Effective: Early Spring 8-Week 2018/2019

CISS 391: Information Systems Security


  Course Description

Introduction to information systems security issues associated with formal and informal systems' protection, detection and responses.

Prerequisite: junior standing

Proctored Exams: Midterm and Final



  • Whitman, M. & Mattord, H. (2016). Principles of Information Security (5th). Australia: Delmar.  
    • [ISBN-978-1285448367]

MBS Information

Textbooks for the course may be ordered from MBS Direct. You can order

For additional information about the bookstore, visit http://www.mbsbooks.com.

  Course Overview

This course will provide an overview of various Information Systems security threats and the related means to help establish counter measures.

We will examine the framework of three kinds of systems – technical, formal, and informal – and the relationships between the three systems.

The course will also explore the core technical system security requirements of an organization and the various security models.

  Technology Requirements

Participation in this course will require the basic technology for all online classes at Columbia College:
  • A computer with reliable Internet access
  • A web browser
  • Acrobat Reader
  • Microsoft Office or another word processor such as Open Office

You can find more details about standard technical requirements for our courses on our site.

  Course Learning Outcomes

  1. Demonstrate a basic understanding of cryptography used in IT security.
  2. Demonstrate an understanding of ethical hacking.
  3. Demonstrate an understanding of IT security governance and management.
  4. Conduct risk assessment and auditing.
  5. Apply security controls to maintain confidentiality, integrity and availability.


Grading Scale

Grade Points Percent
A 936-1040 90-100%
B 832-935 80-89%
C 728-831 70-79%
D 624-727 60-69%
F 0-623 0-59%

Grade Weights

Assignment Category Points Percent
Discussion Posts and Responses (16) 240 23%
Quizzes (6) 120 12%
Dropbox Assignments (6) 180 17%
Paper Assignment 100 10%
Midterm Exam 200 19%
Final Exam 200 19%
Total 1040 100%

  Schedule of Due Dates

Week 1

Assignment Points Due
Introduction Discussion - Wednesday
Discussion 1 15 Wednesday/Friday
Discussion 2 15 Friday/Sunday
Dropbox Assignment 1 30 Saturday
Quiz 1 20 Sunday

Week 2

Assignment Points Due
Discussion 3 15 Wednesday/Friday
Discussion 4 15 Friday/Sunday
Dropbox Assignment 2 30 Saturday
Quiz 2 20 Sunday
Proctor Information N/A

Week 3

Assignment Points Due
Discussion 5 15 Wednesday/Friday
Discussion 6 15 Friday/Sunday
Dropbox Assignment 3 30 Saturday
Quiz 3 20 Sunday

Week 4

Assignment Points Due
Discussion 7 15 Wednesday/Friday
Discussion 8 15 Friday/Sunday
Midterm Exam 200 Sunday

Week 5

Assignment Points Due
Discussion 9 15 Wednesday/Friday
Discussion 10 15 Friday/Sunday
Dropbox Assignment 4 30 Saturday
Quiz 4 20 Sunday

Week 6

Assignment Points Due
Discussion 11 15 Wednesday/Friday
Discussion 12 15 Friday/Sunday
Dropbox Assignment 5 30 Saturday
Quiz 5 20 Sunday

Week 7

Assignment Points Due
Discussion 13 15 Wednesday/Friday
Discussion 14 15 Friday/Sunday
Dropbox Assignment 6 30 Saturday
Quiz 6 20 Sunday

Week 8

Assignment Points Due
Discussion 15 15 Wednesday/Friday
Discussion 16 15 Friday/Saturday
Paper Assignment 100 Saturday
Final Exam 200 Saturday
Total Points: 1040

  Assignment Overview


Discussions

There is an Introduction Discussion in Week 1 and sixteen (16) discussion assignments in the course, with two (2) questions assigned per week. Your additional reply (a minimum of one added post to another student's post or one from the instructor) must add to the discussion. Each discussion is set so that you must post your original thoughts before reading the posts of your classmates.

Each question is worth 10 points and the additional response is worth 5 points. This will be graded according to the Discussion grade criteria table. This is 23% of your final grade. Initial postings should be completed by 11:59 p.m. CT, Wednesday (Question 1) and 11:59 p.m. CT, Friday (Question 2) of the respective week. Additional responses are due by 11:59 p.m. CT, Friday (Question 1) and 11:59 p.m. CT, Sunday (Question 2), except for Week 8 (Question 2), where the due date is 11:59 p.m. CT, Saturday. It is okay to post your responses before the deadline. Late submissions will not be accepted.

You must post an initial response to the question that is well written, on topic, with sufficient detail to demonstrate an understanding of the topic, and that contains a minimum of 150 words (more is better!). Additional responses must be well written and contain a minimum of 2-3 solid sentences. Just an "I agree" or "Good job" is not an acceptable reply. No defined format is required for the responses, but you must format your references using APA or MLA.

Dropbox Assignments

There are six Dropbox Assignments in the course. They should be completed by 11:59 p.m. CT, Saturday of the assigned week. Your submissions should be of at least 250 words. Submissions must be formatted using either APA or MLA guidelines. You must have at least one reference for your work. This requires original work so avoid using quotations from any sources unless you need to use one to make a point (the length of the quote will not count toward the 250 words).

Assignments will be graded as per the rubric provided in the content area of D2L. Total possible points are 30 points each, adding to 180 points for 6 assignments.

Late submissions will result in deductions of 10% of the points per day up to a maximum of 4 days. After 4 days (11:59 p.m. CT, Wednesday) the assignment will not be accepted unless an arrangement has been made with the instructor prior to the Saturday deadline. No late assignments are accepted in the final week of the course.

Paper Assignment

The Paper Assignment should be completed by 11:59 p.m. CT, Saturday of Week 8 (prior to the course end). It should be at least 10 pages in length and is worth 100 points. (Note: The cover page and reference page do not count. Excessive line spacing will be removed during assessment.)

Your paper must be presented in APA or MLA format. You should include a minimum of 2-3 references for each policy. The work must be original (all papers are checked for originality).


Quizzes

There are six (6) quizzes, one in each non-exam week. Each quiz opens at 12:01 a.m. CT, Monday and is due by 11:59 p.m. CT, Sunday of the assigned week. These are worth 20 points each. The quizzes will consist of 10 questions taken from the chapters covered during the week. Questions will be in multiple choice format. The quiz is open book, but it is timed, so it is recommended that you read the chapters prior to the quiz to avoid running out of time while looking up every answer. There are no extensions for quizzes, as you have the entire week to complete each quiz. Avoid waiting until the final minutes on Sunday to take the quiz. If, in a rare circumstance, an extension is needed, you must make arrangements prior to 11:59 p.m. CT, Friday of the week of the quiz. You have 15 minutes to complete each quiz. You are allowed one (1) attempt to complete the quiz.


Proctored Exams

There are two proctored exams in the course, the Midterm Exam and the Final Exam, each worth 200 points. Each exam will consist of 50 multiple choice questions. The Midterm Exam covers Chapters 1-7. The Final Exam covers Chapters 8-12. Questions will be based on information taken directly from the textbook. Please read all your assigned chapters prior to taking the exam. The Midterm Exam opens at 12:01 a.m. CT, Monday of Week 4 and closes at 11:59 p.m. CT, Sunday of the same week. The Final opens at 12:01 a.m. CT, Monday of Week 8 and closes at 11:59 p.m. CT, Saturday of the same week. You will take both exams online in the course environment; the only window that can be opened is the exam window. You will have only one (1) attempt and 75 minutes for each exam. Additional information about proctoring is located in the Content area of the course.

  Course Outline

Week 1

Chapter 1: Introduction to Information Security
Introduction Discussion

Introduce yourself in a few lines. Please share a bit of information about yourself here and feel free to welcome some of your classmates when they introduce themselves.

Discussion 1

Information has many characteristics and this is what helps us determine its value when we are using it to meet our needs. Two people can look at the same information and place different importance levels on each of the characteristics. Identify each of the critical characteristics of information. Select the two that stand out in your mind and provide a description of each in your own words. Why were these top two on your list? Read and respond to another student’s submissions for this topic.

Discussion 2

Everyone has the responsibility to protect the network and data within the organization. For the most part, this means being careful with passwords and refraining from activities such as opening emails from unknown senders and navigating to suspicious websites that can introduce risk to the network. However, there are specific roles that are dedicated to defending the network beyond these basic precautions. Identify and briefly describe the 7 member types of an information security project team. Discuss, in detail, the role of one and why you see this role as a key to success. (If you have filled one of these roles, you can discuss your responsibilities and how you worked with the others on the team.) Read and respond to another student's submissions for this topic.

Dropbox Assignment 1

Read the opening scenario (pages 1-2) and the Case Exercises section (page 42). Respond to two of the three discussion questions below (taken from page 42 of the text):

  • Do you think this event was caused by an insider or outsider? Explain your answer.
  • Other than installing virus and worm control software, what can SLS do to prepare for the next incident?
  • Do you think this attack was the result of a virus or a worm? Explain your answer.
Quiz 1

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 1 will be based on chapter 1.


Week 2

Chapter 2: The Need for Security

Chapter 4: Planning for Security

Discussion 3

Organizations spend a great deal of resources to ensure the network is protected. In addition to the technical implementations that are focused on security, the organization develops policies and procedures that augment the tools that are put into place. Despite these efforts there are still breaches in the network. Why are employees one of the greatest threats to information security? How can we reduce this weakness in our organization’s security posture? Should an organization apply sanctions for those that fail to follow policy? Read and respond to another student’s submissions for this topic.

Discussion 4

If an organization is going to have a chance at a successful security program they need to develop policies that provide direction for all security efforts and guide the conduct of the users. These policies need to be well written to provide the organization with solid guidance to support their security objectives. Identify and briefly describe the three types of security policies. Your response should include a discussion of where each should be used. Where should policy writers look to find supporting material when developing the policies for their organization? Read and respond to another student’s submissions for this topic.

Dropbox Assignment 2

Submit a review of a recent article (published within 2 years of this week) related to cyber-attacks on either individuals or corporations. At the top of your response, clearly identify the category or categories of threat that your article covers (see page 52, Table 2.2 for categories). Identify the article title, author, and link to the article at the end of your response (2 points deducted for missing this piece). You must cite and quote any existing work and keep the total of all quotes to less than 10% of your paper. Quoted material does not count toward the 250 original words requirement.

Quiz 2

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 2 will be based on chapters 2 and 4.

Proctor Information
Submit your proctor form to the appropriate Dropbox folder by the end of the week. Remember to “Save” the form before placing it in Dropbox. See the Content area for more information.

Week 3

Chapter 3: Legal, Ethical, and Professional Issues in Information Security

Chapter 5: Risk Management

Discussion 5

People are going to be people! Every organization has a mixture of employees that are going to put varying levels of effort into understanding policies, laws, and regulations and, more importantly, they each make decisions on which they will follow to the letter, use as a general guide, or completely ignore. This can be concerning to the leadership of an organization. Briefly describe the three general causes of unethical and illegal behavior. What can an organization do to prevent these behaviors? Can the organization expect to have 100% compliance after implementing a program to promote ethical behavior? Read and respond to another student's submissions for this topic.

Discussion 6

Risk is unavoidable and yet we tend to be reactive in nature and not proactive. A risk management plan is the best means to address the risks the organization faces. This is a continuous process and must be managed, which means resources must be applied. How does the Cost Benefit Analysis fit into Risk Management? Why is this important? Can some aspects of risk management be cut to save money? Why or why not? Read and respond to another student’s submissions for this topic.

Dropbox Assignment 3

Identify and describe the 5 criteria needed to make a policy enforceable. Place them in the order of importance (from your point of view). Why did you put your number one choice in that position?

Quiz 3

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 3 will be based on chapters 3 and 5.


Week 4

Chapter 6: Security Technology: Firewalls and VPNs

Chapter 7: Security Technology: Intrusion Detection and Prevention Systems and Other Security Tools

Discussion 7

Granting access to a system requires more than simply setting up an account for the user. To properly protect the organization's information, the user should only have access to the portions of the system or systems that are necessary to perform their duties. The successful hacks we read about in the news are made possible by a lack of properly established controls. Discuss access control. Describe some of the approaches that are commonly used to control access to a system. Why are there so many approaches? Read and respond to another student's submissions for this topic.
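To make the "why so many approaches" question concrete, here is an added example (not from the textbook or the course materials) that implements three common models side by side with hypothetical users, files and roles: discretionary (the owner decides, via an ACL), mandatory (fixed clearance and classification labels, Bell-LaPadula style "no read up, no write down"), and role-based (permissions attach to roles rather than people). The combined check shows how the models answer different questions and can contradict each other: the owner of a Confidential file is still refused a write-down by the label rule, and a helpdesk user gets to a file without anyone ever editing its ACL.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Clearance and classification levels for the mandatory (MAC) check.
const (
	Public       = 0
	Confidential = 1
	Secret       = 2
)

type Subject struct {
	Name      string
	Clearance int
	Roles     map[string]bool
}

type Object struct {
	Name           string
	Owner          string
	Classification int
	ACL            map[string]map[string]bool // user -> op -> allowed (DAC)
}

// RolePerm maps role -> op -> object name -> allowed (RBAC).
type RolePerm map[string]map[string]map[string]bool

// Discretionary: the owner is always allowed, anyone else needs an ACL entry
// that the owner chose to add.
func dacAllows(s Subject, o Object, op string) bool {
	return s.Name == o.Owner || o.ACL[s.Name][op]
}

// Mandatory, Bell-LaPadula style: no read up, no write down. Neither the
// owner nor the subject can override a label; only an administrator relabels.
func macAllows(s Subject, o Object, op string) bool {
	switch op {
	case "read":
		return s.Clearance >= o.Classification
	case "write":
		return s.Clearance <= o.Classification
	}
	return false
}

// Role-based: permissions attach to roles and subjects are assigned roles,
// so joiners and leavers change one mapping instead of every ACL.
func rbacAllows(s Subject, o Object, op string, rp RolePerm) bool {
	for role := range s.Roles {
		if rp[role][op][o.Name] {
			return true
		}
	}
	return false
}

// Allowed layers the three: the label check is a hard boundary, and inside it
// either an owner's discretionary grant or a role grant is sufficient.
func Allowed(s Subject, o Object, op string, rp RolePerm) bool {
	return macAllows(s, o, op) && (dacAllows(s, o, op) || rbacAllows(s, o, op, rp))
}

// Demo evaluates a constructed set of requests (hypothetical users, files and
// roles, not real data) and returns each decision keyed "subject:op:object".
func Demo() map[string]bool {
	subjects := map[string]Subject{
		"alice": {"alice", Secret, map[string]bool{"analyst": true}},
		"bob":   {"bob", Confidential, map[string]bool{"helpdesk": true}},
		"carol": {"carol", Public, nil},
	}
	objects := map[string]Object{
		"payroll":  {"payroll", "bob", Confidential, map[string]map[string]bool{"alice": {"read": true}}},
		"incident": {"incident", "alice", Secret, nil},
		"tickets":  {"tickets", "system", Public, nil},
	}
	roles := RolePerm{
		"helpdesk": {"read": {"tickets": true}, "write": {"tickets": true}},
		"analyst":  {"read": {"incident": true}},
	}
	requests := []string{
		"alice:read:payroll",  // owner bob put alice on the ACL; label check passes
		"alice:write:payroll", // MAC forbids a Secret subject writing down, ACL or not
		"bob:write:payroll",   // owner, same level
		"bob:read:incident",   // no read up, whatever an ACL might say
		"carol:read:payroll",  // no clearance
		"bob:read:tickets",    // no ACL entry, but the helpdesk role grants it
		"alice:read:tickets",  // no ACL entry and no role covers it
	}
	out := map[string]bool{}
	for _, r := range requests {
		p := strings.Split(r, ":")
		out[r] = Allowed(subjects[p[0]], objects[p[2]], p[1], roles)
	}
	return out
}

func main() {
	d := Demo()
	keys := make([]string, 0, len(d))
	for k := range d {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%-20s %v\n", k, d[k])
	}
}
```

The ordering in Allowed is the design choice worth noticing: the label rule is evaluated first and cannot be bypassed by ownership or role, which is exactly the property that makes mandatory controls useful for classified material and frustrating for everyday file sharing.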

Discussion 8

We have heard stories about successful hacks into a network and the resulting damage that these cause an organization. In some cases, not only is the hack successful but it goes undetected for some time. The longer a hack goes unnoticed, the more damage that can be caused and the less likely that the perpetrator can be traced. Briefly discuss traditional intrusion detection, honeynets, and honeypots. If you were approached with a recommendation to make use of only one of these approaches, what would your decision be and why? Read and respond to another student’s submissions for this topic.
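The three approaches in this prompt differ in what they need to know in advance and how confident an alert is. The following added example (constructed for this page, not taken from the textbook) runs each of them over a dozen made-up access-log lines in a simplified "<client ip> <status> <path>" format: signature detection matches known-bad request patterns, anomaly detection flags a client whose 404 count departs from normal behaviour (the threshold is an assumption), and a honeypot path that no legitimate user is ever given a link to turns a single hit into a high-confidence alert without any signature.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Alert is one detection. Kind is "signature", "anomaly" or "honeypot".
type Alert struct {
	Kind   string
	Source string
	Detail string
}

// sampleLog is constructed for this example ("<client ip> <status> <path>");
// it is not a real server's log.
var sampleLog = []string{
	"10.0.0.5 200 /index.html",
	"10.0.0.5 200 /login",
	"203.0.113.9 404 /wp-admin",
	"203.0.113.9 404 /phpmyadmin",
	"203.0.113.9 404 /.env",
	"203.0.113.9 404 /backup.zip",
	"203.0.113.9 404 /admin.php",
	"203.0.113.9 404 /config.php",
	"198.51.100.7 200 /search?q=' OR 1=1--",
	"198.51.100.7 200 /download?file=../../etc/passwd",
	"192.0.2.44 200 /decoy-admin/console",
	"10.0.0.5 200 /dashboard",
}

// Signature detection: known-bad patterns. Precise, but it only catches what
// someone has already written a rule for.
var signatures = []struct {
	Name string
	Re   *regexp.Regexp
}{
	{"sql-injection", regexp.MustCompile(`(?i)'\s*or\s+1=1`)},
	{"path-traversal", regexp.MustCompile(`\.\./`)},
}

// Anomaly detection: a source producing this many not-found responses is
// behaving unlike a normal client. The threshold is an assumption for the
// example; a real system would learn a baseline.
const notFoundThreshold = 5

// Honeypot: a decoy path (hypothetical name) that nothing legitimate links
// to, so one hit is a high-confidence alert with no signature needed.
const decoyPrefix = "/decoy-admin/"

// Analyze applies all three detectors to the given log lines.
func Analyze(lines []string) []Alert {
	var alerts []Alert
	notFound := map[string]int{}
	for _, line := range lines {
		f := strings.SplitN(line, " ", 3)
		if len(f) != 3 {
			continue
		}
		src, status, path := f[0], f[1], f[2]
		for _, sig := range signatures {
			if sig.Re.MatchString(path) {
				alerts = append(alerts, Alert{"signature", src, sig.Name + ": " + path})
			}
		}
		if strings.HasPrefix(path, decoyPrefix) {
			alerts = append(alerts, Alert{"honeypot", src, "decoy touched: " + path})
		}
		if status == "404" {
			notFound[src]++
		}
	}
	for src, n := range notFound {
		if n >= notFoundThreshold {
			alerts = append(alerts, Alert{"anomaly", src, fmt.Sprintf("%d not-found responses, likely scanning", n)})
		}
	}
	return alerts
}

func main() {
	for _, a := range Analyze(sampleLog) {
		fmt.Printf("%-9s %-13s %s\n", a.Kind, a.Source, a.Detail)
	}
}
```

On this input the scanner at 203.0.113.9 never trips a signature (its requests are ordinary paths that happen not to exist), the injection attempts from 198.51.100.7 never trip the anomaly counter (two requests, both 200), and only the honeypot catches 192.0.2.44, which is the case for running more than one of them.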

Midterm Exam

The midterm is a closed book, proctored exam consisting of 50 multiple-choice questions. You will have 75 minutes and only one attempt to complete the exam. It is worth 200 points and is based on chapters 1-7.


Week 5

Chapter 8: Cryptography

Discussion 9

From the early Egyptians to the Code Talkers of World War II to the present-day Advanced Encryption Standard, we have a long history of trying to make it impossible to read messages if you are not the intended recipient. Discuss the history of cryptography, making sure you point out some of the more significant milestones. Close out by describing the latest encryption standard recommended by the National Institute of Standards and Technology (NIST). Have we reached the ultimate in encryption? Why or why not? Read and respond to another student's submissions for this topic.

Discussion 10

We have a need to protect our transmissions, but we do not want to wait for the encryption and decryption process to complete. Today’s systems have the horsepower to provide the processing speeds to handle sophisticated encryption methods. Now convenience is a factor when building systems that employ encryption. Describe symmetric and asymmetric encryption. What are the advantages and disadvantages of each? Why is it best to use a combination of the two? Read and respond to another student’s submissions for this topic.

Dropbox Assignment 4

Find a recent article (within two years of this date) that discusses an encryption tool or compares encryption tools. Provide a brief summary of the article and close out by making a case for using the tool.

Quiz 4

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 4 will be based on chapter 8.


Week 6

Chapter 9: Physical Security

Chapter 10: Implementing Information Security

Discussion 11

Securing our information systems involves a great deal of knowledge of technology, the tactics of the hackers, policies, procedures, regulations, project management, and physical security. Yes, physical security, which includes everything from locks, to dogs, to alarms, to fire suppression. These elements play a critical role in ensuring that the facility is safe. Discuss the importance of physical security in protecting our information systems. Select one of the major controls listed on page 478 and share your thoughts on why it would be one of the controls that you would employ if you were the decision authority for physical security. Include the value of fire detection and suppression capabilities in your response. Read and respond to another student's submissions for this topic.

Discussion 12

When developing a system, it is important to build in the security element from the beginning. When security is integrated from start to finish, the system has a greater chance of keeping the hackers out. Unfortunately, this costs money and requires knowledge of security, both of which are often in short supply. Security teams must ensure that new and updated systems meet the requirements identified to maintain a strong security posture before they are implemented onto the network. Discuss the value of accrediting systems to process information. How does the Risk Management Framework add value to making our information systems more secure? If this process was applied to your home network, what level of risk would you be willing to accept? Read and respond to another student's submissions for this topic.

Dropbox Assignment 5

Read the Chapter 10 Case Study on pages 505-06 and continued on pages 544-45. Respond to the 3 questions on page 545.

Quiz 5

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 5 will be based on chapters 9 and 10.

Course Evaluation
Please evaluate the course. You will have an opportunity to evaluate the course near the end of the session. A link sent to your CougarMail will allow you to access the evaluation. Please note that these evaluations are provided so that I can improve the course, find out what students perceive to be its strengths and weaknesses, and in general assess the success of the course. Please do take the time to fill this out.

Week 7

Chapter 11: Security and Personnel

Discussion 13

There is a saying that goes something like, "If leadership is not paying attention to something, then no one in the organization will pay attention to it." Cyber security is not an exception to this rule. Leadership must pay attention to this important element and must apply the necessary resources and personnel to maintain a strong posture. Smaller organizations may not be able to afford an executive-level person dedicated to security. Assume a company has no CISO. Who should lead the effort to hire a senior-level, hands-on information security person? Why? You are that person. You have 4 finalists; each finalist is essentially equal in experience and each has a CISSP. One has the CISSP and a Security+; the others each have a CISSP with a single concentration (ISSAP, ISSEP, and ISSMP, respectively). Which one do you select? Why? Read and respond to another student's submissions for this topic.

Discussion 14

Not all hackers have a goal to cause damage or steal valuable information from an organization. We are aware of the bad guys that have infiltrated organizations such as OPM, Target, and Sony. These hackers are the reason we spend so much time and money protecting our systems. There are other hackers that do hack into networks but do not steal or cause damage. What is a Certified Ethical Hacker? How do the activities of someone in this role help with securing an organization's systems? As a CEO, would you hire an outside consultant with this certification to attempt to break into your organization's network? Why or why not? Read and respond to another student's submissions for this topic.

Dropbox Assignment 6

Describe the roles and responsibilities of the CISO, the security manager, and the security technician.

Quiz 6

The quiz is open book, consisting of 10 multiple-choice questions. You will have 15 minutes and only one attempt to complete them. Quiz 6 will be based on chapter 11.


Week 8

Chapter 12: Information Security Maintenance

Discussion 15

One consistent fact about technology is that change is inevitable! In some cases, change is frequent and has significant impact on the security posture of a network or a system on the network. If left uncontrolled, all the work and money that an organization put into securing the system will be lost. What should an organization put into place to control change? Why is it important to maintain configuration and change management? What is the impact on information security? Read and respond to another student's submissions for this topic.

Discussion 16

The importance of managing risk cannot be over emphasized. There is no such thing as having a 100% solution to securing your network. Given the fact that no organization has an unlimited amount of money and personnel that they can apply to securing the network, there is a level of risk that must be accepted. This is a balance of the type and sensitivity of the information being secured and the amount of resources available to apply to securing it. Identify and discuss the three primary areas of information security risk management. Since we must apply resources to each, what is the value that each brings to the organization’s successful security implementation? Read and respond to another student’s submissions for this topic.

Paper Assignment

Write 3 policies, each geared to a different type of organization. The primary introduction for this topic is in Chapter 4 of the textbook. However, you can conduct some additional research to gain a better understanding of these policies.

The first policy is an Enterprise Information Security Policy (EISP). Write this policy from the perspective that you are part of a large medical organization that stores patient history on your network. Use the components of an EISP as described in Table 4-1 on page 164 of the textbook.

The second policy is an Issue-Specific Security Policy (ISSP). You will write an Independent ISSP that is tailored to a specific issue. You may choose any one of the 10 topics listed at the top of page 165 of the textbook as your Issue-Specific topic. Write this policy from the perspective of the manager of a department within an organization that works with highly classified material on a regular basis. Use the components of an ISSP as described in Table 4-2 on page 166 of the textbook.

The third policy is also an Issue-Specific Security Policy (ISSP). Select a different topic from the same list on page 165 of your text. In this case, write the policy from the perspective of a manager that has no employees located in the main building of the organization. All employees in this department work from home and are spread throughout the country. They must access the company’s servers and storage for information to do their jobs. This information is sensitive to the company but not highly classified. Use the components of an ISSP as described in Table 4-2 on page 166 of the textbook.

Final Exam

The final exam is a closed book, proctored exam consisting of 50 multiple choice questions. You will have 75 minutes and only one attempt to complete the exam. It is worth 200 points and is based on chapters 8 - 12.

  Course Policies

Student Conduct

All Columbia College students, whether enrolled in a land-based or online course, are responsible for behaving in a manner consistent with Columbia College's Student Conduct Code and Acceptable Use Policy. Students violating these policies will be referred to the office of Student Affairs and/or the office of Academic Affairs for possible disciplinary action. The Student Code of Conduct and the Computer Use Policy for students can be found in the Columbia College Student Handbook. The Handbook is available online; you can also obtain a copy by calling the Student Affairs office (Campus Life) at 573-875-7400. The teacher maintains the right to manage a positive learning environment, and all students must adhere to the conventions of online etiquette.


Plagiarism

Your grade will be based in large part on the originality of your ideas and your written presentation of these ideas. Presenting the words, ideas, or expression of another in any form as your own is plagiarism. Students who fail to properly give credit for information contained in their written work (papers, journals, exams, etc.) are violating the intellectual property rights of the original author. For proper citation of the original authors, you should reference the appropriate publication manual for your degree program or course (APA, MLA, etc.). Violations are taken seriously in higher education and may result in a failing grade on the assignment, a grade of "F" for the course, or dismissal from the College.

Collaboration conducted between students without prior permission from the instructor is considered plagiarism and will be treated as such. Spouses and roommates taking the same course should be particularly careful.

All required papers may be submitted for textual similarity review to Turnitin.com for the detection of plagiarism. All submitted papers may be included in the Turnitin.com reference database for the purpose of detecting plagiarism. This service is subject to the Terms and Conditions of Use posted on the Turnitin.com site.


Non-Discrimination

There will be no discrimination on the basis of sex, race, color, national origin, sexual orientation, religion, ideology, political affiliation, veteran status, age, physical handicap, or marital status.

Student Accessibility Resources

Students with documented disabilities who may need academic services for this course are required to register with the office of Student Accessibility Resources. Until the student has been cleared through this office, accommodations do not have to be granted. If you are a student who has a documented disability, it is important for you to read the entire syllabus as soon as possible. The structure or the content of the course may make an accommodation not feasible. Student Accessibility Resources is located in Student Affairs in AHSC 215 and can be reached by phone at (573) 875-7626 or email at sar@ccis.edu.

Online Participation

You are expected to read the assigned texts and participate in the discussions and other course activities each week. Assignments should be posted by the due dates stated on the grading schedule in your syllabus. If an emergency arises that prevents you from participating in class, please let your instructor know as soon as possible.

Attendance Policy

Attendance for a week will be counted as having submitted any assigned activity for which points are earned. Attendance for the week is based upon the date work is submitted. A class week is defined as the period of time between Monday and Sunday (except for Week 8, when the work and the course will end on Saturday at midnight). The course and system deadlines are based on the Central Time Zone.

Cougar Email

All students are provided a CougarMail account when they enroll in classes at Columbia College. You are responsible for monitoring email from that account for important messages from the College and from your instructor. You may forward your Cougar email account to another account; however, the College cannot be held responsible for breaches in security or service interruptions with other email providers.

Students should use email for private messages to the instructor and other students. The class discussions are for public messages so the class members can each see what others have to say about any given topic and respond.

Late Assignment Policy

An online class requires regular participation and a commitment to your instructor and your classmates to regularly engage in the reading, discussion and writing assignments. Although most of the online communication for this course is asynchronous, you must be able to commit to the schedule of work for the class for the next eight weeks. You must keep up with the schedule of reading and writing to successfully complete the class.

No late discussion posts will be accepted.

Refer to the Assignment Overview above for late assignment policy details for Dropbox Assignments and Quizzes.

Course Evaluation

You will have an opportunity to evaluate the course near the end of the session. A link will be sent to your CougarMail that will allow you to access the evaluation. Be assured that the evaluations are anonymous and that your instructor will not be able to see them until after final grades are submitted.

Proctor Policy

Students taking courses that require proctored exams must submit their completed proctor request forms to their instructors by the end of the second week of the session. Proctors located at Columbia College campuses are automatically approved. The use of ProctorU services is also automatically approved. The instructor of each course will consider any other choice of proctor for approval or denial. Additional proctor choices the instructor will consider include: public librarians, high school or college instructors, high school or college counseling services, commanding officers, education service officers, and other proctoring services. Personal friends, family members, athletic coaches and direct supervisors are not acceptable.

  Additional Resources

Orientation for New Students

This course is offered online, using course management software provided by Desire2Learn and Columbia College. The course user guide provides details about taking an online course at Columbia College. You may also want to visit the course demonstration to view a sample course before this one opens.

Technical Support

If you have problems accessing the course or posting your assignments, contact your instructor, the Columbia College Helpdesk, or the D2L Helpdesk for assistance. Contact information is also available within the online course environment.

Online Tutoring

Smarthinking is a free online tutoring service available to all Columbia College students. Smarthinking provides real-time online tutoring and homework help for Math, English, and Writing. Smarthinking also provides access to live tutorials in writing and math, as well as a full range of study resources, including writing manuals, sample problems, and study skills manuals. You can access the service from wherever you have a connection to the Internet. I encourage you to take advantage of this free service provided by the college.

Access Smarthinking through CougarTrack under Students -> Academics -> Academic Resources.