Unit Outline: ITEC854
Semester 2, 2008
Convenor: Milton Baar
Prerequisites: It is strongly recommended that prospective students have an understanding of business decision making processes in either the public or private sector.
About This Unit
Information
Security and Risk Management
This course will provide students with a working knowledge of commercial information security governance requirements, tools and techniques. The course has a practical focus, with tutorial and lab work that will include aspects of physical security and hacking, information security architectures and the creation of a dummy company on which the tools and techniques will be developed and tested. The course will cover, in detail, ISO 27001, AS/NZS 4360, ISO 17799, HIPAA, Sarbanes-Oxley, PCI DSS and other information security standards, frameworks and legislative requirements. Students will participate in a hands-on process of identifying and evaluating information security risks, threats and mitigation strategies whilst operating within a tutorial-based set of companies. Other areas covered include application and operating system vulnerabilities, computer forensics and business continuity/disaster recovery.
This unit is related to ITEC851 Commercial Operating Systems Vulnerabilities and ITEC856 Operating Systems Programming. ITEC851 provides detailed content on the major commercial operating systems in use in large public and private sector organisations, as well as defence organisations; the focus is on how operating system design can contribute to the security, or lack of security, of commercial environments. ITEC856 provides deeper technical skills in Linux programming at the kernel level.
Teaching Staff
| Role | Name | Email |
|---|---|---|
| Convenor, Lecturer | Milton Baar | mbaar@ics.mq.edu.au |
All emails related to ITEC854 should be sent to ITEC854-admin@ics.mq.edu.au and must include your full name and your student id number.
Classes
Each week you should attend 2 hours of lectures and a two hour tutorial/practical. For details of days, times and rooms consult the timetables webpage.
Note that Tutorials commence in week 2 .
If you do not have a class, or if you wish to change one, you should see the enrolment operators in the E7B courtyard during the first two weeks of the semester. Thereafter you should go to the Student Centre.
Please note that you will be required to attend most of the tutorials and hand in prepared work as required. Failure to do so may result in you failing the unit or being excluded from the exam.
Required and Recommended Texts
Supplied through Blackboard
- ISO/IEC 17799:2005 Code of practice for information security management
- ISO/IEC 27001:2005 Information technology - Security techniques - Information security management systems - Requirements
- HB 171-2003 Guidelines for the management of IT evidence
- HB 231:2004 Information security risk management guidelines
- COBIT Security Baseline
- ISECOM Open-Source Security Testing Methodology Manual v2.1
Unit Web Page
The web page for this unit can be found at http://online.mq.edu.au/pub/ITEC854. Note that the majority of the unit materials are publicly available while some material requires you to log in to Blackboard to access it.
The unit will make use of discussion boards hosted within Blackboard. Please post questions there, they will be monitored by the staff on the unit.
Learning Outcomes
A student completing the unit should have:
- An introductory understanding of commercial risk related to information security;
- A detailed understanding of threats and vulnerabilities, mitigation strategies and commercially acceptable quantitative analysis methods;
- A detailed understanding of the common information security frameworks, standards and legislative requirements within Australia, the EU and the US;
- An understanding of how different commercial business requirements can affect a business's risk appetite;
- A high-level awareness of consultants and third parties, their use, care and maintenance; and
- Quantitative analysis skills to enable the creation of a certifiable Information Security Management System.
In addition to the discipline-based learning objectives, all academic programs at Macquarie seek to develop students' generic skills in a range of areas. One of the aims of this unit is that students develop their skills in the following:
- Critical analysis skills;
- Problem-solving skills; and
- Creative thinking skills.
Teaching and Learning Strategy
ITEC854 is taught via lectures and tutorials. Lectures are used to introduce new material, give examples of information security risks and architectures and mitigation strategies, and put them in the wider context of international standards. While lectures are largely one-to-many presentations, you are encouraged to ask questions of the lecturer to clarify anything you might not be sure of. Tutorials give you the opportunity to interact with your peers and with a tutor who has a sound knowledge of the subject. You will be given problems to solve each week prior to the tutorial; preparing solutions is important because it will allow you to discuss the problems effectively with your tutor and maximise the feedback you get on your work.
Each week you should:
- Attend lectures, take notes, ask questions.
- Attend your tutorial, seek feedback from your tutor on your work.
- Read appropriate sections of the text, add to your notes and prepare questions for your lecturer or tutor.
- Prepare answers to next week's tutorial questions.
- Work on any assignments that have been released.
Lecture notes will be made available each week but these notes are intended as an outline of the lecture only and are not a substitute for your own notes or the reading material supplied on Blackboard.
Topic List
| Week | Topic | Reading |
|---|---|---|
| 1 | Introduction, course outline, assignment and examination requirement overview, required reading and general background. Discussion of commercial IT environments and security principles | |
| 2 | Standards and Governance | |
| 3 | Risk Management Concepts | |
| 4 | Threat Workshop | |
| 5 | Controls Workshop | |
| 6 | Practical Hacking | |
| 7 | Practical Hacking – Server Hardening | |
| 8 | Evidence Collection | |
| 9 | Business Continuity Planning and DRP | |
| 10 | Creating an | |
| 11 | Is your EISF/ISMS certifiable? | |
| 12 | | |
| 13 | Exam review | |
Relationship Between Assessment and Learning Outcomes
- Improved problem-solving skills and an enhanced ability to think algorithmically: all assessment tasks involve problem solving and analysis, and some of the problems involve algorithmic solutions.
- An understanding of the importance of information security frameworks and international standards: these aspects are taken into account in the marking of the assignments, one quiz and the final exam.
- An understanding of technical and legal issues facing organisations when trying to implement information security: Statutory and forensic issues will feature in quizzes and in the final exam.
- An understanding of information risk as understood by commercial organisations: your understanding of information security risk will feature in assessments and the final exam.
| Task | Planned Date | Total Marks |
|---|---|---|
| In-class Quizzes (3) | Weeks 4, 8, 12 | 30% |
| Assignment 1: | Due Week 6 | 15% |
| Assignment 2: | Due Week 11 | 15% |
| Final Examination | TBA | 40% |
Your final grade will depend on your performance in each part separately. In particular:
- You must perform satisfactorily in the examination in order to pass this unit.
- You must submit a reasonable attempt to both assignments to pass this unit.
- You must submit a reasonable attempt to all quizzes to pass this unit.
All assignments should be handed in via the online Blackboard system at http://online.mq.edu.au/ by the time specified in the assignment description. Tutorial questions should be submitted via Blackboard before 9am on the Monday of each week.
All work submitted should be readable and well presented.
Late work will be accepted with a penalty of 10% of the marks for the assignment per day submitted late. Hence, an assignment submitted five days late will receive at most half the marks. If you cannot submit on time because of illness or other circumstances, please contact the lecturer before the due date.
Examinations
The university examination period in Second Half year 2008 is from November 24th to December 5th.
You are expected to present yourself for examination at the time and place designated in the University Examination Timetable. The timetable will be available in Draft form approximately eight weeks before the commencement of the examinations and in Final form approximately four weeks before the commencement of examinations.
You are advised that it is Macquarie University policy not to set early examinations for individuals or groups of students. All students are expected to ensure that they are available until the end of the teaching semester, that is, the final day of the official examination period.
The only exception to not sitting an examination at the designated time is because of documented illness or unavoidable disruption. In these circumstances you may wish to consider applying for Special Consideration. Information about unavoidable disruption and the special consideration process is available on the web (PDF).
If a Supplementary Examination is granted as a result of the Special Consideration process the examination will be scheduled after the conclusion of the official examination period. For details of the Special Consideration policy specific to the Department of Computing, see the Department's policy page.
Plagiarism
Please refer to the Department of Computing Plagiarism Policy for the definition of plagiarism, advice on avoiding it and the penalties in place if you are found to have submitted plagiarised work.
University Policy on Grading
Academic Senate has a set of guidelines on the distribution of grades across the range from fail to high distinction. Your final result will include one of these grades plus a standardised numerical grade (SNG).
On occasion your raw mark for a unit (i.e., the total of your marks for each assessment item) may not be the same as the SNG which you receive. Under the Senate guidelines, results may be scaled to ensure that there is a degree of comparability across the university, so that units with the same past performances of their students should achieve similar results.
It is important that you realise that the policy does not require that a minimum number of students are to be failed in any unit. In fact it does something like the opposite, in requiring examiners to explain their actions if more than 20% of students fail in a unit.
Student Support Services
Macquarie University provides a range of Academic Student Support Services. Details of these services can be accessed at http://www.student.mq.edu.au.
Staff-Student Liaison Committee
The Department has established a Staff-Student Liaison Committee at each level to provide all students studying a Computing unit the opportunity to discuss related issues or problems with both students and staff.
For each meeting, an agenda is issued and minutes are taken. These are posted on the web at:
Details of the regular meeting dates will be posted on the unit home page. Anyone with an interest in Computing units may attend. This includes staff involved in the teaching and administration of the units, and all students currently taking a Computing unit at that level. There are formal Liaison Committee representatives for each unit who attend to present the views of the student body; all students are welcome and are encouraged to attend.
The meetings are usually held in the Department of Computing Meeting Room, E6A357.
To forward agenda items or get in touch with your representative, send an email to ITEC854liaison@ics.mq.edu.au.
If you have exhausted all other avenues, then you should consult the Director of Teaching (Dr Steve Cassidy) or the Head of Department (Assoc. Prof. Tony Sloane). You are entitled to have your concerns raised, discussed and resolved.