Teaching Considerations

  1. SUGGESTED SCHEDULE: It should be recognized that this module is intended to be a brief treatment of a complex subject within another course. Time will be limited and presentations must be well thought out and effectively presented. Following is a suggested schedule for time spent on each area:

    1. Overview: 0.5 hours
    2. System Sensitivity: 1.0-1.5 hours
    3. Security Requirements: 2.0-3.0 hours
    4. Levels of Security: 1.0-1.5 hours
    5. Data Life Cycle: 1.0-1.5 hours

    TOTAL: 5.0-8.0 hours

    1. Identify the sensitive sections of a personnel system.
    2. Create an access control list that permits individual, group or unrestricted access to 10 or more applications and/or databases.
    3. Identify four levels of security and describe the possible differences in the authentication process for each of these levels.
    4. Review the life cycle of data and information in an organization. Write a policy statement for the destruction of ‘stale’ data.
    5. Write a statement of company policies for Access Control, Violations, or Password Management.

  4. CASE STUDIES: This module lends itself well to the use of case studies. These will clarify the various aspects of system security and lend realism to the subject. Suggested case studies involve two general areas:

    1. Systems that have a single sensitivity level. The single level system might be something like an Automatic Teller Machine (ATM) or an Electronic Funds Transfer (EFT) system. The ATM is characteristic of low value transactions where financial limits are balanced against ease of use. EFT systems, on the other hand, are high value operations where ease of use is sacrificed for the assurance of accurate identification and authentication.

    2. Those systems that involve a mixture of different levels. In the multi-level security area, a MIS containing a mixture of sensitive and non-sensitive data is a good example. In this system the use of increasingly complex identification and authentication as the sensitivity of data increases can be shown.

      Another area that can be addressed is the movement of some systems from a tightly controlled environment to a more open environment where effective, but friendly, access control must be extended to remote users, such as in customer oriented banking.
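As an added illustration for the access control exercise (an ACL with individual, group and unrestricted access across several applications) and for the multi-level MIS case study above, not taken from the original guide: a small Python model in which each application carries both an access control list and a sensitivity level, and a session is granted access only when an ACL entry matches and the session was authenticated strongly enough for that level. The applications, principals and the four-step authentication scale are constructed assumptions for the example.

```python
from dataclasses import dataclass
from enum import IntEnum

class Level(IntEnum):
    # Data sensitivity; the value doubles as the minimum authentication
    # strength a session must have reached before the data is released.
    PUBLIC = 0     # no authentication needed
    INTERNAL = 1   # password
    SENSITIVE = 2  # password plus one-time code
    CRITICAL = 3   # hardware token or in-person verification

@dataclass(frozen=True)
class Entry:
    kind: str            # "user", "group" or "any" (unrestricted access)
    name: str            # principal name; ignored when kind == "any"
    actions: frozenset   # e.g. {"read", "write"}

@dataclass(frozen=True)
class Resource:
    level: Level
    acl: tuple           # tuple of Entry

@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    auth_strength: int   # how strongly this session was authenticated

def permitted(subject: Subject, resource: Resource, action: str) -> bool:
    """Grant only if authentication suffices for the sensitivity level AND an ACL entry allows the action."""
    if subject.auth_strength < resource.level:
        return False            # I&A too weak for this data, whatever the ACL says
    for e in resource.acl:
        if action not in e.actions:
            continue
        if e.kind == "any":
            return True         # unrestricted access to this action
        if e.kind == "user" and e.name == subject.user:
            return True         # individual entry
        if e.kind == "group" and e.name in subject.groups:
            return True         # group entry
    return False                # default deny

# Constructed sample personnel system: unrestricted, group and individual entries.
SYSTEM = {
    "phone_directory": Resource(Level.PUBLIC, (Entry("any", "", frozenset({"read"})),)),
    "personnel_file": Resource(Level.SENSITIVE, (Entry("group", "hr", frozenset({"read"})),
                                                 Entry("user", "alice", frozenset({"read", "write"})))),
    "payroll_db": Resource(Level.CRITICAL, (Entry("group", "payroll", frozenset({"read", "write"})),)),
}
ALICE_PW = Subject("alice", frozenset({"hr"}), Level.INTERNAL)    # password only
ALICE_OTP = Subject("alice", frozenset({"hr"}), Level.SENSITIVE)  # password + OTP
BOB_TOKEN = Subject("bob", frozenset({"payroll"}), Level.CRITICAL)
```

The same subject can be refused and then admitted to the same record purely because of how the session was authenticated, which is the behaviour the multi-level case study is meant to show.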