
University of Ontario Institute of Technology

Master of Information Technology Security 1

Program Proposal for

Master of Information Technology Security

Submission to Post-secondary Education Quality Assessment Board

February 3, 2004

1 ORGANIZATION AND PROGRAM INFORMATION

1.1 Submission Title Page

Full Legal Name of Organization: University of Ontario Institute of Technology

Operating Name of Organization: University of Ontario Institute of Technology

Common acronym of Organization: UOIT

URL for Organization Homepage: www.uoit.ca

Degree Level and Type to be awarded for program or part of program: Master of Information Technology Security (MITS)

Proposed Degree Title: Information Technology Security

Proposed Degree Nomenclature: M.I.T.S.

Date of Submission: February 2, 2004

Location where program to be delivered: University of Ontario Institute of Technology, 2000 Simcoe St. N., Oshawa, ON L1H 7K4

Contact Information:

Person responsible for this submission: Dr. Bernadette Schell, Dean, School of Business and Information Technology, University of Ontario Institute of Technology, 2000 Simcoe Street North, Oshawa, Ontario, L1H 7K4

Tel: 905-721-3158

Fax: 905-721-3140

E-mail: [email protected]

1.2 Table of Contents

1. Title Page
    1.1 Title Page
    1.2 Table of Contents
4. Program Degree-Level Standard
    4.1 Program Degree-Level Standard Summary
6. Program Content Standard
    6.3 Program Comparison Statement
    6.3.1 – 6.3.5 Tables: Program Comparison
    6.6.1 Table: Course Descriptions and Learning Outcomes
8. Capacity to Deliver Standard
    8.7 Table: Enrolment Projections and Staffing Implications
    8.8.5 Resource Renewal and Upgrading Plans
9. Credential Recognition Standard
    9.1 Program Design and Credential Recognition
    9.2 Consultation

4 PROGRAM DEGREE-LEVEL STANDARD

4.1.1 Degree-Level Summary

UOIT is committed to providing high quality, challenging, research-oriented graduate programs of study which clearly meet and/or exceed the standards required of master's degrees. The MITS program is a graduate professional program as defined in the Handbook for Public Organizations, 7.1.4, and its design is guided by benchmarks described in the Postsecondary Education Quality Assessment Board Handbook for Applicants. This unique MITS program is the first of its kind in Canada and one of a handful of such specialized IT Security graduate degree programs in North America and globally. (These include James Madison University, Mary Washington College, and Idaho State University in the United States and the University of The Hague in the Netherlands.)

Eminently qualified faculty and well-respected educators have reviewed the draft of the MITS program. UOIT's School of Business and Information Technology currently has at least five highly qualified faculty who will deliver the curriculum in interesting and challenging ways and ensure that students are exposed to knowledge at the forefront of the discipline.

The MITS program expects students to advance their knowledge and understanding of complex issues in the field of information technology security and to approach problems in systematic and innovative ways.

Relevant Knowledge and Understanding

The MITS program is designed to enable students to acquire a high level of knowledge and to develop skills to tackle problems in the rapidly evolving information technology security field. The program draft has been reviewed by academics and industry professionals. Each course has been designed to help students develop an understanding of current theory, research, and practice in information technology security. The proposed MITS program not only emphasizes excellence in graduate level business and information technology security knowledge but soundness in transferable skills (i.e., interpersonal relations, leadership and team building, communication, critical analysis and decision making) and in business and IT ethics.

Graduates of the MITS program will engage in a general research-based curriculum and gain a solid foundation of technical knowledge related to the key areas of information technology security. They will have an in-depth understanding of the technological, managerial, social, political, economic, and global issues that affect computer security technology and management.

Skill Development

The MITS program prepares graduates to take the CISSP exam offered by the International Information Systems Security Certification Consortium, Inc., (ISC)². (ISC)² is a not-for-profit consortium and certification organization. It is charged with the responsibility for maintaining various Common Bodies of Knowledge (CBK) for Information Security Professionals, including those for CISSPs (Certificate of Information Systems Security Professionals), and for certifying the minimum acceptable competence for professionals seeking to hold various credentials (also including CISSP and SSCP). The CISSP Certification designations are recognized and honored by the technology industry worldwide. They continue to grow in recognition and stature as a mark of excellence in the industry. Moreover, (ISC)² certifications are required for employment in an ever-increasing number of private and public sector organizations. CISSP and other (ISC)² certifications identify individuals as having demonstrated competence and industry knowledge directly related to job performance by virtue of meeting the examination prerequisites and passing the required examination(s). Clearly, as more and more employers seek and even require one or more of the (ISC)² certifications, these certifications significantly benefit individuals seeking advancement, improved marketability or access to peer networking.

Therefore, the MITS curriculum consists of learning outcomes based on the identified (ISC)² common bodies of knowledge. These outcomes include:

a. To understand the research process in the discipline of information technology security.
b. Demonstrate mastery of the basics of information security by producing a practical, original research paper or case study.
c. Demonstrate mastery of risk assessment, IT infrastructure, and related security policies.
d. Master the content of these 10 Domains in the CISSP exam:
    d.1 Access Control Systems and Methodology
    d.2 Applications and Systems Development
    d.3 Business Continuity Planning
    d.4 Cryptography
    d.5 Law, Investigation and Ethics
    d.6 Operations Security
    d.7 Physical security
    d.8 Security Architecture and Models
    d.9 Security Management Practices
    d.10 Telecommunications, Network and Internet Security
e. Master the content of these Domains in the SANS Security Essentials Course:
    e.1 Risk Assessment and Auditing
    e.2 Host and Network Based Intrusion Detection
    e.3 Honeypots, Firewalls and Perimeter Protection
    e.4 Security Policy
    e.5 Password Management
    e.6 Security Incident Handling
    e.7 Information Warfare and Hacking
    e.8 Web Security
    e.9 Network Fundamentals and IP Concepts and Behaviour
    e.10 Primary Threats for Perimeter Protection
    e.11 PGP, Steganography
    e.12 Anti-viral tools
    e.13 Windows (2000, XP, NT, 98) Security Administration and Auditing
    e.14 IIS Security
    e.15 Unix Security Fundamentals
f. Understand different types of security related issues and applications in various businesses and disciplines.

To achieve the objectives of the program and to enhance students’ learning experiences, it is important for the program to provide students with the necessary hands-on skills and knowledge and opportunities to apply these in original ways. The School of Business and Information Technology will have a Hacker Research Lab, a dedicated space which literally mimics a network setting. Faculty members will incorporate various IT security lab assignments into the MITS courses. For example, groups of students will be assigned to work as either “defense” or “attack” teams. The “defense” team’s role will be to secure its system with available hardware and software tools, while the “attack” team’s role will be to attempt to breach the security system as designed by the “defense” team. This simulated network environment will train our graduate students to better understand IT security from two different perspectives; namely, from that of a technology security officer and from that of a criminally-motivated hacker.

Application

Students will acquire a systematic knowledge of inquiry and research methods, including qualitative and quantitative approaches. They will use technology models and infrastructure to examine and evaluate risks involved in technological applications, and they will be expected to use sound decision-making strategies to solve problems. Students will be called upon to use IT tools and techniques with greater frequency and efficiency as they complete multifaceted assignments and group projects, analyze progressively complex cases and problems and participate in field-based projects.

The IT Security Capstone Research Projects I & II offer students the opportunity to apply core course concepts and techniques to a substantial project in the workplace. The MITS students will understand and be able to apply the best of current practice, but they will also be able to act as managers of transformation to improve that practice as the field evolves. They will be required to work with a faculty member in conducting a research project in areas of IT security. They will be expected to identify a realistic problem or set of problems, and, over two semesters (approximately 7-8 months), to engage in a comprehensive analysis of the problem area(s) to arrive at appropriate solution(s) based on empirical research processes. They will be required to present their findings to a panel of faculty assessors. Their understanding of relevant theory related to IT security technology, their ability to use appropriate qualitative and quantitative methods of analysis and to create and evaluate a range of options, and their research and project management skills will all be challenged during the design and implementation of the project and at the final presentation.

Cognitive Skills

Problem solving, critical analysis, and synthesis are cognitive skills essential to success in any discipline. MITS students are expected to utilize these skills throughout the program and they will be provided with ample opportunities to refine these skills through such delivery models as problem based learning activities, collaborative and independent work, simulation lab exercises, “attack” and “defense” role play in the Hacker Research Lab, written critiques of theory and research, structured debates and discussions in classes, and oral presentations that require justification of decisions. Students will be actively engaged in these intellectual processes as they work with IT security challenges encountered by individuals in the profession. Such realistic and practical assignments will develop and strengthen students’ abilities to critically analyze the information they see, hear and read, to identify assumptions and implicit values, to gather appropriate data to inform and guide decision-making, to propose new hypotheses, to create and assess a range of solutions, to predict risks and to evaluate outcomes. Students will be required to work in teams in appropriate courses; they will be exposed to a variety of perspectives and called upon to listen, assess and incorporate the ideas of others into the problem solving process. Collaborative activities will enable them to pose questions, devise and sustain arguments, and, most importantly, to be active participants in the learning process. While engaged in such interactive processes, they will learn from and contribute to the learning of others.

Lifelong Learning

Realistic case studies and lab exercises, presentations by representatives from the IT industry, and the capstone research projects will expose MITS students to the complexities and challenges of a dynamic and ever-changing IT security field. MITS graduates will work in highly complex and unpredictable environments, across different types of corporations and institutions, with a wide variety of colleagues and clients. Change and ambiguity are normal features of a technological environment and students will develop positive attitudes and pro-active strategies to manage them. Students will come to recognize that a strong base of technology knowledge and management skills, an ability to locate and utilize resources effectively, and a willingness to take informed risks will serve them well in demanding situations and changing environments.

Students will learn how to engage in advanced research by using print and electronic publications, including scholarly journals, books, and prominent security research websites for the most up-to-date information on IT security. They will recognize the need for independent and ongoing learning to maintain currency in a rapidly changing field and to further develop their professional skills. MITS graduates will have the advanced knowledge base and skill set to undertake further education to support and advance their careers.

Transferable Skills

All courses in the MITS curriculum have been designed to emphasize the development of qualities and transferable skills which contribute to the students' success as independent learners and as team players. Throughout the entire program, MITS students will be involved in a variety of tasks that involve the demonstration of effective communication skills using oral, written, graphic and electronic formats. They will be expected to share information in ways which are suitable for both lay and specialist audiences. Students will participate in small and large group activities and hone their skills as both team members and leaders. The coursework in the program will require hours of research along with activities involving practical applications. The demanding workload will require students to organize their time and manage their projects efficiently in order to meet clearly defined standards of performance and expected deadlines.

UOIT is confident that the proposed MITS program is sufficiently comprehensive and rigorous to meet the standards of a graduate degree program and to provide students with the necessary knowledge base, technical, cognitive, and interpersonal skills and positive attitudes that will enable them to experience personal, academic, and professional success during their graduate studies at UOIT and beyond.

4.1.2 Samples of Student Work

Since this program is not yet offered by the University, this section is not applicable to this submission.

6 PROGRAM CONTENT STANDARD

6.3 Program Comparisons

The Applicant has on file and available upon request the research undertaken to complete Appendix 6.3.2 – 6.3.n. The Applicant found that there are not more than five similar or related existing programs offered at Ontario universities and that there are more than three similar or related existing programs offered at universities in other jurisdictions (outside Canada) which could have been included in Appendix 6.3.2 – 6.3.n.

This unique MITS program, the first of its kind in Canada and one of a handful of such specialized IT Security graduate degree programs in North America and globally, prepares students to work in the high-tech professions as well as in business corporations, particularly in the IT security areas. Moreover, UOIT's partnership with the SANS (SysAdmin, Audit, Network, Security) Institute in the United States, the trusted leader in information security research, education, and certification, will allow MITS graduates to write tests for GIAC (Global Information Assurance Certification). No other graduate degree programs in Canada offer such a tangible career outcome.

6.3.2 Program Comparison Tables

Institution: Carleton University

Program Name & Credential: Bachelor of Computer Science - Information Systems Security Stream

Program Description: Information Systems Security is concerned with security issues related to all aspects of networked information systems. Security has become an important parameter in the technological well being of our society, and affects all sectors in business, government and academia due to our dependence on information technology. This stream is for students interested in acquiring a solid background in computer science and software engineering, as well as depth in both the foundations and the practice of information systems security, including computer and network security, cryptography, and software security. It provides new career opportunities for security analysts and software engineers with an understanding of security issues in networked information systems. The broad spectrum of subject areas covered ranges from cryptographic applications to secure operating systems to security threats impacting network availability, and includes information storage, transmission and delivery. (http://www.scs.carleton.ca/~paulv/iss_stream.html)

Similarities and Differences: Although there is no graduate degree level program in information technology security offered at Carleton University, this stream is offered at the undergraduate level. UOIT's proposed program provides opportunities for graduates of Carleton's program with appropriate qualifications to pursue a graduate level degree.

Institution: University of Ottawa

Program Name & Credential: B.Sc. and M.Sc. in Computer Science

Program Description: The University of Ottawa offers Masters level courses in the areas of Software Engineering, Theory of Computing, Computer Applications and Computer Systems.

Similarities and Differences: There are a few courses related to Information Technology Security within these offerings but there is not a distinct undergraduate or master's level degree in the security area.

Institution: James Madison University, Virginia

Program Name & Credential: M.Sc. in Computer Science (with a concentration in Information Security)

Program Description: People involved in information security must be able to understand and systematically employ and manage InfoSec concepts, principles, methods, techniques, practices and procedures drawn from U.S. statutes, current or pending. InfoSec experts also must understand procedures followed by the Department of Defense, federal, state and local governments, industry and businesses.

The nature of information security education demands expertise concentrated in areas of information technologies, administrative operations, and law and regulation. The JMU Master of Science in Computer Science with a concentration in Information Security program will deliver this to the graduate student. The program is entirely Internet-based, with courses designed so that students and professors can maximize the use of their time asynchronously.

Course objectives center on the technical aspects of information security including:

• network and web security,
• intrusion detection,
• trusted systems,
• audit trails,
• secure operations,
• cryptography,
• legal issues,
• policies and procedures,

as well as the management and implementation of computer science technology as it focuses on information security. Managing information security programs consists of preserving information confidentiality and protection, risk management, data and system integrity, availability, authenticity and utility.

http://www.infosec.jmu.edu/program/html/program.htm

Similarities and Differences: The components of UOIT's proposed program are similar to the JMU model described above. Unlike JMU, UOIT's program is not Internet-based.

Institution: Mary Washington College, Virginia

Program Name & Credential: Graduate Certificate in Information Security

Program Description: James Monroe Center for Graduate and Professional Studies (JMC) at Mary Washington College in Virginia offers an entirely online 18-credit graduate certificate in Information Security.

To offer the most up-to-date material, JMC partnered with a national leader in information security research and education, the SANS (SysAdmin, Audit, Network, Security) Institute. A SANS certification exam is included with each course. Students learn how to improve information security in order to prevent and minimize attacks on computer systems using commercially available tools.

To gain admission to JMC's information security program, a student must have a bachelor's degree from a regionally accredited college or university, as well as a strong background in computer networks or operating systems. The typical participant is currently employed as a systems or network administrator or in a similar position.

http://www.jmc.mwc.edu/

Similarities and Differences: UOIT's proposed program targets a similar applicant market and the curriculum has been developed to prepare the program graduates for SANS certification. The UOIT program is not offered in the online format.

6.6.2 Course Descriptions and Learning Outcomes

Program Map - Master of Information Technology Security

YEAR ONE

SEMESTER ONE (9 credit hours)
    MITS 5100G Law & Ethics of IT Security
    MITS 5200G Advanced Communications Networks
    MITS 5300G Operating Systems Security

SEMESTER TWO (9 credit hours)
    MITS 5400G Secure Software Systems
    MITS 5500G Cryptography and Secure Communications
    MITS 5600G Elective*

YEAR TWO

SEMESTER ONE (9 credit hours)
    MITS 6100G Attack and Defence
    MITS 6200G eCommerce Infrastructure Security
    MITS 6300G IT Security Capstone Research Project I

SEMESTER TWO (9 credit hours)
    MITS 6400G Biometrics/Access Control and Smart Card Technology
    MITS 6500G Incident Handling, Recovery, Policies, & Risk Management
    MITS 6600G IT Security Capstone Research Project II

*ELECTIVES

MITS 5610G Special Topics in IT Security
    Example:
        Multimedia Technology

MITS 5620G Special Topics in IT Management
    Examples:
        Economics of Information Technology
        Contemporary Management for IT Security Professionals
        Risk Management for Information Systems
        Nuclear Safety Management

Note: All courses are 3 credit hours unless otherwise noted.

Classroom Requirements

Naturally, classes for students will be scheduled in rooms which are an appropriate size to accommodate the learning activity. Smaller lecture rooms and break-out rooms for tutorials and small group activities will be available as needed. Classes and tutorials in all subjects require the use of computers and so all classrooms, seminar rooms and labs used by students will have wireless connectivity or will be wired for computer use and internet access. Additional physical requirements will include: data projectors in all classrooms, blinds on windows to reduce sun glare, comfortable and ergonomically sound chairs and tables for computing, white board with markers/eraser, and bulletin board display space in classrooms. Construction of the 50,000-square-foot School of Business and Information Technology building is expected to be completed by September 2004. Details about this new facility are provided in Section 8.8.5.

Laboratory Facilities

In order to enhance students’ learning experience and provide them with the necessary security hands-on skills and knowledge, the School will launch a Hacker Research Lab. This lab will mimic a network setting with equipment such as servers, clients, firewalls, routers, etc. Two groups of students will be assigned to work as “defense” and “attack” teams. The “defense” team is to secure their system with available hardware and software tools while the “attack” team will attempt to breach the security system as designed by the “defense” team. This simulated environment will train our students to better understand information technology security from two different perspectives, namely, that of a technology security officer and that of a hacker. This lab is described in detail in Section 8.8.5.

Equipment Requirements

The University of Ontario Institute of Technology is committed to advancing the highest quality of learning, teaching, research and professional practice. This means using educational technologies to enhance the learning experience, inspire innovative teaching and foster student success. This is learning and teaching for the 21st century.

A laptop in every hand

At the heart of our program is a personal laptop for each student. The connectivity that the laptop provides gives every student an equal opportunity to communicate with faculty, access course materials, make quality presentations, conduct research and pursue personal knowledge. The laptop facilitates broad access to information and gives professors the opportunity to employ advanced learning technologies.

Each student receives a current model of the IBM ThinkPad complete with hardware and software. Personal assistance, computer support, service and training are included. The laptop is upgraded every two years to ensure students and faculty have the most current capacity and technology. Students' laptops will be equipped with software tools which are relevant to the course and program.

Access anytime

The latest wireless technology is available in common public areas such as seminar rooms, learning commons, cafeterias and other special areas. Every laptop includes a wireless network card to ensure connectivity at the user's convenience as well as connection to wired laptop classrooms. A comprehensive data network, part of the campus and residence infrastructure, provides access to other students, faculty, program materials and the internet. Access to education resources from residence and off campus is available.

Support and Service

From the moment that students pick up a personal laptop at the university's Mobile Computing Centre, the University will ensure that they have access to on-going support and service. The Centre provides personal assistance in configuring, installing and testing software as well as regularly scheduled training seminars and hardware servicing. Drop-in or call-in Helpdesk services are available at the Centre.

6.6.1 Course Descriptions and Learning Outcomes

Year 1, Semester 1

LAW AND ETHICS OF IT SECURITY

This course covers the many ways in which commercial law applies to information technology security. As more and more business transactions and communications are now conducted electronically, the IT function within an institution has become the custodian of the official business records. This course introduces the laws governing the daily business of an institution or government agency, as those laws apply to the protection of information and computer systems. Emerging issues, such as privacy and information disclosures, will be discussed in the course.

Learning Outcomes:

1. To assess technological issues in respect to legal and ethical issues.
2. To analyze the legal and ethical implications when implementing and deploying technology.
3. To demonstrate the basic understanding of legal and privacy issues related to technology by citing landmark cases.
4. To state legal resources used in technology applications.

ADVANCED COMMUNICATION NETWORKS

Networks are the essential components to information transmission, without which there are no communications. This course presents an overview of telecommunications networks and the fundamental concepts of the field, as well as advanced topics and detailed network architectures. This course blends an accessible technical presentation of important networking concepts with many business applications. Addressing networks from a top-down approach, this course shows students the big picture of networks in general so that they may see how the various parts of the network fit into the picture. The course gives detailed descriptions of the principles associated with each layer and highlights many examples drawn from the Internet and wireless networks. The TCP/IP protocol stack will be discussed in detail with a variety of examples on its various layers. This course also describes all aspects of various wireless systems, from cordless phones, pagers, PDAs to mobile phones and wireless computers. The wide deployment of cellular phones for M-commerce applications and wireless LANs in corporate environments has resulted in interesting security challenges.

Learning Outcomes:

1. To identify, describe, and evaluate a variety of electronic communications environments.
2. To apply the best communication environments and tools to solve problems.
3. Estimate the need for a communications network and to evaluate methods for the selection of the best solutions.


4. To demonstrate the ability to design and implement security features for communications networks and related computer hardware and software.
5. To understand the various networking protocols and their applications and implications of security issues.

OPERATING SYSTEMS SECURITY

This course is a study of operating system security with particular focus on the Windows and Unix/Linux operating systems. It provides an overview of the security risks and management of the specified operating systems, and of the preventive efforts to use the security features built into the systems and third-party applications. Students become familiar with various essential reference sources available on the subject of computer security, including organizations such as CERT.

Learning Outcomes:

1. To understand the core security environment in an operating system.
2. To demonstrate strengthening security features in an operating system, including Unix and Windows.
3. To gain work experience in securing operating systems via updates and patches.

Year 1, Semester 2

SECURE SOFTWARE SYSTEMS

Computer security is a bigger problem today than ever before even though most organizations have firewalls, antivirus software, and intrusion detection in place to keep attackers out. The simple cause at the heart of all computer security problems is bad software. This course takes a proactive approach to computer security and covers areas from the technical side of coding secure software to more managerial and project management tasks. Common coding problems like buffer overflows, random number generation and password authentication are addressed. A secondary focus is set on the software design process; it needs to be set up so that security is built in at the very early stages and considered throughout the design process, and not patched in at a later point in time. Risk management in the development cycle as well as software and system audits will be discussed within the course.

Learning Outcomes:

1. To understand the issues in developing secure software systems and how this differs from “traditional” software design.
2. To apply the knowledge by developing practical secure software systems.
3. To test software systems for their security measures.
4. To be aware of the current and future trends in secure software systems.
5. To describe the role and limitations of formal management and quality assurance practices in ensuring software quality.
6. To understand the security feature development in software engineering.
7. To understand how to manage risk in software planning.


CRYPTOGRAPHY AND SECURE COMMUNICATIONS

Secrecy is certainly important to the security or integrity of information transmission. Indeed, the need for secure communications is more profound than ever, recognizing that the conduct of much of our commerce and business is being carried out today through the medium of computers and digital networks. This course is on cryptography, the umbrella term used to describe the science of secret communications. In this course, students with a strong mathematical background learn the details about the transformation of a message into coded form by encryption and the recovery of the original message by decryption. This course describes cryptography through which secrecy, authentication, integrity, and non-repudiation can all be provided.

Learning Outcomes:

1. To know how to break a number of historical ciphers.
2. To understand the different roles of information and complexity theory in cryptography.
3. To be aware of the number theory used in the RSA system.
4. To discuss and evaluate the security of new ciphers either in later courses or when in jobs.
5. To implement the DES and RSA algorithms in a high level language.
6. To state the modern methods of cryptography.

ELECTIVES

Students will select one of the following: Special Topics in IT Security OR Special Topics in IT Management

Year 2, Semester 1

ATTACK AND DEFENCE

The course covers attackers’ tactics and strategies and presents ways of finding vulnerabilities and discovering intrusions. It also discusses the latest cutting-edge insidious attack vectors, the “oldie-but-goodie” attacks that are still so prevalent, and everything in between. This course also presents an understanding of the tools needed to defend against attackers maintaining access and covering their tracks. This course examines and reviews various types of hacking tools and ways to harden the system or application against the attack. The course also discusses defenses and attacks for Windows, Unix, switches, routers and other systems.


Learning Outcomes:

1. To demonstrate the skills to identify potential targets for a computer attack and to locate tools needed to test the systems effectively for vulnerabilities.
2. To understand how various tools exploit holes and to state ways to protect systems from each type of attack.
3. To understand how attackers manipulate systems to discover hints associated with system compromise.

ECOMMERCE INFRASTRUCTURE SECURITY

This course introduces the main components of an eCommerce setup and covers the security related problems with these components. This course will visit some topics that are addressed in the context of Advanced Networking or Operating System Security. It will provide an eCommerce context to these more technical issues. Major components that will be discussed are VPNs in business contexts, Mail Systems, Web Servers, and in particular Middleware Suites like Microsoft’s .NET framework and Sun’s J2EE architecture and its implementation in industrial strength products like JBOSS and IBM’s WebSphere. Strategy and policy topics on how to find the right balance between security and usability will be addressed as well as the management of maintaining a secure infrastructure.

Learning Outcomes:

1. To understand issues raised by securing e-commerce and other related applications.
2. To state how institutions and corporations should protect sensitive and confidential information.
3. To demonstrate how to work with Web Services applications, such as .NET or J2EE technology, by developing applications for the environments.
4. To understand the ways to secure an eCommerce environment.

IT SECURITY CAPSTONE RESEARCH PROJECT I

This course provides students with an opportunity to gather knowledge and skills learned from the program coursework and to conduct a research project with industrial applications. Students are expected to do a research literature review and to develop a set of hypotheses for a research project in IT security. A research proposal outlining alternative remedies to the problem and hypotheses should be submitted to the research faculty advisor by the end of the course semester.

Learning Outcomes:

1. To apply and synthesize the knowledge and skills gained in the individual courses in the program of study to a project in information technology security.
2. To define a project, formulate its requirements and processes for carrying it out to a satisfactory conclusion.
3. To research existing work and other relevant information for the project.
4. To perform project planning, preparation, budgeting, documentation and presentation of the conduct and results of the project.
5. To demonstrate the required level of technical knowledge to solve problems presented by the chosen project.


6. To use design tools, available data and relevant resources in the conduct of the project.

Year 2, Semester 2

BIOMETRICS/ACCESS CONTROL AND SMART CARD TECHNOLOGY

Traditionally, most security systems authenticate you based on something you know, i.e., a password. However, where security really matters, it makes sense to add a second layer, which could be something you have (e.g., a smartcard). Also, as a third option, probably the most authentic method, it could be something you are, something that, at least theoretically, would be virtually impossible to forge. To this end, this course is about biometric controls, where biometrics is generally the study of measurable physical characteristics and behavioral patterns. This course deals with various authentication techniques and their effectiveness, cost, intrusiveness, and accuracy.

Learning Outcomes:

1. To state the applications of biometrics and smart cards as access control.
2. To understand the technology of biometrics and smart cards and how to apply them in various environments for security.
3. To describe the current state of the art in biometrics and smart card technology.
4. To describe the design of a smart card.

INCIDENT HANDLING, RECOVERY, POLICIES, & RISK MANAGEMENT

This course introduces a practical approach for responding to computer incidents, with a detailed description of how attackers undermine computer systems in order to learn how to prepare for, detect, and respond to them. The course will also explore the legal issues associated with responding to computer attacks, including employee monitoring, working with law enforcement, and handling evidence. This course will also focus in particular on practical, computer-assisted techniques for risk-related modeling and calculations. Identification of threats through Hazard and Operability Analysis (HAZOP) and Process Hazards Analysis (PHA) will be illustrated, as well as probabilistic techniques for estimating the magnitude and likelihood of particular loss outcomes.

Learning Outcomes:

1. To prepare for and deal with a computer incident.
2. To state ways for a strong incident response capability to meet the needs of business.
3. To describe a detailed incident handling process, and apply that process to several in-the-trenches case studies.
4. To understand the identification, containment, eradication, and recovery of an incident.
5. To perform a projection on the risk of an incident and apply appropriate policies.


IT SECURITY CAPSTONE RESEARCH PROJECT II

The research outlined in the MITS 6300G proposal should be completed during the Winter semester. The final report of the research findings and recommendations for the problem addressed should be submitted to the research faculty advisor, along with a presentation of the results. The results should have direct practical applications and/or be publishable in refereed publications.

See previous page - IT Security Capstone Research Project I


8 CAPACITY TO DELIVER STANDARD

8.7 Enrolment Projections and Staffing Implications

PROJECTED INTAKE AND ENROLMENTS Master’s of Information Technology Security Program

Columns: Year; Cumulative Enrolment (Full-time, Part-time); Staff Requirements - Projected (Cumulative Full-time Faculty FTE, Cumulative Part-time Faculty FTE, Technical Support, Teaching Assistants, etc.); Ratio of Full-time Students/Full-time Faculty

2004 (Year 1) 16-24 32-48 4.0 0.5 0.5 18:1

2005 (Year 2) 30-48 62-96 4.0 0.5 1.0 36:1

2006 (Year 3) 30-48 62-96 5.0 0.5 2.0 28:1

2007 (Year 4) 30-48 62-96 5.0 1.0 2.0 28:1

8.8.5 Resource Renewal and Upgrading

New Academic Building

Construction of the 50,000-square-foot School of Business and Information Technology building is expected to be completed by September 2004. This building will consist of four floors which will house faculty and teaching assistant offices plus three state-of-the-art classrooms that hold 36, 50, and 250 students respectively. There are currently 4 rooms which have been assigned for graduate student assistants. Each room fits at least 2-4 graduate assistants. In addition, there are two discussion rooms which fit 8-10 students; these will also be available for our graduate students.

Hacker Research Lab

In order to enhance students’ learning experience and provide them with the necessary hands-on security skills and knowledge, the School will launch a Hacker Research Lab. This lab will mimic a network setting with equipment such as servers, clients, firewalls, routers, etc. The Hacker Research Lab will consist of a variety of network connectivity, including CAT5, wireless (802.11x), Bluetooth, etc., and dedicated servers, workstations, laptops, as well as handheld devices. The “defense” and “attack” systems will also have a variety of hardware and software installed. An initial plan is to include Unix (Solaris/Linux) and Windows operating systems.


The Hacker Research Lab has a capacity for 24 workstations/students which will be divided into eight groups of three students. Four groups will be assigned as the “defense” team while the other four groups will be the “attack” team. Courses that require the use of the Hacker Research Lab are identified in Section 6.6.2 of this submission. A tentative hardware configuration has been planned for the development of the Hacker Research Lab. There will be 8 sets of servers/workstations for each group of the students. However, both types of the “defense” and “attack” hardware equipment are expected to be similar. The following is the description of the hardware, software, and operating system configurations:

a. 8 Sun Sparc Servers installed with Unix (Solaris/Linux) operating systems. One or more may be used for Firewall configuration. Each server will have 2 network cards installed.

b. 8 Pentium-based Servers installed with Windows operating systems. One or more may be used for Firewall configuration. Each server will have multiple network cards installed.

c. 8 Pentium-based workstations installed with a mix of Unix (Solaris/Linux) and Windows operating systems.

d. 8 Pentium-based laptops installed with Unix (Solaris/Linux) or Windows operating systems.

e. 4 handheld PDAs with wireless/Bluetooth capabilities.

f. 8 Ethernet routers with a minimum of 4 connections

g. 4 switches with a minimum of 4 connections

h. 4 switches with VLAN capabilities and a minimum of 4 connections

i. 8 wireless access points

j. 4 smart card readers

k. 4 smart card programming devices

l. Checkpoint Firewall software

m. IDS software

n. Content scanning software

The UOIT IT department will set up a separate network routing for this Hacker Research Lab; this will provide a better and more secure learning environment for the MITS students. It is also expected that the School will partner with the industry in ethical hacking of new software under development.


9 CREDENTIAL RECOGNITION STANDARD

9.1.1 Program Design and Credential Recognition

This unique MITS program is the first of its kind in Canada. UOIT's proposed partnership with the SANS (SysAdmin, Audit, Network, Security) Institute in the United States, the trusted leader in information security research, education, and certification, will allow our MITS graduates to write tests for GIAC (Global Information Assurance Certification). In addition, the MITS program prepares graduates to take the CISSP exam offered by the International Information Systems Security Certification Consortium, Inc. This organization and its certification are described on pages 4-5 of this submission.

9.2 Consultation

A draft of this Appraisal was reviewed by Dr. Ali Miri, Assistant Professor, School of Information Technology and Engineering at the University of Ottawa, and Dr. Ali Ghorbani, Professor, Faculty of Computer Science at the University of New Brunswick. As a result of the review, the School of Computer Science at the University of New Brunswick (UNB) has expressed its intention to form a partnership with the UOIT School of Business and Information Technology (SBIT) in IT Security. Dr. Virendra Bhavsar, Dean of Computer Science, UNB, met with UOIT SBIT faculty to discuss the partnership. Under the partnership, the MITS graduates would have direct entry into UNB’s computer science PhD program. Both universities would encourage adjunct appointments of faculty. The UOIT faculty could supervise UNB doctoral students, and the UNB faculty could supervise UOIT graduate students. Moreover, faculty from UOIT and UNB can conduct joint research, an arrangement that would likely lead to innovative research projects and grants.

The documents on the following pages are evidence of feedback from external parties who were asked to review the program proposal during its development phase. They include:

Dr. A. Ghorbani, Professor, School of Computer Science, University of New Brunswick

Mr. Merv Matson, Chairman and Founder, RightsMarket Inc.
