IA Course CPSC 4610:

Information Security Management

Course Description

The study of management in information security, including planning, policy and protections, is covered. Topics include planning for security, information security policy, developing a security program, access control, cryptography, risk management, information security administration, and incident handling and response. Both commercial practices and federal government policies for classified information will be explored.

Prerequisites

CPSC 160, CPSC 375 and CPSC 385 with grades of C or better.


Michael E. Whitman and Herbert J. Mattord, Management of Information Security, Edition: 1, Thomson Course Technology, ISBN: 0-619-21515-1

Ronald L. Krutz, Russell Dean Vines, The CISSP Prep Guide, Edition: 2, Wiley, ISBN: 0-7645-5915-x

Lecture Notes

Chapter 1. Introduction to the Management of Information Security
Chapter 2. Planning for Security
Chapter 3. Planning for Contingencies
Chapter 4. Security Policy
Chapter 5. Developing the Security Program; Cryptography
Chapter 6. Security Management Models and Practices; E-mail Security
Chapter 7. Risk Management: Identifying and Assessing Risk
Chapter 8. Risk Management: Assessing and Controlling Risk
Chapter 9. Protection Mechanisms; IPSec; Web Security
Chapter 10. Personnel and Security
Chapter 11. Law and Ethics
Chapter 12. Information Security Project Management

Supplemental Materials

Homework on Access Control: DAC, MAC, and RBAC

IA Academic Links

Secure Use

General Security Policy: Cyber Ethics

Cyber Ethics

General Security Policy: Information Technology Security Evaluation Criteria (ITSEC)

ITSEC Definition

General Procedures: Inference

Inference Definition

General Procedures: Rainbow Series

Rainbow Series

General Procedures: NSTISSAM COMPUSEC/1-99 Insider Threat to Government Computer Systems

NSTISS Glossary

General Countermeasures and Safeguards: Computer Law

Computer Law

General Countermeasures and Safeguards: Computer Media

Computer Media

General Countermeasures and Safeguards: Evaluate Security Testing Tools

Security Testing Tools

Administrative Countermeasures/Safeguards: Control Management

Change Control
Control Management

Administrative Countermeasures/Safeguards: Privacy Act

Privacy Act of 1974

Operations Policies/Procedures: Keystroke Monitoring

Keystroke Monitoring

Operations Policies/Procedures: Disaster Recovery Planning

Disaster Recovery

Policy and Procedures: Incident Response

Incident Response

Policy and Procedures: Witness Interrogation

Witness Interrogation

Operations Countermeasures/Safeguard: Computer Attacks

Computer Attacks
Computer Virus Timeline

Operations Countermeasures/Safeguard: Computer Emergency Readiness Teams


Administrative Policies/Procedures: Approval to Operate

Approval to Operate

Administrative Policies/Procedures: Configuration/Change Control

Change Control

Administrative Policies/Procedures: Copyright Protection

Copyright Protection

Administrative Policies/Procedures: Patch Management

Patch Management

Administrative Policies/Procedures: Records Management

Records Management

Administrative Policies/Procedures: Wireless Use Policies

Wireless Use Policy

Anomalies and Integrity

General Risk Management: Computer System Risk Management

Risk Management

Access Control Safeguards: Computer System Access Control

Access Control

Access Control Safeguards: Protected Distribution Systems

Protected Distribution System

Access Control Safeguards: Information Systems Access Restrictions

Access Restrictions

Access Control Mechanisms: KMI Applications

Key Management

Access Control Mechanisms: Single Sign-on

Single Sign On

IA Sites