- Suggested Schedule: The following sample module plan is based on the offering of six to nine hours of lectures
with outside lab and homework time. To cover adequately each area in this
module, integrate the material into other business and information systems
- Planning..............................................0.5 hour
- Organizational Policies and Procedures...1.0 hour
- Ethics and Professionalism...................0.5 hour
- Personnel Security.............................0.5 hour
- Physical Security............................... 0.5 hour
- System Security................................ 0.5 to 1 hour
- Threats and Vulnerability.....................0.5 to 1 hour
- Data Security and Recovery.................0.5 to 1 hour
- Control and Audit...............................0.5 hour
- Costs and Benefits............................ 0.5 to 1 hour
- Homework and Lab Exercises: Following are examples of exercises to enhance the lecture material for this module:
- 1. Class/Paper exercises:
- Brainstorm and graph the flow of data in an organization then
identify sensitive resources;
- List organizational security mechanisms that might be used to control
the sensitive resources in (a).
- Take the position of the “bad guy” and justify the ethical
standpoint of “why you went wrong.”
- Identify corporate policies and procedures for dealing with sensitive
resources, and show how these policies and procedures might be communicated
to the appropriate personnel.
- Lab exercise - Visit the microcomputer lab and identify:
- What is GOOD about security. Why?
- What is POOR about security. Why?
Schou, C.D., Fites, P.E., & Burgess, J.D., “Corporate Security Management,” in Information
Security Modules, Department of Defense, 1989.
Consider this the capstone security module in this document. Emphasis is on the management
of a corporate level data security program.
Fites, Philip E., Martin P. J. Kratz, and Alan F. Brebner, Control and Security of Computer Information
Systems, W. H. Freeman/Computer Science Press, September. 1988.
A textbook intended to support college level courses in computer security for technicians
and accountants, or to serve as a reference for computer law courses. Contains
considerable detail on the material mentioned in this module. A useful
reference as well.
Computer Security Institute, Computer Security Handbook: Computer Security Institute, updated
This publication is a compilation of timely sensitivity related articles and
monographs. Chapter headings include Managing Security, Protecting the Data
Center Communication Security, Disaster Recovery Planning, and Auditing. A
good general reference of timely information.
The Computer Security Institute publishes The Computer Security Journal and a computer
security handbook. Computer Security Institute, 360 Church Street, North
Borough, MA. 01532, (508) 393-2600.
Johnson, Douglas W., Computer Ethics: A Guide for the New Age, The Brethren Press, 1984.
readable paperback book introduces critical issues, including: personal data,
decision-making and identifying, building and maintaining ethics in a
computer society. This book addresses the question of ethics in the indiscriminate
use of the personal computer. The concept of what ethics are is proposed and
suggestions are made for establishing a code for personal computer use.
Computer Professionals for
Social Responsibility, Inc., P.O. Box 717, Palo Alto, CA 94301, 415/322-3778.
CPSR is an
organization for computer professionals concerned about social issues. There
are active chapters around the world. They produce a newsletter.
Mandell, Steven L., Computer
Data Processing, and the Law, West Publishing Company, Minnesota, 1984.
This book has
been designed especially for the functional aspects of data processing
Davis, G. G., Software Protection, Practical and Legal Steps to Protect and Market Computer Programs,
Van Nostrand Reinhold, New York, 1985.
discussion of intellectual property rights, copyright, unresolved problems
with copyright, software warranties, export controls, and infringement
Richards, T., Schou, C.D. & Fites, P.E. “Information Systems Security Laws and Legislation,” in Information
Security Modules, Department of Defense, 1989.
al. review topics, timely laws and legislation about computer security as it
relates to the individual and the organization.
Institute For Certification
of Computer Professionals, 2200 E. Devon Avenue, Suite 268, Des Plaines, IL
organization administers professional certificate programs and is sponsored by
thirteen other professional organizations.
DATAPRO Research Corp., Data
Pro Reports on Information Security, 1988
This is a
collection of reports dealing with all aspect of information security. Reports
IS30-xxx-xxx are primarily concerned with the subject of microcomputer
DATAPRO Research Corp.
Delran, NJ 08075 (800) 328-2776
Spiro, Bruce E. &
Schou, Corey D., “System Security,” in Information Security Modules,
Department of Defense, 1988.
review of security issues and the integration of these details into an
organizational security program.
Walston, Claude, and Lisa
Hinman, Communications Security IDA Memorandum security breach dealing
with possible misappropriation of data, computer programs blueprints, plans,
laboratory notes or similar material.
Whiteside, T., Computer
Capers, Mentor, 1978.
of some early “tales of electronic thievery, embezzlement, and fraud” that
brought the problem of data security to our attention. These stories can be
used with reports of current problems, for example from The Wall Street
Journal or Fortune magazine.
Voydock, V. and Kent, S.,
“Security Mechanisms in High-Level Network Protocols,” ACM Computing
Surveys, Vol. 15, No. 2, June 1983, pp. 135-171.
cryptographic controls, and use of end-to-end encryption in networks.
Denning, D.E., Cryptography
and Data Security, Addison-Wesley, 1983.
is one of the principal textbooks in computer security. Good as a background
Burgess, J.D. & Watts,
R.T., “PC/Workstation Security,” in Information Security Modules,
Department of Defense, 1989.
gives an introduction to security problems that one may have when working with
a stand-alone PC or workstation (networked PCs or workstations are NOT
considered here). This material is useful, for a one-person business as well
as individual user who is part of a larger organization.
National Computer Security
Center, “A Guide to Understanding AUDIT in Trusted Systems”, NCSC-TG-001-87,
1987. Department of Defense, 9800 Savage Road, Fort George G. Meade, MD
described in this document provide a set of good practices related to the use
of auditing in automatic data processing systems used for processing
classified and other sensitive information.