
Georgia State University Department of Computer Information Systems

Course Syllabus ACCT 8680 / CIS 8080


(CRN 81334/82858)

Security and Privacy of Information and Information Systems Fall 2011

Professor
Name: Richard Baskerville
Office: RCB Building, 35 Broad Street, 919
Office Hours: Tuesdays, 3.00 pm - 5.00 pm, or by appointment
Office Phone: (404) 413-7362
Office Fax: (404) 413-7394
Email: baskerville@acm.org

Venues
Tuesdays, 7.15 - 9.45 pm, 331ALC. Some sessions will be conducted online (see course schedule).

Prerequisites
None. CSP: 1, 2, 3, 4, 5, 6, 7, 8.

Required Materials
Course Web Site: http://cis.gsu.edu/~rbaskerv/cis8080/index.html Most course readings will be available via GSU library subscriptions or from the course web site. The exceptions are the four HBR case studies that must be downloaded directly from HBR (for a fee payable to HBR at time of downloading). The download link for these cases is: http://cb.hbsp.harvard.edu/cb/access/9790160 See Readings below for a complete list of required reading material.

Catalog Description
This course is designed to develop knowledge and skills for the management and assurance of security of information and information systems in technology-enabled environments. It focuses on concepts and methods associated with planning, designing, implementing, managing, and auditing security at all levels on different platforms, including worldwide networks for e-business. The course presents techniques for assessing risk associated with accidental and intentional breaches of security and covers the associated issues of ethical uses of information and privacy considerations.

ACCT8680/CIS8080 Syllabus

Page 2

Course Objectives
Students completing this course will be capable of:
1. distinguishing the relationships of various information systems elements with threats and security features that protect the elements from these threats, viz.,
   a. applying a TFO Model to an organizational setting,
   b. using a comprehensive IT Threats Framework to develop scenarios for an organizational setting,
   c. using an IT Safeguards Framework to develop alternatives for IT security controls,
2. analyzing and evaluating the ethics of information development and use, viz.,
   a. incorporating Privacy Law into security planning,
   b. incorporating public accounting legal requirements (e.g., SARBOX) into security planning,
3. planning, designing, and implementing IT security, viz.,
   a. organizing and planning IT Risk Management operations,
   b. organizing the IT security function,
   c. adapting an organizational IT security methodology,
   d. constructing organizational policies,
4. auditing IT security, viz.,
   a. applying security standards (e.g., COBIT) to an organizational setting,
   b. determining organizational compliance with security standards, privacy laws, and public disclosure laws.

Special Considerations
The course web site will be used as a repository for further required course material that arises during the class. Three meetings are planned as online venues. Students must arrange for their own access to the World Wide Web (Internet access is available free in the GSU labs) and must establish their access capability to WebCT and Elluminate live prior to these meetings. All student work submitted in fulfillment of course requirements is deemed to be granted in the public domain (copyright-free) for the purposes of use as instructional material or examples of student work in future courses. Constructive assessment of this course by students plays an indispensable role in shaping education at Georgia State. Upon completing the course, students are asked to take the time to fill out the online course evaluation. The course syllabus provides a general plan for the course. Deviations may be necessary.

Method of Instruction
Classroom sessions will cover the same topics as the reading assignments, but seek further depth through discovery learning. It is essential that students read the assigned material before coming to class. Instruction will follow these three approaches: (1) topic discussion of course concepts, (2) discussion of cases that will allow us to apply knowledge of information security concepts to actual business settings, and (3) class activities that apply these concepts to simulated business situations. Preparation is essential and all students are required to have read, and be prepared to discuss critically, the readings assigned. Individuals may be cold called to introduce an article or to initiate discussion. In assigning the participation grade, both class attendance and the quality of oral contributions during class discussions will be considered.


Class Attendance Policy
Roll will not be taken on a regular basis. It is the student's responsibility to attend class, obtain assignments, and turn in work on time. Absence from class does not relieve you of any of these responsibilities. One absence will be considered excused if it is due to an emergency, a religious holiday, or some other extenuating circumstance. Please notify the instructor in advance if possible. Unless an absence is excused, students will NOT be allowed to make up missed work. A low-score drop mechanism will automatically satisfy one absence, excused or unexcused, from the in-class quizzes. Further absences may impact a student's grade due to missed in-class activities.

Flicker and Noise Distractions
By continued enrollment in this class, students agree to practice a click-free, flicker-free and noise-free environment for fellow students in this classroom. Students agree that mobile devices such as telephones, PDAs, Blackberries, etc. will be silenced and unused during class. Students agree to forbear from the use of computers during the class for email, web-surfing, gaming, etc.

Withdrawals
Students who withdraw before the midpoint will receive a grade of W. Students withdrawing after this date will receive a grade of WF unless a hardship authorization is obtained from the Dean of Students. For the exact midpoint date see http://calendar.gsu.edu/calendar.

Incompletes
A grade of I will be given only in exceptional circumstances. A student must have completed all but one of the requirements of the course in order to be eligible to receive a grade of I.

Assessment
Learning objectives will be assessed by both individual and group performance through the following course features:

Discussions
The course will include in-class discussions of five cases: (1) Secom, (2) ChoicePoint, (3) CareGroup, (4) TJX and (5) Leih's retailer. Students will have individual opportunities to contribute thoughtful and critical oral observations during class discussions focused on the course objectives. There will be readings assigned for most class meetings. Students will have opportunities during the semester to introduce and comment on these readings during in-class discussions. An email group server provides opportunities for discussions outside of class meeting times.

Team Activities
Four in-class team activities will be organized: (1) Threat scenarios, (2) Threat news reports, (3) Safeguards tradeshow, (4) Methodology bends. Assessment of performance is generally based on the quality of the deliverables in each activity. In some cases, these activities will be competitive, and small amounts of bonus credit may be awarded to winning teams. These activities are further described in the activity descriptions distributed in advance of the activities.


Students will form self-managing teams for the purpose of completing team activities. Each team is expected to persist through the course. Peer appraisals will be part of the overall grading/evaluation of individual performance. Consensus on the relative contributions of each of the team members will be derived through assessment of documented facts and records, evaluation of team output, and evaluation of team processes. Unless team members inform the instructor in writing to the contrary, the assumption will be that each team member contributed equally to the assessed products of the team.

Quizzes
There will be two short objective quizzes that assess familiarity with the principles and general organization of two examples of security management frameworks: (1) CobiT, and (2) Octave. Students will actively participate in the construction and evaluation of these quizzes.

Short Paper
Each student will prepare an essay that compares the ChoicePoint case (discussed during the course) with the recent Sony data breach (not discussed during the course) from a perspective of the ethical reasoning in security and privacy of information and information systems. The paper must demonstrate the student's ability to research a case, analyze data, synthesize data from different sources, and to compare and to evaluate distinct cases with a clear train of argumentation and ethical reasoning using the perspective required. Any and all conclusions must be clearly stated. To ensure research originality, students are strongly encouraged to seek information beyond web pages, and from at least one original source (such as an interview with an authority on the subject). The paper must be submitted both in paper and electronic form (as a Microsoft Word Document), no longer than 2000 words, and include citations and full references to all direct sources (in APA format).

Short Paper Discussion
Each student will prepare a brief (e.g. three-minute) presentation of their essay that features its point-counterpoint relationship to at least one other student short paper. This discussion should authoritatively (i.e. by citing references) compare and contrast the central arguments and conclusions of their paper with at least one other student short paper. PowerPoint may not be used. Students may or may not be called on to present during class at the discretion of the instructor. Order of progression will be determined in a bidding session and draft papers exchanged one week before the discussion.

Grading Policy
Activity                          Points Available
Case and readings discussions     400
Team activities                   300
Quizzes                           100
Short paper                       150
Short paper discussion            50
Total                             1000


Letter Grade    Percentage Range    Point Range
A+              >96%                >960
A               90% - 96%           900 - 959
A-              87% - 89%           870 - 899
B+              83% - 86%           830 - 869
B               80% - 82%           800 - 829
B-              77% - 79%           770 - 799
C+              73% - 76%           730 - 769
C               70% - 72%           700 - 729
C-              67% - 69%           670 - 699
D               60% - 66%           600 - 669
F               0% - 59%            0 - 599

Readings
Note: Accessing some of these resources may only be completed from an on-campus computer or through a VPN connection from off-campus. An on-campus IP address is usually required. For more information see "Connecting to the Network from Home (VPN - Virtual Private Network)" at http://www.gsu.edu/help/25697.html

Alberts, C., & Dorofee, A. (2001). An Introduction to the OCTAVE Method. Retrieved Jan 2, 2007, from http://www.cert.org/octave/methodintro.html
Alberts, C., Dorofee, A., Stevens, J., & Woody, C. (2003). Introduction to the OCTAVE Approach [Electronic Version]. Retrieved May 2009, from http://www.cert.org/octave/approach_intro.pdf
Backhouse, J., Hsu, C. W., & Silva, L. (2006). Circuits of power in creating de jure standards: Shaping an international information systems security standard. MIS Quarterly, 30(SI), 413-438.
Baskerville, R. (2005). Hacker Wars: E-Collaboration by Vandals and Warriors. International Journal of e-Collaboration, 2(1), 1-16.
Baskerville, R. (2008). Strategic Information Security Risk Management. In D. W. Straub, S. Goodman & R. Baskerville (Eds.), Information Security Policy, Processes, and Practices (pp. 112-122). Armonk, New York: M.E. Sharpe.
Baumer, D. L., Earp, J. B., & Poindexter, J. C. (2004). Internet privacy law: a comparison between the United States and the European Union. Computers & Security, 23(5), 400-412.
Berg, G., Freeman, M., & Schneider, K. (2008). Analyzing the TJ Maxx Data Security Fiasco: Lessons for Auditors. The CPA Journal, 78(8), 34-37.
Berghel, H. (2005). The two sides of ROI. Communications of the ACM, 48(4), 15-20.


Charoen, D., Raman, M., & Olfman, L. (2008). Improving End User Behaviour in Password Utilization: An Action Research Initiative. Systemic Practice and Action Research, 21(1), 55.
Deloitte Touche Tohmatsu. (2010). 2010 Global Security Survey. Retrieved Aug 19, 2010, from http://www.deloitte.com/assets/DcomGreece/Local%20Assets/Documents/Attachments/security/GlobalSecuritySurvey2010.pdf
Herzberg, A. (2009). Why Johnny can't surf (safely)? Attacks and defenses for web users. Computers & Security, 28(1/2), 63-71.
Im, G., & Baskerville, R. (2005). A Longitudinal Study Of Information System Threat Categories: The Enduring Problem Of Human Error. The Database for Advances in Information Systems, 36(4), 68-79.
IT Governance Institute. (2007). CobiT 4.1. Retrieved from http://www.isaca.org/Content/NavigationMenu/Members_and_Leaders1/COBIT6/Obtain_COBIT/Obtain_COBIT.htm
Leih, M. (2006). The Impact Of The Sarbanes-Oxley Act On IT Project Management. JITTA: Journal of Information Technology Theory and Application, 8(3), 13-30.
Luoma, V. M. (2006). Computer forensics and electronic discovery: The new management challenge. Computers & Security, 25(2), 91-96.
McFarlan, F. W., & Austin, R. D. (2005). CareGroup (Case No. 9-303-097). Boston: Harvard Business School.
McFarlan, F. W., Austin, R. D., Usuba, J., & Egawa, M. (2008). Secom: Managing Information Security in a Risky World (Case No. 9-308-015). Boston: Harvard Business School.
Paine, L., & Phillips, Z. (2007). ChoicePoint (B) (Case No. 9-306-082). Boston: Harvard Business School.
Paine, L., & Phillips, Z. (2008). ChoicePoint (A) (Case No. 9-306-001). Boston: Harvard Business School.
Pfleeger, S. L., & Cunningham, R. K. (2010). Why Measuring Security Is Hard. IEEE Security & Privacy, 8(4), 46-54.
Rees, J., & Allen, J. (2008). The State of Risk Assessment Practices in Information Security: An Exploratory Investigation. Journal of Organizational Computing and Electronic Commerce, 18(4), 255-277.
Siponen, M., Baskerville, R., & Heikka, J. (2006). A Design Theory for Secure Information Systems Design Methods. Journal of the Association for Information Systems, 7(11), 725-770.
Tsohou, A., Karyda, M., Kokolakis, S., & Kiountouzis, E. (2006). Formulating information systems risk management strategies through cultural theory. Information Management & Computer Security, 14(3), 198-217.
von Solms, B. (2005). Information Security governance: COBIT or ISO 17799 or both? Computers & Security, 24(2), 99-104.
Wallace, L., Lin, H., & Cefaratti, M. (2011). Information Security and Sarbanes-Oxley Compliance: An Exploratory Study. Journal of Information Systems, 25(1), 185-211.
Willison, R., & Backhouse, J. (2006). Opportunities for computer crime: considering systems risk from a criminological perspective. European Journal of Information Systems, 15(4), 403-419.


Xu, W., Grant, G., Nguyen, H., & Dai, X. (2008). Security Breach: The Case of TJX Companies, Inc. Communications of the Association for Information Systems, 23(Article 31), 575-590.
Young, R., Zhang, L., & Prybutok, V. R. (2007). Hacking into the Minds of Hackers. Information Systems Management, 24(4), 281.

Academic Honesty
(Abstracted from GSU's Student Handbook, Student Code of Conduct, Policy on Academic Honesty and Procedures for Resolving Matters of Academic Honesty: http://www.gsu.edu/~wwwcam/code/academicconduct/intro.html)

As members of the academic community, students are expected to recognize and uphold standards of intellectual and academic integrity. The University assumes as a basic and minimum standard of conduct in academic matters that students be honest and that they submit for credit only the products of their own efforts. Both the ideals of scholarship and the need for fairness require that all dishonest work be rejected as a basis for academic credit. They also require that students refrain from any and all forms of dishonorable or unethical conduct related to their academic work. Students are expected to discuss with faculty the expectations regarding course assignments and standards of conduct. Here are some examples and definitions that clarify the standards by which academic honesty and academically honorable conduct are judged at GSU.

Plagiarism. Plagiarism is presenting another person's work as one's own. Plagiarism includes any paraphrasing or summarizing of the works of another person without acknowledgment, including the submitting of another student's work as one's own. Plagiarism frequently involves a failure to acknowledge in the text, notes, or footnotes the quotation of the paragraphs, sentences, or even a few phrases written or spoken by someone else. The submission of research or completed papers or projects by someone else is plagiarism, as is the unacknowledged use of research sources gathered by someone else when that use is specifically forbidden by the faculty member. Failure to indicate the extent and nature of one's reliance on other sources is also a form of plagiarism. Any work, in whole or part, taken from the Internet or other computer based resource without properly referencing the source (for example, the URL) is considered plagiarism. A complete reference is required in order that all parties may locate and view the original source. Finally, there may be forms of plagiarism that are unique to an individual discipline or course, examples of which should be provided in advance by the faculty member. The student is responsible for understanding the legitimate use of sources, the appropriate ways of acknowledging academic, scholarly or creative indebtedness, and the consequences of violating this responsibility.

Cheating on Examinations.

Unauthorized Collaboration. Submission for academic credit of a work product, or a part thereof, represented as its being one's own effort, which has been developed in substantial collaboration with assistance from another person or source, is a violation of academic honesty. It is also a violation of academic honesty knowingly to provide such assistance. Collaborative work specifically authorized by a faculty member is allowed.

Course Schedule (Subject to Change)

Week 1, 23-Aug
Lesson Topic: TFO & Incident centered security management
Meeting Activities: Team Organization

Week 2, 30-Aug
Lesson Topic: Organizational context of IT Security (COBIT)
Meeting Activities: Management of IS Security Case. Visitor: *Karen MacDonald, Biz Librarian
Reading Discussions: 1. IT Resources: (IT Governance Institute, 2007, read pp. 5-28) 2. Secom Case: (McFarlan et al., 2008)

Week 3, 6-Sep
Lesson Topic: IT Threats Framework
Meeting Activities: Threats scenarios for Jashopper
Reading Discussions: 1. Risk Mgmt: (Tsohou et al., 2006) 2. IT Threats Framework: (Im & Baskerville, 2005)

Week 4, 13-Sep
Lesson Topic: IT Safeguards Framework; ISO 17799 / 27002
Meeting Activities: IT Threats News Reports. Visitor: Chase Whitaker, Matt Edman and Josh Hubbard, HCI
Deliverables: News Reports
Reading Discussions: 1. Security Standards: (Backhouse et al., 2006) 2. 2010 Global Security Survey (Deloitte Touche Tohmatsu, 2010)

Week 5, 20-Sep
Lesson Topic: COBIT Controls
Meeting Activities: Auditing CareGroup Case Discussion
Deliverables: Quiz: COBIT
Reading Discussions: 1. CareGroup Case (McFarlan & Austin, 2005) 2. COBIT and 17799: (von Solms, 2005)

Week 6, 27-Sep
Lesson Topic: Hacking and its prevention (Online Lesson)
Meeting Activities: Online Lesson: Hacker Toolboxes
Reading Discussions: 1. Hacking: (Baskerville, 2005) 2. and (Young et al., 2007) 3. Phishing: (Herzberg, 2009)

Week 7, 4-Oct
Lesson Topic: Privacy
Meeting Activities: ChoicePoint Case Discussion: Privacy
Reading Discussions: 1. Privacy: (Baumer et al., 2004), 2. ChoicePoint A case study (Paine & Phillips, 2008) 3. ChoicePoint B Case (Paine & Phillips, 2007)

Week 8, 11-Oct
Lesson Topic: Safeguards (Online Lesson)
Meeting Activities: Online Lesson: Safeguards Toolboxes
Reading Discussions: 1. Passwords: (Charoen et al., 2008) 2. Crime Prevention: (Willison & Backhouse, 2006)

Week 9, 18-Oct
Lesson Topic: Regulation: SARBOX, HIPAA, etc.
Meeting Activities: Safeguards Trade Show. Guest Professor: Carl Stucke
Deliverables: Safeguards booth
Reading Discussions: 1. Regulation Risk: (Berghel, 2005), 2. SOX 404 compliance (Wallace et al., 2011)

Week 10, 25-Oct
Lesson Topic: IT Risk Management Framework
Meeting Activities: Discussion: Risk Analysis. Visitor: Tammy Clark, GSU CISO
Reading Discussions: 1. IT Risk Mgmt: (Baskerville, 2008) 2. Risk Analysis: (Rees & Allen, 2008) 3. Measuring Risk: (Pfleeger & Cunningham, 2010)

Week 11, 1-Nov
Lesson Topic: IT security methodology
Meeting Activities: Methodology Bends
Deliverables: Quiz: Octave Method
Reading Discussions: 1. Octave: Approach (Alberts et al., 2003) 2. and Method: (Alberts & Dorofee, 2001), 3. Method Framework (Siponen et al., 2006, read pp. 1-13)

Week 12, 8-Nov
Lesson Topic: IT Security functions and policy (ISO 27001)
Meeting Activities: TJX Case Discussion
Reading Discussions: 1. TJX Case (Xu et al., 2008) 2. TJX Case Audit (Berg et al., 2008)

Week 13, 15-Nov
Lesson Topic: IT Audit & Disclosure
Meeting Activities: IT Project Management Audit Case. Visitor: Eric Brothers, Advisory Services, E&Y
Deliverables: Draft Short Paper Hard Deadline; Discussion Bidding
Reading Discussions: 1. Forensics: (Luoma, 2006), 2. Leih's Case (Leih, 2006, read pp. 20-28)

Week 14, 22-Nov
Thanksgiving Holiday

Week 15, 29-Nov
Meeting Activities: Short Research Paper Presentations
Deliverables: Short Paper & Discussion Deadline
