Information Security and Auditing in the Digital Age
Welcome to the security book instructor corner. It suugests how this material can be, and has been, used in developing information security courses with a sample course outline and sample projects. You can also download powerpoint slides if you are an instructor.
This corner is still under construction. Additional materials will be posted as they become avaiable.
For additional details, please Contact us .
I teach a course on information security and auditing at the Fordham Graduate School of Business. The objective of the course is to give a broad overview of the subject matter and cover the building blocks of IS security in the modern digital enterprise. The topics discussed include:
I had a great deal of difficulty in finding good text materials for this type of course. There are numeous books that cover encryption and others that only cover one aspect (e.g., network security, computer security). I thought that the handbook edited by Tipton and Krause ("Information Security Management Handbook", Auerbach, 2000) would help but it was disappointing (badly organized, redundant and very old topics).
The closest I could find was the book "Surviving Security" by M. Andress (SAMS 2002) but it has almost no depth. Although I used Andress book as an overall text, I developed my own notes and assembled my notes into a possible text book. This book is an early version of the textbook (a more rigorous edition will appear in summer 2004). Any comments and suggestions are welcome.
What are your experiences? What have you found? Am I missing something? Is it a deathwish to teach an introductory course on IS security with a broad and recent coverage of topics before spending a lifetime on cryptography?
I am sure that other courses of this nature are being taught and I may end-up teaching this course again, I am looking for other experiences in this area. Specifically, I am looking for other materials, course outlines, references, suggestions, comments, whatever.
I will post the summary of responses on this site. Promise.
This book has been classroom tested in different university and industrial
courses in the past three years. These introductory courses were intended to
provide a broad understanding of the subject matter that exposed the students
to the managerial as well as technical aspects of security in the highly
distributed environments in the digital age. The current book format has been
largely influenced by the information security course that I taught in the
Information and Communications Systems (ICS) department at
The following course description outlines the course. I have taught variations of this course in the industry. The course can be easily modified for a more technical audience by adding one or two sessions on cryptographic techniques and by reducing/eliminating the management and audit/control topics.
Course: Information Security and Auditing
This course covers the technical as well as administrative aspects of security in modern digital enterprises from a total systems point of view instead of concentrating on one issue (e.g., network security, host security, data security, cryptography). The course starts with a comprehensive overview of security principles and practices that are needed to satisfy the IS systems integrity, confidentiality and availability requirements. The topics in this phase of the course include security awareness, security requirements, IS security and control practices, risk analysis, policies, and security management. A methodology for IS security is also introduced in this phase. The second part of the course covers the core security tools and techniques that are common to almost all security and audit practices. The topics in this phase of the course include: encryption based on symmetric/asymmetric techniques, authentication, access control, digital certificates, and digital signatures. Discussion also includes common security packages that combine these techniques into solutions such as PKI, PGP, SSL, and VPN. In the third phase, these techniques and methodology are used to build security solutions at an enterprise level. Topics in this phase cover Internet security, Web and Web Services security, XML security, application security, e-commerce security, wireless and mobile computing security, and other emerging cyber security issues. The course concludes with a discussion of information assurance in web environments, IT audit and control principles, and security audits needed for continued secure operations.
Course Objectives: Present a broad overview, with necessary details, of the following topics:
Umar, A., "Information Security and Audits in the Digital Age", NGE Solutions, Dec. 2003
Additional main sources of Information
Andress, M., "Surviving Security", SAMS Book, 2002 (recommended)
"Guide to Information Technology, Control, and Audit", Frederick Gallegos (Editor), Sandra Allen-Senft, Daniel P. Manson
Tipton, H. and Krause, M. editors, "Information Security Management Handbook", Auerbach, 2000
Additional sources and web links made available during the course
Two projects (200 Points)
One Examination- Take home (100 Points)
Total: 300 points
Straight percentile grade
U-Cn Umar, Chapter n
Phase 1: Introduction and EDP Audits
Session 1; Introduction to information security and audits (U-C1)
Session 2: : Security requirements, risk, and policies (U-C2)
Session 3: Security management and an overall methodology (U-C2,C3)
Phase 2: Security Principles and Technologies
Session 4: Cryptography techniques, symmetric/asymmetric encryption, digital signatures (U-C4)
Session 5: Authentication, authorization, accountability, availability, certificate management, non-repudiation, single sign-on (U-C5)
Session 6: Security packages (PKI, SSL, VPN, PGP, Kerberos) (U-C6)
Phase 3: Building Solutions to Secure IT Assets
Session 7; Review of IT assets, network security principles and firewalls (U-C7,C8)
Session 8; Internet security, VPNs/ IPSEC, Remote access security (U-C8)
Session 9: Wireless network security (U-C9)
Session 10: Web, Semantic Web, and XML security (U-C10)
Session 11: Distributed platform, Web Services, and .NET security (U-C11)
Session 12: Application security, e-commerce security, mobile application security (U-C12)
Session 13: Auditing and control, security audits (U-C13)
Session 14: Wrapup and Trends (U-C14)
Projects are crucial to the learning experience. In the security courses I have taught, I have generally used two team projects (teams of 2-3 members) that include a mixture of research, hands-on experiments, and architectural analysis. Here is a sample list. You can pick any two or combine some of these to build larger team projects )
When you click on the links below, you will get a zipped file in return with ckhapter slides for each Part of the book. You will need ID and PW to access theses slides.
If you are an instructor and want a free review copy of the material, please Contact us with university/college name, possible course title, etc. We will send you the passwords and IDs for the slides plus the text chapters.
Part1 Slides (ppt)
Part2 Slides (ppt)
Part3 Slides (ppt)
Part4 Slides (ppt)
Part5 Slides (ppt)