WORLDCOMP'10 Tutorial: Prof. Susan Lincke
A Top-Down Approach to Security Planning
Prof. Susan Lincke, University of Wisconsin-Parkside, Wisconsin, USA
Date: July 14, 2010
Time: 6:00-9:30 PM
Location: Ballroom 4
DESCRIPTION
Information systems security is hard because an attacker needs to find only one exploitable vulnerability, while the defender must close every hole. A security approach that chases only the latest technology is expensive and can leave a security analyst uneasy that the full problem has never been understood. A business-oriented, risk-based approach combined with sound technology is more satisfying: it works from the high level down, concentrates effort where the risk actually lies, and considers all available controls rather than only technical ones.
This tutorial provides an overview of security planning. We will consider how to plan for fraud prevention, information and network security, business impact analysis, disaster recovery and incident response, security program, and audit. We will look at a small medical office as an example case study. Medicine is an excellent example, because HIPAA legislation emphasizes privacy but requires comprehensive security practices.
In addition to enjoying a security planning overview, attendees will have access to a Small Business Security Workbook and a medical case study, from which to learn, use, and/or teach. The workbook and lecture notes were developed from best practices, as expected by professional organizations or certifications, including COBIT, Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and Certified Information Systems Security Professional (CISSP).
OBJECTIVES
The attendee will learn the following:
- Obtain an overview of information security from a practical and professional perspective
- Plan or design security in an economically feasible way
- View an example security implementation related to HIPAA legislation (medical privacy and security)
- Understand the different aims of three certificates within the security/audit field: CISA, CISM, and CISSP
The intended audience includes students, practitioners, instructors and faculty. You may be interested if you:
- Are interested in incorporating security into your skill set
- Would like to broaden your security expertise, if you have focused security knowledge
- Would like to learn about a useful workbook to introduce or enhance security in a small to medium-size professional organization
- Would like to teach information security using a practical approach
- Are considering adding a certification to enhance your credentials
Susan Lincke, PhD, CISA, Associate Professor of Computer Science, has 17 years of experience in the telecommunications industry. She teaches network security and information systems security (among other courses) at the University of Wisconsin-Parkside. Both security courses involve students in community-based learning.
Dr Lincke has created a Small Business Security Workbook intended to simplify the design of a security program for organizations with few IT staff and potentially no security expertise. The workbook guides the user step by step through security design. Topics in the workbook include policy development, risk and business impact analysis, information security, network security, physical security, and incident response. For educational use, the Workbook can be paired with the Health First Case Study, and/or used in service learning with community partners. This material has been developed with financial assistance from the National Science Foundation (NSF) as CCLI grant 0837574: Information Security: Audit, Case Study, and Service Learning.
Dr Lincke’s other research interests include wireless networks, security auditing, modeling and simulation.