Syllabus_612_Spring 2024
Date: Feb 20, 2024
Center for Applied Information Technology
AIT612 – Information Systems Vulnerability and Risk Analysis
Spring 2024
(Section 101 -- Online Instruction)
Instructor: Prof. Arthur Friedman
Email: afriedman@towson.edu
Office Hours: By email and appointment
Course Hours: 7:30 pm to 10:10 pm
Course Location: Online
Course Website: Blackboard
Prerequisite: Admission into the MS AIT certificate graduate program, completion of CAIT 500, and CAIT 600 or equivalents.
Course Description:
Corporations and government organizations must implement security controls for
managing risk to minimize the impact of cyber-attacks and insider threats and to ensure that the integrity and
privacy of data are maintained. This course introduces the fundamental core concepts of information
security from a risk management perspective. The course emphasizes applying information security
controls and demonstrating an understanding of IT security through student assigned homework, case
studies, and research.
Course Objectives:
Upon completion of the course, students will understand and be familiar with:
The concepts of threat, vulnerability, and risk management.
Identification, authentication, and access control.
The methods used for intrusion detection.
The steps involved in responding to and recovering from an intrusion.
The basic concepts of cryptography, biometrics, wireless security, and forensics.
Current attack trends and how to defend against such attacks.
The legal framework and ethical issues associated with information security.
How to utilize the Internet to locate information security tools and resources.
The various best security practices used in government and industry.
Required Textbook:
Required Reading: Security in Computing by Charles P. Pfleeger, Prentice-Hall,
Fifth Edition, 2015. The textbook may be available online at:
http://ptgmedia.pearsoncmg.com/images/9780134085043/samplepages/9780134085043.pdf
Supplemental reading material will also be identified and/or provided during the semester.
Page 1 of 6
02/17/2024
Class Procedure:
Class sessions will be a combination of lecture, discussion, and participating in case studies. Students are
responsible for assigned readings and completing all assignments. Students are expected to read the
assigned material prior to class. The material covered in class is designed to clarify and supplement the
textbook reading assignments. The PowerPoint notes used for lecture will be posted in the Blackboard
course website.
Grading Policy:
Students will be evaluated on the following basis:
Exams (2): 50% (500 pts.)
    Mid-term: 25%
    Final: 25%
5 Case Studies: 50% (10% each) (500 pts.)
Total: 1000 pts.
Final course grades will abide by the following scale:
Grading Scale
A: 93 – 100
A-: 90 – 92.99
B+: 85 – 89.99
B: 80 – 84.99
C: 70 – 79.99
F: <70
Case Study Assignments:
Case study assignments will be posted on Blackboard Assignments. Weeks 3, 5, 7, 10, and 12 will be
devoted to researching and completing your case studies. Your case study should include: a statement of
the problem or opportunity, an evaluation of relevant alternative courses of action and recommendations,
and your conclusion on which alternative(s) you chose and why.
Do not summarize or review the material in the case study - you are required to analyze the case study
and present your recommendations. The case study must be written as a consultant or employee making
recommendations to senior management (primarily the Chief Information Officer (CIO) or the Chief
Information Security Officer (CISO)).
The case study write-up will be 4-5 pages in length, 1.5-spacing. Your case study submissions will be
graded based on your analysis of the problem, for content, and for exposition (coherence,
understandability, grammar, and spelling), for a total of 100 points. Case study papers must be submitted
on time.
Mid-term and Final Exams:
Both exams will be administered online via Blackboard. The exams are open book, and Internet and
documents posted on Blackboard can be used. The exam format will be essay-type questions, and
mini-case studies based on technologies presented in class, and the concepts, approaches, and security control
measures in the readings. You will be tested on your ability to analyze and apply the technologies and
methodologies covered in readings and in class.
Make-up tests will be offered, in exceptional situations, in accordance with applicable University policy,
and in the absence of policy, at the discretion of the professor. (Prior arrangements or letters from
employers or health care providers are required for last-minute requests for make-up exams.)
Professionalism: All materials submitted for this course should look professional including the use of
correct grammar and spelling. Please ensure all cell phones and other devices that could potentially
disrupt the class are turned off upon entering the classroom.
Late Submission Policy: All assigned work (i.e., assignments and projects) is expected to be completed
and submitted by the stated deadline. No late work will be accepted and a grade of zero (0) will be given.
Students are encouraged to discuss homework and projects as a means to share knowledge, experience
and lessons learned as part of the learning process, but academic honesty should be strictly observed (see
below).
Attendance Policy:
Students are expected to attend all classes (in-person or virtually via Zoom) in order
to remain current in the coursework. It is the student’s responsibility to remain current on the assignments
and course material if class is missed. The instructor will allow only students with documented excuses
(see below) to make up missed work or assignments when it is feasible. If the student is absent from an
exam during the scheduled time for that exam, the student will automatically receive a grade of zero (0)
for the exam unless: (a) the student notifies the instructor of the absence prior to the exam and is approved
for the absence by the instructor; (b) the student is ill and supplies a written doctor’s excuse explaining
the absence; or (c) there is an extraordinary situation which the instructor allows as an acceptable excuse.
Only under one of these circumstances will arrangements for a makeup exam be made.
Posting of Grades:
University policy prohibits posting of grades in any form. The instructor will not
report grades via email or in response to phone calls. Grades for the semester can be accessed online.
Cheating and Plagiarism:
Academic honesty is strongly observed. This course may consist of both
individual and team assignments. A team project is an assignment in which collaboration is allowed and
highly encouraged. However, the work of the team must be of the team’s creation and not plagiarized
from other sources. Individual assignments must reflect the work of the individual student and of his/her
creation. While studying together, discussion, and collaboration are encouraged, individual assignments
must be individually prepared – copying or sharing files, diagrams and/or code is considered cheating.
The penalty for cheating will, at a minimum, consist of a grade of zero for the dishonest work and may
lead to the possibility of course failure depending on the severity. Students are responsible for reading and
knowing Towson University’s Student Academic Integrity Policy.
Please review the Academic Integrity
Policy so that you are aware of what steps will be taken in instances of cheating, plagiarism, etc. Students
always have the right of appeal, and should be aware of this. Please note that it is important for faculty to
record observations and actions taken. If a faculty member wishes to impose penalties, it is
recommended that he or she first advise the students of the decision before imposing a final penalty. This
gives the student an opportunity to question the decision and to be heard. If a cheating incident should
occur, faculty is urged to inform the students involved in writing of the penalty to be imposed, with a
copy to the Office of Judicial Affairs. By this method, it may be determined whether or not the student
incident is an isolated one.
Classroom Policy:
If you have a learning disability and/or need accommodation for any reasons, please
advise the instructor as early as possible in the course.
Repeat Policy:
Students may not repeat a course more than once without prior permission of the
Academic Standards Committee.
Dropping this course: March 29th: Last day to drop a course with no grade.
Withdraw from course: April 8th: Last day to withdraw from course with a grade of “W.”
Class Schedule - Subject to change
#
Date
Topics for Discussion
Readings / Supplementary Readings
1
1/31/24
Class Orientation
Introductions
Course overview and introduction, review of syllabus and readings, assignments
Case Study – Format, Expectations, Some Pointers
Introduction to IT Security
IT Security Principles
Best Security Practices
Impact of Risk
Understanding concept of Confidentiality, Integrity, and Availability
Read Class Syllabus and Schedule
Read Security in Computing, Chapter 1 (Required)
Review the US Cybercrime report posted on Blackboard Documents – 2018 and 2020 US State of Cybercrime Survey
Review Synopsys 2022 Risk Analysis Report
Hacker/Social Engineering Video: https://www.youtube.com/watch?v=bo-M6XV2uXs
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=442fc884-44bf-4d32-a9bd-ab5301530c31
2
2/7/24
Risk Management
Overview of Threat and Vulnerabilities
Methodology for conducting risk
General Security Risk Assessment Guideline
Read Security in Computing, Chapter 3, Sections 3.2 and 3.3, Chapter 6, Section 6.2, and Chapter 10, Section 10.4 (Required)
Read GAO Report on Information Security Risk Assessment – Practices of Leading Organizations
(See supplemental readings in Blackboard – Course Documents)
Review Assignments in Blackboard
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=9733b25f-4dc7-4558-b32f-ab5900086c56
3
2/14/24
Case Study 1 – See Blackboard Assignments
4
2/21/24
IT Security Control Measures
Overview of Administrative Security
FISMA, NIST SP 800-53, GAISP V3.0, HIPAA
Sarbanes Oxley
Industry Security Controls
Sarbanes Oxley, Section 404 IT Compliance
GAISP V3.0
Health Care Security Controls (HIPAA)
Title I Health Care Access, Portability, and Renewability
Title II Preventing Health Care Fraud and Abuse
Read Security in Computing, Chapter 1, Section 1.5
Review NIST SP 800-53 Rev 5, Chapters 2 and 3, Appendix C
Read supplemental readings on SOX, HIPAA, and security guidelines (See supplemental readings in Blackboard - Course Documents). Note, there are several documents. These documents will be used to assist in completing the case study.
Review Federal Information Security Management Act of 2002
http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=ee0ac3dd-8844-4874-b701-ab67000884ad
5
2/28/24
Case Study 2 – See Blackboard Assignments
6
3/6/24
Security in Networks
Firewalls
Virtual Private Networks
Intrusion Detection Systems
Access Control, I&A, and Biometrics
Read Security in Computing, Chapter 6, Sections 6.6, 6.7 and 6.8 (Required)
Review Commercial Firewall Security Target, Blackboard Documents
Read Security in Computing, Chapter 2, Sections 2.1 and 2.2 (Required)
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=27b221a3-5365-4700-b818-ab7500090125
Mid-term Exam Review
7
3/13/24
Case Study 3 – See Blackboard Assignments
3/20/24
Spring Break
8
3/27/24
Mid-term Exam
The mid-term exam will be posted on Blackboard from 6:00 pm on 3/27 until 3/30 at 6:00 pm. The completed exam must be submitted via Blackboard by 6:00 pm on 3/30.
9
4/3/24
Cryptography and PKI
Symmetric and Asymmetric Key Encryption
Public Key Infrastructure Technology
Certification Practice Statements
Export Encryption Policy
Read Security in Computing, Chapter 2, Section 2.3, and Chapter 12, Sections 12.2, 12.3, 12.4, and 12.5 (Required)
Review Verisign Certification Practice Statement, Version 3.4, Blackboard Documents
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=da3c78c8-9dc6-4b81-907c-aa1d0183c43b
10
4/10/24
Case Study 4 – See Blackboard Assignments
11
4/17/24
Incident Response,
Symmetric and Asymmetric Key Encryption, Public Key Infrastructure Technology
Forensics
COOP
Cyber Incident Response
Read Security in Computing, Chapter 6 (Sections 6.2, 6.3, 6.4)
Read Security in Computing, Chapter 10, Sections 10.2 and 10.3, and 10.5 (Required)
Read Security in Computing, Chapter 6, Section 6.3 (Required)
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=683b6ad5-ac65-4d12-96fa-aafe000a34aa
12
4/24/24
Case Study 5 – See Blackboard Assignments
13
5/1/24
Wireless Security
Security protocols
Read NIST SP 800-48, Wireless Network Security.
Wireless attack methods
Vulnerabilities
Review this website:
http://en.wikipedia.org/wiki/Wireless_security
Video recording:
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=683b6ad5-ac65-4d12-96fa-aafe000a34aa
14
5/8/24
Privacy and Legal Issues
Anonymity
Encryption
Children’s Privacy
Financial
First Amendment
International
Medical
Online
Workplace
Read Security in Computing, Chapter 6, Section 6.3 (Required)
Read Security in Computing, Chapters 9 and 11 (Required)
Video recording 1 (Privacy and Legal Issues, and Final Exam Review):
https://towsonu.hosted.panopto.com/Panopto/Pages/Viewer.aspx?id=cf49ac29-4613-447b-881d-ab1a0009bf42
15
5/15/24
Final Exam
The final exam will be posted on Blackboard from 6:00 pm on 5/15 until 5/18 at 6:00 pm. The completed exam must be submitted via Blackboard by 5/18 at 6:00 pm.