Management Development Institute

PGPM 2011 Information Security Management NAME OF THE PROFESSOR: Dr. ANJALI KAUSHIK CREDIT: FULL SESSION DURATION: ONE Dec-Jan 2011-12

Course Objective
Information security concerns all individuals and organizations dealing in information. Specially, as organizations continue to deploy mission critical network centric information systems, managing the security of such systems has become very critical. Information security and privacy issues are of importance to all organizations. They are of all the more importance to off-shore software development and business process outsourcing companies which handle data across countries in a distributed environment. It is important for all individuals as they access/provide information on the network. This course is designed to provide a comprehensive framework for planning, analyzing and managing information security to suit to the differing requirements of organizations. Specifically the course is designed with the following objectives: To expose students to the various aspects of information security including confidentiality, integrity and availability of information resources. To identify and assess security risks, formulate and implement security policies, enable governance mechanisms and ensure compliance to information security requirements. Understand major cyber crimes (eg-What is hacking/identity theft etc? What are cyber crimes? Global snapshot of cybercrimes) Protection mechanisms: To understand different technology components of a security infrastructure, and the process of selection of appropriate components to meet organizational needs To analyze different options for maintenance of the security infrastructure To expose students to different security standards and frameworks including FISMA, ISO 27001, PCI DSS and SAS 70 To understand information security auditing procedures To expose students to legal aspects of information systems security including discussions of HIPAA, SOX and Indian IT Act 2000

Text Book:
Whitman, M., and Mattord, H. (2003). Principles of Information Security. Thomson Course Technology: New Delhi.

Reference Books:
1. . Dhillon, G. (2007). Principles of Information Systems Security: Text and Cases. Hoboken, NJ, USA: John Wiley & Sons. 2. Bragg, R., Rhodes-Ousley, M., and Strassberg, K. (2004). Network Security: The Complete Reference. New Delhi: Tata McGraw-Hill. 3. Fadia, Ankit. (2004). The Ethical Hacking Guide to Corporate Security. New Delhi: Macmillan India.

4. infoDev, (2003). Information Security technology Handbook. Washington, DC, USA: World Bank. 5. Panko, Raymond (PR). (2003). Corporate Computer and Network Security (Low Price Edition). Pearson Education: New Delhi. 6. Stallings, W. (2003). Cryptography and Network Security: Principles and Practices (Third Edition). New Delhi: Pearson Education.

Evaluation Components
The students will be evaluated based on their performance in quizzes, class discussions, group project and exams as indicated below: Discussion Paper Presentation 2 Quizzes (4 * 5%)

Mid-Term Exam
Term Paper/Project End-Term Exam Total

15% 10% 25% 20% 30% 100%

Students will form groups of three in the first few days of class. The groups will present critical review of discussions papers, focusing on extending/ augmenting what is given the paper i.e. you are expected to read the paper/s and do substantive work besides that. There will be two announced quizzes, which will be held during the last 10 minutes of class period. There will be no make-up quizzes. The students should come prepared for case and paper discussions as and when they are scheduled. Attendance will be taken in each class.

The projects identified are: 1. Security and Privacy Issues in Cloud Computing. 2. Leveraging Cloud to deliver Security Services 3. Evolution of Privacy ITAA, UIDAI, Privacy Laws, Global Regulations 4. Information Security Management in a BPO 5. Securing Business Transactions using cryptography-implementation aspects 6. Role of Cyber forensics with examples 7. Adoption issues and usage trends for PCI standard 8. Security Technologies in Focus 9. Cyber Crime and IT Act 2000 10.Organizations in information security domain and their role-ISACA, NASSCOM-DSCI, CERT etc
Apart from the above, there are 2-3 live projects in cyber security which MDI is involved in and some students can participate in them. MDI is suggesting the information security framework for Government sector in India which will be applicable to critical infrastructure and all the third party service providers to Government. This is a project for Ministry of Communication and IT. The Pilots for the same are underway. We are also closely working with NASSCOM to study the Global dimensions of financial cybercrime to make recommendations to Indian Government.

Reading Material * [1] infoDev, (2003). (2003). Part Three: Security for Organizations. Information Security Handbook. World Bank: Washington DC, USA. 81-161. [2] Sumner, M. (2009). Information security threats: A comparative Analysis of impact , probability, and Preparedness , Information Systems Management , 26, 1, pp 2-12 [3] Berghel, H. (2003). Malware Month. Communications of the ACM. 46(12), 15-19 [4] Berghel, H. (2006). Phishing Mongers and Posers. Communications of the ACM, 49(4), 21-25. [5] Jagatic, T., Johnson, N., Jakobsson, M., and Menezer, F. (2007). Social Phishing, Communications of the ACM. 50(10), 94-100. [6] Ives, B., Walsh, K., and Schneider, H. (2004). The Domino Effect of Password Reuse. Communications of the ACM. 47(4), 75-78. [7] D Arcy, J., and Hovav, A. (2007). Deterring Internal Information Systems Misuse. Communications of the ACM, 50(10), 113-117. [8] Mercuri, R. (2007). Scooping Identity Theft. Communications of the ACM. 49(5), 17-21. [9]Whitman, M. (2003). Enemy at the Gate: Threats to Information Security. Communications of the ACM. 46(8), 91-95. [10] Gordon, L.A. and Loeb, M.P. (2006). Budgeting Process for Information Security Expenditures. Communications of the ACM. 49(1), 121-125 [11] Gordon, L.A. and Loeb, M.P. (2003). The economic cost of publicly announced information security breaches: empirical evidence from the stock Market. Journal of Computer Security, 11, 431-448. [12] Baker, W.H. and Wallace, L. (2007), Is information security under control? IEEE Security and privacy. January, pp 36-44. [13] Sridhar, V., and Bhasker, B. (2003). Managing Information Security on a Shoestring Budget. Annals of Cases in Information Technology. 151-1 [14] Blatchford, C. (1995), Information security Controls - Are they cost -Effective? ,Computer Audit journal , 3, pp 11-19 [15] Anderson, Ross (2006), Economic of Information Security [16] Mercuri. R, T. (2002), Computer Security : Quality Rather than Quantity , Communications of the ACM, October, 45, 10 [17] Mercuri, R. (2004). The HIPPA-potamus in Health Care Data Security. Communications of the ACM, 47(7), 25-28. [18]Ministry of Law, Justice and Company Affairs. (2000). The Information Technology Act 2000. Government of India. [19]Department of Information Technology. (2005). Proposed Amendments to Information Technology Act 2000. Government of India. [20] An introduction to a Business Model on Information security by ISACA

*There may be some changes in the final list of discussion papers.

Session Details (Tentative)

Session Number
1

Topics Information Security Overview

Reading Material Reference

CIA, Classification, Information Security How much is too much?, Trends in security incidents;

TB CH [1] [1]

2-3

security categorization based on CIA The Need for Security: Security Threats Malware attacks, Phishing, Identity theft, Hacking, Insider risk and Spam, mobile risk. Global snapshot of cybercrime Discussion Paper 1 Discussion Paper 2 Information Security Risk Analysis Risk Assessment Models and Metrics, Diversification strategies. To assess security risks and plan governance and compliance mechanisms Discussion Paper 3 Guest Lecture Security Policy Development, Development of Security Policy, Sample Security Policies Effective planning, selection and evaluation of information security controls Case study on approach to implementing information security in an organization Discussion Paper 4 Security Components and Functions Firewall, Intrusion Detection System, Virus Protection System Elements of Cryptography: Basic cryptographic concepts, symmetric and public key encryption, digital certificates. MID-TERM EXAM Key factors in implementation and management of information security Security audit and investment Evaluating information security investments Economics of information security Discussion Paper 5 Guest Lecture Information Security Maintenance Maintenance model, Security maintenance: outsource or keep it in-house, specifications of service level agreements Discussion Paper 6 Guest Lecture on Best Practices in Information Security Management

TB CH [2] [1],

[3]-[4] [7]
TB CH [4] [8]

4-6

[9]

7-9

TB CH [5]

[10]

10

TB CH [6&7]

11-13

TB CH [8]

[11]
TB CH [12]

14 15-17

[12]

18

Disaster Recover and Business Continuity Integrity and Availability Architecture, Components of Business Continuity. Discussion Paper 7

TB CH [5]

[13]

19

Information Security Standards ISO27001:2005, FISMA, PCI DSS

Guest Lecture 20 Legal Aspects of Information Systems Security Legal issues and laws governing security attacks, intrusions, invasion of privacy, IT Act 2000 and proposed amendments, HIPAA, SOX Discussion Paper 8 END-TERM EXAMINATION

[15]