
Enrolling the fifth column

Enrolling the fifth column. Structure and standards in an MSc Module. Danny Dresner daniel.dresner@ncc.co.uk. History. University of Manchester The Industrial Liaison Panel School of Computing Science CS639 Computer Security Budget Materials, lecturers, marking Planned . . . 84 hours


Presentation Transcript


  1. Enrolling the fifth column • Structure and standards in an MSc Module • Danny Dresner, daniel.dresner@ncc.co.uk

  2. History • University of Manchester • The Industrial Liaison Panel • School of Computing Science • CS639 Computer Security • Budget • Materials, lecturers, marking • Planned . . . 84 hours • Actual (to date) . . . 161 hours • Two months @ 4:45 a.m. • (Definitely an IT project!) • Out of research . . .

  3. The National Computing Centre • Founded in 1966 • The UK’s foremost membership organization for IT Users • Principia/IITT/Certus/CIO-Connect/Impact • Mission to promote the more effective use of IT • 1000 member organisations in UK • Representing £billions in turnover • Private and public sectors • Voice of the IT user • Focus: identifying, creating, disseminating best practice across all areas of IT • Not for profit/limited by guarantee • Certificated ISO 9001/TickIT BS 7799 Part 2 • Security Special interest group • Events and Training • NCC Guidelines • Method for mitigating IS operational risk • Best Practice Guides • BS 7799 Implementation method • Secure Web Hosting • Consumer Assurance Framework for Electronic Commerce • Research reports • The first breaches survey • Actual practice • Risk management

  4. Manage the risks with standards • Computer Security • Military Intelligence • The laws of thermodynamics* • But you can manage the risks . . . • Body of knowledge for mitigating risks: standards • Theory: Don't teach security, teach risk management • * You can’t win . . . you can’t even break even

  5. BS 7799 Structure: think systems • Security Policy • Security Organisation • Asset Classification and Control • Personnel Security • Physical and Environmental Security • Communications and Operations Management • Access Control • System Development and Maintenance • Business Continuity Management • Compliance

  6. Focus on operational processes • Business focused • Recognised best practice for information security: BS 7799 • What students can get out of this . . . • Good understanding of how to define system security requirements • Be able to prioritise requirements, and match requirements to solutions and countermeasures commensurate with associated risks • Good understanding of the correlation of business processes to technology in relation to security requirements • Familiarity with the relevant industry security standards, regulations, and their application

  7. Fear • Systems approach would scare off the computer science ‘techies’ • Dr. Ning Zhang ready with encryption algorithms and firewall theory • But still a soft systems approach overall • Did it put them off?

  8. Students

  9. Take up and make up • 60 students of the Advanced Computing Science MSc • 44 on Computer Security • 2 external • 2 engineering • 1 PhD student just for the lectures • International

  10. Structure of the course • Preparation (40 hours) • Get to grips with the case studies • Real systems • (No lab.) • Lectures • 4 * 9:30 to 17:00 • 1 * 9:30 to 13:00 • Daily question sheet • Guest speakers • McAfee, NCC Group, IRM, Cisco • (Employment prospects; tomorrow’s purchasers) • Assignment (40 hours) • Information assurance plan • (No exam.)

  11. Focus the standard(s) Coursework

  12. What did the teacher learn? • Student participation • Not using 'assignment sessions' • Then many questions up to the deadline • Apparently little preparation was done during the preparation week • Treating the assignment as an exam and not a case study. • What were the goals of the assignment? • How well did the students do? • Seeing security requirements as passwords and firewalls

  13. Conclusions • Security through risk management • More role play to get in tune with the assignment • Successful for getting to grips with inspections • Still need to differentiate tools and techniques from requirements • Emphasis on not trying things at home! • The fifth column is on the march!

  14. Questions? • Danny Dresner, daniel.dresner@ncc.co.uk
