
Assignment 1

This document outlines four assignments for an information security course. Assignment 1 involves writing a definition of information assurance and relating it to concepts from course slides. Assignment 2 involves drafting a proposal for screening newly acquired software and hardware for security risks. Assignment 3 revises the proposal from Assignment 2 based on class discussions. Assignment 4 involves selecting and describing a topic for a final group project.

Uploaded by

Catherine Balite
Copyright
© All Rights Reserved

Assignment 1

Due: Friday, Feb. 6 at class time; bring a hard copy to class (send it electronically if
you won't be in class).

Note: you can work with one other student on this project. If you do so, be sure to
identify both members of the team and include a sentence explaining the
contributions of each.

Consider the various definitions/characterizations of Information Assurance given in
the first part of slideset 1. Write your own definition of Information Assurance.
Explain how your definition relates to or encompasses the following:

- the ISO/IEC aspects of software quality (slide 5);
- Raggad's conceptual resources (slide 8);
- the DoD aspects of information needing protection (slide 11);
- Herrmann's security engineering domains (slides 13ff).

There is no page limit, but I'd guess that this shouldn't take more than about 3 pages.
Use the information from the slides; you don't have to read (or cite) the source
documents behind these.

Grading Information:

This and subsequent writing assignments will be graded on the following criteria:

1. Did you do the assignment as specified?
2. Did you give it adequate thought and care?
3. Is your argument well reasoned and supported by evidence?
4. Is the document formatted reasonably? (It's better short than padded.)
5. Are references cited correctly?
6. Is the writing style acceptable?

We're not grading on grammar or spelling, but you should make a credible effort to
write in a style worthy of a student at a top-tier university.

Assignment 2
Due: Monday, Feb. 16. You'll be submitting this one, and most subsequent
assignments via Canvas. We'll be setting up the link there shortly.

Note: you can work with one other student on this project. If you do so, be sure
to identify both members of the team and include a sentence explaining the
contributions of each.

Imagine that you are a security consultant to a large organization; (you can choose
whether the organization is commercial or governmental). The organization annually
purchases hundreds of COTS (commercial-off-the-shelf) software and/or hardware
products from a variety of vendors, both foreign and domestic. These products vary
widely in functionality, importance to the organizational mission, complexity, cost,
etc.

Management has recently become concerned that purchasing and deploying COTS
products might introduce exploitable security vulnerabilities into the organization's
computing infrastructure. They would like you to formulate a strategy to manage this
risk.

Write a draft proposal to the management of your organization suggesting a screening
procedure that could be applied prior to the deployment within your organization of
any newly acquired COTS product. You can assume that the product has been
purchased but is awaiting deployment. The outcome of the screening procedure
should be a determination either that the product is "adequately secure" for
deployment within the company infrastructure or that it is not. Your procedure can use
technical and/or non-technical methods.

Your draft proposal should justify your suggested procedure, explaining how it
manages the security risks inherent in using COTS products.

The reason a draft proposal is requested is that this is a surprisingly complex question
on which you could spend months. This problem is called supply chain security.
Spend an hour or so thinking about this problem in the context above and write up
your initial ideas as a draft. You will be refining your procedure in a later assignment.
There is no page limit; write as much as you need to address this question, but not a
lot more.

Grading Information:
This and subsequent writing assignments will be graded on the following criteria:

1. Did you do the assignment as specified?
2. Did you give it adequate thought and care?
3. Is your argument well reasoned and supported by evidence?
4. Is the document formatted reasonably? (It's better short than padded.)
5. Are references cited correctly?
6. Is the writing style acceptable?

We're not grading on grammar or spelling, but you should make a credible effort to
write in a style worthy of a student at a top-tier university.

Assignment 3
Due: Friday, February 27. You'll be submitting this one, and most subsequent
assignments via Canvas. We'll be setting up the link there shortly.

Note: you can work with one other student on this project. If you worked with a
partner on Assignment 2, use the same partner for this one. As usual, you only
need one submission, but be sure to identify both members of the team and
include a sentence explaining the contributions of each.

In assignment 2 you wrote a draft proposal to an organization proposing a scheme to
mitigate the risks involved in acquiring and deploying COTS products. Revise your
proposal in light of the class discussions. The result should be a final version of your
proposal.

Be sure to take account of the following information: Organizational resources are not
sufficient to perform a thorough technical assessment for all acquired products given
the volume of applications within the procurement pipeline. Therefore, your proposal
must include non-technical assessments.

Grading Information:

This and subsequent writing assignments will be graded on the following criteria:

1. Did you do the assignment as specified?
2. Did you give it adequate thought and care?
3. Is your argument well reasoned and supported by evidence?
4. Is the document formatted reasonably? (It's better short than padded.)
5. Are references cited correctly?
6. Is the writing style acceptable?

We're not grading on grammar or spelling, but you should make a credible effort to
write in a style worthy of a student at a top-tier university.

Assignment 4 (Declare Project Topic)
Due: March 2, 2015.

The Assignment

Hopefully, by now you have been in contact with your group members and
are collectively deciding on a project topic. It's time to get started on the project in
earnest. By March 2, you should do the following:

1. Reserve your project topic with Dr. Young via email. There will be a list of
topics that are already taken on the website. Your topic must be substantively
different from that of any other group. So select sooner rather than later.

2. Create and submit a document containing the following:

   1. a short but informative description (a few paragraphs) describing your
      project topic and why it is relevant to this class; and

   2. at least six resources you have found (on-line or otherwise) that you will
      use as sources for your project research. List them with descriptions in
      the form of an annotated bibliography. If the resources are on-line
      resources, be sure that you include a URL. Use good citation style.

Assignment 5a
Due: the paper is due Friday, March 27 at class time. Submit a hard copy of your
paper.

Your group should prepare a report and presentation on the topic you've claimed and
described in assignment 4. Your report should summarize the topic and current
research on the topic succinctly and precisely. It should indicate that you have done
the research necessary to understand the topic. The formatting requirements for this
paper are described below.

Beginning Monday (3/30), your group should be prepared to give a presentation on
your paper and answer any questions that may arise relating to your topic. I would
suggest preparing PowerPoint (or equivalent) for the presentation. The presentation
order will be decided by a lottery which will be posted as soon as assignment 4 is
complete.

Due to the number of groups and limited time, prepare for a 20 minute
presentation. Your group must not go over 25 minutes. I'll cut you off if you do.
The goal is to have two presentations each day, so the limit is very firm. It is much
better if you prepare to highlight your findings, and not try to cover everything. Also,
designate one or two folks to present. Don't have all members of your group present.

Your paper should contain 2 pages of text for each group member. E.g., if your group
contains 5 members, you need to produce a 10 page paper, independent of graphs,
pictures, figures, etc. The paper must be formatted using LaTeX. The following
documents illustrate the format requirements: Formatting guidelines input, Formatting
guidelines output (postscript), Formatting guidelines output (pdf), Sample
bibliography file.

You must have this file in the directory where you are creating your paper: style file.
It is the LaTeX style file that defines the format. Don't modify it to adjust margins or
spacing, fonts, etc. If you need to make other modifications, you can.

Use either latex (and dvips) to generate a postscript version of the paper, or pdflatex to
generate a pdf version. Either should work, though the input format for figures may be
slightly different in the two cases. Use bibtex to generate the bibliography. Ask for
help with any of these things.

Some writing guidelines are here: Writing Guidelines. You are strongly advised to
follow these. The most important proviso is to make sure that you don't plagiarize. If
you get lazy and try to copy all or a portion of your report from the Internet, you will
suffer.

I will be reading your papers and returning them to you with comments. My plan is to
have all of them read and returned by the end of the presentations. You will then
revise your paper in response to the comments and submit a revised version by May 1.

Assignment 5b
Due: the day after we finish the presentations.

Prepare two "quiz" questions for each of the presentations (including your own).
Imagine that you were preparing a quiz to test your classmates' attentiveness during
the presentation. Write two questions to see if they were paying attention. Make them
about the substantive issues of the presentations, not about trivial matters. They
should be questions that would be answered by a short essay, not short answer
questions.

If it happens that you miss a presentation day, you must indicate that on your
assignment. I.e., don't prepare questions for any presentations you missed. Each
individual is expected to do this assignment, no matter how many are in your
group. Do not copy someone else's questions.

You don't have to prepare questions for your own presentation.
