Purdue School of Engineering and Technology

IT Risk Assessment

CIT 45100 / 3 Cr. (2 Class, 2 Lab)

Students will learn the basic tools of security risk assessment and risk management. Students will be able to identify and assess security risk, conduct information asset valuation, and apply risk control strategies. Other topics discussed will be: security policies, NIST security models, and security training, education, and awareness. At the end of the course students will be able to assess vulnerabilities and document them according to a published assessment standard.

Course Outcomes

  • Identify and prioritize information assets (CIT e, j, m, n)
  • Identify and prioritize threats to information assets (CIT e, j, m, n)
  • Define an information security strategy and architecture (CIT e, j, m, n)
  • Plan for and respond to intruders in an information system (CIT j)
  • Explain legal and public relations implications of security and privacy issues (CIT e, j, m)
  • Present a risk assessment plan using a published assessment standard (CIT e, j, m)

CIT Student Outcomes

(e) An understanding of professional, ethical, legal, security and social issues and responsibilities.

(j) An ability to use and apply current technical concepts and practices in the core information technologies.

(m) An understanding of best practices and standards and their application.

(n) An ability to assist in the creation of an effective project plan.

  • Planning for Security
  • Planning for Contingencies
  • Security Policy
  • Developing the Security Program
  • Security Management Models and Practices
  • Risk Management: Identifying and Assessing Risk
  • Risk Management: Assessing and Controlling Risk
  • Protection Mechanisms
  • Personnel and Security
  • Law and Ethics
  • Perform Complete Risk Management and Assessment Plan

Principles of Undergraduate Learning (PULs)

3. Integration and Application of Knowledge

4. Intellectual Depth, Breadth, and Adaptiveness

5. Understanding Society and Culture

6. Values and Ethics

What You Will Learn

Planning for Security

  • Recognize the importance of information technology and understand who is responsible for protecting an organization's information assets
  • Know and understand the definition and key characteristics of information security
  • Know and understand the definition and key characteristics of leadership and management
  • Recognize the characteristics that differentiate information security management from general management
  • Recognize the importance of planning and describe the principal components of organizational planning
  • Know and understand the principal components of information security system implementation planning as it functions within the organizational planning scheme

Planning for Contingencies

  • Understand the need for contingency planning
  • Know the major components of contingency planning
  • Create a simple set of contingency plans, using Business Impact Analysis
  • Prepare and execute a test of contingency plans
  • Understand the combined contingency plan approach

Security Policy

  • Define information security policy and understand its central role in a successful information security program
  • Know the three major types of information security policy often used and what goes into each type
  • Develop, implement, and maintain various types of information security policies

Developing the Security Program

  • Recognize and understand the organizational approaches to information security
  • List and describe the functional components of the information security program
  • Determine how to plan and staff an organization's information security program based on its size
  • Evaluate the internal and external factors that influence the activities and organization of an information security program

Security Management Models and Practices

  • Select from the dominant information security management models, including U.S. government sanctioned models, and customize them for your organization's needs
  • Implement the fundamental elements of key information security management practices
  • Follow emerging trends in the certification and accreditation of U.S. Federal IT systems

Risk Management: Identifying and Assessing Risk

  • Define risk management and its role in the organization
  • Begin using risk management techniques to identify and prioritize risk factors for information assets
  • Assess risk based on the likelihood of adverse events and the effects on information assets when events occur
  • Begin to document the results of risk identification

Risk Management: Assessing and Controlling Risk

  • Understand and select from the risk mitigation strategy options to control risk
  • Identify the risk control classification categories
  • Use existing conceptual frameworks to evaluate risk controls, and formulate a cost benefit analysis
  • Maintain and perpetuate risk controls
  • Understand the NIST approach to managing risk, and locate more detailed information about it if and when necessary
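The two risk-management units above cover asset valuation, likelihood and impact, existing-control adjustment, and the cost-benefit analysis of a safeguard. As an added illustration (not part of the course materials or its textbook), the following Python worksheet carries those steps through on a small constructed register: it computes single and annualized loss expectancy (SLE = AV x EF, ALE = SLE x ARO), ranks asset/threat pairs by residual risk, and applies CBA = ALE(prior) - ALE(post) - ACS to decide among defend, accept and transfer. The asset names, dollar values, likelihoods, safeguard costs, the uncertainty adjustment and the decision rule in `control_strategy` are all assumptions of the example.

```python
"""Quantitative risk assessment and cost-benefit analysis (added example).

Illustrative code added to the course page, not course material. The assets,
threats, dollar values, likelihoods and safeguard costs below are constructed.
Formulas are the standard ones found in risk-management texts:

    SLE = AV * EF                      single loss expectancy
    ALE = SLE * ARO                    annualized loss expectancy
    CBA = ALE_prior - ALE_post - ACS   cost-benefit of a safeguard
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/threat pair from a threat-vulnerability assessment (TVA)."""
    asset: str
    threat: str
    asset_value: float       # AV: valuation of the asset, in dollars
    exposure_factor: float   # EF: fraction of AV lost in one incident (0..1)
    aro: float               # ARO: expected incidents per year
    controlled: float        # fraction of the risk current controls already remove (0..1)
    uncertainty: float       # analyst uncertainty in the estimates above (0..1)


@dataclass(frozen=True)
class Safeguard:
    """A candidate control and its estimated effect on one exposure."""
    name: str
    annual_cost: float        # ACS: annualized cost of the safeguard
    new_exposure_factor: float
    new_aro: float


def single_loss_expectancy(e: Exposure) -> float:
    return e.asset_value * e.exposure_factor


def annualized_loss_expectancy(e: Exposure) -> float:
    return single_loss_expectancy(e) * e.aro


def residual_risk(e: Exposure) -> float:
    """Risk-rating factor used for prioritization: the annualized loss that
    current controls do not cover, inflated by the analyst's uncertainty
    (this inflation step is an assumption of the example)."""
    ale = annualized_loss_expectancy(e)
    return ale * (1.0 - e.controlled) * (1.0 + e.uncertainty)


def prioritize(exposures: list) -> list:
    """Rank exposures highest residual risk first (the risk-worksheet order)."""
    return sorted(exposures, key=residual_risk, reverse=True)


def cost_benefit(e: Exposure, s: Safeguard) -> float:
    """CBA = ALE(prior) - ALE(post) - ACS. Positive means the safeguard pays for itself."""
    ale_post = e.asset_value * s.new_exposure_factor * s.new_aro
    return annualized_loss_expectancy(e) - ale_post - s.annual_cost


def control_strategy(e: Exposure, s: Safeguard, risk_appetite: float) -> str:
    """Simplified decision rule (assumed for this example, not a standard):
    defend when the safeguard has a positive CBA; otherwise accept if the
    residual risk is within appetite, else transfer (or seek a cheaper control)."""
    if cost_benefit(e, s) > 0:
        return "defend"
    if residual_risk(e) <= risk_appetite:
        return "accept"
    return "transfer"


# Constructed sample register (not real data).
EXPOSURES = [
    Exposure("customer DB", "SQL injection", 500_000, 0.40, 0.5, 0.30, 0.2),
    Exposure("public web server", "denial of service", 120_000, 0.25, 2.0, 0.50, 0.1),
    Exposure("laptop fleet", "device theft", 80_000, 0.10, 3.0, 0.80, 0.1),
    Exposure("e-mail", "credential phishing", 200_000, 0.15, 4.0, 0.25, 0.3),
]

# Constructed candidate safeguards, keyed by the threat they address.
SAFEGUARDS = {
    "SQL injection": Safeguard("parameterized queries + WAF", 25_000, 0.40, 0.1),
    "denial of service": Safeguard("DDoS scrubbing service", 70_000, 0.25, 0.5),
    "device theft": Safeguard("full-disk encryption + MDM", 25_000, 0.02, 3.0),
    "credential phishing": Safeguard("phishing-resistant MFA", 30_000, 0.15, 0.5),
}

RISK_APPETITE = 10_000  # assumed: max residual annual loss management will accept


def risk_worksheet(exposures=EXPOSURES, safeguards=SAFEGUARDS, appetite=RISK_APPETITE) -> list:
    """Return rows (asset, threat, ALE, residual risk, CBA, strategy), highest risk first."""
    rows = []
    for e in prioritize(exposures):
        s = safeguards[e.threat]
        rows.append((e.asset, e.threat, annualized_loss_expectancy(e),
                     residual_risk(e), cost_benefit(e, s), control_strategy(e, s, appetite)))
    return rows


if __name__ == "__main__":
    for asset, threat, ale, resid, cba, strategy in risk_worksheet():
        print(f"{asset:18} {threat:20} ALE={ale:>9,.0f} residual={resid:>9,.0f} "
              f"CBA={cba:>9,.0f} -> {strategy}")
```

Run as a script, the worksheet ranks phishing (residual 117,000) above SQL injection (84,000), denial of service (33,000) and laptop theft (5,280). The two highest-ranked items get "defend" because their safeguards return a positive CBA; the DDoS scrubbing service costs more than the loss it avoids and the residual exceeds the appetite, so it is marked "transfer"; laptop theft has a negative CBA but a residual inside the appetite, so it is accepted. Replace the constructed figures with your own asset valuation and threat estimates before drawing any conclusion from the numbers.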

Protection Mechanisms

  • Know and understand access control approaches, including authentication, authorization, and biometric access controls
  • Define and identify the various types of firewalls and the common approaches to firewall implementation
  • Discuss the current issues in dial-up access and protection
  • Identify and describe the types of intrusion detection systems and the two strategies on which they are based
  • Discuss cryptography and the encryption process, and compare and contrast symmetric and asymmetric encryption

Personnel and Security

  • Identify the skills and requirements for information security positions
  • Recognize the various information security professional certifications, and identify which skills are encompassed by each
  • Understand and implement information security constraints on the general hiring processes
  • Understand the role of information security in employee terminations
  • Describe the security practices used to control employee behavior and prevent misuse of information

Law and Ethics

  • Understand the ethical implications of performing risk assessments
  • Understand the ethical implications of performing penetration tests
  • Understand the laws associated with risk assessment and management
  • Understand the implications of compliance in risk assessment and management

Perform Complete Risk Management and Assessment Plan