Catalogue of Modules M. Sc. Security Management February 2014


Catalogue of Modules M. Sc. Security Management

February 2014

Seite 2/42 Catalogue of Modules M. Sc. Security Management February 2014

Imprint

Author: Prof. Dr. Sachar Paulus

Editor: Prof. Dr. Sachar Paulus

Printing: Print shop of Fachhochschule Brandenburg

Contact: Fachhochschule Brandenburg

University of Applied Sciences

Magdeburger Str. 50

14770 Brandenburg an der Havel

T +49 3381 355 - 101

F +49 3381 355 - 199

E [email protected]

www.fh-brandenburg.de

As of: 21 February 2014

© Fachhochschule Brandenburg


Table of Contents

1 Introduction
2 Modules of the first term
  2.1 Principles of Security Management
  2.2 Law, Compliance and Data Protection
  2.3 Principles of ICT Infrastructure Security
  2.4 Principles of Secure Communication Technology
  2.5 Principles of forensics and auditing
  2.6 Term Thesis 1
3 Second term
  3.1 Security and Crisis Management in the international Context
  3.2 Physical Security
  3.3 Corporate Governance
  3.4 Secure Systems Lifecycle Management
  3.5 Secure IT Services and Business Processes
  3.6 Project
  3.7 Term Thesis 2
4 Third Term
  4.1 Master’s Thesis incl. Master’s Seminar
5 Examples for Compulsory Optional Modules
  5.1 ITIL - Information Technology Infrastructure Library
  5.2 Know-how Protection
  5.3 Technical Aspects of the IT Forensics
  5.4 Security Concepts of Nuclear Power Plants


1 Introduction

This document contains the module descriptions of the M. Sc. degree program in Security Management at Brandenburg University of Applied Sciences. The module content dates from 2012; the descriptions were translated into English in early 2014.

Students can choose a profile from a number of offerings. Part of the content consists of compulsory optional modules that the program management selects every term. A number of descriptions of compulsory optional modules are included as examples at the end of this publication.

Module overview

Term 1 (∑ Modules: 7; ∑ CP/Term: 30)
  • Principles of Security Management (6CP)
  • Principles of Secure Communication Technology (3CP)
  • Principles of Forensics and Auditing (3CP)
  • Principles of ICT Infrastructure Security (6CP)
  • Law, Compliance and Data Protection (6CP)
  • Term Thesis 1 (3CP)
  • Compulsory Optional Module 1 (3CP)

Term 2 (∑ Modules: 7; ∑ CP/Term: 30)
  • Security and Crisis Management in International Contexts (6CP)
  • Physical Security (3CP)
  • Secure System Lifecycle Management (6CP)
  • Secure IT-Services and Business Processes (3CP)
  • Corporate Governance (3CP)
  • Term Thesis 2 (3CP)
  • Project (6CP)

Term 3
  • Compulsory Optional Module 2 (3CP), Compulsory Optional Module 3 (3CP) (∑ Modules: 2; ∑ CP: 6)
  • Master Thesis incl. Colloquium (21CP), Master Seminar (3CP) (∑ CP: 24)

Total: 90 CP

Subject Area
  • Security Management
  • IT Security
  • Mathematical and Technical Principles
  • Law and Business Management
  • Compulsory Optional Modules


2 Modules of the first term

2.1 Principles of Security Management

Brief module label: SM_Ma_GrundlagenSecurityManagement

Module description: Principles of Security Management

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SM Ma, 1st term, required module

Usability of the module: The module is also offered as a compulsory lecture for the Master’s course in Information Systems. The module can also be offered for the Master’s course in Informatics.

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Sachar Paulus

Language of instruction: German

Prerequisites: None

ECTS-Credits: 6

Total workload and its composition: 180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours; Exercise: 15 hours; Practical application based on case studies: 30 hours

Study and examination achievements:

Homework (50%), Presentation (50%).

Weighting of the grade in the overall grade:

2/5 of the subject grade; 13.5% of all subject grades; 4.725% of the final grade

Learning outcomes:

The objective is to enable the students to acquire basic knowledge and skills in the following aspects of learning:
• Preparation of security investigations
• Conducting risk evaluations
• Analysis of conditions of security and the significance of counter measures
• Development of understanding the importance of security in the process of decision making by entrepreneurs
• Assessment of security organisations in enterprises
• Implementing exemplary security processes with the use of IT tools
• Designing security measures and successfully presenting the same to a committee of decision makers

In addition, the students are expected to achieve the following results of learning:
• Establish a security organisation in an enterprise
• Prepare a skill profile for an individual in charge of security
• Integrate IT and non IT security relevant aspects
• Introduce a security management system in an organisation
• Prepare a strategy for a section of IT, information or corporate security

Contents:

Primary aspects of corporate security:
• Security Governance and Security Management System
• Security Organisation
• Security Policy
• Risk management
• Analyzing security
• Security processes
• Norms and standards for information security
• Return-on-Security-Investment calculations
• Crisis management
• Business Continuity Management

Additionally: Selected specific areas of the IT and corporate security

Teaching and learning methods: Interactive combination of lectures, preparations and presentation of contents, demonstration of concepts, practical tasks for groups, preparation of own content and role play.

Literature:

• Security Management 2011: Manual of information security, IT security, security of locations, White-collar criminality and Management liability by Guido Birkner, 2011.

• Handbuch Unternehmenssicherheit [Manual of Corporate Security]: Comprehensive security, continuity and risk management with system by Klaus-Rainer Müller, 2010.

• Unternehmenssicherheit [Corporate Security] by Stephan Gundel, and Lars Mülli, 2009.

• Security Risk Management Body of Knowledge by Julian Talbot, Miles Jakeman, Wiley 2009.

Additional information:


2.2 Law, Compliance and Data Protection

Brief module label: SM_Ma_RechtComplianceDatenschutz

Module description: Law, Compliance and Data Protection

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Michaela Schröter, Dipl. iur. Raoul Kirmes M.Sc., CISA, QMA

Language of instruction: German

Prerequisites:

ECTS-Credits: 6

Total workload and its composition: 180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

Lecture: 60 hours

Study and examination achievements: Study assignments (30%), Written examination (70%).

Weighting of the grade in the overall grade:

2/3 of the subject grade; 8.33% of all subject grades; 2.916% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Identification of relevant legal position of important activities concerned with security in organisations
• Application of national, European and international legislations in order to meet the compliance specifications for companies
• Enabling critical discussion with legal target conflicts and for submitting an appropriate evaluation of the risk situation for companies as those affected by regulations

Contents:

1. Introduction to juristic methodology
2. European and international security law
3. Introduction to the WTO law (focus on international law on product safety)
4. System of fundamental freedom and national security interests
5. Technical trade restrictions in security law
6. Compliance in the international context
7. International, European and national accreditation law
8. Principles of contractual liability (§§280 BGB)
9. Principles of tortious liability (§§823ff BGB, ProdHaftG)
10. Law governing the private security trade
11. Overview of the German law governing weapons
12. Main features of law of criminal proceedings
13. Electronic legal relations (eCommerce/Signature law)
14. International emoluments and principles of law governing data security

Teaching and learning methods: Lecture

Literature:

- Harald Jele, Wissenschaftliches Arbeiten: Zitieren [Scientific Working Methods: Quoting], Kohlhammer, 3rd ed., 2012
- Calliess/Ruffert, EUV/AEUV 4th ed. 2011.
- Röhl, Akkreditierung und Zertifizierung im Produktsicherheitsrecht [Accreditation and Certification in Law Governing Product Safety], Springer Verlag 2000.
- Ensthaler, Zertifizierung und Akkreditierung technischer Produkte [Certification and Accreditation of Technical Products], Springer Verlag 2007.
- Martin Schulte, Handbuch des Technikrechts [Manual of Law Governing Technology], 2nd ed. Springer Verlag, 2010.
- Abbott/ Kirchner/ et.al., International Standards and the Law, Stämpfli Verlag AG, 2005.
- Kurt Schellhammer, Schuldrecht nach Anspruchsgrundlagen [Law of Obligations According to Principles of Claims], 8th ed., 2011.
- Martin Kutscha, Handbuch zum Recht der Inneren Sicherheit [Manual of Law Governing Internal Security], 2nd ed., BWV Verlag, 2006.
- Rolf Stober, Sven Eisenmenger, Besonderes Wirtschaftsverwaltungsrecht [Special Business Administration Law], 15th ed., Verlag Kohlhammer, 2011
- Knemeyer: Polizei- und Ordnungsrecht [Police and Law Governing Public Order], Beck, 2007
- Busche: Waffenrecht 2012 [Weapons law 2012], Kiel 2012
- Hoeren: Internet- und Kommunikationsrecht [Internet and communication law], Otto Schmidt Cologne 2012
- Schade: Arbeitsrecht [Labour law], Kohlhammer 2010
- Martin T. Biegelman, Building World-Class Compliance Program: Best Practices and Strategies for Success, John Wiley & Sons; 2008.
- Acquisti/ Gritzalis/Lambrinoudakis, Digital Privacy: Theory, Technologies, and Practices, Auerbach Pubn, 2007
- Sanjay Anand, Essentials of Sarbanes-Oxley, John Wiley & Sons, 2007.
- CCH Incorporated, SEC Compliance and Disclosure Interpretations, Harcourt Professional Publishing, 2009.
- Reyes, Carla, WTO-compliant Protection of Fundamental Rights: Lessons from the EU 'Privacy Directive', Melbourne Journal of International Law, Vol. 12, No. 1, Jun 2011: 141-176.
- Spiros Simitis, Bundesdatenschutzgesetz [Federal Law Governing Data Security], Nomos, 7th ed., 2011.
- Current legal texts

Additional information: Assignments for thorough reading


2.3 Principles of ICT Infrastructure Security

Brief module label: SM_Ma_IKT-Infrastruktursicherheit

Module description: Principles of ICT Infrastructure Security

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Eberhard von Faber

Lecturer: Prof. Dr. Eberhard von Faber, Dipl. Ing. Dietmar Hausmann

Language of instruction: German

Prerequisites:

Importance of IT security and its role in practice; technical and physical basic knowledge; knowledge of the basics of Internet networks, Operating Systems and cryptography-based techniques

ECTS-Credits: 6

Total workload and its composition: 180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

lectures in the range of at least 30 hours and exercises up to 30 hours

Study and examination achievements:

Written examination or oral examination including 20% of the result of project work

Weighting of the grade in the overall grade:

1/2 of the subject grade; 5% of all subject grades; 1.75% of the final grade

Learning outcomes:

• Familiarization with the threats and challenges in networks, including important counter measures in the form of protocols and various security solutions

• Familiarization with the functioning of these solutions, understanding of their use, operation and interaction; ability to integrate and deploy independently some of these solutions; familiarization with supplementing measures and solutions

• Development of the ability to integrate the required solutions adequately into various ICT infrastructures and usage scenarios; familiarization with service models including Cloud Computing and its implications

• Development of ability to analyse requirements and industrial practical factors and to integrate solutions based on the practical example of an industrial solution

• Familiarization with security modules and embedded systems as core components for distributed systems; properties, challenges and use; principles of usage and on the security of smart cards

• Details of PKI as infrastructure for secure communication, including testing schemes as international infrastructure for the risk management based on the example of payment systems

Contents:

• Extended principles of Internet networks (TCP/IP Protocol, ISO/OSI, Routing, active components, cryptography)

• Dangers in the use of IT, categories of threats, weak points and hazards

• Security management, security audits with tools, network monitoring and network logging

• Attacks and counter measures

• Cryptography applications (encrypted communication, VPN protocols, certificates)

• Web Server Security, Email security

• In depth study and practical application of project topics on Firewalls, Honeypots and Intrusion Detection Systems, WLAN security and VPN

• Integration of various solutions in the ICT network: business processes vs. ICT; Usage scenarios vs. ICT; service models and Cloud Computing: division of labour, service models, security management

• Learning situation of a special industry application: requirements and solutions; Practical factors and their outcome, result and practice in industry

• Components for distributed systems and mobility: Embedded Systems; Properties, challenges and solutions; Internet of things; Life Cycle; Device Management and Security Design; Practical seminar: application, technology of the chip cards and practical attacks

• PKI: an infrastructure for secure communication (visible or invisible; function, realization, practice)

• Assurance: an infrastructure for “Trust” and “Security” in a (global) division of labour in industrial value-added chains

Teaching and learning methods: Combination of lectures, exercises based on one’s own computer and lab exercises; lectures deploying different media; tasks and exercise examples; control questions/revision course

Literature:

[1] Cisco Networking Academy: CCNA Exploration Companion Guide, Vol. 1-4, Cisco Press, 2008
[2] Alexander Michael: Netzwerke und Netzwerksicherheit - Das Lehrbuch [Networks and Network Security – the text book], Hüthing publishers, 2006.
[3] Plötner Johannes, Wendzel Steffen: Praxishandbuch Netzwerk-Sicherheit [Practical Manual of Network Security], Galileo Computing, 2007.
[4] Anderson, Ross: Security Engineering, A Guide to Building Dependable Distributed Systems; John Wiley & Sons
[5] Common Criteria for Information Technology Security Evaluation; www.commoncriteriaportal.org or ISO 15408
[6] Rankl, Wolfgang and Wolfgang Effing: Handbuch der Chipkarten, Aufbau, Funktionsweise, Einsatz von Smart Cards; [Manual of Chip Cards, Structure, Functioning, Usage of Smart Cards] by Hanser technical publishers

Other reference works on special project topics (VPN, IPSec, IPv6, IDS, WLAN, Attacks, and many more)

Scripts and other teaching materials will be distributed directly to the students during the lecture, or made available on the learning platform of the university.

Additional information:


2.4 Principles of Secure Communication Technology

Brief module label: SM_Ma_SichereKommunikation

Module description: Principles of Secure Communication Technology

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Eberhard von Faber, Prof. Dr. Michael Syriakow

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition: 90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours

Study and examination achievements:

Written examination

Weighting of the grade in the overall grade:

1/4 of subject grade; 2.5 % of all subject grades; 0.875 % of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Comprehension of the fundamentals and conditions of secure communication
• Thinking out communication scenarios
• Comprehension of the cryptographic principles
• Evaluation and selection of management tasks around electronic communication

Contents:

• Logical vs. physical security
• Basic concepts of cryptography (symmetrical vs. asymmetrical methods, encryption, signature, certificates, PKI, RSA, DSA, AES, DES, Hash functions)
• Security modules
• Embedded Systems
• Devices and key management
• Chip cards, incl. management and personalization
• Hardware-oriented attacks

Teaching and learning methods: Lecture and exercises in small groups.

Literature:

[1] Anderson, Ross: Security Engineering, A Guide to Building Dependable Distributed Systems; John Wiley & Sons, Inc.; 2001
[2] FIPS PUB 140-2, Security Requirements for Cryptographic Modules; National Institute of Standards and Technology; 2002; http://csrc.nist.gov/cryptval/
[3] Common Criteria for Information Technology Security Evaluation (also ISO15408), Part 1: Introduction and general model, Part 2: Security functional requirements, Part 3: Security assurance requirements http://www.bsi.de/cc/index.htm or http://www.commoncriteriaportal.org (and: CEM)
[4] BSI-PP-0002, Smartcard Integrated Circuit Platform Protection Profile; Version 1.0, July 2001 (E. von Faber main technical editor); Smartcard Integrated Circuit Augmentations; Version 1.0, March 2002; http://www.bsi.bund.de/cc/pplist/pplist.htm
[5] Rankl, Wolfgang and Effing, Wolfgang: Handbuch der Chipkarten, Aufbau, Funktionsweise, Einsatz von Smart Cards [Manual of Chip Cards, Structure, Functioning, Use of Smart Cards]; published by Hanser Fachbuchverlag, 2002

Beutelspacher, Kryptologie [Cryptology], Vieweg, 2005
C. A. Deavours – L. Kruh, Machine Cryptography and Modern Cryptanalysis, Artech House Publishers, 1985
D. E. Knuth, The Art of Computer Programming 2, Seminumerical Algorithms, Addison-Wesley, 1998
A. J. Menezes - P. van Oorschot - S. Vanstone, Handbook of Applied Cryptography, CRC, 1996
B. Schneier, Angewandte Kryptographie [Applied Cryptography], Pearson Studium, 2005
A. Sinkov, Elementary Cryptanalysis, The Mathematical Association of America, 1998
M. Welschenbach, Cryptography in C and C++, Apress, 2005
J. Bamford, Body of Secrets: Anatomy of the Ultra-Secret National Security Agency, Anchor, Reprint Edition, 2002

Additional information: Use of the E-Learning Program CrypTool http://www.cryptool.de/


2.5 Principles of forensics and auditing

Brief module label: SM_Ma_ForensikAuditing

Module description: Principles of forensics and auditing

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Igor Podebrad

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition: 90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours

Study and examination achievements:

Written examination

Weighting of the grade in the overall grade:

1/4 of the subject grade; 2.5% of all subject grades; 0.875% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

• Organisation of IT forensic analyses and IT audits
• Operating IT systems while taking into account the requirements of IT forensics and IT auditing
• Development and implementation of IT forensics related security guidelines
• Evaluation of the usability of IT audit results for forensics

Contents:

• Legal prerequisites for IT forensics
• Principles of IT auditing
• Organisation of IT forensic analyses

Teaching and learning methods: Lecture and exercises in small groups

Literature:

• IT-Forensik [IT Forensics] by Alexander Geschonnek, 2011

• The Basics of Digital Forensics: The Primer for Getting Started in Digital Forensics by John Sammons, 2012

Additional information:


2.6 Term Thesis 1

Brief module label: SM_Ma_Semesterarbeit1

Module description: Term Thesis 1

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Friedrich Holl and all other participating teaching faculty members

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours; Seminar with preparation of presentation: 15 hours

Study and examination achievements:

Written assignments

Weighting of the grade in the overall grade:

1/2 of the subject grade; 5% of all subject grades; 1.75% of the final grade

Learning outcomes: Preparation of scientific papers with tutorial related to the topic of security

Contents:

• Methods of collection of data (statistics, interviews, primary/secondary sources)

• Source discussion: research, reading, evaluation

• Creative techniques and self-organisation

• Situation-related requirements for writing styles (advertising, press releases, scientific papers etc.)

• Preparation of an exposé

• Methodical structure of scientific papers

• Phases of scientific working methods

• Material collection and research

• Material evaluation and selection

• Material and topic processing

• Method of quoting

Teaching and learning methods: Lecture, discussion, presentation of own results.

Literature:

• DIN 1421 (Classification and Numbering System in texts)

• Eco, U. (2005): Wie man eine wissenschaftliche Abschlussarbeit schreibt - Doktor-, Diplom- und Magisterarbeit in den Geistes- und Sozialwissenschaften [How to Compile Final Thesis for Doctorate, Graduate and Postgraduate Studies in Humanity and Social Science Studies], Müller, Heidelberg.

• Theisen, Manuel R.: Scientific Papers – Technique & Methodology, Form, 2000.

• Peterssen, Wilhelm H.: Scientific Papers - An Introduction for School and Studies, 1999.

Additional information:


3 Second term

3.1 Security and Crisis Management in international Contexts

Brief module label: SM_Ma_SecurityKrisenManagementInternational

Module description: Security and Crisis Management in international Contexts

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SM Ma, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Sachar Paulus

Language of instruction: German, partly English (10%)

Prerequisites: None

ECTS-Credits: 6

Total workload and its composition:

180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours; Exercise: 15 hours; Practical application based on case studies: 15 hours

Study and examination achievements:

Written examination or oral examination

Weighting of the grade in the overall grade:

2/5 of the subject grade; 13.5% of all subject grades; 4.725% of the final grade

Learning outcomes:

The objective is to enable the students to acquire knowledge and skills in the following aspects of learning:
• Analysis of security systems in the international context while taking into account the cultural, political and geographical conditions
• Management of security organisation in international corporations
• Preparation of security measures during travel or delegation of employees to foreign countries
• Introduction of a crisis management system
• Reaction in international crisis situations
• Controlling the global crisis communication
• Influencing the public perception of security topics

Contents:

• Security management in global organisations
• Travel Security
• Security during delegation of employees
• Crisis management in the international context
• Communication during crises: principles and procedures for communication during crisis situations
• Internal and external crisis communication
• Message House
• Handling media during crisis situations
• Public image of security
• Campaigns for security topics

Teaching and learning methods:

Interactive combination of lecture, preparation and presentation of content, demonstration of concepts, practical tasks for groups, preparation of own content and role play.

Literature:

• Notfall- und Krisenmanagement im Unternehmen [Emergency and Crisis Management in Companies] by Axel Bédé, 2009.
• Unternehmenskrisen und Krisenmanagement [Corporate Crises and Crisis Management] by Ronny Scharschmidt, 2009.
• Führen in Krisensituationen [Managing during Crisis Situations] by Markus Klaus, 2008.
• Global Threat: Target-Centered Assessment and Management by Robert Mandel, 2008.
• Security Risk Management Body of Knowledge by Julian Talbot and Miles Jakeman, 2009.

Additional information:


3.2 Physical Security

Brief module label: SM_Ma_PhysischeSicherheit

Module description: Physical Security

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SM Ma, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Ralph Wölpert, Thorsten Weller, Ralf Dahmer, Thomas Koch

Language of instruction: German

Prerequisites: None

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours

Study and examination achievements:

Written examination or oral examination

Weighting of the grade in the overall grade:

1/5 of the subject grade; 6.75% of all subject grades; 2.3625% of the final grade

Learning outcomes:

The objective is to enable the students to acquire basic knowledge and skills in the following aspects of learning:
• Knowing the methods of protection and safety engineering
• Analysis of the possibilities of use and effectiveness of protective mechanisms against elementary damage, mechanical safety installations, hazard alert systems and surveillance systems
• Planning of a security system network
• Evaluation of solutions available in the market
• Appraisal of the legal aspects for the deployment of individual security mechanisms

Contents:

• Fundamentals of building safety
• Terminology and overview of areas of tasks and available options
• Engineering principles
• Physical attacks and their effect
• Elementary damage
• Attackers, their aims and methods of attack
• Weapons and their effect
• Radiation of electronic devices
• Mechanical safety systems and access control
• Locks, locking systems and their security
• Securing doors, windows and fences against attacks
• Secure storage and data cabinets
• Engineering and legal regulations and directives
• Hazard alert systems
• Fundamentals
• Burglary alarm systems
• Attack alert systems
• Installation failure alert systems
• Fire alarm and fire fighting systems
• Engineering and legal regulations and directives
• Surveillance systems
• Technical possibilities
• Open and hidden monitoring
• Engineering and legal regulations and directives
• Emergency planning and operational safety
• Consequential damage analysis
• Handling untoward incidents

Teaching and learning methods: Lecture

Literature:

• Physical Security Systems Handbook by Michael Kairallah, 2005.
• Current Journals and Magazines covering the topic: kes, Der Sicherheitsberater [The Safety Advisor], S&I.

Additional information:


3.3 Corporate Governance

Brief module label: SM_Ma_Unternehmensführung

Module description: Corporate Governance

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Robert Franz, Prof. Dr. Friedrich Holl, Prof. Dr. Sachar Paulus

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours; Processing case studies: 15 hours

Study and examination achievements:

Oral examination

Weighting of the grade in the overall grade:

1/3 of the subject grade; 4.17% of all subject grades; 1.46% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

• Knowing the principles of successful corporate governance

• Influencing the corporate leaders for observing the security aspects and for constructive handling of crisis situations

• Derivation of a security strategy and security goals out of the corporate strategy

• Development of a strategy to strengthen the ethical aspects of corporate governance

• Resolution of conflicts

Contents:

• Functions of corporate governance (development of corporate goals, principles, culture; formulation of strategies; Human Resources and Negotiations Management; international aspects in the global competition)
• Integration of security goals with the corporate strategy
• Ethical aspects of corporate governance (anti-corruption strategies, Code of Conduct etc.)
• Conflict management (conflict diagnosis, typology of conflicts, escalations, strategies for conflict handling)

Teaching and learning methods: Lecture, processing case studies in small groups, presentation of practice examples, role plays.

Literature:

• K. Macharzina: Unternehmensführung [Corporate Governance]
• T. Hutzschenreuter: Krisenmanagement [Crisis Management]
• F. Glasl: Konfliktmanagement [Conflict Management]
• B. Stackpole, E. Oksendahl: Security Strategy: From Requirements to Reality.

Additional information:

3.4 Secure Systems Lifecycle Management

Brief module label: SM_Ma_SecureSystems

Module description: Secure Systems Lifecycle Management

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 2nd term, required module

Usability of the module: The module can also be offered as WPF for WI [Business Informatics] and Informatics Master courses.

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Sachar Paulus

Language of instruction: 80% German, 20% English

Prerequisites:

Initial experience in programming web applications for an exemplary scenario. Normally, this should be ensured by studies completed until this point of time. Alternatively: self-study, for example, based on PHP 5.3: Program Dynamic Websites Professionally by Christian Wenz and Tobias Hauser (December 2009)

ECTS-Credits: 6

Total workload and its composition:

180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours; Exercise: 30 hours

Study and examination achievements:

Development of a secure web application (30%); Documentation of a secure development cycle for a software application (40%); Carrying out and presentation of a security investigation for another web application (30%).

Weighting of the grade in the overall grade:

2/3 of the subject grade; 15% of all subject grades; 5.25% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Knowing and application of Best Practices taught during the development of IT based systems for secure software
• Development of acceptance criteria for non-functional security requirements
• Carrying out threat models
• Avoidance of weak points during the development
• Carrying out security checks
• Secure installation and operation of software
• Establishment of a Security Response Program
• Analysis of existing software for security-related weak points
• Development and implementation of a protective program for software during the system development
• Establishment of a Management System for security in the development process, and integration of such Management System into a possibly available quality process
• Carrying out security analyses (“Hacking”)
• Presentation of investigation results

Contents:

Basic principles of secure software development:
• Security requirements
• Safe designing and threat models
• Architecture analyses
• Secure coding
• Security checks
• Secure systems
• Security Response
• Protection of own software against manipulation and know-how theft

Teaching and learning methods:

Interactive combination of lecture, exercises on own computer, lab exercises, preparation and presentation of content, demonstration of concepts, practical tasks in groups.

Literature:

• Basiswissen sichere Software [Basics of secure software] by Sachar Paulus, dpunkt 2011.
• Software-Qualität, Testen, Analysieren und Verifizieren von Software [Software Quality, Testing, Analysis and Verification of Software] by Peter Liggesmeyer, Spektrum Akademischer Verlag, 2002.
• Writing Secure Code by Michael Howard & David LeBlanc, 2003
• www.owasp.org

Additional information:

3.5 Secure IT Services and Business Processes

Brief module label: SM_Ma_SichereITDienste

Module description: Secure IT Services and Business Processes

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SM Ma, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Eberhard von Faber

Lecturer: Dr. Eberhard von Faber

Language of instruction: German

Prerequisites:

Basic knowledge of business processes and corporate governance; Knowledge of Information and Communications Technology: Applications, Systems and Networks, including the underlying technology.

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

15 hours: lecture utilizing various media, project assignments for practice, in depth study and self checks, including control questions/revision course

Study and examination achievements:

Written examination or oral examination

Weighting of the grade in the overall grade:

1/3 of the subject grade; 7.5% of all subject grades; 2.625% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Understanding of technologies and organisation of modern (industrial) ITC production, and especially the incidental security questions
• Usage and integration of IT services in business processes; assessment of security requirements, evaluation and selection of IT services
• Successful implementation of Identity and Access Management (IAM): understanding of basic terminology, architectures and technologies; planning and implementation in companies and in complex value-added chains

Contents:

1. Fundamentals of ITC production; ITC architectures and infrastructure elements; Security aspects; Management of solutions for the system and network security; processes and organisation; Tasks ranging from weak point management to Disaster Recovery
2. User and Producer: IT services; Security requirements, evaluation, selection and integration; Security and risk management in “outsourcing”, basic problems and “sourcing” models
3. Enterprise Security Architecture: ICT Production, Service Design, Transition, Service Delivery Management, Security Management, GRC
4. Basic terminology IAM (from Identification to Accounting)
5. Authentication: Types, methods, technologies; problems and solutions; Architectures and distributed systems (e.g. LDAP, RADIUS, Kerberos, ESSO, Single Sign-On, Federation)
6. Authorization: Services and limitations; Strategies (DAC, MAC, RBAC, IF); Realization (Groups, Roles, ACL, Capabilities); Alternatives; Trends and Outlook including DRM
7. Identity Management: Administrative tasks, Registration, Workflows, Enrolment; Credential Management, User Self-Service, UHD etc.
8. Accounting; Analytics; Attestation; Intelligence, SOD
9. IAM-Architectures (the whole picture); Infrastructures
10. Setting up and implementing IAM programs in large enterprises

Teaching and learning methods: Lecture utilizing various media, project assignments for practice, in depth study and self checks, including control questions/revision course

Literature:

[1] Alexander Tsolkas and Klaus Schmidt: Rollen und Berechtigungskonzepte, Ansätze für das Identity- und Access Management im Unternehmen [Roles and Authorization Concepts, Approaches for the Identity and Access Management in the Company]; August 2010, Vieweg+Teubner
[2] Martin Kappes: Netzwerk- und Datensicherheit, Eine praktische Einführung [Network and Data Security, A Practical Introduction]; Vieweg+Teubner
[3] Hans-Peter Königs: IT-Risiko-Management mit System, Von den Grundlagen bis zur Realisierung. Ein praxisorientierter Leitfaden [IT Risk Management with System, From the Basics to Realization. A Practice-oriented Guide], Vieweg
[4] Claudia Eckert: IT Security, Concepts - Methods - Protocols
[5] J. R. Winkler: Securing the Cloud: Cloud Computer Security Techniques and Tactics, Syngress.
[6] Current Journals and Magazines on the topic: kes, Der Sicherheitsberater [The Security Advisor], S&I.

Additional information:

3.6 Project

Brief module label: SM_Ma_Projekt

Module description: Project

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Friedrich Holl and all other participating teaching faculty members

Language of instruction: German

Prerequisites:

ECTS-Credits: 6

Total workload and its composition:

180 hours = 60 hours of attendance and 120 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours; Practical work: 45 hours + self-study time

Study and examination achievements:

Project report (50%); Presentation (50%)

Weighting of the grade in the overall grade:

2/5 of the subject grade; 9% of all subject grades; 3.15% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Conducting security projects
• Planning a security-related project while following all requirements of security
• Application of project management methodologies

Contents:

Problem identification:
- Systematic preparation of the “State of the Art” technology
- Integration into the available practical context
- Basic conditions of deployment
- Use of different techniques of analysis such as interview method, questionnaire, Delphi method, preparation of the context concerning documents and so on.

Development of expected concepts:
- Systematically founded development of a practice-oriented approach to solutions
- Use of creative methods
- Cost-benefit analyses
- Development of basic conditions for deployment

Prototypical implementation:
- the prototypical implementation is carried out by developing a software prototype
- implementation in an enterprise/organisation or e.g. development of an application for R&D sponsorship

Teaching and learning methods: Lecture, practical work in groups comprising maximum 7 participants, presentation of own results.

Literature: A Guide to the Project Management Body of Knowledge, PMI, 2008

Additional information: For this course, the candidate’s willingness to undertake practical work with cooperating partners is a prerequisite.

3.7 Term Thesis 2

Brief module label: SM_Ma_Semesterarbeit2

Module description: Term Thesis 2

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 2nd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: Prof. Dr. Friedrich Holl and all other participating faculty members

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours; Seminar including topic presentation: 15 hours

Study and examination achievements:

Writing assignment

Weighting of the grade in the overall grade:

1/2 of the subject grade; 5% of all subject grades; 1.75% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Preparation of an independent scientific paper on the topic of security

Contents:

• Source discussion: research, reading, evaluation
• Covering all relevant topics
• Logical coherence and consistency
• Formulate complex coherences comprehensibly
• Present own findings

Teaching and learning methods: Lecture, discussion, presentation of own findings.

Literature:

• DIN 1421 (Classification and Numbering System in Texts)
• Eco, U. (2005) Wie man eine wissenschaftliche Abschlussarbeit schreibt - Doktor-, Diplom- und Magisterarbeit in den Geistes- und Sozialwissenschaften [How to Compile Final Thesis for Doctorate, Graduate and Postgraduate Studies in Humanity and Social Science Studies], Müller, Heidelberg.
• Theisen, Manuel R.: Scientific Papers – Technique & Methodology, Form, 2000.
• Peterßen, Wilhelm H.: Wissenschaftliche(s) Arbeiten - Eine Einführung für Schule und Studium [Scientific Papers – An Introduction to Schools and Studies], 1999.

Additional information: Ideally, the student should prepare his own scientific publication during this course.

4 Third Term

4.1 Master’s Thesis incl. Master’s Seminar

Brief module label: SM_Ma_Masterarbeit

Module description: Master’s Thesis incl. Master’s Seminar

Division in teaching sessions, if applicable:

A Master’s seminar is offered in parallel, in which the state of the work done is appraised without grading.

Duration of module: One term

Classification in the curriculum: SecMan Master, 3rd term, required module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Prof. Dr. Sachar Paulus

Lecturer: All faculty members of the university teaching in the course

Language of instruction: German / English (as per student’s option).

Prerequisites:

Only candidates who have successfully completed all examinations and course achievements due up to and including the 2nd term may register for the Master’s Thesis.

ECTS-Credits: 24

Total workload and its composition:

690 hours of self-study, 30 hours of attendance (Master’s seminar)

Form of teaching/term hours per week:

Self-study.

Study and examination achievements:

Master’s Thesis (75%); Colloquium (25%)

Weighting of the grade in the overall grade:

30% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:
• Preparation of a scientific paper under guidance, with own creative and/or constructive portions, on the topic “Security Management” within a period of 4 months

Contents: The Master’s Thesis is intended as a coherent engagement with an extensive topic and the resulting solution of a theoretical or practical problem.

Teaching and learning methods: Self-study.

Literature:

• Booth, W. C. et al. (1995). The craft of research. Chicago, London
• Brown, S. R. et al. (1990). Experimental Design and Analysis. London
• Cialdini, R. B. (2001). Influence, Science and Practice. Boston, MA
• Hussey, J., Hussey, R. (1997). Business Research. A practical guide for undergraduate and postgraduate students
• Karmasin, M. et al. (1999). Die Gestaltung wissenschaftlicher Arbeiten: ein Leitfaden für Haus-, Seminar- und Diplomarbeiten sowie Dissertationen [The Designing of Scientific Papers: A Guide for Homework, Seminar and Graduation Papers and Dissertations]. Vienna
• Pyrczak, S. et al. (1998). Writing empirical Research Reports. Los Angeles, CA
• Seale, C. (1999). The quality of qualitative research. London
• Trochim, W. M. K. (2000). The Research Knowledge Base. Cincinnati, Ohio

Additional information:

5 Examples for Compulsory Optional Modules

5.1 ITIL - Information Technology Infrastructure Library

Brief module label: SM_Ma_ITIL

Module description: ITIL - Information Technology Infrastructure Library

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st / 2nd / 3rd terms, elective module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Thekla Ludwig

Lecturer: Timothy Ross

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 30 hours

Study and examination achievements:

Homework (100%)

Weighting of the grade in the overall grade:

1/5 of the subject grade; 4.5% of all subject grades; 1.575% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

- Application of the ITIL model
- Evaluation of company/security processes in regard to the implementation of the ITIL model

Contents:

The students are introduced to ITIL (IT Infrastructure Library “v3“) and IT Service Management, comprising:

- ITIL model

- 5 Phases of the ITIL lifecycle (Service Strategy, Service Design, Service Transition, Service Operation and Continual Service Improvement) and their individual processes.

Supplementing the theoretical introduction, various practical scenarios are presented and practically developed. Different situations of ITIL introductions are presented and the significance of ITIL is highlighted through examples. Individual topics are studied in depth through presentations. In addition to this, the option is offered to acquire an official “ITIL Foundation” certificate.

Teaching and learning methods: Lecture with projector, flipchart, whiteboard, exercises (in groups and plenary sessions), presentations.

Literature:

- Jan van Bon, et al., Foundations in IT Service Management based on ITIL v3, Van Haren Publishing, Zaltbommel 2008

- Jan van Bon, et al., Foundations in IT Service Management based on ITIL, Zaltbommel 2006

- David Cannon, et al., ITIL Service Strategy 2011 Edition, TSO, London, 2011

- Lou Hunnebeck, et al., ITIL Service Design 2011 Edition, TSO, London, 2011

- Stuart Rance, et al., ITIL Service Transition 2011 Edition, TSO, London, 2011

- Randy Steinberg, et al., ITIL Service Operation 2011 Edition, TSO, London, 2011

- Vernon Lloyd, et al., ITIL Continual Service Improvement 2011 Edition, TSO, London, 2011

Additional information:

5.2 Know-how Protection

Brief module label: SM_Ma_Know-HowSchutz

Module description: Know-how Protection

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st / 2nd / 3rd terms, elective module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Thekla Ludwig

Lecturer: Peter Mnich and Dr. Jörg Treffke

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 15 hours

Study and examination achievements:

Oral examination

Weighting of the grade in the overall grade:

1/5 of the subject grade; 4.5% of all subject grades; 1.575% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

- Evaluation of corporate risks in regard to the Know-how protection

Contents:

The students learn about contents related to:
- the explanation of protection of know-how and products
- definitions and differentiation of information outflow and espionage
- current position of espionage worldwide
- risks for German enterprises
- offenders, offender models and their modus operandi
- protective measures, processes and current spheres of activity in the domain of Know-how Protection

Teaching and learning methods: Lecture, exercises in small groups.

Literature:

- Lindemann U. et al.: Know-How-Schutz im Wettbewerb: Gegen Produktpiraterie und unerwünschten Wissenstransfer [Know-how Protection in the World of Competition: Against Product Piracy and undesired Transfer of Knowledge], Springer Berlin Heidelberg, 2012

- Kochmann, K.: Schutz des „Know-How“ gegen ausspähende Produktanalysen [Protection of ”know-how” against spying product analyses], De Gruyter, 2009

- Abele, E. et al.: Schutz vor Produktpiraterie: Ein Handbuch für den Maschinen- und Anlagenbau [Protection against Product Piracy: a Manual for Construction of Machines and Installations], Springer Berlin Heidelberg, 2011

- Kahle/Merkel: Fall- und Schadensanalyse bzg. Know-how-/Informationsverlusten in Baden-Württemberg ab 1995 [Case and Damage Analysis reg. Know-how/Information losses in the State of Baden-Württemberg from 1995], Uni Lüneburg, 2004

- Wurzer/Kaiser: Praxishandbuch Internationaler Know-how-Schutz [Practical manual for international Know-how Protection], Bundesanzeiger Verlag, 2010

- Lux/Peske: Competitive Intelligence und Wirtschaftsspionage [Competitive Intelligence and Industrial espionage], Gabler Verlag, 2002

- Michaeli, Competitive Intelligence, Springer Verlag, 2004

- Schaaf, Industriespionage [Industrial espionage], Boorberg, 2009

- Fussan: Managementmaßnahmen gegen Produktpiraterie und Industriespionage [Management measures against product piracy and industrial espionage], Gabler Verlag, 2010

- Fink, Lauschziel Wirtschaft [Business world, the target of bugging], Boorberg, 1996

- Kenan, Vertrag versus Vertrauen [Contract vs. Trust], VDM, 2008

- Liman: Bewertung des irregulären Verlustes von Know-how [Assessment of irregular loss of know-how], Wirtschaftsverlag Bachem, 1999

- Westermann: Handbuch Know-how-Schutz [Manual of Know-how Protection], Verlag C.H. Beck, 2007

- http://www.sicherheitsforum-bw.de/
- http://www.verfassungsschutz.de/
- http://www.verfassungsschutz-bw.de
- http://www.verfassungsschutz.bayern.de/

Additional information:

5.3 Technical Aspects of the IT Forensics

Brief module label: SM_Ma_IT-Forensik

Module description: Technical Aspects of IT Forensics

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st / 2nd / 3rd terms, elective module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Thekla Ludwig

Lecturer: Prof. Dr. Igor Podebrad

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 2 term hours per week

Study and examination achievements:

Homework (100%)

Weighting of the grade in the overall grade:

1/5 of the subject grade; 4.5% of all subject grades; 1.575% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

- Analysis of data media, Operating Systems and networks

- Evaluation of data media and Operating Systems in regard to their forensic case-related information

Contents:

The students will receive learning content concerning:

Data media analysis

- Overview of types of hard disks

- Overview of physical and logical distribution of a disk

- Overview of file systems and file administration

- Details of hard disk analysis (files and their properties, including the types of files)

- Details of FAT

Analysis of Operating Systems

- Server vs. Workstation

- Location of OS on the disk

- Process analysis

- Network connectivity

- Registry

- NTFS

- Details of Alternate Data Streams and file types

- Windows artefacts

- Timelining

- Details of Registry

- Email analysis

Network analysis

- Fundamentals

- Protocols

- Details of analysis (anomalies, hidden communication, types of attacks)

Teaching and learning methods: Lecture, exercises in small groups.

Literature:

- Dewald, A. et al.: Forensische Informatik [Forensic Informatics], Books on Demand, 2011

- Geschonneck, A.: Computer-Forensik: Computerstraftaten erkennen, ermitteln, aufklären [Computer Forensics: Identifying, investigating, solving computer criminality], dpunkt.verlag, 2011

- Carrier, B.: File System Forensic Analysis, Addison-Wesley Professional, 2005

- Carvey, H.: Windows Forensic Analysis DVD Toolkit, Syngress, 2009

- Pogue, C.: UNIX and Linux Forensic Analysis DVD Toolkit, Syngress, 2008

Additional information:

5.4 Security Concepts of Nuclear Power Plants

Brief module label: SM_Ma_KonzepteSicherheitKernkraftwerken

Module description: Security Concepts of Nuclear Power Plants

Division in teaching sessions, if applicable:

Duration of module: One term

Classification in the curriculum: SecMan Master, 1st / 2nd / 3rd terms, elective module

Usability of the module:

Frequency of offering of modules: Every academic year

Author: Thekla Ludwig

Lecturer:

Language of instruction: German

Prerequisites:

ECTS-Credits: 3

Total workload and its composition:

90 hours = 30 hours of attendance and 60 hours of self-study

Form of teaching/term hours per week:

Lecture: 2 term hours per week

Study and examination achievements:

Homework (100%)

Weighting of the grade in the overall grade:

1/5 of the subject grade; 4.5% of all subject grades; 1.575% of the final grade

Learning outcomes:

This course aims to enable the students to acquire knowledge and skills in the following aspects of learning:

- Application of the ITIL model

- Evaluation of corporate/security processes in regard to the implementation of the ITIL model

Contents:

The students receive comprehensive information concerning the fundamentals and requirements of:

- Integrated management system (interaction between Man-Technology-Organisation (MTO concept))

- Aims of security (radiological and technical aims)

- Defence in Depth concept, independence of security levels

- Barrier concept

- Events and situations on security levels

- Installation internal emergency protection concept

- Protection against overlapping impacts

- Principles of proofs of safety (deterministic and probabilistic approaches)

- Classification concept

- Concept for practical exclusion of events

- Principles of layout

o Diversity principle – avoidance of CCF

o Individual error concept

o 30 minute concept

o Inherent safety, fail-safe principle

o Passive principles of operation

o Basic safety, leak-before-break concept

- Safety requirements for future nuclear power plants

Teaching and learning methods: Lecture, exercises in small groups.

Literature:

- Borlein, M.: Kerntechnik [Nuclear Technology], Vogel Business Media, 2011

- Smidt, D.: Reaktor-Sicherheitstechnik [Reactor Safety Technology], Springer-Verlag, Berlin, 1979

- IAEA: http://www-ns.iaea.org/standards/default.asp?s=11&l=90

- WENRA: http://www.wenra.org/extra/pod/?id=20&module_instance=1&action=pod_show

- KTA: http://www.kta-gs.de/

- GRS: http://www.grs.de/content/kerntechnisches-regelwerk

- Handbuch für Reaktorsicherheit und Strahlenschutz [Handbook for Reactor Safety and Radiation Protection], http://www.bfs.de/de/bfs/recht/RSH

- BMU: Sicherheitskriterien für Kernkraftwerke [Safety Criteria for Nuclear Power Plants], http://www.bmu.de/atomenergie_sicherheit/rechtsvorschriften_technische_regeln/doc/40327.php

Additional information: