IST 456 - Security and Risk Management

Penn State Altoona
INSTRUCTOR: Charlotte Eudy McConn, M.S., CDP, CISSP

Office: 106 Hawthorn Building
Office Hours: M: 10am-12pm, W: 2:30-3:30

Access to course material and readings can be found in the ANGEL Course Management System (CMS).


Why should SRA majors be interested in this course?

Communication technologies have become a key component to support critical infrastructure services in various sectors of our society. In an effort to share information and streamline operations, organizations are creating complex networked systems and opening their networks to customers, suppliers, and other business partners. Increasing network complexity, greater access, and a growing emphasis on the Internet have made information systems and network security a major concern for organizations.

COURSE DESCRIPTION (University catalog)
IST 456 Security and Risk Management

IST 456 focuses on security and risk management. Students will learn contemporary security issues; security management processes, architecture and models; risk analysis and management; security planning, analysis and safeguards; security policy development and administration; contingency planning, incident handling and response; and security standards and certification processes. IST 456 will also address security certification and accreditation, security inspections, security processing modes, and system certification.

A major component of the course will be case studies and a final team-based project. This course will incorporate collaborative and action-learning experiences wherever appropriate. Emphasis will be placed on developing and practicing writing and speaking skills through application of the concepts, theories and technologies that define the course.

Course Objectives:

Upon completion of the course, the student will:

• Have experience researching and analyzing security and risk management procedures
• Define an information security strategy and architecture
• Be able to develop a comprehensive information systems security strategy
• Understand the interactions between systems design, systems management, social factors and the socio-political environment as they pertain to security and risk management
• Describe the components of and the importance of management involvement in disaster recovery and continuity planning
• Understand the role of security inspections, security certification and accreditation, and system certification.

Learning Outcomes:

• Explain integral parts of overall good information security practices
• Identify the social and technical issues related to effective security management
• Describe the need for and development of information security policies, and identify guidelines and models for writing policies
• Create an effective security assessment of an organization
• Define risk management and explain why it is an important component of an information security strategy and practice
• Present a disaster recovery plan for recovery of information assets after an incident
• Identify security issues related to personnel decisions, and qualifications of security personnel
• Research current best practices in security management as supported by major professional organizations

Readings:

I recommend that you set aside at least two hours per week in the library for completing the assigned readings for this course, and that you download all online readings at the beginning of the semester to mitigate the risk of a link becoming unavailable. Weekly reading assignments can be found on the Angel course management Calendar, and links to online readings can be found in the Angel Lessons tab.

1) Text: Management of Information Security, 3rd ed. Whitman & Mattord, Course Technology, ISBN 13: 978-1-4354-8884-7

2) At the NIST website
• This site contains many of the links to the government security documents (SP 800-xx) mentioned in your text.

3) At "Security and Risk Management Guide"

Supplementary information for the course is available on the Angel course management system. The Web site contains class notes, PowerPoint slides, class announcements, the course syllabus, test dates, and other information for the course. Answers to the end-of-chapter review questions, student assignment files, and hands-on projects can also be obtained from the Web site.

Library Reserve: Reference materials and copies of readings are available for your use at the course reserve desk in the library. Other articles & case studies may be assigned throughout the semester.

Course Outline:

Check the Angel course management system for course topics by week, assignments, test dates, and other course announcements.

Week | Topic | Assignments | Notes & Due dates
1 | Introduction & course overview | Text Cpt 1 |
2 | Investigate InfoSec standards websites: NIST, CERT, DHS, Microsoft Technet | Website Presentation | Angel Qz 1 Due
3 | Planning for Security | Text Cpt 2 |
4 | SDLC vs SecSDLC | Text Cpt 2 | Angel Qz 2 Due
5 | Planning for Contingencies (Incident Response vs Disaster Recovery Planning) | Text Cpt 3 |
6 | World Trade Center Case Study | | Angel Qz 3 Due
7 | Disaster Recovery Case Study Research | Research Presentations |
8 | Review & exam | | Exam Cpt 1-3
9 | InfoSec Policy Development & Mgmt | Text Cpt 4 |
10 | Policy Standards | SP 800-18, NIST Website | Policy Manual Project
11 | Developing the Security Program | Text Cpt 5 | InfoSec Policies & Training Plan Due
12 | IT Security Training | SP 800-16, NIST Website | Angel Qz 5 Due
13 | Security Management Practices | Text Cpt 7 | Angel Qz 7 Due
-- | Thanksgiving Break, no class | |
14 | Personnel and Security | Text Cpt 11 |
15 | Security Self Assessment | Text Appendix A | Angel Qz 11 Due
Exam Week | | | Exam Cpt 4, 5, 7, 11

Class Policies & Grading:

Check Angel for specific instructions.
(10% of grade) Attendance and participation
(40% of grade) Research assignments and presentations
(10% of grade) Online quizzes for each assigned reading, due by specific target dates
(40% of grade) Exams
Last Update 8/2010