communications.
EVALUATION
Evaluation of your performance will be based on five components:
Participation 10%
Programming Exercises 20%
Mid-term Examination 25%
Final Exam 25%
Programming Project 20%
Evaluation criteria explained:
• Students are expected to be active participants in each class meeting. Full credit for
participation will be extended to students who regularly ask questions, share
observations, and contribute relevant personal experiences. Participation in online
discussions in WebCT is also encouraged.
• The mid-term examination will consist of program assignments and technological
comprehension that cover the lecture material, and assigned readings.

PROJECTS DESCRIPTION
The team project will consist of the examination of several archetypal client information systems
within one or more defined information security technical architectures. The team will then
create an implementation and maintenance plan to implement the necessary technical controls to
meet the information security needs of the client information system. They will present their
findings in a formal presentation. Peer evaluations will be considered in determining each
student’s grade on the project. Project guidelines will be available via WebCT.
LABS DESCRIPTIONS
At various points throughout the semester, as defined in the schedule, the class will meet in SC
363, the Advanced Data Communications Lab. During this time, the students will be assigned a
number of hands-on exercises involving information security technical controls as applied to
client platforms. Students will perform the labs, and document their activities. These reports will
be submitted to the instructor, and are due 1 week after the lab is assigned. Students will be
provided with access to the lab after class hours in order to complete these exercises.
POLICIES
All submitted work should be word-processed. Any work submitted should contain a cover sheet
that includes your name, the course and section number, title of the assignment, and date of
submission. Late assignments and papers will not be accepted.
Please include the course number (i.e. 3100) in the subject field of any e-mail message that you
send to me during the term. E-mail messages I receive that are missing this information in the
subject field are likely to be automatically redirected to a folder the contents of which I seldom
check.
ACADEMIC HONESTY
Every KSU student is responsible for upholding the provisions of the Student Code of
Conduct, as published in the Undergraduate and Graduate Catalogs. Section II of the
Student Code of Conduct addresses the University’s policy on academic honesty,
including provisions regarding plagiarism and cheating, unauthorized access to
University materials, misrepresentation/falsification of University records or academic
work, malicious removal, retention, or destruction of library materials,
malicious/intentional misuse of computer facilities and/or services, and misuse of
student identification cards. Incidents of alleged academic misconduct will be handled
through the established procedures of the University Judiciary Program, which includes
either an "informal" resolution by a faculty member, resulting in a grade adjustment, or a
formal hearing procedure, which may subject a student to the Code of Conduct’s

COURSE OUTLINE
This tentative outline is subject to change.
Week Topic
1 Secure Code Text: 1. No Straight Thing
2 Secure Code Text: 2. Architecture
3 Secure Code Text: 3. Design
4 Secure Code Text: 4. Implementation
5 Secure Code Text: 5. Operations
6 Secure Code Text: 6. Automation and Testing
7 Exam 1 Chapters 1-6
8 Perl & CGI Scripting Text: 1. Introduction.

2. Perl Building Blocks.
9 Perl & CGI Scripting Text: 3. About Servers, Perl, and CGI.pm.
4. Running Perl CGI on a Unix Server.
10 Perl & CGI Scripting Text: 5. Testing Scripts Locally on Windows.

6. Testing Scripts Locally on the Mac.
11 Perl & CGI Scripting Text: 7. Getting Data from Visitors.

8. Environment Variables.
12 Perl & CGI Scripting Text: 9. Getting Data into the Script.
10. Simple Operations with Scalars.
13 Perl & CGI Scripting Text: 11. Conditionals and Loops.

12. Working with Arrays.
14 Perl & CGI Scripting Text: 13. Subroutines.

14. Working with Hashes.
15 Perl & CGI Scripting Text: 15. Analyzing Data.

16. Remembering what Visitors Tell You.
16 Perl & CGI Scripting Text: 17. Formatting, Printing, and HTML.
18. Security.
Final Exam
Period

ISA 4210 Client Operating System Security
Syllabus
COURSE DESCRIPTION
This course is an exploration of client computer system security and vulnerabilities,

including client computer architectures, and operating systems. It provides the detailed
technical coverage necessary to protect computer information system clients by
presenting the knowledge of client platform computer hardware components, client
network devices and interfaces as well as the structure and usage of common client
operating system software from an information security perspective. Additional learning
regarding ongoing maintenance and operational issues of client computing systems will
also be included.
PREREQUISITES
ISA 3200 or permission of the department
COURSE OBJECTIVES

Know and understand the nature and use of the hardware devices commonly
found in client information systems
Know and understand the nature and use of networking hardware and protocols
commonly found in client information systems
Know and understand the nature and use of commonly used client operating
systems
Be prepared to understand and implement client components information
security technical architecture
RESOURCES
Required:
Guide to Operating System Security, Michael Palmer, ISBN 0-619-16040-3 © 2004.
Organization and Architecture text, TBD, ISBN tbd © 2004.
Articles and readings at http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%20Secu
rity/
Recommended:


Course Web Site:

available on the course Web site at http://science.kennesaw.edu/csis/courses/4210.
WebCT Account:
EVALUATION
Participation 10%
Security Lab Exercises 15%
Final Exam 25%
Team Project 25%


LABS DESCRIPTIONS
POLICIES
Please include the course number (i.e. ISA4210) in the subject field of any e-mail message that
you send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the contents
of which is seldom checked.
ACADEMIC HONESTY

COURSE OUTLINE
Week Topic
1 Introduction to the course
2 Client hardware
3 Client O/S structures
4 Client O/S usages

5 Client network technology
6 Exam
7 Client O/S vulnerabilities
8 Client O/S hardening
9 Lab I
10 Client Email security
11 Managing client malicious code
12 Wireless client security
13 VPN and remote access clients
14 Lab II
15 Client configuration management
16 Project Presentations
Final Final Exam
Exam
Period

ISA 4220 Server Operating System Security
Syllabus
COURSE DESCRIPTION
This course is an exploration of server computer system security and vulnerabilities,

including server computer architectures, and operating systems. It provides the detailed
technical coverage necessary to protect computer information system servers by
presenting the knowledge of server platform computer hardware components, server
network devices and interfaces as well as the structure and usage of common server
operating system software from an information security perspective. Additional learning
regarding ongoing maintenance and operational issues of server computing systems
will also be included.
PREREQUISITES
COURSE OBJECTIVES

Know and understand the nature and use of the hardware devices commonly
found in server information systems
Know and understand the nature and use of networking hardware and protocols
commonly found in server information systems
Know and understand the nature and use of commonly used server operating
systems
Be prepared to understand and implement server components information
security technical architecture
RESOURCES
Required:
Guide to Operating System Security, Michael Palmer, ISBN 0-619-16040-3 © 2004.
Organization and Architecture text, TBD, ISBN tbd © 2004.
rity/
Recommended:


Course Web Site:

WebCT Account:
EVALUATION
Participation 10%
Security Lab Exercises 15%
Final Exam 25%
Team Project 25%


PROJECT DESCRIPTION
LAB DESCRIPTIONS
POLICIES
send to the instructor during the term. E-mail messages received that are missing this
information in the subject field are likely to be automatically redirected to a folder the content of
which is seldom checked.
ACADEMIC HONESTY

COURSE OUTLINE
Week Topic
2 Server hardware
3 Server O/S structures
4 Server O/S usage

5 Server network technologies
6 Exam
7 Server O/S vulnerabilities
8 Server O/S hardening
9 Lab 1
10 Securing organizational email servers
11 Authentication and Encryption
12 Lab 2
13 Account-based Security
Role-based security
14 File, Directory, and Shared Resource Security
15 Firewalls and Border Security
16 Project presentations
Final Final Exam
Exam
Period

ISA 4330 Incident Response and Contingency Planning
Syllabus
COURSE DESCRIPTION
An examination of the detailed aspects of incident response and contingency planning

consisting of incident response planning, disaster recovery planning, and business
continuity planning. Developing and executing plans to deal with incidents in the
organization is a critical function in information security. This course focuses on the
planning processes for all three areas of contingency planning – incident response,
disaster recovery and business continuity, and the execution of response to human and
non-human incidents in compliance with these policies.
PREREQUISITES
COURSE OBJECTIVES

Design an Incident Response Plan for sustained organizational operations.
Design a Disaster Recovery Plan for sustained organizational operations.
Design an Business Continuity Plan for sustained organizational operations.
Integrate the IRP, DRP, and BCP plans into a coherent strategy to support
sustained organizational operations.
Understand and be able to discuss incident response options.
Understand the escalation process from incident to disaster.
RESOURCES
Required:
Guide to Disaster Recovery, Michael Erbschloe, ISBN: 0-619-13122-5 © 2003 Course
Technology
rity/
Recommended:


Course Web Site:

WebCT Account:
EVALUATION
Participation 10%
Final Exam 25%
Individual Writing Assignments 20%
Team Project 20%


LABS DESCRIPTIONS
POLICIES
send to me during the term. E-mail messages I receive that are missing this information in the
subject field are likely to be automatically redirected to a folder the contents of which I seldom
check.
ACADEMIC HONESTY

COURSE OUTLINE
Week Topic
1 1. Introduction to Incident Response, Disaster Recovery and Business
Continuity Planning
2 2. Preparing to Develop the IR, DR and BC plan
3 3. Assessing Risks in the Enterprise
4 4. Prioritizing Systems and Functions for Recovery
5 5. Developing Plans and Procedures
6 6. Organizing Relationships in IR/DR/BC
7 Exam 1 Chapters 1-6
8 Introduction to Case Project and Overview of Project Deliverables
9 7. Procedures for Responding to Attacks on Computers
10 8. Developing Procedures for Special Circumstances
11 9. Implementing IR/DR/BC Plans
12 10. Testing and Rehearsal
13 11. Continued Assessment of Needs, Threats, and Solutions
14 12. Living Through a Disaster
15 Supplemental Lecture Material
16 Project Presentations
Final Exam Final Exam Chapters 7-12 plus supplemental material

Period

ISA 4700 Emerging Issues in Information Security and Assurance
Syllabus
COURSE DESCRIPTION
The purpose of the course is to explore emerging issues in information security and assurance, and the
role of organizational information security in state, regional and national policy. It provides content about
the interaction between the organization, society, and public agencies. It examines the role of people
versus technical security ideals currently debated by contemporary international organizations.
PREREQUISITES
COURSE OBJECTIVES
Describe, analyze and assess security relations at a state-societal level in both the developing
and developed world;
Analyze and evaluate the inter-relationship between global processes and specific information
security dynamics; and,
Analyze, evaluate and critically discuss the policy responses to organizational, state, regional and
national information security agendas, and the alternatives to them.
Discuss the viewpoints of information security as a people versus technical problem, and the
corresponding use of people versus technical solutions.
RESOURCES
Required:
rity/
Recommended:



Course Web Site:

WebCT Account:
EVALUATION
Participation 15%
Research Paper 25%
Midterm Exam 20%
Individual Writing assignments 20%
Final Exam 20%
PAPER DESCRIPTION

Students will write a paper on a subject assigned by the instructor on key subjects germane to the
management of information security programs. Paper format and content specifications will be
provided in class.
POLICIES
ACADEMIC HONESTY

COURSE OUTLINE
Week Topic
1 Introduction to Emerging Issues
2 The Human Side of Information Security and Assurance
3 Organizational information security responsibilities
4 State, Regional & National Information Security relationship – Infragard

Guest Speaker 1
5 Discussion of Topical Subject in Information Security
6 Exam 1
7 National Information Security Policy and Support

8 Discussion of Topical Subjects in Information Security
9 International Considerations in Information Security – Theft of Intellectual
Property
10 International Considerations in Information Security – Hacking and Electronic Extortion

12 Guest Speaker 2
13 The Future of Information Security
15 Guest Speaker 3
16 Report Presentations
Final Final Exam
Exam
Period

ISA 4820 Information Security and Assurance Programs and Strategies
Syllabus
COURSE DESCRIPTION
This is the senior capstone course for the Information Security and Assurance major
and the course must be taken in the final year of the student’s degree. The course
integrates learning from all ISA courses and encourages the student to develop skills in
synthesis and communication (both written and oral) as well as teaching new material
about the role of the CISO and the strategic and tactical planning and operation of the
information security department in a variety of organizations. A research paper will be
prepared and presented in the course. Outside speakers will supplement the course
and provide the student additional, outside perspective on the information security
industry.
PREREQUISITES
ISA 3200 AND ISA 4330 or permission of the department
COURSE OBJECTIVES

Know and understand the role of the Chief Information Security Officer (CISO)
and all of the other roles in the information security department
Demonstrate the typical deployment models for information security units within
various types and sizes of organizations
Select a research topic in the realm of information security management /
planning, perform research and prepare and present a paper on that topic
Gain exposure to outside speakers who will address the students on a variety of
information security management topics
RESOURCES
Required:
The Information Systems Security Officer's Guide: Establishing and Managing an Information
Protection Program, Second Edition, by Gerald Kovacich. ISBN: 0750676566, 2003
BUTTERWORTH HEINEMANN
The following documents are available for download from http://csrc.nist.gov
• SP 800-18 Guide for Developing Security Plans for Information Technology Systems,
December 1998
• SP 800-27 Engineering Principles for Information Technology Security (A Baseline for
Achieving Security), June 2001

• SP 800-26 Security Self-Assessment Guide for Information Technology Systems,

November 2001
• Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/InfoSec%20Articles/
• Articles and readings at
http://science.kennesaw.edu/~hmattord/Files/Web%20Article%20Archives/Information%
20Security/
Recommended:

Course Web Site:

WebCT Account:
EVALUATION
Participation 15%
Research Paper 25%
Midterm Exam 20%

Speaker Summaries and other writing assignments 20%

Final Exam 20%
PAPER DESCRIPTION
Students will write a paper on a subject assigned by the instructor on key subjects germane to the
management of information security programs. Paper format and content specifications will be
provided in class.
POLICIES
ACADEMIC HONESTY

COURSE OUTLINE
Week Topic
2 The Working Environment of a CISO
3 Information Security Organization: Structure and Placement
4 The CISO's Position, Duties and Responsibilities

Information Security Roles and Responsibilities
5 Information Security Strategic Planning
Guest Speaker 1
6 Policy, Law and Ethics
The CISO and Ethical Conduct
7 Exam 1
8 The InfoSec Strategic, Tactical, and Annual Plans
9 Determining and Establishing InfoSec Functions
10 InfoSec Personnel Recruitment and Retention
11 Global, Professional, and Personal Challenges of a CISO
12 Establishing a Metrics Management System
13 InfoSec assessment and maintenance

14 Using NIST SPs and ISO 17799 to support InfoSec assessment
15 CISO Career Development
16 Paper presentations
Final Final Exam
Exam
Period

Development of the Degree Program

Development of the BS-ISA was an arduous, drawn-out project. It actually began in 2001, when
we drafted the Certificate in ISA. In fact, when I proposed the ISA Certificate, I intentionally
used a separate prefix (ISA) instead of the department standard (CSIS) to prepare for the
eventuality of a degree. Shortly after the certificate was implemented I pulled up the overview
of our BS in Information Systems and mused as to what a BS in ISA would look like. I then put
it back on the shelf to collect dust, as I really did not expect to be able to pursue it further. When
Herb Mattord came on board as a full time faculty member, he declared his mission to see the
BS-ISA come to fruition. With the success of the Certificate – some 30+ certificates issued in
just over 2 years, and with constantly full ISA classes, eventually the other faculty in the
department began to agree with us that perhaps an additional major would be a good idea. At the
time the department had close to 1400 majors in its four degree programs - BS in IS and CS, and
MS in IS and CS.
We began the process much the same as the certificate was begun, by looking at the end product
– the entry level InfoSec professional. We realized that industry would need instruction on the
new academically prepared InfoSec professional, and would require a deviation from the
traditional promote-from-within-IT, or hire someone else’s InfoSec professional model. We
began talking to a number of CISOs, CIOs and other regional IT professionals, including fellow
CISSPs, to determine what they felt the fresh-college-InfoSec graduate should look like. We
realized that what was missing in the discipline was the bridge between the technical half of
infosec, and the managerial half. So our goal was to prepare an individual to work in either half,
and eventually to reach the position of CISO.
We then went back to our 10 domains of knowledge and began expanding on the foundation
provided by the certificate:
ISA 3100 – Principles of ISA
ISA 3200 – Applications in ISA
ISA 3300 – Policy and Administration in ISA
ISA 3350 – Computer Forensics
And began adding areas we found to be critical to the performance of both the InfoSec technical
and managerial expert.
From the technical side we realized the heart of the technical professional was the protection of
servers, and the use of information security technologies (firewalls, intrusion detection systems,
antivirus etc.). So we create a split operating systems security class, focusing on the protection
of client – and server- side security. This allows us to re-tool the 3200 class into a more
traditional Network Security class, focusing on the Security Technologies necessary to protect
organizations’ perimeters. We also realized that one area that is lacking in many programs is a
secure programming class. So we replaced the CS2 – type programming class with one designed
to take what the students learn in their programming principles I class, and scrutinize it for
security issues. We also added a scripting language (cgi etc) to this class for good measure.

From the managerial side, we added an incident response and disaster recovery class, to provide
both the planning requirements and the actual hands-on incident response actions. This class is
truly a hybrid between managerial planning and technical performance. We cap the program
with a “how to be a CISO” capstone class, with a major soup-to-nuts security project, requiring
the students to examine an organization (real or case) and design and partially implement a
security solution.
The draft layout of this program was presented to numerous groups, including department
advisory boards, and other experts in Information Security, both academic and practitioner. After
final reviews, it was submitted through the university’s curriculum approval process and
eventually to the University System of Georgia’s Board of Regents. It is customary for a new
degree program to receive supplementary questions prior to the board review and vote. Our
questions hit the heart of the issue – will the graduates find jobs, is there a demand both by
students and by industry for the program? Fortunately the IT market had just begun recovery in
earnest and we were able to provide convincing arguments on both accounts. The board met and
approved the degree within 5 minutes.
Now the work begins. We have to fully flesh out the courses, including lab exercises, homework
exercises, lecture notes and the like. To assist in this endeavor, we have requested support from
the NSF under the Federal Cyber Service: Scholarship for Service: Capacity Building Grant
program. As KSU was designated a National Center of Academic Excellence in Information
Assurance Education in April 2004 by the NSA and DHS, we are optimistic about our chances.

Textbooks used in the program:

As is obvious from the following list, most of our texts come from Course Technology. We do
have a vested interest in the publisher as they are promoting two of our own texts. None the less
we have conducted extensive research on the available offerings. Our own library in the Center
for Information Security Education and Awareness has over 130 text titles, spanning the breadth
and depth of information security topics. These include certification study guides, trade-press
applied technical security books, and available academic texts. With VERY few exceptions,
there are no texts currently on the market covering the field of Information Security like those
offered from Course Technology.
We have adopted the following books for our courses, and present a brief table of contents for
your consideration:
ISA 3100: Principles of Information Security and Assurance, (Intro to InfoSec)

Text: Principles of Information Security, 2nd edition by (us)
Michael E. Whitman, Ph.D., CISSP & Herbert J. Mattord, CISSP
ISBN: 0-619-21625-5 © 2005
Table of Contents:
1. Introduction to Information Security
2. The Need for Security
3. Legal, Ethical, and Professional Issues in Information Security
4. Risk Management
5. Planning for Security
6. Security Technology: Firewalls and VPNs
7. Security Technology: Intrusion Detection, Access Control, and Other Security Tools
8. Cryptography
9. Physical Security
10. Implementing Information Security
11. Security and Personnel
12. Information Security Maintenance

ISA 3200: Applications in Information Security and Assurance (Technical InfoSec)

Text: Security+ Guide to Networking Security Fundamentals, Second Edition
By: Mark Ciampa
ISBN: 0-619-21566-6 © 2005
Table of Contents
1. Information Security Fundamentals
2. Attackers and their Attacks
3. Security Basics
4. Security Baselines
5. Securing the Network Infrastructure
6. Web Security
7. Protecting Advanced Communications
8. Scrambling Through Cryptography
9. Using and Managing Keys
10. Operational Security
11. Policies and Procedures
12. Security Management
13. Advanced Security and Beyond
Appendices
A: CompTIA Security+ Examination Objectives
B: Linux and Windows Security
C: Common TCP/IP Ports and Their Threats
D: Sample Acceptable Use Policy
ISA 3300: Policy and Administration in Information Security and Assurance

(Management of InfoSec)
Text: Management of Information Security by (us again)
Michael E. Whitman, Ph.D., CISSP & Herbert J. Mattord, CISSP
ISBN: 0-619-21515-1 © 2004
TOC:
Unit I: INTRODUCTION
Chapter 1: Introduction to Management of Information Security
UNIT II: PLANNING

Chapter 2: Planning for Security
Chapter 3: Planning for Contingencies
UNIT III: POLICY AND PROGRAMS

Chapter 4: Security Policy
Chapter 5: Developing Security Programs
Chapter 6: Security Management Models and Practices

UNIT IV: PROTECTION

Chapter 7: Risk Assessment
Chapter 8: Risk Management and Control
Chapter 9: Protection Mechanisms
UNIT IV: PEOPLE AND PROJECTS

Chapter 10: Personnel and Security
Chapter 11: Law and Ethics
Chapter 12: Security Project Management
ISA 3350: Computer Forensics

Text: Guide to Computer Forensics and Investigations, Second Edition
By: Phillips, Nelson, Enfinger, Steuart
ISBN: 0-619-21706-5 © 2006
Table of Contents
1. Computer Forensics and Investigations as a Profession
2. Understanding Computer Investigations
3. The Investigator's Office and Laboratory
4. Current Computer Forensics Tools
5. Processing Crime and Incident Scenes
6. Digital Evidence Controls
7. Working with Windows and DOS Systems
8. Macintosh and Linux Boot Processes and File Systems
9. Data Acquisition
10. Computer Forensics Analysis
11. Recovering Image Files
12. Network Forensics
13. E-Mail Investigations
14. Becoming an Expert Witness and Reporting Results of Investigations
Appendices
A: Certification Test References
B: Computer Forensics References
C: Procedures for Corporate High-Technology Investigations

CSIS 3550: Unix Security and Administration

Text: Guide to Linux Networking and Security
By Nick Wells ISBN: 0-619-00094-5 © 2003
Lab Manual used for a variety of ISA courses:

Text: Hands-On Information Security Lab Manual, Second Edition
BY: Michael Whitman, Herbert Mattord, Dave Shackleford (yes, us again!)
ISBN: 0-619-21631-X © 2006
Table of Contents
1. Footprinting
2. Scanning and Enumeration
3. Operating System Vulnerabilities and Resolutions
4. Network Security Tools and Technologies
5. Secuirity Maintenance
6. Information Security Management
7. File System Security and Cryptography
8. Computer Forensics
Appendix A: Common Utilities Setup and Use
Appendix B: Student Answer Sheets
Appendix C: Contents of the CD
If you would like additional information on these books (i.e. how well they worked in the class,
or what support materials are included) please contact us. All Course Technology texts include
instructor’s ancillaries including PowerPoint slide shows, text banks, and instructor’s guides.

The Next Step: The Curriculum Development Project: Design

Revision and External Evaluation
NSF support has been requested to support further design revision and external review of the
curriculum model. It is out intent to obtain outside input on this model, and additional insight as
to the quality of the learning objectives, course content and supporting materials needed to
complete the curriculum model, as well as further explore prerequisite knowledge areas (i.e. data
communications, programming, operating systems etc).
Questions remaining include:

• What areas should be emphasized in a technical program vs. a managerial program vs. a
balanced program?
• What other courses should be added to each area, and what should they entail?
• Are the proposed levels of knowledge appropriate or should additional depth be pursued?
• Are there sub-domains below the major and minor topics listed?
To answer these questions we must consult with other experts in the field and obtain their
insight. NSF support is requested for design revision and extension. We plan to take the
preliminary implementation and draft curriculum model to outside experts for commentary at
national information security education conferences: the World Conference on Information
Security Education and the National Colloquium for Information Systems Security Education.
Information from these conferences will be used to shape an InfoSec curriculum development
workshop.
We have successfully implemented a new ongoing conference for pedagogy and practice of
information security education, held annually in September at KSU. Look for the CFP in
March/April, with the conference announcement going out in May. Contact us if you don’t hear
by then.
The Information Security Curriculum Development Conference
InfoSecCD is one of the first major forums for the presentation of research and pedagogical
experiences associated with the development and practice of Information Security Curriculum in
higher education in the Southeast. The purpose of the conference is to share novel instructional
methods and techniques, pedagogical research findings, curriculum models and methods, and to
identify new directions for future research and development work.
InfoSecCD seeks to give academicians, researchers and practitioners a unique opportunity to

share their perspectives with others interested in the various aspects of Information Security
Curriculum Development. Papers offering novel research contributions in any aspect of
information security education are solicited for submission to the 2005 InfoSec CD Conference.
The primary emphasis is on high-quality original unpublished research, case studies, and
implementation experiences. Papers should have practical relevance to the design, development,
implementation and best-practices in information security education – for the academic track and
for best-practices in the design, implementation and management of information security in
industry for the Industry Track. Theoretical papers must make convincing argument for the
practical significance of the results. Theory must be justified by compelling examples illustrating

its application. The primary criterion for appropriateness is demonstrated practical relevance.
Featured at the conference, in additional to keynote addresses by recognized experts and

authorities on information security education, are workshops on designing information security
curriculum, and conducting information security laboratory exercises, and presentations of
academic papers on teaching and designing information security coursework. Also featured is a
professional development track, where industry practitioners speak on the practice of information
security.
Revision of Pilot Model

During this phase we will synthesize all inputs and commentary from the workshop at the
InfoSecCD and formalize the final prototype model as a report sponsored by the NSF and the
Center for Information Security Education.
Broader Impacts of This Proposal

The ultimate purpose of the curriculum development project is to assist in the advancement of
information security education in the country. We feel that many schools are struggling with the
same problems that organizations are, in understanding what is needed to support the security of
information, and what skills and qualifications are needed in a quality information security
applicant. The core of this project is to improve education, by assisting instructors in
understanding what must be taught. It seeks to enhance and support educational infrastructure,
by providing a curriculum model that provides structure and guidance in the implementation of
this critical coursework. Many instructors will be able to master the basics of organizational
policy, planning and staffing. The technical components of any curriculum are often the most
difficult to master. A framework for the instruction of this technical content will provide strong
guidance on the instruction of a wide variety of technical security components. Society will
benefit as more qualified security personnel are created, improving the level of security of
personal information in organizations around the country.
Evaluation Plan
The project’s evaluation plan is comprised of three elements: 1) Peer review by internal and
external academic experts in curriculum development; 2) Peer review by academic Information
Security experts, and 3) External review by practitioners in the field of Information Security.
Curriculum Development Peer Review. KSU’s Center for Excellence in Teaching and Learning
(CETL) will serve as an external evaluator of the curriculum developed. The CETL consists of
several faculty dedicated to the development of quality curriculum, and as they will be external
to the information security field, they will be capable of evaluating the curriculum structure
independent of its content. Articles on the curriculum model will also be submitted to
educational journals (e.g. Journal for MIS Education, the ACM Journal on Educational
Resources in Computing, and to regional conferences (Southern Association for Information
Systems) for peer review. We will also develop and apply an assessment program based on the
Massachusetts model [26].

Academic Information Security Peer Review.

In the upcoming year, draft findings will be submitted to the World Conference on Information
Security Education and the National Colloquium for Information Systems Security Education,
where we will present the findings and obtain peer review and feedback from academics in the
field. Copies of the draft model will also be sent to program coordinators at institutions having
earned the Center of Excellence designation for their comment. In the following year, the final
findings will be submitted to academic information security and education journals for
publication as described in the dissemination plan.
External Practitioner Review.

Each year the curriculum model will be presented to practitioners at the Human Firewall
Conference. A workshop will be conducted specifically to discuss the development curriculum
and collect feedback. Copies will also be submitted to practitioner organizations like ISC2
(sponsor of the CISSP), and the Information Systems Security Association for comment. Upon
completion, findings will be summarized and presented to the KSU Computer Science and
Information Systems Industry Advisory Board, a board of representatives that provide guidance
on curriculum development and department initiatives.
DISSEMINATION
Subsequent revisions of this document will be disseminated through:
1) Proceedings of the upcoming academic conferences.

One of our proposed venues will be the Proceedings of the Annual Conference on Information
Security Curriculum Development, to be hosted at Kennesaw State University. This proposed
proceedings, will contain accepted papers presented at the academic track, summaries of
presentation presented at the practitioner track, and student papers presented at table topics. In
addition we will publish our findings at other conferences through their respective proceedings.
2) Inclusion in PIs’ texts.

We plan to include their findings as part of the instructor’s materials for their texts and on the
texts’ support web sites. Principles of Information Security 2nd edition & Management of
Information Security. In addition, we are the authors of The Hands-On Information Security Lab
Manual,2nd edition which provides technical hands-on labs for use in information security
courses. The findings of the curriculum model will be included in its instructor’s manual and
support site as well.
3) Course University and Working Connections Series.

There are a number of initiatives sponsored by Course Technology, including the Course
Technology Annual Conference, at which we frequently present, and numerous requested visits
and online presentations.
4) Publication through Educational Portals:

ISWORLD (www.isworld.org), is the premier academic portal dedicated to the promotion of IS

curriculum, teaching and research. Faculty can post works-in-progress and research findings.
The portal also provides information on key curriculum and research issues. We will post the
findings here for the entire IS community to view and comment on, and distribute the findings to
the over 3,750 members of the ISWORLD list server [23]. The CITIDEL project
(www.citidel.org) is a portal designed will serve the computing education community at all
levels, and is part of the National Science, Mathematics, Engineering, and Technology Education
Digital Library. The CITIDEL collects educational resources and provides them free of charge to
all interested programs. The results of this study will be submitted to this site as well.
5) Posting on Regional Security Web Sites.

The findings will also be posted to the KSU Center for Information Security Education and
Awareness Web site (http://infosec.kennesaw.edu), and the Georgia Tech Information Security
Center (GTISC) (www.gtisc.gatech.edu) for inclusion in their online documents. KSU already
has its information security program cataloged by the Virginia Alliance for Secure Computing
and Networking [25] as a result of the recognition described below.
6) Recognition through NSA.

Those institutions that are recognized as Centers of Excellence have their web sites linked to the
NSA’s, providing national dissemination of their work as best practices. This year KSU is
applying for Center of Excellence recognition [19]. If recognized, KSU will promote the new
curriculum through this venue. The Committee on National Security Systems and the National
Security Agency have already certified KSU’s Information Security courseware as having met
national training standards for Information Systems Security Professionals for 2003 – 2006,
providing KSU national recognition (see http://infosec.kennesaw.edu).
7) Publication in regional and national venues.

As with all academic research pursuits, the findings will be submitted to the aforementioned
InfoSec conferences, IS educational publications like the Journal for MIS Education, the ACM
Journal on Educational Resources in Computing (JERIC), and to regional conferences like the
Southern Association for Information Systems. Word-of-mouth dissemination is expected as
graduates undertake security related employment.
How you can help

This draft curriculum model is an ongoing effort to improve information security curriculum.
Through our presentations and discussion across the US, we have spoken with a number of
faculty members, all eager to learn about developing and implementing information security
curriculum. You can help us in two ways:
1) Provide critical but constructive reviews of the curriculum model and materials presented
here: Ask yourself the following questions:
• Does the curriculum model seem comprehensive, robust and scalable? Why or why not?
• Does the curriculum model follow established curriculum development guidelines?
• Does the curriculum model work within established curriculum models for technology
(or non-technology) baccalaureate programs?
• What could be improved in the curriculum model?

2) Let us know you like or are using the curriculum model. Send us a letter on letterhead
supporting the curriculum model developed. Your indication of support will be used in
subsequent grant activities designed to improve the curriculum model.

Appendix: Information Security Curriculum Development

Procedures and Forms for use at your institution:
I. Determine interest, scope and intent of the program.
Discuss within your department the desired scope and outcomes of a program in Information
Security. At this point simply get buy-in that two or more courses in Information Security are
desirable. If a concentration, specialization, certificate or degree program is desired, additional
information will be required.
Scope:
General Outcomes:
II. Determine stakeholder interest and guidance.

Organize a meeting with interested stakeholders, including industry representative of potential
employers, alumni, students, and faculty. Obtain their general perception of the idea of
courses/programs in Information Security. It may be useful to anonymously survey their
opinions. Questions to ask could include:
1) Do you feel the department should consider another program? Why or why not?
2) Do you feel that graduates with coursework/certificate/degree in Information Security

would be valuable to regional employers? Why or why not?
3) If the department should consider offering this program, what skills do you feel that the
student should possess upon graduation?
Summarize their responses.
III. Form the curriculum development committee.

Form a working committee to begin determining the specific focus, objective, depth, etc of the
program. Research the field of potential jobs in your area in Information Security. This
information will assist in the selection of the focus of the program. Include the feedback from
Step II. Identify available resources in terms of labs, faculty, and course offerings.
IV. Map desired positions to knowledge areas.

Using the methods outlined in the document, fill in the following table. Feel free to add/remove
blanks as needed. If you feel the table in the document is satisfactory as completed go to the
next step.
1) Only include the positions you want your students to be able to perform after they
complete the program.
2) Include the Roles these positions map based on the definitions earlier.
3) Identify the knowledge areas that correspond to these roles. Use the materials provided
earlier as a template. Do not try to map mastery levels yet.

Example:
Net Admin ACS
Firewall Analyst SA & D

CISO
IDS Eng BCP
SysAdmin InfoSec Mgr Crypto
ISO Law & Ethics

InfoSec Analyst OpSec
Forensics
InfoSec Mgr PhySec
InfoSec Tech
IRP Handler Architecture
InfoSec W.S. Sec Mgt
DR/BCP Mgr
InfoSec Cons. NetSec
(Varying levels of mastery)
Blank:
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________
__________________ _____________ ________________

V. Discuss the following constraints on the program.

The following questions should be discussed:
1) What should the focus of the courses/program be? Managerial, Technical, or Balanced?
2) How many courses in Information Security can we offer in this program?
3) What courses, that we currently offer, could be included or adapted to support this
program?
If in answering question 1, the institution desires a security program but just hasn’t made up its
mind as to which emphasis it wishes to take, the following set of program objectives may assist.
The following list of program objectives can be used to determine what focus you desire for your
program. Check off the objectives you want graduates of your program to meet, or rather what
qualities should your students possess upon graduation. Use caution, as it is our first tendency to
check everything! Realize that this may not be feasible unless you are able to implement an
entire degree program with 7 or more courses exclusively in Information Security related areas.
Once you have checked all desired qualities, the section immediately following the list will
provide guidance on what type of program may be best suited for your desired outcomes.
Upon completion of the program the student will have the following qualities (Check all
that apply):
1. The graduate has a thorough understanding of the types and uses of

Information Security policies, and can create examples bases on established
frameworks.
2. The graduate is able to recognize, define and implement firewall-related

solutions to appropriate threats.
3. The graduate possesses a detailed understanding of the process of

organizational planning for information security at strategic, tactical and
operational levels.
4. The graduate possesses knowledge, skill and technical depth in implementing

cryptographic solutions using appropriate methods, techniques and tools such
as PKI and VPNs.
5. The graduate has the ability to critically analyze and articulate positions on the
legal and ethical implications and influences of Information Security, including
relevant codes of ethics and federal and state laws.
6. The graduate possesses the ability to evaluate a given computer operating

system and implement “hardened” security measures to protect it.
7. The graduate has detailed knowledge of the types, organization, responsibilities

and qualifications of Information Security personnel in an organization..

8. The graduate has the ability to conduct an effective vulnerability assessment of

an organizations Information Security posture and report their findings in a
meaningful format.
9. The graduate can implement a risk management program including a detailed

risk assessment, and recommend appropriate risk control strategies and
measures.
10. The graduate can articulate the composition of popular security models such as
BIBA, Bell LaPadula, etc.
11. The graduate can develop and manage plans for dealing with organizational
contingencies such as incidents and disasters.
12. The graduate can evaluate and recommend effective security architectures using
security technologies, such as bastion hosts, screened subnets and demilitarized
zones.
13. The graduate can develop, implement and manage security programs designed
to improve employee perception of information security, such as security
education, training and awareness programs.
14. The graduate is able to recognize, define and implement intrusion detection
systems-based solutions to appropriate threats, including both host and network
IDS.
15. The graduate can evaluate and recommend improvements to the

implementation of security procedures in handling personnel in the
organization, including hiring, termination, and contract employee issues.
16. The graduate is able to evaluate, define and implement defenses against
malicious code attacks such as viruses, worms and denial of services.
17. The graduate can critically discuss popular information security management
practices, standards and models such as ISO 17799, NIST SPs 14 & 18, etc.
18. The graduate is able to evaluate, define and implement defenses as part of
counter intrusion measures against active and passive hacker attacks.
19. The graduate has the ability to conduct Cost/Benefit Analyses on proposed
security countermeasures and present to organizational stakeholders in a
meaningful manner.
20. The graduate is able to evaluate, define and implement effective access controls
technologies and procedures in accordance with organizational policy.

Now that you have specified the desired learning outcomes for your program, add up the number
of checks by ODD and EVEN answers. If you find substantially more checks by ODD numbers,
say 3 or more, then your inclination is toward a managerial program. If you find substantially
more checks by EVEN numbers, again 3 or more, then your inclination is toward a managerial
program. If your two values are approximately equal (within 2 or fewer) your inclination is
toward a balanced program. If you have a total of more than 16 checks total you are either very
ambitious or desire a balanced program with an emphasis toward one or the other area.
Balance this information with the feedback obtained in step II.
VI. Define program objectives.
From the list above, and the information you have gathered and analyzed, identify the 6-10
program objectives that best map to what you want your students to have achieved upon
completion of the material. You can use the list of 20 program objectives in Step V as a starting
point.
Program Objectives:
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.

VII. Determine the level of mastery desired in the program.
Based on desired level of mastery and focus of class determine the level of mastery desired.
Perform this exercise within your program using the blank form. Using the following table as a
starting point, you can add additional columns to represent additional courses to be added
providing additional depth in managerial or technical areas. Also feel free to add or delete
specific domain and knowledge area based on your findings in your curriculum efforts.
When finished, take a moment to verify that what you have just created matches the
Management vs. Technical exercise created earlier. If you find you did not fill in many technical
areas with desired depth beyond U (i.e. A or P) and yet you specified a technical program earlier,
you may want to revisit one or both of these activities to determine your preferred path.

U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
Access Controls
Access control fundamentals
Access control types
Access control attacks
Penetration testing methods
Telecommunications* (Some knowledge areas are prerequisite)
Network types (LAN/WAN)
OSI reference model
TCP/IP protocol suite
Telecomm security management
Telecommunications threats and attacks
Remote access protocols
Security Management
Security planning
Security policies
Personnel security
Security personnel
Data classification and storage
Risk Management
Security education, training and


U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
awareness program
Change/configuration management
Assessment strategies
Applications Security* (Some knowledge areas are prerequisite)
Systems development life cycles
Database development and management
Systems controls
Distributed applications
Object oriented concepts*
Knowledge based systems*
Application and systems attacks and
vulnerabilities
Malicious code
Cryptography
Cryptosystems
Ciphers and encryption algorithms
Asymmetric key systems
Symmetric key systems
Hybrid key systems
Message authentication/message digests
Public key infrastructure
Key management
Digital signatures
Alternative cryptosystems
Security protocols
Security Architecture
Security models
Information systems evaluation criteria
System certification and accreditation
Security architectures
Operations Security
Operations concepts
Threats and countermeasures


U: Understanding
A: Accomplishment
P: Proficiency
M: Mastery
Courses Implemented
Incident response
Auditing
Monitoring
Business Continuity Planning
Contingency planning
Business continuity planning
Disaster recovery planning
Data backup and recovery methods
Crisis management
Law and Ethics
Law categories and types
Computer crimes
Computer crime investigations
Computer ethics
Computer forensics procedures
Physical Security
Site selection and security
Guards
Keys and locks
Doors, walls and gates
Intrusion detection systems
Fire detection and suppression systems
Biometrics
CCTV
VIII. Determine the number of courses to offer.

Based on the constraints in Step V. List the number of courses you can offer in your program.
Consider the following table in your decision, influence by the focus of your program
(managerial vs technical).

Table 1: DRAFT CURRICULUM MODEL

Subject Bloom’s Levels of Knowledge (from [21])
Prerequisite Knowledge
General: Computing Foundations, Data Communications …
Managerial: Management, Accounting …
Technical: Operating Systems, Computer Org & Architecture, Programming, Data Protocols …
Foundation
1.0 Introduction to Information Security L1 – Knowledge Recognition & Differentiation in
Context
1.1 Computer Law & Ethics L2 – Comprehension Translation/Extrapolition Use
of Knowledge
Technical Aspects of Information Security
2.0 Technical Applications in InfoSec L2 – Comprehension Translation/Extrapolition Use
of Knowledge
2.1 Operating Systems Security L3 – Application Knowledge
2.1.1 Windows NT/2000 Security L4 – Analysis & L5 Synthesis
2.1.2 Linux/Unix Security L4 – Analysis & L5 Synthesis
2.2 Network Security L3 – Application Knowledge
2.3 Applied Cryptography L3 – Application Knowledge
2.4 Computer Forensics L3 – Application Knowledge
2.5 Firewalls & Intrusion Detection L3 – Application Knowledge
Sys
2.6 ?????
Managerial Aspects of Information Security
3.0 Management of Information Security L2 – Comprehension Translation/Extrapolation
(Policy & Administration) Use of Knowledge
3.1 Disaster Recovery/ Business L3 – Application Knowledge
Continuity Planning
3.2 Risk Management L3 – Application Knowledge
3.3 Incident Response L3 – Application Knowledge
3.4 Physical Security L3 – Application Knowledge
3.5 Security Training & Awareness L3 – Application Knowledge
Pgms
3.6 ?????
Outside Emphases
O1 Criminal Justice Varies
O2 Auditing Varies

Table 2: Implementation of the Proposed Curriculum Model

Based on the number of courses an Institution can implement, it is recommended that they
should select the courses indicated. Question marks “?” are used to indicate alternatives.
Number of Course the Institution can Implement in
InfoSec
↓ Courses: 1 2 3 4 5 6 7
Introduction to InfoSec * * * * * * *
Technical Applications in InfoSec * or * * * * *
Management of InfoSec * * * * * *
Additional Courses Selected from: ? ? ? ?
Network Security (Win2K/Unix), ? ? ?
Adv. Network Security, Operating ? ?
?
Systems Security, Auditing for
Security, Computer Forensics,
Criminal Justice, Criminal Law,
Computer Ethics, Computer Law,
Cryptography/ Cryptology, Secure
Programming, Internship/Coops
IX. Determine the Prerequisite knowledge areas necessary to support the

desired classes.
Using the following form as an example, list the classes desired in the middle, the knowledge to
be taught in that class on the right, and then determine what a student should know coming into
the class on the left. Then match that information to existing courses offered in the institution. If
a prerequisite knowledge is needed but not currently taught, it may need to be added to the
program.

X. Develop specific course learning objectives.

Now that the individual courses are becoming defined it is time to define the specific learning
objectives that will go into each course. You can use the examples provides as a starting point.
1) Begin by using syllabi templates and adding other required components.
2) Add learning objectives
3) Select textbooks
4) Define evaluation methods
XI. Define laboratory components and required resources.

For each course identify any desired laboratory exercises. You can use the table of contents for
the lab manual listed earlier for ideas.
For each exercise define what hardware and software components will be required.
Compare to an inventory of on-hand resources. If a desired resources is not available, determine
if it can be acquired prior to the formal offering of the class, else look for alternatives. I find
there is a substantial set of shareware/hackerware that is readily available and suitable for
exercises. It’s the name-brand hardware that tends to be difficult and expensive to acquire.
Consider contacting industry advisors and “friends of the department” for contributions.
XII. Pilot test key courses.

Select a few key faculty members with experience in information security to pilot test individual
courses.
Collect information on student satisfaction and performance in the various areas of each course.
XIII. Refine and revise as needed.

Self-explanatory.

About the Authors
Dr. Michael Whitman, CISSP is an Associate Professor of IS and an active researcher in

Information Security with over 55 publications in texts, journals, and conference presentations.
In addition to a Ph.D. in IS, he has earned the Certified Information Systems Security
Professional (CISSP). He is currently co-authoring his second text, Management of Information
Security © 2004 Course Technology to be published March 2004, by Course Technology. His
first text, Principles of Information Security © 2003 Course Technology, has already been
adopted by over 60 institutions globally. He has also authored The Hands-On Information
Security Lab Manual © 2003 Thomson Custom Pub. The PI is the Director of the KSU Center
for Information Security Education and Awareness, and the Director of the KSU Master of
Science in Information Systems program, responsible for graduate IS curriculum. He is also an
IS program evaluator for ABET-CAC.
Professor Herb Mattord is an Instructor of IS and a former information security manager at

Georgia-Pacific Corporation, a multinational forest-products company. He also holds the CISSP
and is the co-author of both Principles of Information Security, and the forthcoming
Management of Information Security. He is also the coordinator for the Certificate in Information
Security and Assurance, and the Operations Manager for the KSU Center for Information
Security Education and Awareness.
References:
[1] Pfleeger, C. and Cooper, D. “Security and Privacy: Promising Advances.” IEEE
Software. 09/1997. 27-32.
[2] MSNBC. “Chinese hackers call truce in China-U.S. cyberwar.” WWW Document.
Viewed 5/12/2001. http://www.msnbc.com/news/571091.asp.
[3] CSI/FBI. “2003 Computer Crime and Security Survey." WWW Document. Viewed
5/10/2003. http://www.gocsi.com.
[4] Bordogna, J. “Remarks and Introduction of the Honorable Howard A. Schmidt

AACC/NSF Workshop on the Role of Community Colleges in Cybersecurity Education.”
June 26, 2002. WWW Document. Viewed 4/22/2003.
http://www.nsf.gov/od/lpa/forum/bordogna/jb020626aaccnsfcyber.htm
[5] Chin, S-K, Irvine, C.E., & Frinke, D. “An Information Security Education Initiative for
Engineering and Computer Science.” Naval Postgraduate School Technical Report,
NPSCS-97-003. Naval Postgraduate School, Monterey, CA. 12/1997.
[6] Irvine, C., Chin S-K., & Frincke, D. “Integrating Security into the Curriculum.”
Computer. 31(12). 12/1998. 25-30.

[7] National InfoSec Education and Training Program (NIETP). “Centers Of Academic
Excellence in Information Assurance Education.” WWW Document. Viewed 04/6/2003.
http://www.nsa.gov/isso/programs/coeiae/index.htm .
[8] The White House, “National Strategy to Secure Cyberspace.” WWW Document. Viewed
2/10/2003. http://www.whitehouse.gov/pcipb.
[9] Irvine, C. “Goals for Computer Security Education.” Proceedings of the IEEE
Symposium on Security and Privacy. 05/1996. 24-25.
[10] Irvine, C. “Naval Postgraduate School Center for INFOSEC Studies and Research:
Teaching the Science of Computer Security.” MILCOM Proceedings. Monterey, CA. (1).
11/1997. 405-409.
[11] Vaughn R. and Boggess, III, J. “Integration of computer security into the software
engineering and computer science programs.” The Journal of Systems and Software.
12/1999. 149-153.
[12] National Institute of Standards and Technology Computer Security Resource Center
“Special Publication 800-16 Information Technology Security Training Requirements: A
Role- and Performance-Based Model.” 04/1998. WWW Document. Viewed 04/12/2003.
http://csrc.nist.gov/publications/nistpubs/800-16/800-16.pdf.
[13] National Institute of Standards and Technology Computer Security Resource Center. “SP
500-172 Computer Security Training Guidelines.” 11/1989. WWW Document. Viewed
04/12/2003. http://csrc.nist.gov/publications/nistpubs/index.html.
[14] American Society for Industrial Security. “Professional Development.” WWW

Document. Viewed 5/15/2003. http://www.asisonline.org/profdev.html.
[15] National Science Foundation and the American Association of Community Colleges
Protecting Information: the Role of Community Colleges in Cybersecurity Education
Community College Press, Washington D.C. June 2002.
[16] National InfoSec Education and Training Program (NIETP). “Criteria for Measurement.”
WWW Document. Viewed 04/12/2002.
http://www.nsa.gov/isso/programs/coeiae/measure.htm.
[17] “NSTISSI No. 4011 – National Training Standard for Information Systems Security
(INFOSEC) Professionals.” 06/1994. WWW Document. Viewed 02/12/2002.
http://www.nstissc.gov/Assets/pdf/4011.pdf.
[18] “NSTISSI No. 4014 - National Training Standard for Information Systems Security
Officers (ISSO).” 08/1997. WWW Document. Viewed 02/12/2002.
http://www.nstissc.gov/Assets/pdf/4014.pdf

[19] National InfoSec Education and Training Program (NIETP). “NSA Designates Centers of
Academic Excellence in Information Assurance Education.” WWW Document.
Viewed 2/10/2002. http://www.nsa.gov/isso/programs/nietp/newspg1.htm#Universities.
[20] ABET-CAC. “Criteria For Accrediting Computing Programs” WWW Document.

Viewed 2/19/2003. http://www.abet.org/images/Criteria/C001%2003-
04%20CAC%20Criteria%206-7-03.pdf
[21] ACM, AIS & AITP. “IS 2002 Model Curriculum and Guidelines for Undergraduate
Degree Programs in Information Systems.” WWW Document Viewed 5/8/2003.
http://www.aisnet.org/Curriculum/IS2002-12-31.pdf.
[22] Hutton, G. “Backward Curriculum Design Process” WWW Document. Viewed 5/1/2003.
http://www.g4v.com/~glen.hutton/ED3601/BackwardDesignFeb11_03.pdf.
[23] ISWorld. “ISWorld Net List Digest.” WWW Document. Viewed 4/15/2002. http://disc-
nt.cba.uh.edu/isworldlist/index.htm
[24] Joint Task Force on Computing Curricula (IEEE Computer Society and Association for
Computing Machinery Computing Curricula 2001 Computer Science, Final Report
December 15, 2001. WWW Document. Viewed 5/10/2002.
http://www.acm.org/sigcse/cc2001/cc2001.pdf.
[25] VASCAN. “Universities with NSTISSI Certification.” Virginia Alliance for Secure
Computing and Networking. WWW Document. Viewed 4/11/2003.
(http://www.vascan.org/training/training_materials/certification/nstissi_cert.pdf).
[26] UMass. Program-Based Review and Assessment: Tools and Techniques for Program
Improvement.” WWW Document, viewed 5/28/03.
http://www.umass.edu/oapa/assessment/onlinehandbooks/.
[27] KSU “Professional Security Certifications” WWW Document, Viewed 5/10/2003.

http://infosec.kennesaw.edu/certifications.html.
[28] KSU “Security Models and Training Standards” WWW Document, Viewed 5/10/2003.
http://infosec.kennesaw.edu/tngstandards.html.
[29] Course Technology “Working Connections” WWW Document. Viewed 3/23/2003.

http://www.course.com/events/workingconnections
[30] Eddie Schwartz, Dan Erwin, Vincent Weafer, and Andy Briney. “Roundtable: Infosec
Staffing Help Wanted!” Information Security Magazine Online. April 2001. [Cited 22
July 2002]. Available from the World Wide Web
<http://www.infosecuritymag.com/articles/april01/features_roundtable.shtml>.

[31] International Information Systems Security Certification Consortium, Inc. “About SSCP
Certification.” ISC2 Online. [Cited 22 July 2002]. Available from the World Wide Web
<http://www.isc2.org/cgi/content.cgi?category=20>.
[32] ISC2. “The Associate ISC2 Program” WWW Document, Accessed 6/15/2003.
https://www.isc2.org/cgi/content.cgi?category=84#cat07.
[33] Security Certified Programs. “Certifications.” Ascendant Learning, LLC Online. [Cited
22 July 2002]. Available from the World Wide Web
<http://www.securitycertified.net/certifications.htm>.
[34] Trusecure. “TICSA Certification.” Trusecure Online. [Cited 22 July 2002]. Available
from the World Wide Web <http://www.truesecure.com/solutions/certifications/ticsa/>.
[35] CompTIA. CompTIA Security+™ Certification”. WWW Document. Accessed 7/17/03.

http://www.comptia.com/certification/security/default.asp.
[36] Mark Merkow. “Standardizing Information Systems Security Across the Globe: A Look
at ISO17799.” Internet.com Online. 10 September 2001. [Cited 24 June 2002]. Available
from the World Wide Web
<http://ecommerce.internet.com/news/insights/outlook/article/0,3371,10535_881531,00.h
tml>.
[37] ISC2. “(ISC)² Concentrations: Proven Expertise of Specialized Capabilities” WWW

Document, Accessed 4/11/2005. https://www.isc2.org/cgi-bin/content.cgi?category=99.
[38] ISACA. “CISM CertificationExam Content Areas” WWW Document Accessed

4/11/2005.
http://www.isaca.org/Content/NavigationMenu/Security/CISM_Certification/Exam_Infor
mation1/Content_Areas1/CISM_Certification_Content_Areas.htm.

ITSY2300 InfoSecCurriculumModel

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ITSY2300 InfoSecCurriculumModel

Uploaded by

Copyright:

Available Formats

[DRAFT]

Information Security and Assurance

Michael E. Whitman, Ph.D., CISSP

A (Draft) Model Curriculum for Programs of Study

© 2005 Kennesaw State University Center for Information Security Education 2

The Draft Curriculum Model ........................................................................................................ 31

© 2005 Kennesaw State University Center for Information Security Education 3

12. Information Security Maintenance ............................................................................... 106

© 2005 Kennesaw State University Center for Information Security Education 4

Statement of the Problem

Education in information security prepares IT students to recognize and combat information

© 2005 Kennesaw State University Center for Information Security Education 5

© 2005 Kennesaw State University Center for Information Security Education 6

Goals and Objectives

Approaches to Implementing Information Security Curricula

Existing Course Information Security Topics

© 2005 Kennesaw State University Center for Information Security Education 7

3. Independent information security courses. The third approach to implementing information

4. Information security certificates / minors. Continually increasing in frequency, the fourth

© 2005 Kennesaw State University Center for Information Security Education 8

Preliminary Work Completed

What should an information security person who graduates from a particular

Information Security Position and Roles

© 2005 Kennesaw State University Center for Information Security Education 9

A typical organization has a number of individuals with information security responsibilities.

Security Administrators and Analysts

© 2005 Kennesaw State University Center for Information Security Education 10

Security Staffer or Watchstander

Information Security Professional Certifications

© 2005 Kennesaw State University Center for Information Security Education 11

• Access control systems and methodology

© 2005 Kennesaw State University Center for Information Security Education 12

ISSAPCM: Information Systems Security Architecture Professional - The major domains of

ISSMPCM: Information Systems Security Management Professional - The major domains of

Each of these concentrations require additional exams..

Global Information Assurance Certification (GIAC)

• GIAC Security Essentials Certification (GSEC)

© 2005 Kennesaw State University Center for Information Security Education 13

• GIAC Certified Windows Security Administrator (GCWN)

Security Certified Professional

• Network Security Fundamentals (NSF)

• PKI and Biometrics Concepts and Planning (PBC).

© 2005 Kennesaw State University Center for Information Security Education 14

Certified Information Systems Auditor (CISA) and Certified Information Security

• Information Security Governance (21 percent) - Establish and maintain a framework to

Certified Information Systems Forensics Investigator

© 2005 Kennesaw State University Center for Information Security Education 15

Established Standards, Models And Practices

• NIST SP 800-12, Computer Security Handbook

Some of the more key documents are presented in additional detail:

© 2005 Kennesaw State University Center for Information Security Education 16

ISO 17799/BS 7799

© 2005 Kennesaw State University Center for Information Security Education 17

o Ensure the protection of networked services

© 2005 Kennesaw State University Center for Information Security Education 18

16. Logical Access Controls

© 2005 Kennesaw State University Center for Information Security Education 19

Mapping Positions and Roles to Knowledge Areas

Positions Roles Knowledge Areas

Net Admin ACS

Firewall Analyst SA & D

SysAdmin InfoSec Mgr Crypto