IS 6383/ IS 4473:
Policy Assurance for Infrastructure Assurance
Fall 2011
Department of Information Systems and Technology Management
The University of Texas at San Antonio

Instructor:                             Prof. Seok-Won Lee, Ph.D.
Web page:                  
Email:                           (Always insert “IS 6383/IS 4473” in the Subject line)
Office Phone:                        210-458-8548  
Office Location & Hours:      BB 4.02.22, Thursday 4:00 – 5:00 PM
Classroom:                           MH (previously HSS) 3.01.18
Meeting Time:                       Tuesdays & Thursdays, 7:00 – 8:15 PM

Course Objectives:  
The course provides students with the foundations Information Security Policies, Procedures and Standards. A successful Information Security program relies not only on technical measures but on the convergence of technology, policy and people. The course will discuss fundamentals of designing, creating and deploying information and infrastructure assurance policies. Topics will include: policy development practices, frameworks, writing mechanism, design techniques, standards and best practices, and legal, ethical and privacy issues. Course content is derived from reference text and extensive external sources.

Required Course Materials:   
1. Introduction to Computer Security, by M. Bishop (ISBN 0321247442)

Recommended Course Materials (Reference Books): 
2. Information Security Policies, Procedures and Standards: Guidelines for Effective Information Security Management, by Thomas R. Peltier (ISBN 0849311373)
3. Information Security Policies and Procedures: A Practitioner’s Reference, by Thomas R. Peltier (ISBN 0849319587)
4. Security Policies and Procedures: Principles and Practices, by Sari Stern Greene, Prentice Hall (ISBN 0131866915)
5. Security in Computing, by C. P. Pfleeger (ISBN 0130355488)

The following is a tentative schedule of topics, textbook references, assignments, and assignment due dates. As circumstances dictate, I reserve the right to change this schedule including but not limited to tests, assignments, due dates, etc. Please review these assignments before they are due so you turn in the proper material

Topics (Tentative)
Overview of Computer Security                             Overview of Information Protection Fundamentals
Writing Mechanics and the Message                       Policy Development
Access Control Matrix                                           Security, Confidentiality, Integrity, Hybrid Policies
Design Principles                                                    Access Control Mechanisms
Intro to Assurance                                                  Evaluating Systems
Vulnerability Analysis                                              Auditing
Security Certification & Accreditation                     Risk Analysis and Management

Schedule (Tentative)



Topics (Tentative)



1 (W1)





2 (W2)



Overview of Computer Security


Bishop Ch1


Information Protection Fundamentals, Writing Mechanics, Messages and the Policy Development (Policy, Standard, Process)

SANS: Information Security Policy Templates

Access Control Matrix


Peltier Ch3



Bishop Ch2

4 (W3)


Security Policies


Bishop Ch4


Confidentiality Policies

Project Topics Due

Bishop Ch5

6 (W4)


Integrity Policies///Hybrid Policies


Bishop Ch6,7


Group Project Discussion

Reading1: Role-based access control Models by Ravi Sandhu

Reading2: Authorization and Authentication using XACML & SAML



8 (W5)


Hybrid Policies


Bishop Ch7


Design Principles /Access Control Mechanisms


Bishop Ch 12, 14

10 (W6)


Role-based Access Control (RBAC)




Group Project Midterm Review



12 (W7)


Midterm Exam (In Class)




Introduction to Assurance


Bishop Ch17

14 (W8)


Security Certification & Accreditation




Preliminary Presentation on Group Project (by this time, you are expected to have finalized the company description, defined stakeholders, interfaces, threats, and vulnerabilities, reviewed regulations and legislation, and created the structure of policies with their rationales in relation to the company type)

Risk Analysis & Management  (NIST 800-30)



16 (W9)


Identifying Security Controls
(NIST SP 800-53, 800-36)

Graduate Student Presentation




Evaluating Systems/Auditing
/Vulnerability Analysis


Bishop Ch 18, 20, 21

18 (W10)


XACML (Extensible Access Control Markup Language)




Information Categorization, System Categorization and Asset Profiling
(NIST SP 800-60, FIPS 199)



20 (W11)



Security Compliance & Related Policies




Evaluating Security Controls
(NIST SP 800-53A, 800-115)

Graduate Student Presentation  



22 (W12)


SCADA Control Policies 




Morality and Ethics in Policy Assurance, Managing Trust

Written Report Due


24 (W13)


Invited Talk: Activity Centric Access Control for Socail Computing




Project Presentation



26 (W14)


Project Presentation




Thanksgiving Holiday 11/24-26 (No Class)



27 (W15)


Project Presentation




Project Presentation



29 (W16)


Project Presentation & Final Reviews




Final Exam 5:00 – 7:30 PM  (Saturday)



Course Requirements:
This course is designed to be highly interactive. I will present the basic concepts, and you are expected to apply them. You should be prepared to attend class, read the assignments (including the material provided from external sources), participate in class discussions, conduct outside research to better understand the material, study for exams, seek help if you do not understand any material, and produce a product that you would be proud to show to others.

Group Project:
There is one project for this class: Design a comprehensive Information Security Policy for an organization in a specific business type. The project would involve understanding the business policies, procedures, operations and strategies for the selected business. The project will also require outside research to familiarize you with legal, privacy and ethical concerns for that business type.

Project Description:
Organize into teams of 3-4 students each (depending upon the class size) to design, formulate and deploy an Information Security Policy. (Note: IS 6383 Graduate students need to organize into teams of 2-3 students. IS 4473 Undergraduate students need to organize into teams of 3-4 students. A team can consist of either undergraduate students or graduate students but not both).   Specifically, you are to choose one of the business types and based upon the business type you selected, you are to define a company (real or fictitious) that meets the business type, and then apply the concepts from the chapters, external material, as well as class discussions. You are expected to present the information security policy, focusing on the characteristics of their given company. It will soon become obvious to you that the security policy is not the same for all companies and all situations.

Business types include the following:
• Full Service Bank
• Hospital
• Law Enforcement Agency (ex. Police department)
• Global Telecommunications Company
• Web-based Vendor
• Charitable Organization
• Online Auctions
• Hospitality Firm (ex. Hotel)
• Educational Institution and more…

You may use any other business/industry type. However, you would need my prior permission and I would have to approve the business type.

Topic Selection: Topic selections are on a first come, first serve basis. Each team is expected to send me, via e-mail ( ) a list of all team members and a ranked order (in case of tie) of your topic selection by Thursday, September 8, 2011.

Written Report: The results of your project are to be presented in the following format - cover page, table of contents (including location of illustrations and exhibits, the report, alphabetical list of references cited, and hard copy of all references cited). The table of contents should list all major headings, exhibits, and illustrations (including page locations).
Write the policy as if you are writing an actual information assurance and security policy for the chose organization. The written report should be at least 15 pages long (not including the title page, table of contents and references). Include at least 15 references other than your textbook. Written reports are due on Thursday, November 10, 2011.

The written report should contain at least the following:
• Organizational Overview
• Description of stakeholders
• Mission Statement
• Objectives
• Current information infrastructure
• Risk assessment and security requirements
• Security Architecture
• Legal issues specific to the organization
• Standards, guidelines, best practices that governed your design
• Policy development approach
• Any design technique utilized (provide detailed analysis)
• Actual written policy for the chosen organization. Some of the suggested specific policies are:
• Email use policy
• Software deployment and use policy
• Password policy
• Asset classification policy
• Laptop use policy
• File sharing policy
• Network use policy
• Anti-virus policy
• Disaster Recovery policy
• Including system backup policy
• Remote access policy
• Training policy
• Approaches to handle security violations
• Vendor selection criteria
• Deployment strategy
• Policy awareness program
• Criteria for evaluating the policy effectiveness
• Policy re-assessment plan

NOTE: The final report should reflect at least eight weeks of work, producing a quality product. Grading will be based upon this amount of expected effort. If you put minimal effort in the project, your project grade will also probably reflect minimal effort.

Submission Guidelines: Your written report is due Thursday, November 10, 2011. Submit to me an electronic copy of your paper (preferably in PDF format, MS Word format also acceptable). Best way to submit the files electronically is through email. Also, where possible, include electronic copies of your cited references. If the reference is from the Web, save a copy, assuring the URL is noted on the footer. If you do not have access to an electronic copy of your reference, either scan the reference or include a hard copy. If you are citing from a book, only include the area referenced within the book. If all citations are in electronic format, you do not need to submit any of your report in hard copy format.

Your final paper submission should contain the following:
• Electronic copy of your paper and project presentation
• Electronic copies of cited papers or the web links to the cited sources
• Hard copy of any papers, books, etc. cited which are NOT in electronic format

Presentation: The presentations offer you the chance to impart knowledge to the rest of the class. Each group will be allocated 25 minutes for presentation. 10 additional minutes will be dedicated to discussion and questions. Presentation content will focus on the methods and process used to finalize the policies presented in the written report. Presentation should clearly identify the information and requirements that were instrumental in the development of the policies. Discussion on actual policies should be restricted to a few key elements.

At the end of your presentation, include a slide that contains two questions pertaining to your presentation that you expect the rest of the class to be able to answer. These questions will be used as study guides for the final exam.

Group presentations will be held during class periods starting from the week of Tuesday, November 15, 2011. Absence of a team member on the day of presentation is not sufficient cause for delaying a presentation.

Peer Evaluation: This is expected to be a group project. All team members are expected to contribute equally to the project. Any team member who does not contribute his or her fair share on the project should not expect to receive the same project grade as others. Following the team presentation, each team is to submit evaluations of each team member. Please use the attached peer evaluation form. If there are three members on a team, A and B evaluate C; B and C evaluate A; and A and C evaluate B. Individual project grade = team project grade * peer evaluation percentage. For example, if your group project grade = 90, and peer evaluation grade = 100, your individual project grade = 90. However, if your team project grade = 90 and peer evaluation grade = 50, your individual project grade = 45!
Peer evaluations are due within one week after your presentation. If I do not receive evaluations by that time, I will assume that all group members received a 100% evaluation
Choose your teammates wisely. If you have a problem with a teammate, try to work it out among yourselves. If you cannot resolve the problem, you can elect to fire a member. However, all other team members must agree, and no member can be fired after Thursday, September 29, 2011.

Class Participation:
Questions, comments, etc. are encouraged. If you do not understand some of the material, please ask questions. You are expected to participate in discussions during the class periods. You may also be called upon to do research on specific topic/topics and present it to the class.

Exam content is based on reading assignments, class discussion, and group presentations related to the cases. You are expected to fully understand these topics. Exams may include a mix of multiple choice, short answer and essay questions. Exam questions are based on one’s understanding of the subject, rather than one’s ability to memorize. The best way to study for these exams is to review class and lecture notes, formulate questions related to the content, and write out a detailed response to the question. Also, you are responsible for knowing the answers to the questions posed by presentation groups. Please feel free to see me during office hours (or by appointment) to discuss your proposed questions and responses prior to an exam.   Make Up Exams Will Not Be Given. If you miss an exam and notify me prior to the exam, you will be required to take a comprehensive final, and the final exam grade will count twice (for the final and for the exam missed). If you miss an exam and DO NOT notify me prior to the exam, you will receive a zero for the exam.

Graduate students registered for IS 6383 will have to make two 20 minutes presentations on specified topics. The list of topics represent few key legislations, regulations, standards or best practices that are critical for development of information security policies. Students are expected to present the key elements of the document and how they relate to the information assurance. Instructor will provide more specific guidance in class.

IS 4473
Project 130 points (group project * peer evaluation %)
Attendance/Participation 20 points
Exams 300 points
Total 450 points
IS 6383
Project 130 points (group project * peer evaluation %)
Attendance/Participation 20 points
Class Presentation 50 points
Exams 300 points
Total 500 points
IS 4473                                    IS 6383
A = 405 – 450 points                A = 450 – 500 points
B = 360 – 404 points                B = 400 – 449 points
C = 315 – 459 points               C = 350 – 399 points
D = 270 – 314 points               D = 300 – 349 points
F = < 270 points                       F = < 300 points

Special Notes:

Academic Honesty:
As written in the UTSA Student Code of Conduct, “The University can best function and accomplish its objectives in an atmosphere of high ethical standards. All students are expected and encouraged to contribute to such an atmosphere in every way possible, especially by observing all accepted principles of academic honesty. It is recognized, however, that a large university will include a few students who do not understand, appreciate or practice these principles. Consequently, alleged cases of academic dishonesty involving UTSA students will inevitably occur.
Academic or scholastic dishonesty includes, but is not limited to, cheating, plagiarism, collusion, the submission for credit of any work or materials that are attributable in whole or in part to another person, taking an examination for another person, any act designed to give unfair advantage to a student or the attempt to commit such acts. Academic dishonesty is a violation of the Student Code of Conduct.” Students are expected to follow the UTSA honor pledge:

"On my honor, as a student of The University of Texas at San Antonio, I will uphold the highest standards of academic integrity and personal accountability for the advancement of the dignity and the reputation of our university and myself.”


IS 6383 / IS 4473
FALL 2011



(Maximum Points = 30 points)

Was the presentation clear (i.e. did not read presentation to audience,
spoke clearly and loudly)?
(0-10)                                                                                                                                                                       ___________________

Provided in-depth coverage of the subject- clearly evident that group relied
upon material other than that available in the text book
(0-10)                                                                                                                                                                       ___________________

Provided well thought out secure design for given company and
(0-10)                                                                                                                                                                       ___________________

TOTAL                                                                                                                                                                      ___________________


Presentation exceeded or was significantly under the allotted time
(Loss of 5 points)                                                                                                                                             ___________________


IS 6383 / IS 4473
FALL 2011



(Maximum Points = 100 points)

Was the paper well organized, well written, and thorough?
(0-20)                                                                                                                                                                       ___________________

Was the paper in format specified (cover page, TOC, illustrations and/or tables,
references, etc.)?
(0-10)                                                                                                                                                                       ___________________

Did the paper provide a convincing, well thought out policy for the company? Was the
policy tailored to specific company rather than generic? Did the group explain how
they arrived at the policy? Was the quality of paper indicative of 8 weeks of work?
(0-50)                                                                                                                                                                       ___________________

Did the group perform a thorough review of the literature? Were at least 15 references
cited, and were they of high quality, directly related to the given topic?
(0-10)                                                                                                                                                                       ___________________

Was the paper properly referenced? Were electronic copies of each article submitted?
(0-10)                                                                                                                                                                       ___________________

TOTAL                                                                                                                                                                      ___________________

Evidence of plagiarism will result in a project grade of zero for all team members. All team members are expected to have fully reviewed the paper before submission.


IS 6383 / IS 4473
FALL 2011



Each category is rated on a scale of 1 to 5 in which 5 = outstanding, 4 = very good, 3 = acceptable, 2 = had some problems, 1 = poor, and 0 = totally unacceptable.

Team Member Name



Completed assignments on



Provided Quality Work



Provided Valuable input
during group discussions



Was available, when needed,
to complete the project



Would like to work with this
person again






Percentage = Total X 4



Evaluating team member:

Name ____________________________ Signature ___________________________

Submit one form per evaluating team member. Team members do not participate in evaluation of themselves