This course examines security management, management tools, and physical and operations security in an organization's environment. Security management addresses identifying information assets and developing, documenting, and implementing policies, standards, procedures, and guidelines for asset protection. Management tools such as data classification and risk assessment/analysis help identify system vulnerabilities and select the controls to implement. Physical and operations security addresses control mechanisms and protection techniques for facilities, resources, and overall system operation.
- Understand the risk associated with securing the confidentiality, integrity, and availability (CIA) of electronic information systems. Understand how, in modern organizations, information is treated as a quantifiable, tangible, and competitive asset.
- Identify and explain the role of administrative controls that seek to protect the CIA of an information system. Identify and explain NIST-recognized policies, procedures, and guidelines that may be employed to protect the information system. Understand the legal intent of due care.
- Identify and explain the role of technical controls that seek to protect the CIA of an information system. Identify and explain the role of access control lists; intrusion detection systems and intrusion prevention systems; fault tolerance; operating system constraints and logging; password and encryption technologies; bastion hosts and demilitarized zones in network architecture; and firewall and proxy services.
- Identify and explain the role of physical controls that seek to protect the CIA of an information system. Identify and explain the role of biometrics, traditional environment controls, fire suppression systems used in industry, redundant physical sites, physical access controls, and monitoring devices.
- Reflect upon the need to classify and stratify data to determine the appropriate levels of protection to guarantee CIA. Understand NIST SP800-60 guidelines for evaluating data in an analytical framework of low, medium, high, and severe risk. Explain how administrative, technical, and physical controls are used to provide defense-in-depth information security strategies.
- Beyond the theoretical application and best practices of information security lies the motivation of the individual, whether a true criminal, a hacker, a cracker, a vendor, or an employee. Understand the psychology of people and explain how people are, in fact, the weakest line of defense in information systems security.