Computer Science (COMP) 660

Enterprise Information Security (Revision 2)

COMP 660 Course website

Delivery Mode: Grouped Study Online

Credits: 3

Area of Study: IS Elective

Prerequisite: 604

Faculty: Faculty of Science and Technology

Centre: School of Computing and Information Systems

Instructor: Dr. Hongxue (Harris) Wang

**Note:** This is a graduate level course, and students need to apply and be approved to one of the graduate programs, or as a non-program graduate student of the School of Computing and Information Systems, in order to take this course. Minimum Admission Requirements must be met. Undergraduate students who do not meet the admission requirements will not normally be permitted to take this course. http://scis.athabascau.ca/

Overview

In this course, students will study various security issues associated with the development and deployment of information systems, including Internet-based e-commerce, e-business, and e-service systems, as well as the technologies required to develop secure information systems for enterprises. Students will also learn about the policies and regulations essential to the security of enterprise information systems.

Course Objectives

The objectives of the course are:

  • to explain various security issues associated with the development and deployment of information systems, including Internet-based e-commerce, e-business, and e-service systems;
  • to teach essential technologies, such as algorithms and protocols for encryption/decryption, authentication, and key management, required in developing secure information systems for enterprises;
  • to familiarize students with the tools, policies, and regulations that are necessary for ensuring the security of enterprise information systems.

Learning Outcomes

After successfully completing this course, students should be able to

  • analyze the security risks of a specific information system,
  • set up appropriate security goals for the system, and
  • implement appropriate security technologies in a network environment or information system to achieve the set security goals and eliminate the identified security risks.

Outline

Unit 1: Introduction to Enterprise Information Security

  • This unit provides an overview of general security concepts, terminologies, issues, and some technical background such as computer networks and security models. After this unit, students should understand the concept of information security and the information security risks an enterprise may face, and be able to explain important concepts and terminologies related to enterprise information security.

Unit 2: Cryptography and Cryptology

  • Cryptography is about encryption and decryption. It sits at the centre of information security, and can be used for different purposes. In this unit, students will study both symmetric and asymmetric cryptography, including public key cryptography, data encryption standard (DES), international data encryption algorithm (IDEA), advanced encryption standard (AES), as well as algorithms for hashes and message digests. The focus will be on both the principles and the mechanisms of operation. After this unit, students should be able to describe the principles and features of some classical and modern cryptographic systems and algorithms. Students should also be able to choose the correct cryptographic scheme when needed.

Unit 3: Authentication and Access Control

  • Information security means protecting information resources from unauthorized access while keeping them available to authorized users. To achieve this essential goal of information security, we must first authenticate users, and then authorize their rights of access to specific resources. In this unit, students will learn the meaning of authentication, how various authentication schemes work, and how access to information resources can be controlled in various access control models. After this unit, students should be able to explain how various authentication schemes work, as well as their strengths and weaknesses. Students should also be able to choose an appropriate authentication scheme for a given application.

Unit 4: Security Standards, Protocols and Systems

  • In a networked environment (like the Internet), certain security goals can only be achieved through the collaboration of clients and servers. These computers collaborate by following certain standards and protocols, with the assistance of security systems. In this unit, students will learn about some well-known security systems, standards, and protocols: the Kerberos protocol; public key infrastructure (PKI); and security protocols for different network layers, particularly secure IP protocol (IPSec), Secure Socket Layer (SSL), and transport layer security (TLS). Protocols specially designed for e-commerce will also be covered, as will firewalls and VPNs that can be used to achieve certain security goals. After this unit, you should be able to describe some well-known security standards, explain how some well-known security protocols and systems work and how they are used, and interpret new security protocols when you encounter them.

Unit 5: Systems Security

  • Today’s enterprises are heavily dependent on many types of computer-based systems, which store or transmit their information assets. The security of such systems is essential and critical to enterprises. In this unit, students will study the security issues and the technological requirements of systems commonly deployed and used by enterprises. After this unit, students should be able to explain the principle of firewalls. Students should also be able to describe the main security features of some well-known systems, as well as their weaknesses.

Unit 6: Information Security Management

  • Securing the information assets of an enterprise can be very technical and costly; however, even with all the technologies, systems, and personnel in place, the security of an enterprise’s information assets cannot be guaranteed if the technologies and systems are not used properly, or if the personnel are poorly trained. In this unit, students will study various management issues, technologies, and systems related to information security management in enterprises.

Evaluation

To receive credit for COMP 660 toward the Master of Science in Information Systems Program, you must achieve a cumulative course grade of at least C+ (66 percent), including an average grade of 60 percent on the assignments, and achieve a grade of at least 60 percent on the Final Examination.

To receive credit for COMP 660 toward the Post-Baccalaureate Certificate in Information Security Program, you must achieve a cumulative course grade of at least B- (70 percent), including an average grade of 60 percent on the assignments, and achieve a grade of at least 60 percent on the Final Examination.

To receive credit for COMP 660 as a non-program student, you must achieve a cumulative course grade of at least C+ (66 percent), including an average grade of 60 percent for each required learning outcome it is intended to address.

The weighting of the composite grade is as follows:

| Assessment         | Weight | Units covered |
|--------------------|--------|---------------|
| TME 1              | 20%    | Units 1–2     |
| TME 2              | 20%    | Units 3–4     |
| TME 3              | 20%    | Units 5–6     |
| Online discussion  | 10%    |               |
| Final Examination  | 30%    |               |
| Total              | 100%   |               |

Course Materials

Textbook

No textbook is specified; students will be required to find articles and other documents related to the topics covered in each unit from various sources, such as the IEEE and ACM digital libraries. If you are completely new to the subject, you are encouraged to get a copy of a university textbook that has good coverage of the general topics and standard technologies related to information security. Some of these textbooks are listed under References below.

Other Materials

The following materials will be distributed online as part of the course:

  1. Study Guide
  2. Study Plan
  3. Detailed descriptions of the requirements for the individual tutor-marked assignments, which will be available on the course Web page
  4. Other materials, distributed through the course conference when necessary
  5. A course evaluation form

References

  1. Stallings, W. (2011). Cryptography and network security: Principles and practice (5th ed.). Upper Saddle River, NJ: Prentice Hall. ISBN-10: 0136097049, ISBN-13: 9780136097044.
  2. Kaufman, C., Perlman, R., & Speciner, M. (2002). Network security: Private communication in a public world (2nd ed.). Upper Saddle River, NJ: Prentice Hall. ISBN-10: 0130460192, ISBN-13: 9780130460196.
  3. Pfleeger, C. P., & Pfleeger, S. L. (2007). Security in computing (4th ed.). Upper Saddle River, NJ: Prentice Hall. ISBN-10: 0132390779, ISBN-13: 9780132390774.
  4. Merkow, M., & Breithaupt, J. (2005). Information security: Principles and practices. Upper Saddle River, NJ: Prentice Hall. ISBN-10: 0131547291, ISBN-13: 9780131547292.
  5. Stallings, W., & Brown, L. (2008). Computer security: Principles and practice. Upper Saddle River, NJ: Prentice Hall. ISBN-10: 0136004245, ISBN-13: 9780136004240.
  6. Microsoft Corporation. (2010). Microsoft security: The latest in computer security. Retrieved from http://www.microsoft.com/security/
  7. Cisco Systems. (2010). Security intelligence operations. Retrieved from http://www.cisco.com/security/center/home.x
  8. National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division, Computer Security Resource Center. (2010). Secure hashing. Retrieved from http://csrc.nist.gov/CryptoToolkit/tkhash.html
  9. National Institute of Standards and Technology, Information Technology Laboratory, Computer Security Division, Computer Security Resource Center. (2009). Password usage and generation. Retrieved from http://csrc.nist.gov/CryptoToolkit/tkpassword.html
  10. RSA Laboratories. (2000). RSA Laboratories' frequently asked questions about today's cryptography (Version 4.1). Retrieved from the RSA Security Inc. Web site: http://www.rsa.com/rsalabs/node.asp?id=2152
  11. Stein, L. D., & Stewart, J. N. (2002, February 4). The World Wide Web security FAQ (Version 3.1.2). Retrieved from the W3C Web site: http://www.w3.org/Security/faq/
  12. Carnegie Mellon, Software Engineering Institute. (2010). CERT. Retrieved from http://www.cert.org/

Course Workload

The estimated weekly workload of a student comprises approximately:

  • 7 hours readings per week;
  • 5 hours synthesis/exercises per week.

The above numbers represent averages only. The actual workload for each individual depends on that individual's background knowledge and skills in mathematics, computer networks, and computing in general.

The time required to complete the 4 assignments is not included in these 12 hours per week, although half of each assignment may be done while reading through the course materials. Each assignment may further require an additional 8 hours of work, for a total of 24 extra hours.

Software Tools

No particular software is required for this course; however, some general system development tools, such as the JDK and GNU C++, that are publicly available may be needed for certain assignment questions.

Special Course Features

Delivery Platform

The basic delivery model for this course is Internet home study. The AU-produced textual and graphical material will be supplemented by the use of application software for some content, exercises, and assignments.

Computer and Data Communications Resource Requirements

Students must provide their own Internet access.

Special Note

Students registered in this course will NOT be allowed to take an extension due to the nature of the course activities.

Athabasca University reserves the right to amend course outlines occasionally and without notice. Courses offered by other delivery methods may vary from their individualized-study counterparts.

Opened in Revision 2, July 8, 2010.

Updated July 15, 2016, by Student & Academic Services