Internet Technology

IT 666/Information Technology Management

3 Class Hours per Week

T. Peltier | Information Security Risk Analysis | Auerbach Publications | 2005 | ISBN: 0-8493-3346-6

S. Purser | A Practical Guide to Managing Information Security | Artech House | 2004 | ISBN: 1-58053-702-2

M. Whitman and H. Mattord | Management of Information Security | Thomson Course Technology | 2004 | ISBN-13: 978-0-619-21515-6; ISBN-10: 0-619-21515-1

Computer Magazines and Journals

Fall 2006

Dr. A. Joseph

Course Description: This course discusses information security from organizational and managerial perspectives. For an organization, information security is a continuous management process. Security technology alone cannot carry this process without attention to the security tradeoffs and the various policy issues embedded in it. This course will provide students with a background in managing information security in organizations. Topics include risk identification and assessment, security policy and planning, personnel and security, privacy, security auditing, and legal issues.

Dr. A. Joseph
163 Williams St., 2nd floor, Room 231
212 346 1492

Office Hours:
Wednesday (NYC): 1:15pm-6:15pm

Grading Policy

Final examination:
Mid-term examination:
25% (No make up)
10% (No late homework accepted.)
Class Participation
35% (A late project will be penalized 5 points per day for 5 days)
Extra credit assignment (Optional):
Note: Only for students who are otherwise fulfilling all of the other course requirements.
10% (Due week 12)

Final Grade Determination
Above 92%
90% -- 92%
85% -- 89%
80% -- 84%
75% -- 79%
70% -- 74%
65% -- 69%
Below 65%

Note: Grade is computed to the nearest whole number.

Rationale and Learning Objectives

Security technology alone is not enough to achieve information security in an organization. Security professionals need to be aware of the managerial tradeoffs and the various policy issues involved in utilizing security technology. The purpose of this course is to provide students with a background in such issues.

Students are expected to accomplish the following after they complete this course:

1. Understand information security management
2. Understand how to create and implement security policy
3. Understand how to create an organizational security program
4. Explain and understand how to implement security management models and practices
5. Identify and assess risk
6. Understand when to employ appropriate techniques and protection mechanisms in security management
7. Understand the relationship between personnel and security management
8. Understand law and ethics issues in security management.

Tentative Examination Schedule:

Course Section: IT 666 (CRN 72664)
Midterm Exam Date: October 18, 2006
Project Presentation & Submission Date: November 29, 2006
Final Exam Date: December 13, 2006

Note: In the interest of learning, it is very important to come to class prepared to learn – do all required assignments. Failure to do so could diminish your ability to get the most out of each lesson and the class. Remember that learning is action oriented.

Note: It is very important that you read and familiarize yourself with the CSIS Statement of Student Responsibilities (see attachment).

Risk management and frequently asked questions: The why, what, when and who of risk analysis and risk assessment; risk management as a business process; employee roles and responsibilities; information security life cycle; risk analysis process; risk assessment; cost-benefit analysis; and risk mitigation.
to be assigned

Risk assessment process: Risk assessment process; information as an asset; and risk assessment methodology.
to be assigned

Quantitative versus qualitative risk assessment: Quantitative and qualitative pros and cons; qualitative risk assessment basics; qualitative risk assessment using tables; the 30-minute risk assessment; vulnerability analysis; hazard impact analysis; questionnaires; and single time loss algorithm.
to be assigned

Management techniques: Knowledge and experience; security incident and vulnerability information; strategy and planning; policy and standards; processes and procedures; methods and frameworks; audits; contracts; and outsourcing.
to be assigned

Need for a proactive approach and a proactive approach overview: Reality of the modern enterprise; evolution of organizational structures; limitations of policy-driven decision making; education and awareness; operational issues; new challenges; The (not so) Secure Bank; decide on personal strategy; consolidation period; strategy planning cycle; and core deliverables.
to be assigned

Information security strategy: Need for strategy; planning; analysis of current situation; identification of business strategy and legal and regulatory requirements as well as requirements due to external trends; definition of target situation; definition and prioritization of strategy initiatives; distribution of draft strategy; and agreement and publication of final strategy.
to be assigned

Mid-term examination

Policy and standards: Documentation; policy; establishing a control framework; and standards.
to be assigned

Process design and implementation: Requirements for stable processes; process improvements; improving the authorization and access-control procedure of The Secure Bank; and continuous improvement.
to be assigned

Building an IT security architecture: Evolution of enterprise IT infrastructure; problems with system-focused approaches; and a three-phase approach: design; implementation; and administration and maintenance phases.
to be assigned

Creating a security-minded culture: Techniques for introducing cultural change; internal marketing sales; support and feedback; security awareness training; security skills training; and involvement initiatives.
to be assigned

Project presentation and submission: Projects presented to class and submitted.
to be assigned

Law and ethics: Legal environment; ethical concepts and differences therein; certifications and professional organizations; and organizational liability and need for counsel.
to be assigned

Final Examination.

Note 1: This course is structured around freely formed small collaborative teams in a cooperative learning environment. Students are encouraged to work together in their respective teams to form effective and productive teams that share the learning experience within the context of the course, help each other overcome learning difficulties, spend time to get to know each other, and spend time each week to discuss and help one another with the course work (content and assignments). Each team member is responsible for the completion and submission of each assignment. Each team member will be individually graded.

Note 2: During the first class session, student background information may be collected to get a sense of the diversity of the student population, educational background, and learning style. An assessment test may be given to determine students’ prerequisite knowledge of the subject.

Team project: Students in small teams of two to four persons will participate in a research project supported by a technical report. The research topic will be on an emerging area of interest to an organization or the research community. In this project, teams will conduct research to assist in the determination of the solution to the research problem. They will demonstrate their knowledge and understanding of how research is conducted and the significance of the problem solution. The project grade of individual students within a team will be based upon their personal involvement and level of participation in the project as determined by their teammates and the professor.

Web support: This course may be supported with most or all of the following Blackboard postings: lesson questions, lessons (MS PowerPoint), instructions and guidelines pertaining to the course, information security management related news, team and class discussion boards, correspondence about the course, homework solutions, examination grades, and miscellaneous course related information and activities.

Supplementary materials: Handouts in class or web postings of current events and issues affecting information security and risk analysis/assessment. Some books that may be helpful to the course will be posted on Blackboard.

In class activity and participation: Students are encouraged to bring to class articles on current newsworthy events in information security, risk analysis/assessment and management, and related news to share with the class. Students are welcome to inform the class on these events and their significance to information security management.

Students are strongly encouraged to download relevant posted lessons from Blackboard and review them. They are encouraged to ask questions about these lessons in class.

Effort may be made to present some lessons using the storytelling format, supported with subsequent discussion and elaboration on the central themes of the respective lessons.

The key elements of a story are the following: causality, conflict, complication, and character.

Collaborative teams are designed to function outside of the classroom. Collaborative team activities will be reinforced inside the class during the lessons. Teams are encouraged to function cohesively and to participate in all class activities.

The following excerpts about collaborative learning are from research documents:

· In the university environment, educational success and social adjustments depend primarily on the availability and effectiveness of developmental academic support systems.

· Most organized learning occurs in some kind of team; team characteristics and team processes significantly contribute to success or failure in the classroom and directly [affect] the quality and quantity of learning within the team.

· Team work invariably produces tensions that are normally absent, unnoticed, or suppressed in traditional classes. Students bring with them a variety of personality types, cognitive styles, expectations about their own role in the classroom and their relationship to the teacher, peers, and the subject matter of the course.

· Collaborative learning involves both management and decision-making skills to choose among competing needs. The problems encountered with collaboration have management, political, competence, and ethical dimensions.

· The two key underlying principles of the collaborative pedagogy are that active student involvement is a more powerful learning tool than passive attendance and that students working in teams can make for more effective learning than students acting alone. The favorable outcomes of collaborative learning include greater conceptual understanding, a heightened ability to apply concepts, and improved attendance. Moreover, students becoming responsible for their own learning is likely to increase their skills for coping with ambiguity, uncertainty, and continuous change, all of which are characteristics of contemporary organizations.

Who creates a new activity in the face of risk and uncertainty for the purpose of achieving success and growth by identifying opportunities and putting together the required resources to benefit from them?

Creativity is the ability to develop new ideas and to discover new ways of looking at problems and opportunities.

Innovation is the ability to apply creative solutions to those problems and opportunities to enhance or to enrich people’s lives.

Each team may be viewed as a small business that is seeking creative and innovative ways to maximize its product, academic outcome or average team grade. A satisfactory product is the break-even team average grade of 85%. Teams getting average grades above 85% are profitable enterprises.