Academics

Master of Science in Information Security Management (MSISM)¹

CURRICULUM

Master of Science in Information Security Management (MSISM)
This degree program prepares students to be strategic and tactical contributors in the development, implementation and evaluation of enterprise level security programs. Specializations allow students to pursue a program of study which relates to their professional interests and goals.

Specializations:
  • Disaster Recovery and Continuity Planning (DRC)
  • Information Security Analysis (ISA)
  • Information Security Auditing (IAU)
  • Information Security Compliance (ISC)
  • Information Security Engineering (ISE)
Program Objectives:
  • To gain knowledge in a specialized field of study based upon theory, concepts and skills relevant to Information Security practitioners.
  • To apply critical thinking and problem-solving skills in the analysis of issues relevant to Information Security practitioners.
  • To utilize secondary research competencies in the analysis of issues relevant to Information Security practitioners.
  • To develop the necessary skills and perspectives to address a specialized area of Information Security management.
Learning Outcomes
Upon completion of this degree program, students will be able to:
  • Compile, analyze, and assess the applicability of best practices in addressing Information Security issues.
  • Evaluate the impact of business constraints and processes on the implementation of Information Security programs.
  • Integrate principles and techniques of risk analysis, project planning and change management in the development of Information Security strategies.
  • Utilize secondary research skills in the critical assessment and selection of information sources that are applicable and relevant to the development of approaches to Information Security challenges.
  • Demonstrate mastery of theory, concepts and skills in addressing specialized aspects of Information Security issues.


SEQ # COURSES, OBJECTIVES AND DELIVERABLES
1 IA7020 Information Security Systems and Organizational Awareness
  In this course, students utilize a subset of five of the ten domains of the (ISC)2 Common Body of Knowledge (CBK) in information security as a framework to critically analyze security awareness issues and to evaluate best practices in implementing security systems within the enterprise. (3 credits)

DELIVERABLES: Best Practice Analyses

COURSE OBJECTIVES:
  • To compare and contrast the mechanisms and procedures used by management to influence behavior, use, and content of an information system.
  • To propose best practices which utilize the means and methods of disguising information through cryptography in order to protect confidentiality and integrity.
  • To evaluate the impact of high level procedures, structures and standards used in defining, designing, and implementing information systems and technology.
  • To analyze structures, transmission methods, transport formats and security measures that enable confidentiality, integrity and availability in business communications.
  • To assess best practices used in establishing controls, within business applications, that support the security strategy of the enterprise.
2 IA7030 Legal and Ethical Practices in Information Security
  In this course, students utilize a subset of five of the ten domains of the (ISC)2 Common Body of Knowledge (CBK) in information security as a framework to critically analyze ethical decision-making and to evaluate the best practices employed in security operations planning and management. (3 credits)

DELIVERABLES: Best Practice Analyses

COURSE OBJECTIVES:
  • To assess associated security risks of various frameworks, policies, and structures of enterprise information assets.
  • To evaluate physical, procedural, and environmental risks associated with a business information technology infrastructure.
  • To recommend procedures and best practices required to preserve business in the face of major disruptions to normal operations.
  • To propose best practices for the protection and control of information technology resources.
  • To evaluate ethical investigative measures and techniques used to identify and retain evidence of security incidents within the constraints of general computer crime legislation and regulations.
3 RM6000 Effective Writing in Information Security Analysis
  In this course, students utilize secondary research to analyze a current best practice or process in one of the ten domains of Information Security. Students write and present a white paper providing a rationale for research to evaluate the effectiveness of that practice or process. (3 credits)

DELIVERABLE: A research white paper related to one of the ten domains.

COURSE OBJECTIVES:
  • To demonstrate effective written and oral communication skills.
  • To demonstrate knowledge of the secondary research process.
  • To develop a rationale for applied research in Information Security using literature review.
  • To demonstrate knowledge of APA requirements for format, source identification and citations in research writing.
4 IA7040 Information Security and Organizational Change
  In this course, students analyze the principles of change management as they apply to the requirements and regulations of information security. Students evaluate the factors which affect corporate decision-making when implementing security programs and the ability of the manager to translate corporate needs into information security projects. (3 credits)

DELIVERABLE: Change Management Plan

COURSE OBJECTIVES:
  • To analyze the factors influencing the need for change and the imperatives for managing information security change initiatives in the workplace.
  • To evaluate the need for a specific Information Security change initiative at the group and organizational level.
  • To evaluate how the proposed change aligns with corporate leadership goals and culture.
  • To develop a change strategy and identify potential resistance factors to be managed.
  • To apply appropriate models to implement a sustainable Information Security change initiative.
5 IA8010 Business and Security Risk Analysis
  This course provides students with an overview of risk management principles. Methods to identify, quantify, and qualify internal and external risks to the organization are examined. Students apply these principles and methods to the current business and risk environment. (3 credits)

DELIVERABLES: Case Study Analyses; Business Risk Assessment Report

COURSE OBJECTIVES:
  • To evaluate the role of business and technical risk analysis within the context of Information Security.
  • To identify and analyze prevalent threats and vulnerabilities facing businesses today.
  • To identify and analyze business and technical threats to an organization.
  • To analyze and evaluate Information Security methods used to address business threats and vulnerabilities.
  • To identify and evaluate the controls necessary to address business and technical threats.
6 PM8100 Information Security Project Management
  In this course, students utilize PMI's Project Management Body of Knowledge (PMBOK) as a framework to apply project management concepts in the information security arena. Each student develops a project plan for a security assessment which incorporates the technical and behavioral characteristics of high performance teams. (3 credits)

DELIVERABLES: Project Charter; Work Breakdown Schedule (WBS); Project Plan

COURSE OBJECTIVES:
  • To evaluate the role of project management in improving the success of information technology and information assurance projects.
  • To demonstrate and apply knowledge of key project management terms and techniques.
  • To gain experience in the use of project management methodologies and techniques.
  • To develop skills in creating project management documentation.
7 IA8250 Knowledge Management in Information Security
  In this course, students utilize secondary research competencies to identify and evaluate industry-relevant sources of information in the context of an emerging technology trend in information security. (3 credits)

DELIVERABLES: Source Analysis; Comparative Analysis of Sources

COURSE OBJECTIVES:
  • To differentiate and classify secondary research sources based on their salient characteristics.
  • To critically examine the validity and credibility of industry relevant information sources used in identifying an emerging technology trend in information security.
  • To evaluate and synthesize alternative information sources relating to an emerging technology trend in information security.
  • To critically analyze the applicability and relevance of specific information sources to an emerging technology trend.
8 RM9200 Strategic Analysis in Information Security
  In this integrative course, students assess the information security risk associated with an identified management problem. Students then develop a risk mitigation strategy which integrates principles and techniques of risk analysis, project planning, and change management. (3 credits)

DELIVERABLE: Strategic Risk Mitigation Plan

COURSE OBJECTIVES:
  • To assess the level of risk in an organization with respect to an identified Information Security management problem.
  • To formulate a strategy to mitigate the identified Information Security risk while limiting liability exposure.
  • To evaluate the defined strategy to ensure that it either reduces, mitigates, or transfers risk, or results in an acceptable residual risk.
  • To develop a project plan for implementing the chosen strategy that addresses resources, schedules, and organizational change management requirements.
9 Specialization Course
10 Specialization Course
11 Specialization Course
12 Specialization Course
Specialization: Disaster Recovery and Continuity Planning
9 IA8190 Security Forensics
  In this course, students explore the essentials of computer forensics and its contribution toward information assurance. (3 credits)

DELIVERABLES: Forensic Evaluations; Affidavit Critique

COURSE OBJECTIVES:
  • To demonstrate knowledge of the application of the rules of evidence to electronic security incidents.
  • To apply appropriate forensic tools in the extraction and analysis of electronic evidence.
  • To analyze security incidents in the identification of criminal actions.
  • To synthesize the results of forensic analysis for presentation in a legal environment.
10 IA8230 Legal and Ethical Management Issues in Information Security
  In this course, students explore issues with respect to the legal and regulatory environment of security and the challenges faced in developing and managing policy related to enterprise security. (3 credits)

DELIVERABLES: Regulatory Analysis; Research Paper

COURSE OBJECTIVES:
  • To analyze how legislation influences specific corporate or institutional environments.
  • To identify legal and ethical issues that arise within a given legal or regulatory environment.
  • To investigate best practices that address specific issues within a given legal or regulatory environment.
11 IA8140 Business Continuity Planning and Recovery
  In this course, students explore tools and strategies for Business Continuity Planning (BCP) and Disaster Recovery Planning (DRP) activities. Topics include business impact assessment methods, recovery strategy approaches and solutions, and continuity planning. (3 credits)

DELIVERABLES: Business Continuity Plan; Disaster Recovery Plan

COURSE OBJECTIVES:
  • To examine methods used in the identification of vulnerabilities and approaches taken to prevent and mitigate risks for an organization.
  • To demonstrate how to effectively address business and technical risks to the enterprise through appropriate business continuity planning and disaster recovery planning activities.
  • To gain experience in the use of standard and advanced tools, techniques and methodologies that support disaster recovery activities.
12 IA8120 Information Security Policy Planning and Analysis
  In this course, students develop information assurance policies and deployment plans as part of the comprehensive strategic plan and operational objectives of the enterprise. (3 credits)

DELIVERABLES: Enterprise Security Critique; Security Governance Report

COURSE OBJECTIVES:
  • To analyze how legislation mandates the need for policy.
  • To identify policy requirements within a given environment.
  • To develop a policy statement that meets the identified needs.
  • To formulate an implementation strategy for the policy.
Specialization: Information Security Analysis
9 IA8120 Information Assurance Policy Planning and Analysis
  In this course, students develop information assurance policies and deployment plans as part of the comprehensive strategic plan and operational objectives of the enterprise. (3 credits)

DELIVERABLES: Enterprise Security Critique; Security Governance Report

COURSE OBJECTIVES:
  • To analyze how legislation mandates the need for policy.
  • To identify policy requirements within a given environment.
  • To develop a policy statement that meets the identified needs.
  • To formulate an implementation strategy for the policy.
10 IA8020 Security Policies, Standards and Procedures
  In this course, students examine the role of security policies, standards and procedures in addressing business and technical risks and develop a security governance report to evaluate compliance across the enterprise. (3 credits)

DELIVERABLES: Enterprise Security Critique; Security Governance Report

COURSE OBJECTIVES:
  • To examine the role of security policies, standards and procedures in supporting information security and assurance across the enterprise.
  • To examine the management of security policy review and implementation projects.
  • To demonstrate how to effectively address business and technical risks to the enterprise through appropriate policies, standards and procedures.
  • To develop a security governance report to evaluate compliance across the enterprise.
11 IA8030 Design, Development and Evaluation of Security Controls
  In this course, students transform high-level policies and procedures into quantifiable and measurable controls and mechanisms that enforce data and process integrity, availability and confidentiality. (3 credits)

DELIVERABLES: General IT Controls Review; Application Controls Review

COURSE OBJECTIVES:
  • To analyze and evaluate the interrelationship between risk management objectives and the application of effective business and IT controls.
  • To identify, define and evaluate key business and IT processes, requirements and performance metrics used by management to monitor and control risk.
  • To identify, analyze and evaluate organizational, administrative, network, and application-specific controls and risk mitigation strategies to meet business and technical objectives.
  • To demonstrate knowledge of the management of business and IT controls assessment projects.
  • To transform high-level business and technical objectives into quantifiable and measurable controls and mechanisms which enforce data and process integrity, availability and confidentiality.
12 IA8040 Incident Response Management
  In this course, students identify and analyze the nature of security incidents, the source of potential threats and the methods used in incident management and mitigation. Students also evaluate technical and business issues which affect the actions of the enterprise in responding to a security incident. (3 credits)

DELIVERABLE: Incident Response Plan

COURSE OBJECTIVES:
  • To identify and analyze the nature of computer security incidents and the source of potential threats.
  • To demonstrate knowledge of a methodology for end-to-end incident management and mitigation.
  • To analyze and evaluate the technical issues associated with incident management such as network trace back and computer forensics.
  • To identify, analyze and evaluate the business and non-technical drivers associated with incident management such as legal issues.
  • To gain knowledge of resources available for utilization in the event of a security incident.
Specialization: Information Security Auditing
9 IA8050 Security Risk and Vulnerability Assessment
  This course provides students with an understanding of advanced techniques and tools for identifying and categorizing vulnerabilities that allow penetration of networked systems and environments. Students gain first-hand experience in the assessment of networked systems through extended virtual lab sessions. (3 credits)

DELIVERABLES: Security Vulnerability Assessments

COURSE OBJECTIVES:
  • To evaluate the role of basic networking and operating system functions in defining and qualifying security risks.
  • To demonstrate knowledge of network and system vulnerability assessment terms and techniques.
  • To utilize standard and advanced tools, techniques and methodologies that support the delivery of network and system vulnerability assessments.
  • To gain experience in the use of a repeatable methodology for performing detailed network and system vulnerability assessments.
  • To utilize a systematic approach to testing for vulnerability false-positives.
10 IA8190 Security Forensics
  In this course, students explore the essentials of computer forensics and its contribution toward information assurance. (3 credits)

DELIVERABLES: Forensic Evaluations; Affidavit Critique

COURSE OBJECTIVES:
  • To demonstrate knowledge of the application of the rules of evidence to electronic security incidents.
  • To apply appropriate forensic tools in the extraction and analysis of electronic evidence.
  • To analyze security incidents in the identification of criminal actions.
  • To synthesize the results of forensic analysis for presentation in a legal environment.
11 IA8030 Design, Development and Evaluation of Security Controls
  In this course, students transform high-level policies and procedures into quantifiable and measurable controls and mechanisms that enforce data and process integrity, availability and confidentiality. (3 credits)

DELIVERABLES: General IT Controls Review; Application Controls Review

COURSE OBJECTIVES:
  • To analyze and evaluate the interrelationship between risk management objectives and the application of effective business and IT controls.
  • To identify, define and evaluate key business and IT processes, requirements and performance metrics used by management to monitor and control risk.
  • To identify, analyze and evaluate organizational, administrative, network, and application-specific controls and risk mitigation strategies to meet business and technical objectives.
  • To demonstrate knowledge of the management of business and IT controls assessment projects.
  • To transform high-level business and technical objectives into quantifiable and measurable controls and mechanisms which enforce data and process integrity, availability and confidentiality.
12 IA8110 Certification and Accreditation
  In this course, students analyze an enterprise-wide view of information systems and the establishment of appropriate, cost-effective information protection programs. Within this context, students examine a set of standard policies, procedures, activities and a management structure to certify and accredit information systems for the protection of the data as well as the systems. (3 credits)

DELIVERABLES: C&A Plan; Accreditation Recommendation

COURSE OBJECTIVES:
  • To select a certification and accreditation methodology appropriate to an organization's compliance requirements.
  • To demonstrate knowledge of the components necessary to perform a certification assessment.
  • To develop a certification plan to meet an organization's compliance requirements.
  • To assess residual risk and produce an accreditation recommendation.
Specialization: Information Security Engineering
9² IA8050 Security Risk and Vulnerability Assessment
  This course provides students with an understanding of advanced techniques and tools for identifying and categorizing vulnerabilities that allow penetration of networked systems and environments. Students gain first-hand experience in the assessment of networked systems through extended virtual lab sessions. (3 credits)

DELIVERABLES: Security Vulnerability Assessments

COURSE OBJECTIVES:
  • To evaluate the role of basic networking and operating system functions in defining and qualifying security risks.
  • To gain knowledge of network and system vulnerability assessment terms and techniques.
  • To gain experience in the use of standard and advanced tools, techniques and methodologies that support the delivery of network and system vulnerability assessments.
  • To gain experience in the use of a repeatable methodology for performing detailed network and system vulnerability assessments.
  • To utilize a systematic approach to testing for vulnerability false-positives.
10 IA8060 Intrusion Detection, Attacks and Countermeasures
  In this course, students examine common attack methods, technologies and countermeasures. Students also gain skills needed to recognize various stages and methods of attack on the enterprise. (3 credits)

DELIVERABLES: Network Analysis Report; Intrusion Detection Report; Malware Analysis Report; Firewall Analysis Report

COURSE OBJECTIVES:
  • To analyze network traffic behavior to identify potential hostile activity.
  • To analyze intrusion detection software alerts and data to identify valid intrusion incidents.
  • To analyze malware to identify the effects of the malicious behavior on corporate assets.
  • To assess firewall rule sets and logs to determine validity and potential change requirements.
11 IA8070 Design and Development of Security Architectures
  In this course, students evaluate the principles, attributes and processes used in designing and deploying a comprehensive and resilient layered security architecture that supports the business and technical objectives of the enterprise. (3 credits)

DELIVERABLE: Business Security Plan

COURSE OBJECTIVES:
  • To identify and analyze the key business processes used within the enterprise and the technical implementations of those processes.
  • To identify, define and evaluate alternative security measures needed to facilitate the previously identified business processes.
  • To orchestrate the previously identified security measures into an effective, layered security architecture as part of the strategic information technology plan.
  • To document the design, deployment and implementation of the security architecture in a cohesive business security plan.
12 IA8080 Security Solution Implementation
  In this course, students compare, contrast and evaluate contemporary practices in the implementation of security solutions. (3 credits)

DELIVERABLE: Security Solution Implementation Plan

COURSE OBJECTIVES:
  • To identify implementation strategies utilized in addressing Information Security problem solutions.
  • To assess the requirements for each appropriate implementation strategy.
  • To compare and contrast the benefits and risks associated with alternative implementation strategies in relation to schedule, resources, budget, culture, and compliance requirements.
  • To formulate a recommended implementation approach and develop the supporting implementation plan documentation.
Specialization: Information Security Compliance
9² IA8120 Information Assurance Policy Planning and Analysis
  In this course, students develop information assurance policies and deployment plans as part of the comprehensive strategic plan and operational objectives of the enterprise. (3 credits)

DELIVERABLES: Enterprise Security Critique; Security Governance Report

COURSE OBJECTIVES:
  • To analyze how legislation mandates the need for policy.
  • To identify policy requirements within a given environment.
  • To develop a policy statement that meets the identified needs.
  • To formulate an implementation strategy for the policy.
10 IA8020 Security Policies, Standards and Procedures
  In this course, students examine the role of security policies, standards and procedures in addressing business and technical risks and develop a security governance report to evaluate compliance across the enterprise. (3 credits)

DELIVERABLES: Enterprise Security Critique; Security Governance Report

COURSE OBJECTIVES:
  • To examine the role of security policies, standards and procedures in supporting information security and assurance across the enterprise.
  • To examine the management of security policy review and implementation projects.
  • To demonstrate how to effectively address business and technical risks to the enterprise through appropriate policies, standards and procedures.
  • To develop a security governance report to evaluate compliance across the enterprise.
11 IA8030 Design, Development and Evaluation of Security Controls
  In this course, students transform high-level policies and procedures into quantifiable and measurable controls and mechanisms that enforce data and process integrity, availability and confidentiality. (3 credits)

DELIVERABLES: General IT Controls Review; Application Controls Review

COURSE OBJECTIVES:
  • To analyze and evaluate the interrelationship between risk management objectives and the application of effective business and IT controls.
  • To identify, define and evaluate key business and IT processes, requirements and performance metrics used by management to monitor and control risk.
  • To identify, analyze and evaluate organizational, administrative, network, and application-specific controls and risk mitigation strategies to meet business and technical objectives.
  • To demonstrate knowledge of the management of business and IT controls assessment projects.
  • To transform high-level business and technical objectives into quantifiable and measurable controls and mechanisms which enforce data and process integrity, availability and confidentiality.
12 IA8210 Risk Management and Compliance
  In this course, students evaluate the procedures and results of risk analysis, as well as the compliance processes that address the regulatory requirements which drive the need for risk analysis within the enterprise. Security-related regulations such as SOX, GLBA, FISMA and HIPAA are examined. (3 credits)

DELIVERABLES: Security Compliance Audit; Risk Mitigation Plan

COURSE OBJECTIVES:
  • To analyze security-related regulations and policies and formulate appropriate compliance requirements.
  • To assess the security posture of an organization and perform a compliance audit.
  • To analyze the risks associated with deficiencies identified in the compliance audit.
  • To develop a mitigation plan to achieve compliance.



¹ Students seeking the MSISM degree who do not hold a baccalaureate are required to complete a total of 48 semester credits to meet graduation requirements.
² Students interested in a more technical option may elect to take IA8050 in place of IA8120. Technical knowledge of the Unix or Linux Operating System is a prerequisite for IA8050.



 

 

 

 

 

  © University of Fairfax