College of Information Studies

INFM 718W (Online)

Information Risk Management & Security

Syllabus – Spring 2013

Instructor: Scott Paquette / E-mail:

Please note: This syllabus may be subject to minor alteration, as needs arise, before or during the Spring term.

Course Description

This course presents an introduction to the principles of risk management and security as they apply to information and technology. Both technical and non-technical aspects of information security will be examined through the perspective of an organizational risk management and security framework.

Course Goals

  1. Introduce students to the concept of risk management, and how it applies to information management;
  2. Understand the structures for assessing information risk and controls, including organizational governance models;
  3. Apply students’ knowledge of information technology to information risk management;
  4. Identify both the risks and corresponding controls of an information technology architecture;
  5. Understand the non-technical factors in information security, including behavioral security and social engineering;
  6. Identify the components of a business continuity plan, and how to recover from large organizational disasters; and
  7. Understand the future of information risk management and security, including laws, regulations, and the threat of cyber terrorism.

Course/Learning Objectives

By the conclusion of the course students should be able to:

  1. Demonstrate an understanding and appreciation of risk management in an information environment;
  2. Identify the risks associated with the use of information and technology;
  3. Recommend controls to mitigate risks, whether human, process, or technology based; and
  4. Demonstrate an understanding of current and future trends in information security and risk management.

Text and Course Readings

There is no required text for this course.

Required course readings are listed in the schedule below. These readings are available through the ELMS system or the University’s e-Journal Library. You are also strongly encouraged to read widely current issues in information and knowledge management found in both practitioner and academic journals.

Prerequisites

There are no prerequisites for this course.

Instructional Methods

This is an online course, which means the content will be delivered electronically through the university’s ELMS system. Two important aspects of online courses will be used. The first is content, which for this class will consist of recorded lectures and presentation slides that will be available as an ‘enhanced podcast’. You will be able to download these lectures and view them through QuickTime. Readings and other online materials will also be made available, which will include PDFs, website links and other audio / video files. Secondly, there will be opportunities to interact with the instructor and your fellow course mates. Online discussion boards and chats can be used as a form of class participation to further engage in the course material. Of course, e-mail is always an option, and students are strongly encouraged to contact the instructor with any questions. In addition to information gleaned from lectures, required and recommended readings, students will gain insights about information environments from the assignments.

Each student is responsible for completing the assigned readings, viewing the lecture video(s) and other supplementary materials (if applicable), and participating in the weekly online discussions. This course is organized into 12 weekly installments aligned with the university academic calendar. Class materials will be released online 3 weeks in advance to allow students to work at their own desired pace. However, students must ensure they cover all relevant materials and are prepared to contribute to the online discussions with quality ideas.

As we do not meet in a classroom setting, it is imperative that students maintain open lines of communication with the instructor. E-mail is the preferred method. Any questions on the materials, assignments or course administration are always welcomed and encouraged. Students should not let problems or concerns go unresolved and should feel open to contacting the instructor at any time during the term so problems can be addressed.

Course Assessment

Detailed instructions regarding each assignment will be provided. Assessment of all assignments is directly related to attention to the instructions, clarity of expression and presentation, and evidence of critical thinking.

Participation (10%) – as judged by each student’s participation and involvement in the online discussions. Each week, the students will be presented with discussion questions that will require them to think in depth about the week’s topic and create an online conversation with their peers.

Case assignments (2 x 20%) – Two cases will be distributed to the students where they will have to perform an information risk management and security assessment, based on a topic discussed in class. One case will involve technical security concepts, while the other will focus on human and behavioral security concepts.

Security Policy Assessment (20%) – A security policy will be distributed, where students will evaluate the policy based on the criteria discussed in class and make recommendations to improve the organization’s overall information security.

Major paper (30%) – Students will be given the opportunity to identify a current topic in information risk management and security, and further explore the subject which may be of interest or related to their other studies or professional experience.

Please note: Late assignments will be penalized by one grade per day. For example an A- paper that is two days late would result in the grade of B. Any assignments over 5 days late will result in a failing grade.

Participation

As this is an online course, participation will work somewhat differently than an in-class course. On the ELMS-Blackboard website, a discussion board will be established with discussions for each week of class. Every week, the instructor will post questions related to the lecture and the readings that will allow the students to further consider the concepts and topics introduced in class. Students are expected to not only answer questions, but also pose further questions and engage with other members of the class in order to create a lively debate and discussion. Bringing new and timely sources into the conversation is highly recommended.

Rules and Expectations for Online Participation:

1) Students will participate on a regular basis, contributing to the conversations.

2) Contributions will not repeat previous posts or information, but add new ideas, opinions and views to the conversation.

3) Posts that not only answer questions but also pose new questions are very welcome. Originality, innovative ideas, or posts that bring new knowledge into the conversation are highly regarded, including those that relate ideas based on professional experience.

4) Students are not assessed by the quantity of posts, but the quality of posts. Many posts that add little or no value to the conversation, or only repeat previously stated facts, will not be a positive factor in a student’s participation grade.

5) The online space shared by all students should be considered a safe place to post ideas and opinions. It is acceptable to respond to, agree with or question posts made by others. However, any rude, inflammatory, insulting or inappropriate posts will not be tolerated. Participation marks will be lost for online attacks or ‘flaming’.

Academic Integrity

Students are reminded to review the University’s Honor Code and Honor Pledge regarding cheating, plagiarizing papers, and other unacceptable activities. Academic dishonesty will not be tolerated and will be reported to the Honor Council.

INFM 718W (Online) Class Calendar

Part I: Introduction to Information Risk Management

Week 1 (January 28): Introduction to Risk Management
  Topics:
    1. Course Introduction and Administration
    2. Introduction to Risk Management
    3. The Business Risk Model
  Readings: Course Documents

Week 2 (February 4): Information & Tech Risk Management
  Topics:
    1. What is Information and Technology Risk Management?
    2. A Method for Identifying IT Risks and Controls
  Readings: (C. W. Choo, 2005)

Week 3 (February 11): Assessing Information Risks and Controls
  Topics:
    1. The Role of IT Audit and Risk Assessments
    2. COBIT: A Framework for Assessing IT Risks
    3. IT Governance
  Readings: (Parent & Reich, 2009)

Part II: Technical Aspects of Information Security

Week 4 (February 18): Data Security and Encryption. Case #1 due.
  Topics:
    1. The History of Encryption
    2. Codes, Ciphers and Other Secrets
    3. How Encryption Works
  Readings: (McCreary, 2008); (Sundt, 2010)

Week 5 (February 25): Organizational Network and Application Security
  Topics:
    1. The Risks of Connectivity
    2. Risks Surrounding IT and Telecommunication Networks
  Readings: (Tomlinson, Yau, & MacDonald, 2010)

Week 6 (March 4): Organizational Network and Application Security (continued)
  Topics:
    1. Internet & Host Security
    2. Firewalls & VPNs
  Readings: (Paquette, Jaeger, & Wilson, 2010)

Week 7 (March 11): IT Fraud & Digital Forensics. Case #2 due.
  Topics:
    1. IT Fraud in Organizations
    2. Digital and Computer Forensics
  Readings: (Phua, Lee, Smith, & Gayler, 2010); (Jones & Martin, 2010)

Part III: Non-Technical Aspects of Information Security

Week 9 (March 25): Information Security Management
  Topics:
    1. Creating a Corporate Security Policy
    2. The Ongoing Management of Information Security
    3. Measuring Security
    4. Incident Response
  Readings: (Ackerman, Rucker, Wells, Wilson, & Wittman, 2009); (Cannoy & Salam, 2010); (Paquette & Fagnot, 2010)

Week 10 (April 1): Disaster Recovery and Business Continuity Planning
  Topics:
    1. Planning for Disasters, Big and Small
    2. Developing a Business Continuity Plan
    3. Physical Security
  Readings: (Arduini & Morabito, 2010)

Week 11 (April 8): Information Process Risk. Security Policy Assessment due.
  Topics:
    1. What are Information Processes?
    2. Assessing and Mitigating Risk at the Process Level
    3. Managing Project Risk
  Readings: (Humphreys, 2008)

Week 12 (April 15): Non-Technical Security Risks
  Topics:
    1. The Risks Caused by People – Social Engineering & Behavioural Security
    2. Google Hacking
    3. Preventing Security Breaches through Security Awareness Training
  Readings: (Fagnot, 2007)

Week 13 (April 22): The Future of Information Security
  Topics:
    1. Cyber Crime and Terrorism
    2. Emerging Threats for Organizations – Social Media
  Readings: (K.-K. R. Choo, 2010)

Week 14 (April 29): Week to Work on Final Papers. Major Paper due.

Required Readings List

Ackerman, M., Rucker, B., Wells, A., Wilson, J., & Wittman, R. (2009). IT Strategic Audit Plan. Journal of Technology, 1.

Arduini, F., & Morabito, V. (2010). Business Continuity and the Banking Industry. Communications of the ACM, 53(3), 121-126.

Cannoy, S. D., & Salam, A. F. (2010). A Framework for Health Care Information Assurance Policy and Compliance. Communications of the ACM, 53(3), 126-132.

Choo, C. W. (2005). Information Failures and Organizational Disasters. Sloan Management Review, Spring 2005, 8-10.

Choo, K.-K. R. (2010). High Tech Criminal Threats to the National Information Infrastructure. Information Security Technical Report, 15, 104-111.

Fagnot, I. (2007). Behavioral Information Security. In Encyclopedia of Cyber Warfare and Cyber Terrorism (Vol. 1, pp. 199-205). Berkshire Publishing Group LLC.

Humphreys, E. (2008). Information Security Management Standards: Compliance, Governance and Risk. Information Security Technical Report, 13(4), 247-255.

Jones, A., & Martin, T. (2010). Digital Forensics and the Issues of Identity. Information Security Technical Report, 15, 67-71.

Managing Business Risks in the Information Age. (1998). New York, NY: The Economist Intelligence Unit.

McCreary, L. (2008). What Was Privacy? Harvard Business Review, October 2008, 123-132.

Paquette, S., & Fagnot, I. (2010). Social Media Use and Employee Attitudes Towards Information Security. Paper presented at the Workshop on Information Security and Privacy (WISP) at the International Conference for Information Systems (ICIS).

Paquette, S., Jaeger, P. T., & Wilson, S. (2010). Identifying the Security Risks Associated with Governmental Use of Cloud Computing. Government Information Quarterly, 27, 245-253.

Parent, M., & Reich, B. (2009). Governing Information Technology Risk. California Management Review, 51(3), 134-153.

Phua, C., Lee, V., Smith, K., & Gayler, R. (2010). A Comprehensive Survey of Data Mining Based Fraud Detection Research. Cornell University.

Sundt, C. (2010). Cryptography in the Real World. Information Security Technical Report, 15, 2-7.

Tomlinson, A., Yau, P.-W., & MacDonald, J. A. (2010). Privacy Threats In a Mobile Enterprise Social Network. Information Security Technical Report, 15, 57-66.

© Scott Paquette 2011, College of Information Studies

University of Maryland