Module 3 - Security Fundamentals

Module three (Security Fundamentals) is introductory in nature and provides basic security concepts for undergraduate general business majors and specialized Information Systems Majors.

This module outlines and describes the basic requirements for planning, organizing, and managing security in an organization. Topics include personal and organizational ethics; hardware and software issues; security and threats to data; recovery, control, and audit procedures; and corporate security costs and benefits identification. A bibliography and selected case studies are provided and may be used at the discretion of the instructor to expand any of these topics. This module might be included as part of a Junior level management information systems course or integrated as part of other business courses.

Objectives:

The objective of this module is to take the business and information systems major beyond the basic information protection principles and deal with security fundamentals that lay the foundation for specialized advanced study in systems security. Upon successful completion of this module, the student will understand the underlying fundamentals of information security and will be prepared for other course material in the areas of security laws and legislation, communications, advanced systems security, and corporate security management.

Learning Objectives

Upon completion of this module, the student should be able to:

  • Understand the need for security in an organization and identify sensitive resources
  • Recognize organizational security mechanisms and basic goals, and recognize the need for communicating policies and procedures within the organization
  • Understand ethical issues involved with the use of information systems
  • Identify societies and organizations essential to professional development
  • Identify procedures associated with establishing a personnel security program
  • Identify procedures associated with establishing a physical security program
  • Recognize significant security areas other than those covered explicitly in this module
  • Define threat, vulnerability, and control in an organization
  • Recognize procedures necessary for data security and recovery
  • Identify the components of an audit trail
  • Identify the costs and benefits associated with secure systems.

Prerequisite:

Introduction to Information Protection and PC/Workstation Security

Completion of the first two modules would be useful. Some basic knowledge about computer information systems and basic business courses is desirable. The student should have some computer laboratory experience.

Topic Outline: Security Fundamentals

  1. Planning

    1. Security As Part Of The Total Organization
    2. Understanding The Organization
    3. Identifying Sensitive Data
    4. Controlled Sharing Of Information And Resources
    5. Specific Needs:
      1. Confidentiality
      2. Integrity
      3. Availability
    6. Analysis & Design
  2. Organizational Policies & Procedures

    1. Scope Of Security Mechanisms
      1. Administrative
      2. Procedural
      3. Physical
      4. Operational
      5. Technical
    2. Basic Goals
      1. Prevention
      2. Deterrence
      3. Containment
      4. Detection
      5. Recovery
    3. Written Management Policies & Procedures
    4. Documentation
      1. Manuals
  3. Ethics And Professionalism

    1. Ethics
      1. Responsible Decision-Making
      2. Confidentiality & Privacy
      3. Piracy
      4. Fraud & Misuse
      5. Liability
      6. Copyright
      7. Trade Secrets
      8. Sabotage
    2. Laws And Legislation
    3. Professionalism
      1. National Computer Security Center
      2. National Computer Security Conference
      3. National Bureau Of Standards
      4. The Computer Security Institute
      5. Computer Professionals For Social Responsibility Newsletter
      6. Data Processing Management Association
      7. Security Management Magazine
      8. Licensing And Certification
  4. Personnel Security

    1. Personnel Policies
      1. Hiring Practices
      2. Training
      3. Access Rights And Privileges
      4. Rules For Granting And Revoking Privileges
      5. Separation Of Privileges And Roles
      6. Adverse Actions
      7. Termination Practices
  5. Physical Security

    1. Location
      1. Access Versus Security
      2. Rooms, Doors, Windows, Keys
    2. Environment
      1. Radio Frequency Interference [RFI]
      2. Cooling
      3. Cabling
      4. Power
  6. System Security

    1. PC & Workstations
    2. Database
    3. Networks And Communications
    4. Operating Systems
    5. Application Software
    6. Systems Security
    7. Systems Architecture
    8. Audit And Control
    9. Corporate Security Management
  7. Threats And Vulnerability

    1. Natural Disasters
      1. Fire
      2. Flood
      3. Brown-Outs
      4. Lightning
    2. Accidental
      1. Disclosure Of Data
      2. Modification/Destruction Of Data
      3. Faulty Software
      4. Residual Data
      5. Wrong Parameters
    3. Malicious
      1. Trap Doors
      2. Trojan Horse
      3. Tampering
      4. Snooping Or Browsing
      5. Intentional Disclosure Of Data
      6. Viruses
    4. Locus Of Attack
      1. Terminals
      2. Hosts
      3. Front-Ends
      4. Gateways
      5. Links
      6. Packet-Switches
      7. PC/Workstations
  8. Data Security And Recovery

    1. Floppy Diskettes
    2. Hard Disks
    3. Back-Up
    4. Recovery Principles
    5. Utilities
    6. Security Training
      1. User Training
      2. User Help
    7. Encryption
  9. Control And Audit

    1. Logon Authentication
    2. Access Control
    3. Audit
      1. Event Classes
      2. Audit Selectivity
      3. Management Of Audit Trails
    4. Relationship Between Operations, Management & Audit
    5. Costs And Benefits
      1. Accessibility Versus Secrecy
      2. Costs Of Security Measures
        1. Money & Time For Development, Installation, Procurement, Maintenance
        2. Special Skills
        3. Performance
        4. Productivity
        5. Training Time
        6. Compatibility - Of Equipment, Procedures...
      3. Benefits
        1. Precise Definition Of Requirements
        2. Value Of Information
        3. Peace Of Mind
        4. Productivity
        5. Protection From Legal Liability
        6. Protection From Loss Of Assets/Company
        7. Good-Will
        8. Privacy
          1. Individual
          2. Corporate
          3. Governmental