DSCI 519: Foundations and policy for information security

Course Description 

Security policy has been defined as the set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information. The policy lays out the business case for information protection and is the basis for all protection measures. Ultimately, the protection implementation must be traceable to the policy, and the policy must be traceable to the implementation. If such traceability fails, usually something breaks: either the information is not adequately protected or the implemented system contains superfluous components.

The course examines information policies in various contexts, including business, government and technology implementation with an eye to detecting errors, flaws and omissions. 

The course focuses on fundamental theory and practice for engineering and operating secure information systems. It addresses challenges of policy formulation, verifiably secure operating system components and secure applications. 

Learning Objectives 

After successfully completing this course, the students will be able to: 

  • Understand that a security policy is effectively a definition of security for a computer system 
  • Understand the need for and the development process of information security policies 
  • Understand the root causes of security vulnerabilities and why current best practices and add-on security products fail
  • Understand foundational concepts with focus on hard science that goes beyond the search for vulnerabilities in deployed systems and the development of defenses for specific attacks 
  • Identify key cybersecurity policy frameworks 
  • Develop an enforceable security policy for an organization 
  • Critique a security policy for its effectiveness and completeness 

Recommended Preparation 

It is recommended that students have some background in computer security, or a strong willingness to learn. Recommended previous courses of study include computer science, electrical engineering, computer engineering, management information systems, and/or mathematics. Students should have a solid background in operating systems, computer architecture, digital networking, elementary/introductory abstract algebra, and theory of computation/non-computability.

Course Resources 

Piazza will be used for lectures, announcements, assignments, and intra-class communication.

DEN D2L will be used for:

• posting of grades 

• homework submission 

• quiz submission 

• exam submission 

Technological Proficiency and Hardware/Software Required 

Students must provide their own laptop. The laptop specifications take into consideration that students will be creating, streaming, and downloading audio and video, communicating using video-conferencing applications, and creating and storing large multimedia files. 

Methods of Teaching 

The primary teaching method will be lectures, discussion, case studies, and possibly guest speakers and demonstrations. Students are expected to perform directed self-learning outside of class, which encompasses, among other things, a considerable amount of literature review. In addition, students will partake in oral presentations based on homework and assigned literature readings.

Hours of Instruction 

Once weekly for 200 minutes including two 10-minute breaks. 

Semester Project 

The semester project gives each student the opportunity to apply the concepts from the course in a similar manner as they would in “the real world”. 

Grading Breakdown 

Artifact | Weight
Quizzes | 15%
Midterm | 20%
Final Exam | 20%
HW Assignments | 35%
Project | 15%
Class Participation | 10%

Grading Timeline 

None of the items in this class are auto graded. Assignments and the exams will typically be graded within 7 days of the due date. Final project deliverables will typically be graded within 5 days of the due date. The class participation grades will typically be graded within 3 days after the end of classes. 

Course Homework Submission

Homework is submitted in electronic form via DEN.

Examination 

Both the midterm and the final exam will be two-hour written tests administered via the USC DEN. The exam format will be a combination of short answers and essays.

Final exam date and time: refer to the final exam schedule in the USC Schedule of Classes at classes.usc.edu. 

The exams can only be taken on the scheduled date and at the scheduled starting time. Accommodations for students with letters from DSP will be provided, though the exam will still need to be taken on the scheduled date and start time. There are no makeup exams. If you miss an exam due to a documented illness or an emergency, official written documentation will need to be submitted to the instructor as soon as possible. Approval will be based on the instructor’s discretion.

Assignment Submission Policy 

Assignments and the semester project will be submitted electronically via D2L. Assignments will be accepted after the deadline with the following grade penalties, which are cumulative at 10% times the number of days late:

• 1 day late: lose 10%

• 2 days late: lose 30% (10% + 20%)

• 3 days late: lose 60% (30% + 30%)

• Greater than 4 days late: not accepted

No personal emergencies will be entertained (with the exception of the USC granted emergencies, in which case official documents need to be shown). 

Diversity, Equity, and Inclusion (DEI) Statement 

Our classroom is a place to expand our knowledge and experiences safely, while being respected and valued. We proactively strive to construct a safe and inclusive learning environment by respecting each other’s dignity and privacy. We treat one another fairly and honor each member’s experiences, beliefs, perspectives, abilities, and backgrounds, regardless of race, religion, language, immigration status, sexual orientation, gender identification, ability status, socio-economic status, national identity, or any other identity markers. 

Disruptive or insulting remarks, gender or racial slurs, or other forms of bullying, intimidation or hate speech and other disrespectful language or behavior will not be tolerated. We welcome your thoughts on how we can improve our learning environment. 

Additional Policies 

Class notes policy: Notes or recordings made by students based on a university class or lecture may only be made for purposes of individual or group study, or for other noncommercial purposes that reasonably arise from the student’s membership in the class or attendance at the university. This restriction also applies to any information distributed, disseminated, or in any way displayed for use in relationship to the class, whether obtained in class, via e-mail or otherwise on the Internet, or via any other medium. Actions in violation of this policy constitute a violation of the Student Conduct Code and may subject an individual or entity to university discipline and/or legal proceedings. Again, it is a violation of USC’s Academic Integrity Policies to share course materials with others without permission from the instructor. 

Class Participation 

Students are expected to actively participate in this course. Participation includes: 

• Careful reading and viewing of assigned materials by the date due 

• Regular, substantive contributions to discussions and in-class questions 

• Active engagement with online content 

Course grades for students who do not contribute to the course through active participation will be affected. 

Pop out questions (about 6) will be asked during each lecture. Responses will be submitted using Google forms. The students will have 72 hours to submit their responses for each lecture. Failure to submit the responses on time will result in a deduction of the class participation score. 

Required Readings 

Required Textbooks: 

[BISH] Computer Security: Art and Science, Matt Bishop, 2018.

[PFL] Security in Computing, Charles P. Pfleeger, Shari Lawrence Pfleeger, Jonathan Margulies, 2015. 

Literature: 

[BLP] Bell, D. Elliott, and Leonard J. La Padula. Secure computer system: Unified exposition and Multics interpretation. No. MTR-2997-REV-1. MITRE CORP BEDFORD MA, 1976. 

[ENVI] Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the Department of Defense Trusted Computer System Evaluation Criteria in Specific Environments, CSC-STD-004-85, DoD Computer Security Center: Ft. George G. Meade, MD, 1985. 

[FIPS] FIPS PUB 140-3, Security Requirements for Cryptographic Modules, NIST, 2019. 

[FPIGS] Schell, Roger R. "Information security: science, pseudoscience, and flying pigs." Computer Security Applications Conference, 2001. ACSAC 2001. Proceedings 17th Annual. IEEE, 2001. 

[LIPN] Steven B. Lipner, “The Birth and Death of the Orange Book”, Computer Science, IEEE Annals of the History of Computing, 2015. 

[RBAC] R. Sandhu, David F. Ferraiolo, D. Richard Kuhn, “The NIST Model for Role-Based Access Control: Towards a Unified Standard”, 2000. 

[SANS] Sorcha Diver, “Information Security Policy-A Development Guide for Large and Small Companies”, SANS, 2004. 

[SHOC] Shockley, William R., and Roger R. Schell, "TCB subsets for incremental evaluation”, In Proceedings of the Third Aerospace Computer Security Conference, Orlando, Florida, pp. 131-139., 1987. 

[TCSEC] Department of Defense, Department of Defense Trusted Computer System Evaluation Criteria, Department of Defense 5200.28-STD, 1985. 

[TDI] Trusted DBMS Interpretation, National Computer Security Center, 1988. 

[TINTO] Mario Tinto, “The Design and Evaluation of INFOSEC Systems”, The Computer Security Contribution to the Composition Discussion, 1992. 

[TNI] Trusted Network Interpretation. "NCSC-TG 005" National Computer Security Center, 1990. 

[USEO] Executive Order 13526, “Classified National Security Information”, 2009.

Course Schedule: A Weekly Breakdown 

Class sequence, dates, reading assignments, and topics are subject to change as the semester proceeds. Any revisions will be noted and announced in class and posted on the class website.

8/28 Lec1
Topic: Course Introduction
• Structural overview of the course of study
• Challenge of security policy breaches
• Motivation and definitions. The nature of a witted adversary and the limitations of current cyber security best practice
Reading: PFL CH 1; BISH CH 1
Other: Lab1

9/4 Lec2
Topic: Introduction to characteristics of policy
• Building on the foundation of an organizational policy
• Introduction to the Reference Monitor (RM)
• Interpreting RM components
Reading: FPIGS; TCSEC 6.1; BISH CH 2; CH 4.1-4.4; SANS
Other: HW1

9/11 Lec3
Topic: Formal security policy model (FSPM) interpretation
• Introduce the mathematical basis for a FSPM and distinguish between properties of discretionary and mandatory policy
Topic: Bell-LaPadula interpretation for Reference Monitor
• Describe the formal components of the widely-used BLP model to illustrate bridging between policy and a computer
Quiz1
Reading: TCSEC 6.2; BISH CH 5.1-5.3; BLP Sec II pp. 9-25
Other: Lab1 due

9/18 Lec4
Topic: U.S. Classified Information policy
• Critical examination of an actual organizational policy: the US Government Executive Order 13526
Topic: Bell-LaPadula Multics interpretation
• Careful mapping of sets in the BLP model system state definition, and its access modes, to the hardware and software of the commercial Multics computer. Introduction of the powerful Basic Security Theorem
Reading: USEO; TCSEC 4.1; BLP Sec III, pp. 30-63

9/25 Lec5
Topic: Theoretical limits on system security
• Review Turing machine undecidability, how HRU show the general security case is undecidable, and why BLP is a decidable result
Quiz2
Reading: BISH CH 3.1-3.3
Other: HW1 due; Lab2

10/2 Lec6
Topic: Biba integrity model
• Introduce the problem of formulating an integrity access control. Examine a formal model interpretation for integrity policy, and properties sufficient to preserve information integrity
Topic: RM implementation details
• Classic protection rings
Topic: Midterm review
• Summary of major topics related to access control, reference monitor and formal security policy models
Reading: BISH CH 6.1, 6.2
Other: HW2; Project proposal due

10/9
Midterm, TBD

10/16 Lec7
Topic: Lipner and Clark-Wilson integrity models
• Introduce other integrity models, requirements of commercial integrity policies, separation of duty
Topic: Hybrid policies
• Security policy can refer equally to confidentiality and integrity. Examine policies that involve conflict of interest, base control on job functions, support creator-based control
Reading: BISH CH 6.3, 6.4; CH 8.1, 8.3, 8.4; RBAC
Other: HW3

10/23 Lec8
Topic: Policy composition with TCB subsets
• Allocate subsets of system policy to TCB subsets assigned to totally ordered protection domains
Topic: Partitioned TCB for policy composition
• Allocate partitions of system policy to loosely-coupled network components
Reading: SHOC; TINTO; TDI Appendix II; TNI Appendix B p 269-282
Other: Lab2 due; Lab3; HW2 due

10/30 Lec9
Topic: TNI composition of MAID components
• Introduction to a systematic taxonomy of security policy of four major policy elements grouped into two classes
Topic: Audit for cyber security
• Compare two divergent views of audit: (1) ad hoc practice that hopes to detect violations and (2) RM based tool to enhance individual accountability
Quiz3
Reading: TNI p 237-246; BISH CH 25

11/6 Lec10
Topic: Authentication for cyber security
• Authentication as a tool for relating organization policy for access by individuals by binding a RM subject to an identity
Topic: Identification for cyber security
• The role and representation of identities for principals, and how identity is related to the reference monitor. Federated identity.
Reading: PFL CH 2.1, 8.4
Other: HW3 due

11/13 Lec11
Topic: System security evaluation
• Historical motivations, goals and structure for security evaluation of a system, and the systematic codification in the TCSEC
• Common Criteria: an international standard for computer security certification
Topic: Deployment Policy for Trusted Systems
• The roles of evaluation, certification and accreditation in policies for deployment of trusted systems
Quiz4
Reading: BISH CH 22.1; 22.2.1-22.2.4.3; 22.7; LIPN; ENVI p 1-21; Appendix C
Other: Lab3 due

11/20 Lec12
Topic: Policy for Cryptographic Implementation
• Policy considerations for the implementation and use of cryptography
Reading: BISH 22.6.2 – 22.6.5; FIPS 4.1-4.3; 4.6; Appendix C

11/27
Thanksgiving break, no class

12/4 Lec13
Topic: Privacy policy
Topic: Course review
Reading: PFL CH 9

Final Examination: December 13, 11am-1pm

