IV. AREAS OF INFORMATION SYSTEMS SECURITY STUDY
Students may be introduced to several major areas of study. Each area listed in the topic outline is elaborated on as a separate module in this document. The purpose of this introductory module is to help students recognize some security problems inherent with each of the major areas of study and to encourage them to learn more about information security throughout their undergraduate program.
A. PC/Workstation Security
Students are introduced to basic ethical issues associated with using PC’s, environmental and physical considerations for security, data integrity, and security training concepts. The PC/Workstation module may be used before, concurrently, or immediately following the “Introduction To Information Protection” module.
B. Security Fundamentals
The Security Fundamentals module, following the “Introduction To Information Protection” and “PC/Workstation” modules, lays the foundation for a specialized advanced study about systems security that is covered in subsequent modules. An important aspect of this module is its emphasis on understanding the need for data security within an organization and the integration of a security program as part of the basic corporate goals, policies, and procedures. Personal and corporate ethical issues are discussed.
C. Information Security Laws and Legislation
This topic should start with a discussion of underlying problems, such as information theft, privacy, and fraud, and leads to the security laws and legislation that continue to evolve. Students review state and federal legislation and contracts associated with information security and crime. An important objective is for students to have a “general working understanding of the inter-relationship between various areas of law and security system design.”
D. System Security
This module primarily addresses mainframe security considerations and goes into great detail about:
- System criticality, or the effect upon the organization if the system were to become unavailable
- System sensitivity, and the extent to which it is important to protect the system and
- Security policy, accountability, and assurance.
E. Communications Security
A basic understanding of networking, communications, and connectivity is helpful when dealing with communications security. The objective of this module is to investigate data protection in data communications systems and networks from a management perspective. This area of study is vital because of the increasing connectivity between PCs, workstations, minicomputers, and mainframe computers, whether within a room, building, or around the world. As the integration of hardware continues, the threat to data and information assets and resources grows rapidly. A description of protection mechanisms and countermeasures to these threats is included, plus cost/benefit tradeoffs are considered.
F. Corporate Security Management
This is the capstone module in this series of undergraduate teaching modules about information security. The focus is upon the need for a corporate security program and the responsibilities of managers at different levels within the organization. Risk analysis and contingency planning are discussed. A primary objective is the development of a corporate security management plan.