
ISIT437/ISIT937
Information Technology Security and Risk Management
Lecturer: Dr. Fenghui Ren
Week 1: Introduction
Autumn 2017

Lecturer/Coordinator
Dr. Fenghui Ren
3.203
fren@uow.edu.au
4221 4276
Consultation hours:
Monday 9:30-11:30
Wednesday 15:30-17:30

About Me

PhD in CS (UOW, 2010)
ARC DP Fellow (UOW, 2011-2012)
VC Postdoctoral Fellow (UOW, 2012-2013)
ARC DECRA Fellow (UOW, 2014-2016)
Teaching Areas:
- Object-oriented programming
- Software engineering
- Web programming
- Formal method
- Security and risk management
Research Areas (over 50 publications):
- AI
- Multiagent systems
- Decision support systems
- Complex system modelling and simulation
Supervision:
- 4 PhD students (currently)
- Graduated 2 PhD students, 1 Honours

eLearning - Moodle

The UOW eLearning system (Moodle) will be used extensively throughout the course, e.g.:
- Uploaded lecture notes
- Discussion forums
- Quizzes
- Assessment details
Students should check the subject's web site regularly, as important information, including details of unavoidable changes in assessment requirements, will be posted from time to time via the e-Learning space. Any information posted to the web site is deemed to have been notified to all students.
Subject Description

This subject aims to provide students with a deep understanding of the security, risk management and regulatory aspects of e-commerce facing businesses in the on-line business environment. Today most businesses compete in a global business environment; a sound business strategy that addresses these issues is essential. This subject covers key issues in e-commerce, including: security options, trusted authorities, secure payment systems for the Internet, the regulatory environment and Government policy; risk management and control.

Subject Objectives

- Demonstrate a thorough understanding of current security issues in e-commerce applications
- Demonstrate an in-depth understanding of the primary legal issues surrounding web-based e-commerce
- Critically assess the relative benefits of self-regulatory practices versus government regulation
- Understand the risk management paradigm
- Differentiate between control weakness and control risk

Graduate Qualities

"Graduate Qualities" are the aspirational qualities that students will progressively develop through their learning experiences at UOW. These Graduate Qualities are not achieved in a single subject - their development is an ongoing process across an entire program of study. This subject will contribute to the following Graduate Qualities:

Teamwork
Function effectively in a multi-disciplinary/multi-cultural team as both a leader and a member. Understand the different roles and issues within a team.

Informed
Have a sound knowledge of Computer Science or Software Engineering and understand its current issues, locally and internationally. Know how to apply this knowledge. Understand how this area of study has developed and how it relates to other areas.

Independent learners
Engage with new ideas and ways of thinking and critically analyse issues. Seek to extend own knowledge through ongoing research, enquiry and reflection. Find and evaluate information, using a variety of sources and technologies. Acknowledge the work and ideas of others.

Effective communicators
Articulate ideas and convey them effectively using a range of media. Work collaboratively and engage with people in different settings. Recognise how culture and media can shape communication and be able to respond appropriately.

Responsible
Understand how decisions can affect others and make ethically informed choices. Appreciate and respect diversity. Act with integrity as part of local, national, global and professional communities.

Textbook

Michael E. Whitman and Herbert J. Mattord, 2014. Management of Information Security, Third Edition. Course Technology, Cengage Learning.
Lecture Schedule

Week | Lecture Topics | Readings
1 | Introduction and overview of the subject | Chapter 1 / No Tutorials
2 | Information security management | Chapter 1
3 | Planning for security | Chapter 2
4 | Planning for contingencies | Chapter 3
5 | Information security policy | Chapter 4
6 | Developing the security program | Chapter 5
7 | Security management models | Chapter 6
8 | Security management practices | Chapter 7
9 | Risk management: identifying and assessing risk | Chapter 8
10 | Risk management: controlling risk | Chapter 9
11 | Protection mechanisms | Chapter 10
12 | Personnel and security | Chapter 11
13 | Revision | No tutorial

Assignments

Assessment | % | Type | Due Date
1. Report I | 10 | Individual | Electronic copy to be submitted to UOW Moodle before due date: midnight, Sunday, March 26, 2017
2. Presentation | 10 | Individual | Week 7 - 9
3. Report II | 30 | Group | Electronic copy to be submitted to UOW Moodle before due date: midnight, Sunday, May 21, 2017
4. Final examination | 50 | Individual | Examination period

Technical Fail

To be eligible for a Pass in this subject a student must achieve a mark of at least 40% in the Final Exam. Students who fail to achieve this minimum mark and would have otherwise passed may be given a TF (Technical Fail) for this subject.

Penalties for late submission of assessment items

Penalties apply to all late work, except if student academic consideration has been granted. Late submissions will attract a penalty of 20% of the assessment mark per day. Work more than 5 days late will be awarded a mark of zero.
Supplementary Exams

The School does not normally offer a supplementary exam to a student who has sat a scheduled exam.
Supplementary Exams will be dealt with in accordance with the student academic consideration policy (http://www.uow.edu.au/about/policy/UOW060110.html), section 9.2 Timing of Supplementary Exams.
While the School normally grants supplementary exams when the student does not sit the standard exam for an acceptable reason, each case will be assessed on its own merit and there is no guarantee a supplementary exam will be granted.
If a supplementary exam is granted, you will normally be notified via SOLS Mail of the time and date of this supplementary exam. You must follow the instructions given in the email message.
Please note that if this is your last session and you are granted a supplementary exam, be aware that your results will not be processed in time to meet the graduation deadline.

Assignments

Detailed information will be published on Moodle in due course.

Lecture and Tutorials

Activity | Day / Time | Location | Week
Lecture | Mon 13:30 - 14:30 | 35-G45 | 1-13
AND Tutorial | Tue 11:30 - 13:30 | 3-121 | 2-13 (Open)
OR Tutorial | Tue 09:30 - 11:30 | 19-2004 | 2-13 (Closed)
OR Tutorial | Wed 14:30 - 16:30 | 19-2114 | 2-13 (Will be Closed)
OR Tutorial | Wed 16:30 - 18:30 | 19-2114 | 2-13 (Closed)
OR Tutorial | Thu 15:30 - 17:30 | 19-1001 | 2-13 (Open)
OR Tutorial | Thu 17:30 - 19:30 | 19-1001 | 2-13 (Open)

Tutor
Mr. Fei Xie
Email: fx439@uowmail.edu.au

Attendance Requirements

It is the responsibility of students to attend all lectures/tutorials for subjects for which you are enrolled. It should be noted that the amount of time spent on each 6 credit point subject should be at least 12 hours per week, which includes lectures/tutorials/labs etc.
Satisfactory attendance is deemed by the University to be attendance at approximately 80% of the allocated contact hours.
Attendance rolls will be kept for tutorials. Students MUST attend their allocated tutorial unless they have the written permission of the subject coordinator.
In order to maximize learning outcomes, it is strongly recommended that students attend all lectures.
The Communication Channel

- Your tutor is your first point of contact
- Takes your tutorial sessions and marks your assignments
- Any complaints should be presented to your tutor first
- If the issue is not resolved to your satisfaction, then come to see me

Emergency Evacuation Procedure

- Turn off any electrical equipment
- Leave the building immediately via the nearest exit
- Don't use lifts
- Obey all directions from wardens
- Do not re-enter the building until advised

What Is Security?

Definitions
- Security is defined as the quality or state of being secure: to be free from danger
- Security is often achieved by means of several strategies undertaken simultaneously or used in combination with one another
Specialized areas of security
- Physical security, operations security, communications security, and network security

What Is Security? (contd.)

Information security
- The protection of information and its critical elements (confidentiality, integrity and availability), including the systems and hardware that use, store, and transmit that information
- Through the application of policy, technology, and training and awareness programs
- Policy, training and awareness programs and technology are vital concepts

Management of Information Security, 3rd Edition


CNSS Security Model

C.I.A. triangle
- Confidentiality, integrity, and availability
- Has expanded into a more comprehensive list of critical characteristics of information
Committee on National Security Systems (CNSS) Security Model
- Also known as the McCumber Cube
- Provides a more detailed perspective on security
- Covers the three dimensions of information security

CNSS Security Model (contd.)

[Figure 1-1 Components of Information Security]

CNSS Security Model (contd.)

CNSS Model (contd.)
- Omits discussion of detailed guidelines and policies that direct the implementation of controls
- Weakness of this model emerges if viewed from a single perspective
- Need to include all three communities of interest

CNSS Security Model (contd.)

[Figure 1-2 CNSS Security Model]
Key Concepts of Information Security

Confidentiality
- The characteristic of information whereby only those with sufficient privileges may access certain information
Measures used to protect confidentiality
- Information classification
- Secure document storage
- Application of general security policies
- Education of information custodians and end users
- Cryptography

Key Concepts of Information Security (contd.)

Integrity
- The quality or state of being whole, complete, and uncorrupted
- Information integrity is threatened if exposed to corruption, damage, destruction, or other disruption of its authentic state
- Corruption can occur while information is being compiled, stored, or transmitted
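The integrity slide says corruption can occur while information is compiled, stored, or transmitted. The following Python is an added example, not code from the slides or from Whitman and Mattord: it tags a record with an HMAC-SHA256 at the point it is known to be authentic, then re-verifies the tag after each later stage so the first stage that damaged the record is named. The key, the record, and the stage pipeline are constructed for the example; a keyed hash is used rather than a plain checksum because a checksum only guards against accidental faults, while a keyed tag also resists deliberate modification by anyone who lacks the key.

```python
# Added example (not from the slides or the textbook): detecting loss of
# integrity with a keyed hash. Key, record and stage names are constructed.
import hashlib
import hmac
from typing import Callable, List, Optional, Tuple

# Constructed key for the example only; a real deployment takes it from a key store.
KEY = b"constructed-demo-key"


def seal(key: bytes, data: bytes) -> bytes:
    """Tag the data with HMAC-SHA256 at the point it is known to be authentic."""
    return hmac.new(key, data, hashlib.sha256).digest()


def verify(key: bytes, data: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time."""
    return hmac.compare_digest(seal(key, data), tag)


def flip_bit(data: bytes, index: int) -> bytes:
    """Simulate a single-bit corruption (e.g. a storage or transmission fault)."""
    buf = bytearray(data)
    buf[index] ^= 0x01
    return bytes(buf)


# A stage is a name plus the transform the data undergoes at that stage.
Stage = Tuple[str, Callable[[bytes], bytes]]


def trace_integrity(key: bytes, data: bytes, stages: List[Stage]) -> Optional[str]:
    """Pass the data through each stage, verifying the tag after each one.

    Returns the name of the first stage after which the tag no longer
    verifies, or None if the data survived every stage uncorrupted.
    """
    tag = seal(key, data)  # taken when the record is compiled
    for name, transform in stages:
        data = transform(data)
        if not verify(key, data, tag):
            return name
    return None


# Constructed record and two pipelines, one with a faulty transmission stage.
RECORD = b'{"account":"A-1001","balance":2500.00}'
PIPELINE_OK: List[Stage] = [
    ("store", lambda d: d),      # storage kept the bytes intact
    ("transmit", lambda d: d),   # transmission kept the bytes intact
]
PIPELINE_BAD: List[Stage] = [
    ("store", lambda d: d),
    ("transmit", lambda d: flip_bit(d, 30)),  # one bit of the balance changed in flight
]

if __name__ == "__main__":
    print("clean pipeline corrupted at:", trace_integrity(KEY, RECORD, PIPELINE_OK))
    print("faulty pipeline corrupted at:", trace_integrity(KEY, RECORD, PIPELINE_BAD))
```

Flipping bit 0 of byte 30 turns the balance "2500.00" into "3500.00"; the text still parses as valid JSON, which is why a format check alone would not catch it but the tag comparison does. Note that the tag proves integrity only; it does not hide the record's contents, which is the separate concern of confidentiality.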


Key Concepts of Information Security (contd.)

Availability
- The characteristic of information that enables user access to information in a required format, without interference or obstruction
- A user in this definition may be either a person or another computer system
- Availability does not imply that the information is accessible to any user
- Implies availability to authorized users

Key Concepts of Information Security (contd.)

Privacy
- Information collected, used, and stored by an organization is to be used only for the purposes stated to the data owner at the time it was collected
- Privacy as a characteristic of information does not signify freedom from observation
- Means that information will be used only in ways known to the person providing it
Key Concepts of Information Security (contd.)

Identification
- An information system possesses the characteristic of identification when it is able to recognize individual users
- Identification and authentication are essential to establishing the level of access or authorization that an individual is granted
Authentication
- Occurs when a control proves that a user possesses the identity that he or she claims

Key Concepts of Information Security (contd.)

Authorization
- Assures that the user has been specifically and explicitly authorized by the proper authority to access, update, or delete the contents of an information asset
- User may be a person or a computer
- Authorization occurs after authentication
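The slides define identification, authentication and authorization as distinct steps, with authorization only after authentication and only for explicit grants. The following Python is an added example, not code from the slides or from Whitman and Mattord, that implements that sequence for a small access-control service and records every decision so each action can be attributed to a named user. The users, passwords, asset name and permission table are constructed for the example; the password hashing uses PBKDF2-HMAC-SHA256 from the standard library with an illustrative iteration count.

```python
# Added example (not from the slides or the textbook): identification ->
# authentication -> authorization, with an audit record of each decision.
# Users, credentials, the asset and the permission table are constructed.
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def _hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 with a per-user salt; the iteration count is illustrative only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class User:
    name: str
    salt: bytes
    pw_hash: bytes


@dataclass
class AccessControl:
    users: Dict[str, User] = field(default_factory=dict)
    # asset -> user name -> set of explicitly granted actions
    acl: Dict[str, Dict[str, Set[str]]] = field(default_factory=dict)
    # (claimed name, asset, action, outcome) for every request
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def register(self, name: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = User(name, salt, _hash_password(password, salt))

    def grant(self, asset: str, name: str, action: str) -> None:
        self.acl.setdefault(asset, {}).setdefault(name, set()).add(action)

    def identify(self, name: str) -> Optional[User]:
        """Identification: does the system recognise this user at all?"""
        return self.users.get(name)

    def authenticate(self, name: str, password: str) -> Optional[User]:
        """Authentication: prove the caller holds the identity they claim."""
        user = self.identify(name)
        if user is None:
            return None
        if not hmac.compare_digest(_hash_password(password, user.salt), user.pw_hash):
            return None
        return user

    def authorize(self, user: User, asset: str, action: str) -> bool:
        """Authorization: only for an authenticated user, only explicit grants."""
        return action in self.acl.get(asset, {}).get(user.name, set())

    def request(self, name: str, password: str, asset: str, action: str) -> str:
        """Run the full sequence; every outcome is logged for accountability."""
        user = self.authenticate(name, password)
        if user is None:
            outcome = "denied: authentication failed"
        elif not self.authorize(user, asset, action):
            outcome = "denied: not authorized"
        else:
            outcome = "allowed"
        self.audit.append((name, asset, action, outcome))
        return outcome


def build_demo() -> AccessControl:
    """Constructed users and grants for the example."""
    ac = AccessControl()
    ac.register("alice", "correct horse")
    ac.register("bob", "battery staple")
    ac.grant("ledger", "alice", "read")
    ac.grant("ledger", "alice", "update")
    ac.grant("ledger", "bob", "read")
    return ac


if __name__ == "__main__":
    ac = build_demo()
    print(ac.request("alice", "correct horse", "ledger", "update"))  # allowed
    print(ac.request("bob", "battery staple", "ledger", "update"))   # denied: not authorized
    print(ac.request("bob", "wrong password", "ledger", "read"))     # denied: authentication failed
    for entry in ac.audit:
        print(entry)
```

Two design points follow the slide's definitions. An unknown name and a wrong password both yield the same "authentication failed" outcome, so the response does not reveal which of identification or authentication broke down. Authorization is never consulted unless authentication succeeded, and the absence of a grant means denial; there is no default permission.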


Key Concepts of Information Security (contd.)

Accountability
- Exists when a control provides assurance that every activity undertaken can be attributed to a named person or automated process

Reference

Whitman M., Mattord H., Management of Information Security