Teaching Information Security
This post is to help professors trying to teach information security, a subject typically studied by seniors earning a Bachelor’s in Information Technology. Information Security covers how to protect information from all of the bad things that might happen to it. Example problems include at least the following:
- loss due to backup failure plus hardware failure, flood, or fire
- theft by hackers and/or competitors
- encryption followed by a ransom demand from hackers
- corruption due to human or software error
- service becomes unavailable due to hardware or network failures, hackers, etc.
The textbooks on this subject, and most of the materials published on the Web, including from ISO and NIST, are abstract and all about the process rather than the substance. Remember the old saying about ISO 9000 that it would be possible to certify a life preserver made out of lead. You would just need sufficient paperwork. So that you don’t have to pay ISO, see NIST 800-100 to get a flavor. The textbooks might be good resources for those working as Chief Information Security Officers at Fortune 500 companies, but young people just getting their first degree aren’t going to have jobs like that. Our textbook, chosen by a previous professor, was Management of Information Security, 6th edition, by Whitman and Mattord.
In order to make sure that the students developed some real capabilities, I decided to make all the assignments applications of the high-level principles to simple concrete scenarios. They were all open-ended essay assignments, with reviews in class and chances to revise. This part actually didn’t go over that well with students, who are accustomed to multiple-choice quizzes and fill-in-the-blanks questions. I don’t see how IT graduates can be useful to employers without becoming competent writers. If they’re not being trained to be hands-on technicians, e.g., Cisco Certified router admins, then what role can they have in a company other than developing the policies and plans that the technicians will follow?
I built all of the assignments around three concrete scenarios:
- a hangar leasing operation in which a waiting list is maintained as a spreadsheet and active tenants are recorded in QuickBooks Desktop. All work is done by a single employee on a single desktop PC connected through a network-address translating router to the Internet (“HangarSys”)
- a 1990s-style web site offering custom-cut khaki pants for sale (mustering all of my imaginative powers, I picked iKhakis, a site that I had actually built much of, back in 1998)
- a T-shirt shop that sells online and in person with all IT outsourced to Shopify and QuickBooks Online (Pop Ts of Delray)
- a 50-employee law firm (“KWA”) with a classic Microsoft intranet in which almost everything hinges off a single Windows Server machine
Summary of the assignments:
- apply the NIST standards to develop an Information Security Plan for HangarSys
- develop an Information Security Plan for iKhakis
- develop an Information Security Policy for HangarSys
- develop an Information Security Program for Pop Ts of Delray
- explain the differences among an Information Security Plan, an Information Security Program, and an Information Security Policy
- develop a risk management process for HangarSys
- develop a risk treatment plan (via transference) for HangarSys
- develop a disaster recovery plan for HangarSys (desktop PC destroyed)
- risk treatment plan for iKhakis source code only
- protect investors and founders so the source code is kept secret, but flows to the investors if the founders die or run away
- plan for hiring a temp to fill in for the HangarSys worker (the worst information security problems these days are related to people)
- contingency plan for the KWA law firm (earthquake destroys office)
- report on a network access breach at the KWA law firm (coffee shop customers got the WiFi WPA password)
By the time they’re done, the students will probably hate you, but they’ll have a portfolio of documents demonstrating practical skill in applying abstract principles. They can use these to show to employers. As discussed below, it may be smarter to assign these projects to groups of 2 or 3 students.
HangarSys
- Microsoft Windows desktop computer (easy to train replacement if Robin quits)
- Microsoft Excel as waitlist DBMS (only one user updating)
- QuickBooks Desktop for accounting (bank statement integration)
- Microsoft Outlook as e-mail system (merge Word doc with Excel list)
- Second internal hard drive as destination for Windows File History
- Microsoft OneDrive as off-site backup in cloud (Dropbox or Crashplan would also work)
- Internet connection through network address-translating (NAT) router
Robin works at the F45 airport, owned by Palm Beach County and part of that organizational structure. There are 300 Tee hangars occupied by tenants who pay rent monthly. There are 175 people on a waiting list. Robin checks to make sure that the tenants have paid up by matching payments to accounts in QuickBooks Desktop (not QuickBooks Online, a different product). She periodically sends out mass emails to either everyone on the waiting list or everyone who is a tenant. When someone vacates a hangar, Robin invites the person at the top of the waiting list to move in.
If students need more detail to complete a plan, they can make it up, e.g., by positing a directory structure for the files in OneDrive or on the hard disk.
iKhakis
iKhakis, a startup within a big company, has the following:
- Factory in Tennessee that can produce custom-cut khaki pants; Oracle RDBMS-based information system to support manufacturing and shipping
- Web server to take orders from customers; Oracle RDBMS behind the Web server
- Desktop access by developers in Massachusetts to Web server
- Desktop access for operations from acquired startup in Massachusetts to Web server
- Data warehouse for senior management in San Francisco to see reports on what is selling
- All of the software for the public ecommerce site is on the Web server and edits go live immediately
- The Internet Service Provider makes a backup of the SSD every Sunday morning at 3:00 am
Pop Ts of Delray
A pop-up T-shirt shop (“Pop Ts of Delray”) in Delray Beach is selling shirts both in-person (point of sale) and online via a web site. To minimize IT spending, the shop uses Shopify for its online presence, processing online orders, fulfillment of online orders, and also for point-of-sale payment processing.
Pop Ts has six employees:
- the founder/owner, who works in the store most days and from home sometimes (devices: Windows 11 laptop and iPhone running iOS 15)
- three retail clerks, who work from iPads in the store, but also bring their own smartphones and use Instagram for personal and promotional purposes
- a merchandising expert, who works from home from a laptop running macOS
- an operations manager, who makes sure that inventory is maintained, bills are paid, etc. Works from home on a Windows 10 desktop connected to QuickBooks Online and Shopify. Also works from a Windows 10 laptop in the store sometimes and checks Shopify from an Android smartphone.
All locations are provisioned with Internet via AT&T fiber, with an AT&T-supplied router/WiFi base station.
KWA Law Firm
The 50-employee law firm of Kirkland, Watkins, and Austin (“KWA”) has an office in San Francisco. Everyone works primarily in person in the office, except when in court, out with a client, home sick, etc.
- Core information systems:
  - shared filing cabinets for physical documents
  - central server running Windows Server 2016 (set up when the firm moved to Windows 10)
  - Windows shared drive (server with mirrored disks in an IT closet) for PDFs and TIFFs (documents from discovery) and Microsoft Office documents (work product)
  - Microsoft Active Directory for single sign-on to all of the Microsoft applications as well as PCLaw and Time Matters
  - Microsoft Exchange Server 2016 on the local server; Microsoft Outlook on the laptops
  - PCLaw 16 and Time Matters 16 on the local server for accounting
  - Microsoft SQL Server 2016 to support PCLaw and Time Matters
- Central phone number and Cisco 7800-series IP phones on desks (shares network/wiring with the PCs, contrary to Cisco recommendations, due to limited Cat 5 wiring in the building)
- Every attorney has a Windows 10 laptop computer that plugs into a dock (hard-wired via Cat 5), but can also be used in conference rooms via WiFi
- Working when away from the office: VPN into the firm’s network (otherwise protected by a firewall)
- The IT department consists of two employees: IT Manager and IT Helper. The manager selects equipment, sets up and administers systems, hires contractors, and supervises the helper (who can solve individual users’ problems). The manager has already engaged a part-time Cisco-certified network engineer for configuring the routers and firewall as well as dealing with the phone system.
KWA has a Managing Partner, but otherwise a fairly flat management structure. There is an Office Manager who supervises most of the general administrative functions and a Finance Manager who makes sure that accounts receivable and accounts payable are current. The firm relies on PCLaw for billing and accounting and Time Matters for recording attorney hours. These applications rely on the Windows share drive server and can be used only from within the firm’s network. Payroll is handled by ADP and does not rely on any KWA systems.
(Fun to share with students who are dreaming of the California lifestyle, a 2018 response from a young colleague when I asked him where in San Francisco I should stay: “The review location is a cubicle inside of WeWork Civic Center on Mission between 7th and 8th wedged between a homeless encampment and emergency heroin detox center. I would recommend picking a hotel in another part of town. … I’ve actually found taking the train to the Civic Center stop and walking the rest of the way to be the best approach. Specifically walking down 7th street and crossing to the far side of Mission then turning right. Due to the layout and direction of the one way streets and traffic I’ve found cabs/Uber to work fairly poorly and often take longer than BART. I stopped using cars when junkies started trying to open my door at stop lights.”
Just a couple of blocks from my luxury hotel:
and on the same trip, I happened to get a picture of the In-N-Out Burger that was later shut down for refusing to check customers’ vaccine papers.)
Checklist for the Students
For each document in your portfolio, use the following checklist:
- filename makes sense, e.g., “20211103-meetfish-source-code-version-control-and-escrow-plan-joe-smith” (YYYYMMDD at the beginning enables the documents to sort chronologically if displayed in a typical file system browser; add your own name (not “joe smith”!) at the end so that if the document ends up in a folder with others’ work it will be clear how to find yours)
- only one version of each plan at the top level (create a “Drafts” subfolder if desired and put the obsolete versions in there)
- contains author’s name, email, and phone number
- contains date created and date of last revision
- contains the full text of the original assignment either at the beginning or the end (so that your document, if printed, can be read and understood without reference to any other material)
- does not contain any “plan for making a plan” material (e.g., cut and paste from textbook-type materials designed to cover a broad range of scenarios)
- does not contain any conditionals (“if the system is using a VPN, then…”) since your assignments always reference a concrete scenario (fill in additional details if desired)
- is in Microsoft Word format if at all possible (makes it easy for me and others to add comments and Track Changes)
The “plan for making a plan” bullet point is critical. Students struggled with these assignments at first. A standard technique for American college students is to take every 7th paragraph of the textbook chapter and submit that as their essay. If there is a guide to writing a plan, therefore, what is submitted is a condensed guide to writing a plan, not an actual plan. Until this has been pointed out to them at least three times, they don’t realize that they’re submitting the wrong category of document.