School of Library and Information Studies

LIS 598 Information Security

Syllabus - LIS 598 Information Security

July 8-10, 2011 

Instructors: Lisa Yeo (             Office hours by appointment only
                   Michael McDonnell ( )

The goal of this course is to introduce students to the theory and practice of information security – the protection of information and information systems. The course will focus on foundational concepts, assessment and evaluation of information security practices in the library context.


 By the end of the course, students should be able to:

  • Understand and apply the foundational concepts of information security (Confidentiality, Integrity, Availability, and Defence-in-Depth) in a library context.
  • Discuss and articulate current issues of information security as they apply to libraries.
  • Select and evaluate security related information technology.
  • Perform basic risk assessment/threat analysis tasks.
  • Respond to information security incidents.

The course will be delivered through a combination of lecture, hands-on activities, class discussion, and group work. The list of topics to be covered include:

  • Introduction to Information Security
  • The importance of information security for librarians
  • Library principles and their relationship to information security
  • Goals of a good security program
  • Planning
    • Risk assessment
    • Security threats
    • Security vulnerabilities
  • Creating a policy
  • Protection strategies
  • Contingency planning
  • Incident response
  • Future considerations


There are two components to the marks for LIS students. The final mark assigned will be based on the University’s guidelines regarding grade distribution.

Class participation (10%)

All students are expected to participate fully in any class activities and discussion. Completion of the pre-assigned readings will help prepare students to participate fully, but is not considered mandatory. It is expected that all students will be respectful of others and not disruptive in the classroom.

Final Project (90%)

The final project is mandatory for LIS students. Workshop participants are encouraged to also complete the final project – I will provide feedback to them as well. The exact details of the final project will be handed out separately, but in summary

  • It is made up of 4 parts
    • Part 1: Policy Analysis. The goal of this part is to identify and evaluate a policy related to information security, data integrity or privacy. It involves examining an existing information security policy.
    • Part 2: Software evaluation. The purpose of the assignment on software evaluation is to demonstrate your ability to critique the effectiveness software related to information security. Since I expect different levels of software familiarity in the class, it will be important that each person choose software that is at an appropriate level for his/her experience.
    • Part 3: Future Forecast. The goal of this part is to think creatively about the future of an information security topic with respect to libraries.
    • Part 4: Incident Report. Write a 1-2 page report summarizing a hypothetical security incident. You will be provided with documents describing a mock-security incident from various organization roles (incident handler, helpdesk staff, management, policy documents similar to Part 1). You have to provide a  concise report actionable by management, similar to example covered in class.
  • The assignment is due on Friday, June 11 at 5 p.m. MDT. Submissions are to be emailed to and should have ‘LIS 598’ in the subject. I will email confirmation that I have received your submission no later than 5:30 p.m. on the due date.

There is no textbook for this course. A pre-reading list was supplied to all students via email and posted to the SLIS website for this course.

Required Statements

“Policy about course outlines can be found in Section 23.4(2) of the University Calendar.”

“The University of Alberta is committed to the highest standards of academic integrity and honesty.  Students are expected to be familiar with these standards regarding academic honesty and to uphold the policies of the University in this respect.  Students are particularly urged to familiarize themselves with the provisions of the Code of Student Behaviour (online at and avoid any behaviour which could potentially result in suspicions of cheating, plagiarism, misrepresentation of facts and/or participation in an offence.  Academic dishonesty is a serious offence and can result in suspension or expulsion from the University.” 

Tentative class schedule




Delivery Method



Lecture, group discussion


What is information security

Activity, Lecture


Library Principles

Lecture, group discussion, Activity


Goals of a Good Security Program

Lecture, Activity





Importance of InfoSec for librarians



Instructions for Saturday






Delivery Method



Lecture, Discussion


Planning – P&P



Risk Assessment (I)

Lecture, Activity





Security Threats & Vulnerabilities

Lecture, Demo







Security Threats & Vulnerabilities

Demo, continued


Risk Assess. (II)






Risk Assessment (II)






Creating a Policy (I)

Lecture, Activity





Protection Strategies



Wireless networks

Guest lecture on Deep Freeze and/or Group Policy?



Travel to site visit location, if necessary


Site Visit (TBA)




Return from site visit location, if necessary


Creating a Policy (II)



Instructions for Sunday






Delivery Method


Security Awareness programs

Lecture, Discussion


Contingency Planning (DR)

Lecture, Discussion





Incident response

Lecture, Activity





The Future



Final instructions


LIS 598 – Information Security Final Assignment July 2011

Students taking this course for credit must complete all three parts of this assignment. Workshop participants who choose to complete all or part of this assignment will receive feedback on their submissions provided they hand them in by the due date.


  • All parts of this assignment are due on  at 5 p.m. MDT. Details of how to submit will be provided in class.
  • Your submission should be in MS Word or PDF format.
  • Appendices count to the word limit, unless otherwise noted.
  • Specific requirements for each part of the assignment are presented below.

Part I – Policy Analysis (30 marks) 500-1500 words

The goal of this part is to develop business level policy development skills. You are to identify and evaluate a policy related to information security, data integrity or privacy. Specific requirements for this assignment are:

  1. Find a real-world example of an existing written policy related to information security, data integrity, privacy or a related topic. This policy may be the same as the one you bring to class (part of the pre-reading list), but it needn’t be the same one.  The policy should somehow pertain to you. Supply a bibliographic citation or reference to the policy and an online link if available. If the policy is not available to your instructor online, you must also provide a copy of the policy as an appendix not included in the word count. 3 points.
  2. Provide a summary of the policy or of some of the most interesting points (to you) of the policy if it is extremely lengthy. 6 points.
  3. Develop criteria for analyzing the policy. Identify at least 4 criteria. The criteria should be based on your interests, the domain of the policy, and your readings and experiences in the class. Examples of criteria will be discussed in class. 6 points.
  4. Analyze the policy by applying your criteria. Use policy quotes or other substantiation (e.g., examples) as needed to support your analysis. 9 points.
  5. Provide and support recommendations for changes to the policy. 6 points.

Part II – Software Evaluation (30 marks) 500-1500 words plus screen shots, as necessary

The purpose of this part is to develop some hands-on technical skills and to demonstrate your ability to critique the effectiveness software related to information security. I recommend that you select software that relates in some way to addressing the needs of the policy chosen in Part I.

Since each student will have a different level technical ability, you should choose software at an appropriate level for you. Regardless of the difficulty of getting the software to work, the level of analysis should be approximately the same for all students. The specific requirements are:

  1. Get the software to work (or demonstrate exhaustively how it will not or cannot work). 7.5 points.
  2. Describe the software: its source, intended functionality, target audience, cost, features, etc. This is not intended to be a reproduction of the feature list or product brochure. Instead, you should identify the most relevant, distinguishing or otherwise important features. 7.5 points.
  3. Analyze the software's effectiveness. See how well it performs for the tasks you believe are important. Develop some criteria for testing, and carry out the tests. 7.5 points.
  4. Provide a recommendation on whether the software should or should not be used in a particular environment. Substantiate your recommendation. 7.5 points.

Part III – Future Forecast (30 marks) 500-1500 words plus screen shots, as necessary

The goal of this part is to develop skills related to identifying future trends, learning how to stay up-to-date with information security developments in policy, threats, and technology. Choose a technology, product, service, legislative area, social phenomenon or other topic. Specific requirements for this assignment are:

  1. Introduce the topic and its importance. 7.5 points.
  2. Provide the background on the topic, including citation to relevant literature as appropriate. 7.5 points.
  3. Evaluate the current state of the topic. E.g., what are the most important challenges, uses and unknowns? 7.5 points.
  4. Provide a future forecast for the topic. What do you think will happen, when, and with what level of confidence do you make this prediction? 7.5 points.

Part IV – Incident Report (30 marks) 500-1000 words.

Write an incident report summarizing the response to a hypothetical security incident. The goal is evaluate a series of provided documents such as organization security policy, technical reports from security staff, reports from helpdesk about the incident, and to produce a concise report that could be presented to upper-management for action or decision. Your role is that of a middle manager (not the security or technical staff handling the incident, but they person they report to). This will be similar to incident reports examined in class.

[1] This assignment is adapted from three assignments for the course INLS 187: Information Security from UNC at Chapel Hill posted at