Archives

Papers

The East Stroudsburg University of Pennsylvania undergraduate Computer Security Program is offered as a model for colleges and universities who would like to incorporate information assurance education, and perhaps a new degree program, into their existing computer science programs. The lessons learned by the faculty involved in the ESU program will be illustrated.

A graduate-level course on security vulnerability assessments, including practical experience at commercial firms, has become a cornerstone of our Information Assurance curriculum. The hands-on nature of the course (designing, performing and experiencing an actual team-based security assessment) significantly deepens the level of understanding for students. Blending academic and training aspects yields a course with significant content and a unique opportunity-based delivery mechanism, while at the same time providing favorable exposure of the program to the community. The development of the course has been a journey through many challenges, most of which are resolved through adequate pre-class preparations. Feedback from students has shown the long-term value of a true comprehensive applied course.

This paper discusses the work at three collaborating institutions to develop, test, and disseminate educational materials on secure network protocols that can be used in both undergraduate and graduate studies. The materials will be developed in alignment with existing education/training standards in information assurance and security. In addition, the authors have created a set of requirements for development of the materials that enables their reuse by faculty at other institutions. This paper describes our methodology for creating reusable learning modules in secure protocols.

On 15 August 2004, DoD Directive 8570.1, Information Assurance Training, Certification, and Workforce Management, was issued, which required the training and education of the IA Workforce with the appropriate tracking and certification mechanisms. This is a massive task, and to date no clear guidance has been released directing how the military services should accomplish it. This document explains a methodology to approach this requirement that maps existing military courses with CNSS IA Standards and offers a process to allow seamless use of existing classes with web-based courses to fulfill the directive.

The formation of a new research and postgraduate education institute, the Information Security Institute (ISI), was proposed for the Queensland University of Technology in 2004. The ISI concept involves a collaborative research undertaking of the Faculty of Built Environment and Engineering (BEE), the Faculty of Business (BUS), the Faculty of Information Technology (IT), and the Faculty of Law (LAW). The formation of the ISI was put forward as the next logical step in consolidating the already acknowledged expertise that the university had developed in all aspects of information security over the past 16 years. The ISI has been established to pursue multi-disciplinary research in technology, legal, policy and governance issues related to all aspects of information security and assurance.

This paper applies the NIMSAD framework to the evaluation of IA education projects. The framework considers elements relating to the education process, the education practice, and the educators as project teams. It is proposed that the evaluation of the above elements takes place at a minimum of three time periods using the criteria of efficacy, efficiency and effectiveness. The framework recognizes the importance of the human element and provides a holistic process for evaluating IA education projects. The generic nature of the framework allows its adaptation to other curriculum development, IT and security-related projects and research.

The development of best practices and checklists to improve system security has popularized techniques and technologies for strengthening systems. These techniques provide a basis for teaching the importance of assumptions in computer and information security, and the necessity of questioning them. We present an example of analyzing a set of security guidelines to determine the underlying assumptions, and give examples of how to demonstrate the importance of the assumptions to the effectiveness of the guidelines.

In addition to managing the security of data assets, Information Technology (IT) has taken a significant role in managing the enforcement of corporate Acceptable Use Policies (AUPs). Human Resource departments rely on IT to monitor employee adherence to these policies. The ability of IT to monitor and investigate suspicious employee behavior and the direct violation of corporate AUPs represents an important element of managing information security. IT staff use some of the same computer forensic skills practiced by law enforcement, but investigations often require an extension of those skills to meet the unique nature of corporate surveillance and investigation.

The purpose of CyberCIEGE is to create an extensible Information Assurance (IA) teaching and learning laboratory. Through a scenario definition language, educators can create simulations to demonstrate specific IA concepts. In addition to rigorous scientific foundations, it involves the application of abstract principles to a virtual world. This hands-on virtual laboratory provides a dynamic and often surprising context where abstract principles can be applied.

Information Security courses such as Network Security and Database Security require that students test the concepts taught. In order to develop effective countermeasures, the students must first learn about the effects of attacks on networks. In a live network of an academic institution, it is impossible to provide such a facility for testing and development. A stand-alone Information Security Lab was envisioned for this purpose and was developed over the past two years.

 
 