Information Technology 645
ITEC 645
Information Security, Privacy, and Reliability
1. Catalog Entry
ITEC 645
Information Security, Privacy, and Reliability
Credit hours (3)
Prerequisites: Admission into the Data and Information Management program, or permission of instructor.
Advanced examination of the reliability, security and privacy issues in the storage, transmission and processing of data. The course covers the security of database management systems and the infrastructure on which they execute, privacy issues, and mechanisms that ensure the reliability of enterprise database management systems.
2. Detailed Description of Course
1) Fundamentals of information security and privacy
a. Goals of security (confidentiality, integrity, availability, authentication, non-repudiation and accountability)
b. Vulnerabilities and exploits on DBMS and data sets (e.g., programming flaws, SQL injection, statistical inference attacks)
c. Threat modeling and security analysis
2) Information Security with data storage and management
a. Cryptography (symmetric key, asymmetric key, secure hashes and modes of operation)
b. Secure design principles (e.g., least privilege, complete mediation, separation of privilege, least common mechanism, defense in depth)
c. Authentication
d. Access control
e. Access logs
f. Security mechanisms (e.g., perimeter security, host based security)
g. Secure operations (backups, hardening distributed databases, disaster recovery, business continuity)
3) Privacy
a. Statistical inference attacks and controls
b. Legal issues (e.g., HIPAA, FERPA, ECPA)
4) Reliability
a. Failures
b. Fault tolerance
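The two DBMS attack classes named in topics 1b and 3a above, as an added Python example that is not part of the course materials: a lookup that concatenates user input into SQL beside its parameterized form, and an aggregate-only query interface subjected to a difference (tracker) attack, with two controls, a minimum query-set size and output noise. The staff table, names and salaries are constructed for the demonstration.

```python
import random
import sqlite3

# Constructed sample data for the demonstration; not taken from the course page.
STAFF = [
    ("alice", "oncology", 91000),
    ("bob", "oncology", 72000),
    ("carol", "oncology", 65000),
    ("dave", "cardiology", 88000),
    ("erin", "cardiology", 79000),
    ("frank", "cardiology", 70000),
]


def make_db():
    """In-memory SQLite database holding the constructed STAFF rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)", STAFF)
    return conn


# --- Topic 1b: SQL injection (vulnerable form beside the parameterized fix) ---

def lookup_vulnerable(conn, name):
    """Concatenates user input into the SQL text, so the input can change the query."""
    sql = "SELECT name, salary FROM staff WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Binds the input as a parameter: it is treated as data, never as SQL."""
    sql = "SELECT name, salary FROM staff WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# --- Topic 3a: statistical inference attack and two controls ---

class StatsInterface:
    """Releases only aggregate (COUNT/SUM) answers over the staff table.

    min_set_size: refuse answers computed from fewer than this many rows
                  (query-set-size control).
    noise_scale:  standard deviation of Gaussian noise added to each answer
                  (output perturbation); 0 disables it.
    """

    def __init__(self, conn, min_set_size=1, noise_scale=0.0, seed=0):
        self.conn = conn
        self.min_set_size = min_set_size
        self.noise_scale = noise_scale
        self.rng = random.Random(seed)

    def sum_salary(self, dept, exclude=None):
        # The WHERE clause is assembled from fixed fragments only; all values are bound.
        where, params = "dept = ?", [dept]
        if exclude is not None:
            where += " AND name != ?"
            params.append(exclude)
        n, total = self.conn.execute(
            f"SELECT COUNT(*), COALESCE(SUM(salary), 0) FROM staff WHERE {where}", params
        ).fetchone()
        if n < self.min_set_size:
            raise PermissionError(f"query set of size {n} is below the minimum")
        if self.noise_scale:
            total += self.rng.gauss(0, self.noise_scale)
        return total


def difference_attack(stats, dept, target):
    """Tracker attack: SUM over the department minus SUM over everyone but the
    target isolates the target's salary from two legitimate aggregate queries.
    Returns None if the interface refuses either query."""
    try:
        return stats.sum_salary(dept) - stats.sum_salary(dept, exclude=target)
    except PermissionError:
        return None


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(db, payload))        # every row comes back
    print("parameterized:", lookup_parameterized(db, payload))  # no such name: no rows
    print("no control:", difference_attack(StatsInterface(db), "oncology", "alice"))
    print("min set size 3:", difference_attack(StatsInterface(db, min_set_size=3), "oncology", "alice"))
    print("with noise:", difference_attack(StatsInterface(db, noise_scale=5000.0), "oncology", "alice"))
```

The query-set-size control stops this particular tracker only because the constructed department has three rows; against a larger table the attacker pads both queries with the same extra rows so that each clears the threshold, and the subtraction still cancels the padding. That is why the interface also offers output perturbation, and why a production design adds a per-user query budget on top of both.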
3. Detailed Description of Conduct of Course
This course will be delivered in a lecture and discussion format with demonstration and application of concepts using one or more enterprise level database management systems.
4. Goals and Objectives of the Course
Students who complete this course will be able to:
1) Enumerate the main goals of security and privacy including confidentiality, integrity, availability, authentication, non-repudiation and accountability.
2) Analyze and develop threat models for the security of database management systems, networks and distributed database infrastructures.
3) Analyze and develop threat models on the privacy of data (such as inference attacks).
4) Perform security analysis on centralized and distributed database installations using techniques such as the Open Source Security Testing Methodology (OSSTMM).
5) Describe and apply cryptographic algorithms and mechanisms, including secure hashes, secret key and public key cryptography, and their modes of operation, to secure both stored data and data in transit across networks.
6) Describe and apply standard secure design principles, including least privilege, complete mediation, least common mechanism, economy of mechanism, defense in depth, reluctance to trust and privacy, to the different database installations.
7) Describe and deploy authentication, fine-grained access control and accountability mechanisms (such as access logs) on database management systems and on distributed and centralized database installations.
8) Describe and deploy mechanisms that provide security (such as intrusion detection systems) and privacy (such as controls that protect against statistical inference attacks on databases).
9) Perform secure operations including backup, recovery and secure updates.
10) Administer security by enumerating the steps of risk management and developing security policies and plans, such as acceptable use policies and business continuity and disaster recovery plans.
11) Enumerate and identify privacy issues of data, taking into account the federal and state laws that govern privacy such as HIPAA, FERPA, and the Electronic Communications Privacy Act (ECPA).
12) Describe reliability mechanisms to achieve fault tolerance in distributed databases.
5. Assessment Measures
A significant component of the assessment must measure each individual student’s mastery of the conceptual and applied knowledge and skills described in the course objectives. Evaluations may include but are not limited to assignments, projects, presentations, quizzes, and examinations.
6. Other Course Information
None.
Review and Approval
April 23, 2014