Course Description:
All of us have experienced at one time or another the disquieting circumstance of having an information system upon which we depend (to one degree or another) behave in some unanticipated fashion. The instances of this unanticipated behavior have been sufficiently frequent that the manifestations of it have crept into the common vernacular. “The blue screen of death,” “you got 404ed” and the like are examples thereof. With the addition of networking and ubiquitous communications the problem has become yet more extensive and subtle. We are falling in thrall to the seductive song of the “cloud”. Just park all your data in the “cloud” and it will always be there for you to use. How do you know it will “always be there for you to use”? More generally, how do we know that any of these all-encompassing services will always be there? The notion of “how do you know” is expressed in many fields of endeavor, and in the digital domain in particular it is expressed as Assurance.
For the purposes of this course, Assurance is defined as “the basis for believing an information system will behave as expected”.
The extent to which one can believe that a particular system will behave as expected has been one of the major challenges in fielding “secure” information systems. There are far too many areas that can hide bugs, errors, design flaws, implementation errors, undocumented assumptions and the like for any exhaustive approach to assurance to be effective. Consequently, a set of somewhat undisciplined, if not chaotic, approaches to assurance has emerged. This course will survey these approaches and analyze their strengths, weaknesses, and shortcomings toward solving the challenge of fielding “secure information systems” that are fit for purpose.
This course revisits the ideas intended to be captured and enabled by assurance. It reviews the initial introduction of the concept in the computer / information security discipline; studies the evolution of the thinking; examines the multiple attempts to codify assurance; examines the current trajectory of assurance with regard to modern IT systems acquisition; addresses assurance across the whole lifecycle and logistics processes; and addresses assurance with regard to hardware, software, change control, and systems management.
It turns out that assurance has been a major challenge from the beginning of the development of “secure” systems. In some perspectives we have achieved observable improvement. In other areas we cannot tell and in others we have clearly lost ground.
It is recommended that students have some background in computer security, or a strong willingness to learn. Recommended previous courses of study include computer science, electrical engineering, computer engineering, management information systems, and/or mathematics. Because this is a foundational course, its technical difficulty is moderate, so it may also be considered by students in non-technical degree programs, such as business, who have good technical acumen.
This class will be primarily individual study, with weekly assigned readings, seven homework assignments, four quizzes, one project, a midterm and a final.
Objectives:
Students will be given the opportunity to examine the source material for the original motivation and introduction of assurance into the vernacular and analysis of information security. They will follow the motivation and evolution of the concepts of assurance through the codification of assurance to its subsequent dilution and disassociation as captured in today’s Common Criteria. Students will examine mechanisms and processes that support or detract from the assurance argument. Students will have the opportunity to study the relationship between assurance and risk management. Hopefully we will have the opportunity to examine the role of assurance in the emerging practice of underwriting (selling) risk in the form of insurance.