MSIA678 - Risk Management: Syllabus

Instructor Information

Refer to Discussion Forum, Facilitator Introduction and Expectations

Course Title

MSIA678 - Risk Management

Course Description

Prepares students to evaluate an organization's exposure to information technology security threats using rigorous policy- and standards-based analysis of the existing policy directives and the derived threat matrix.

Course Overview

This course introduces the student to the fundamentals of Risk Management (RM), which is concerned with reducing the risk that threats pose to the enterprise. RM comprises a sequence of activities: risk identification, risk assessment, risk analysis, risk mitigation, risk transference, and risk acceptance strategies. It takes into consideration all sources of risk, including environmental, technological, human, organizational, and political factors. There will always be residual risk; the main objective of Risk Management, which this course examines, is to reduce that residual risk to a level acceptable to your organization. RM must address the protection of information systems against unauthorized access to, or modification of, information in processing, at rest, or in transit. RM must also provide adequate controls to protect against denial of service to authorized users or the provision of service to unauthorized users, including the measures necessary to detect, document, and counter such threats. This course will help students examine, learn, and apply effective Risk Management techniques and strategies.

Prerequisite Courses

You need to have a good understanding of networking fundamentals, technologies, and architectures.

Course Outcomes

Upon completion of this course, learners should be able to:

  1. Evaluate the risk posture of an enterprise using the Risk Management Framework (RMF).
  2. Incorporate current technical tools to design a comprehensive risk mitigation approach for an enterprise (including separation of duty, certification and accreditation, protection of personally identifiable information, change management, incident response, and disaster recovery).
  3. Apply the appropriate tools, processes, and policies to monitor enterprise activities.
  4. Collect and analyze data to audit an enterprise system.
  5. Practice ethical use of technology in the enterprise and critical thinking about how to affect such use.

Course Materials

Required Texts

Gregory, P. H. (2015). CISSP Guide to Security Essentials, 2nd Edition. ISBN-10: 1-285-06042-3, ISBN-13: 978-1-285-06042-2.

Whitman, M. E. & Mattord, H. J. (2017). Management of Information Security, 5th Edition. ISBN-10: 1-305-50125-X, ISBN-13: 978-1-305-50125-6.

Additional Required Readings

Coleman, K. (August 27, 2008). The key to data security: Separation of duty. Computerworld. Retrieved from http://www.computerworld.com/s/article/9113647/The_key_to_data_security_Separation_of_duties. [keywords: separation of duties, internal controls, SOX compliance]

International Organization for Standardization. Information technology - Security techniques - Guidelines on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1 (ISO/IEC DIS 27013). Geneva, Switzerland: ISO. Retrieved from http://www.iso27001security.com/html/27013.html.

Klosterboer, L. (2009). Implementing ITIL Change and Release Management. IBM Press. Upper Saddle River, New Jersey. Retrieved from http://pubs.opengroup.org/it4it/refarch20/front.html.

National Institute of Standards and Technology (NIST).

Required Resources

Refer to the Course Assignments and Activities, and each Topic’s Readings and Research section for a complete list for each Topic.

Your facilitator may assign additional readings.

Technology Tools

technical specifications

Pre-Assignment

Online Format: Sign on to WorldClass (D2L) and become familiar with the course navigation. Refer to the table below titled, “Course Assignments and Activities” for Topic 1.

Classroom-based Format: Read the following before the first night of class: NIST Special Publication 800-37 Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems

Pre-Assignment Due Dates

Classroom-based Format: Due the first night of class.

Online Format: The instructor will specify the due date for assignments.

Course Assignments and Activities

Assignments for Online Course

Each week lists its Readings followed by its Graded Assignments or Assessments.

Week 1: Authorization and Accreditation (A & A)
  Readings: Whitman & Mattord (2017), Chapters 1, 4, & 8; Gregory (2015), Chapter 1; NIST SP 800-37 Revision 1; Topic 1 Presentation
  Graded Assignments or Assessments: Introductions; Discussion Questions; A & A Document

Week 2: Personally Identifiable Information (PII)
  Readings: Whitman & Mattord (2017), Chapter 4; NIST Special Publication 800-122; Topic 2 Presentation
  Graded Assignments or Assessments: Key Terms; Discussion Questions; Research Paper – PII Incidents

Week 3: Continuous Monitoring
  Readings: Whitman & Mattord (2017), Chapter 6; NIST SP 800-37 Rev 1; Topic 3 Presentation
  Graded Assignments or Assessments: Key Terms; Discussion Questions; Develop a Continuous Monitoring Plan

Week 4: Incident Detection, Response, and Reporting
  Readings: NIST SP 800-61 Revision 1; Topic 4 Presentation
  Graded Assignments or Assessments: Discussion Questions; Discussion – Group Exercise; Incident Response Plan

Week 5: Change Management
  Readings: Gregory (2015), Chapter 7; Klosterboer (2009); NIST SP 800-128; NIST SP 800-37 Rev 1; Topic 5 Presentation
  Graded Assignments or Assessments: Key Terms; Discussion Questions; Mobile Device Management Change Initiative Plan

Week 6: Disaster Recovery, Business Continuity, and Contingency Planning
  Readings: Whitman & Mattord (2017), Chapter 10; Gregory (2015), Chapter 2; NIST SP 800-34 Revision 1; Topic 6 Presentation
  Graded Assignments or Assessments: Discussion Questions; Business Continuity/Disaster Recovery Facilitated Workshop

Week 7: Separation / Segregation of Duty (SOD)
  Readings: Gregory (2015), Chapter 2; Coleman (August 27, 2008); NIST SP 800-47; NIST SP 800-53 Rev. 4; NIST Interagency Report 7316; Topic 7 Presentation
  Graded Assignments or Assessments: Key Terms; Discussion Questions; Separation/Segregation of Duty Case Study

Week 8: Auditing and Accountability
  Readings: Whitman & Mattord (2017), Chapters 6 & 12; Gregory (2015), Chapter 6; ISO/IEC 27000; NIST SP 800-53 Rev. 4; Topic 8 Presentation
  Graded Assignments or Assessments: Discussion Questions; Audit and Accountability; Jesuit Values Reflection Discussion

TOTAL: 100%

Summary of Assignments and Percentage Weight:

Discussions (20% combined):
  • Discussion Questions
  • Discussion – Group Exercise
  • Jesuit Values Reflection Discussion

Written Assignments and Workshops (80% combined):
  1. A & A Document
  2. Research Paper – PII Incidents
  3. Develop a Continuous Monitoring Plan
  4. Incident Response Plan
  5. Mobile Device Management Change Initiative Plan
  6. Business Continuity/Disaster Recovery Facilitated Workshop
  7. Separation/Segregation of Duty Case Study
  8. Audit and Accountability

TOTAL: 100%

Course Policies and Procedures

Class Participation

Learners are expected to make every effort to attend all class meetings. Learners unable to attend the first class must contact the facilitator ahead of time. If the learner misses two or more class sessions or fails to thoughtfully participate in each online discussion, the learner may fail the class.

Email Communication

Email communication between facilitators and learners must be conducted using Regis email addresses or, in the case of online courses, the course mail system.

This is a master's-level course. At a minimum, 10 to 20 hours of course work outside the classroom is expected for learner success.

Assignments may be automatically submitted to www.turnitin.com to ensure compliance with Regis University's Academic Integrity Policy.

CCIS Policies

Review the CCIS Policies on the Regis University website.

OTHER INFORMATION

NOTE TO LEARNERS: On occasion, the course facilitator may, at his or her discretion, alter the Learning Activities shown in this Syllabus. The alteration of Learning Activities may not, in any way, change the Learner Outcomes or the grading scale for this course as contained in this syllabus. Circumstances that could justify alterations in Learning Activities include the number of learners in the course; compelling current events; special facilitator experience or expertise; or unanticipated disruptions to the class session schedule.