Master of Science in Cybersecurity Policy and Governance
Please see Course Information and Schedule for details.
CORE REQUIREMENTS (6 COURSES)
Cyber Ecosystem and Cybersecurity: Course provides an overview of Cyberspace, defines the scope of Cybersecurity, and addresses information classification and system compartmentalization. Course includes an appreciation of information confidentiality, integrity, and availability, and covers Cybersecurity architecture, strategy, services, hardware, software, and cloud services. The course also examines national security issues, critical infrastructure, and the potential for cybercrime and cyber terrorism, as well as the need for corporations to align their security with business needs and consider the threat from malicious employees, contractors, and/or vendors.
Cybersecurity Policy: Privacy & Legal Requirements: Course provides a comprehensive examination of the laws, regulations, and Executive Orders concerning privacy, including PCI, HIPAA, GLBA and their overseas counterparts, and the roles of Federal, State and local law enforcement. The course also examines national security issues governed by various Federal agencies (e.g., SEC, FTC, FCC, FERC), including suspicious activity reporting (SAR) requirements under the Patriot Act. Additionally, the course addresses intellectual property protection (e.g., SOX, FISMA, NIST), security classifications, data location requirements, audits, compliancy assessments, and individual, class-action, and shareholder derivative litigation and liability.
Network & Infrastructure Security: Course provides an understanding of the threats and vulnerabilities in Cybersecurity and an introduction to the concepts of layering defense and providing for defense-in-depth. Specific topics include operating system security, component lifecycle management, database security, server security, application security, mobile devices, BYOD, and endpoint security. The course covers the roles of physical security, system hardening, firewalls, encryption, anti-virus, and malware defense. The course also introduces identity and access management, role-based access control (RBAC), intrusion detection, penetration testing, and incident response.
Incident Response & Management: Course provides an understanding of the design and development of a Cybersecurity strategy that aligns with private industry and government needs, including incident documentation/analysis, response planning, and the role of a critical event response team (CERT) in determining recovery, managing liability and communications, coordinating with law enforcement, and protecting corporate reputation. Course also examines leadership and the adoption and implementation of a proactive stance through monitoring and responding to internal and external intelligence, including monitoring network traffic and activity logs (SIEM) for data breaches, denial of service (DoS), and integrity events, and outlines the roles of information security operations centers (ISOCs) and network operations centers (NOCs).
Organizational Effectiveness: Governance, Risk Management & Compliancy: Course considers the roles of the Board of Directors, the Audit Committee, the Risk Committee, and the Chief Information Security Officer (CISO) within the governance and overall organizational structures. Topics include enterprise risk management (ERM), policy development under ISO 27001 and the NIST Cybersecurity Framework, derivation of operating procedures, leadership, and the business engagement model. The course specifically addresses threat assessment, mitigation strategies, residual vulnerability, incident response, awareness programs, employee training, drills, and tabletop exercises. The course will also identify risk, due diligence, and mitigation strategies in mergers-and-acquisitions settings. Additionally, the course covers compliance monitoring, business continuity planning, risk transfer through the purchase of cyber insurance for both data breach and infrastructure losses, and concepts of resiliency.
Ethical Issues in Cybersecurity & the Ignatian Paradigm: Course provides real-life, complex ethical situations for students to evaluate, as both decision-maker and advisor, by addressing the various issues confronted by senior government and corporate professionals, nation states, and other parties of significance, involving the receipt and protection of critical and sensitive data. Specific topics include standard professional ethical frameworks of beneficence and non-maleficence; rights and justice; and issues related to privacy, intellectual property, and corporate espionage and fraud, while contrasting these with freedom of information and intellectual creativity. The course compares and contrasts global governments' and cultures' differing approaches to ethics, and enhances, from a framework of dialogue, discernment of action, and deliberation, the ability of students to make reasoned and responsible business decisions in a global economy. The course also examines aspirational versus mandatory ethical standards (i.e., the "right thing to do" vs. what is "legal" or "compliant") through additional frameworks of reference, including review, reflection, and refinement of decisions.
SAMPLE ELECTIVES (4 COURSES)
International Cybersecurity: Course provides an in-depth global perspective on international networking and communication, including foreign government and industrial espionage, global economies, international privacy and liability laws, sovereign threats, non-US government agencies, international security standards, cybercrime, cyber terrorism, cyber warfare, and import/export requirements. Course also examines the requirements for data location, international policing, and the role of Global Security Operating Centers (GSOCs) in monitoring and responding to international security events.
Investigations & Forensics: Course covers forensic investigation, case prioritization, and case management, and addresses procedural documentation, standards of evidence, reporting, and disclosure requirements. The digital forensic portion of the course provides an understanding of disk imaging, file recovery, trace-back techniques, network analytics, evaluation of metadata, malware, and anti-forensics. Additionally, the course covers the outsourcing of the investigative function, or part thereof, to third parties, and provides specific case studies, including a practical laboratory project.
Establishing the Business Case & Resource Allocation: Course provides guidance and the necessary skills to lead, design, and frame a business case for investment. Course outlines cost-benefit analysis and return-on-investment (ROI) by utilizing incident analysis, threat, and residual vulnerability analyses to determine and quantify the underlying business parameters. Course also addresses supporting techniques, including benchmarking and normalization, to enable data-based decision-making. Additionally, the course covers executive dashboard design, security metrics, key performance indicators (KPIs), graphics, illustrative techniques, business reach-out, and leadership engagement.
Security in the Cloud: Course provides an understanding of basic cloud deployment models, including private, public, hybrid, and community, and the various service platforms (e.g., SaaS, PaaS, IaaS). Course addresses governance control and responsibility for cloud security together with cloud security components, and covers service provider security and its evaluation, security standards (e.g., SSAE-16, CSA-CCM, Shared Assessments, NIST, CIS), procurement, and service level agreements (SLAs). Security topics include traffic hijacking, data isolation/storage segregation, identity management, virtualization security, continuity, data recovery, logging, notification, and auditing.
Role of Intelligence: Enabling Proactive Security: Course addresses internal and external intelligence sources, including intrusion detection, log analysis, data mining, M&A due diligence, HUMINT, and the role of an Information Security Operations Center (ISOC). From an external perspective, the course covers information gathering, intelligence feeds/sources, and fusion centers, as well as the automation, filtering, validation, analysis, and dissemination of intelligence. The course also provides an understanding of technical countermeasures (e.g., sandboxes, honeypots), and addresses the roles of DHS, FBI, NSA, and DOD.
Managing Cyber Risk: Mobile Devices & Social Networking: Course provides an in-depth examination of the Internet of Things, mobile devices, BYOD, and social networking. It covers endpoint security, including personal and company data separation and mobile device management (MDM). Course also provides an understanding of threats from phishing, baiting, pretexting, hacking, and rogue employees and/or contractors, and covers password policy, employee training, policy design, and security awareness programs.
Applied Research Project: The applied research project entails an approved applied project, and is completed in conjunction with a current job, externship, or portfolio.
Online Data Analytics Courses: Students may take up to two (2) of the four (4) online Data Analytics courses offered via the MS in Applied Economics Program at Boston College and receive academic credits towards their MS in Cybersecurity Policy and Governance degree.