I’ve thought about this off and on over the last few years. Today I noticed that Kees Leune (http://www.leune.org/blog/kees/2010/07/teaching-agai.html) is going to be teaching a class this school year. He was asking for comments and so here’s mine….
I’d like to see a threefold class system. The first class would entail an overview of the 10 Domains. The second would be Offensive Security and the third would be Defensive Security.
There is a reason for that ordering. Without a good understanding of the fundamentals of security (the 10 domains), the latter two classes will have less value. Understanding ideas like physical security and separation of duties really supports both defensive and offensive security. Defenders are better when they understand the threats. Therefore, I place Offensive Security before Defensive Security. But that’s preference. You could teach them together and make it a two-part class (firewall defense/offense; Linux offense/defense and so forth).
Let’s get back to class 1: Information Security Fundamentals. Here are my general thoughts on how such a class could be arranged if I were to teach it.
I’d assign Shon Harris’ CISSP book. Each week we would cover one of the 10 domains. On a MWF schedule, Monday would be the overview of the domain and a discussion of the critical questions that need to be asked about each domain. Wednesday and Friday would be in-depth discussion of the domain.
Because this is an overview class, each Monday the student would be required to have read the chapter covering the domain to be discussed that week. The student would also write a two-page paper explaining the critical point of the domain discussed the week before.
In this manner, the goal would be to instill into the student a working understanding about the critical ideas of the domain.
I wouldn’t make this a CS only class though. One struggle IT faces is that the business units often purchase software or services that are poorly designed. IT is then faced with the prospect and demand of fixing/defending dumb apps. So, I’d make this course a business elective.
Business students would get 1-2 credits and attend Mondays only. They would get the high level overview. My pie-in-the-sky hope is that it would start to create an environment in which the business teams would ask generic security questions to sales guys and/or see through marketing lies.
A business student would write their two-page paper for the benefit of an IT staff. This will hopefully help them improve communication with IT people. As such, the paper would be graded by a CS teacher.
The CS student would write their paper explaining the domain to a business person who doesn’t really understand IT. That paper would be graded by a business teacher.
At least the CS/Business teachers would give a grade and I would give a grade. Hopefully, (again pie-in-the-sky) this improves ever so slightly the ability to communicate between specialties.
I might even require students to sign up for SANS alert emails and to find recent articles that discuss the pros and cons of the domains we are discussing. The idea is to keep students learning to read and research in a lifelong way and to encourage them to see how the domains interact with real life.
Maybe in the future we can discuss more in depth the other classes, but for now, I’m leaving this here. Maybe someone can tweak the general idea and improve it or just use it as is.
Do you have thoughts?