Today’s organizations rely on the Internet to conduct business and share information with their employees and customers in real time. With this reliance, however, comes an increased risk for information security breaches and critical business disruption. Now more than ever, organizations are looking to information security professionals who understand the complexity of today’s information technology infrastructures, the effect of technology on business objectives, and the importance of recognizing and managing risk to design and implement their information security and assurance strategies.
Norwich University’s Master of Science in Information Security & Assurance program helps working adults interested in the many aspects of information security to develop the business acumen and management skills needed to pursue leadership positions in information security and assurance.
Our rigorous curriculum explores the technical theories and methods behind information assurance, best practices in information security technology, organizational structure and policy development, the regulatory environment and compliance, and management strategies. Key skills fostered throughout the program include written communications, critical analysis, problem solving, project management, and leadership.
During their four core courses, students conduct a case study of their current workplace or other relevant organization that examines current security strategies and identifies recommendations for improvement. This year-long project series adds value to the student’s organization and establishes the student’s credibility as an information assurance practitioner. For their last two courses, students focus their studies on a selected concentration that can include: business continuity management, computer forensics and incident response management, or continuity of governmental operations.
Norwich is recognized by the National Security Agency and the Department of Homeland Security as a Center for Academic Excellence in Information Assurance Education. That excellence is driven in large part by our faculty members, whose vast professional and research experience ensures that students graduate with highly relevant and sought-after skills.
A master's degree in information security and assurance from Norwich University prepares you for leadership positions such as chief information security officer and chief risk manager. Our alumni help shape and administer information security for leading companies such as Cisco Systems, Fidelity Investments, General Electric, and Bank of America as well as the Department of Defense and other government organizations.
With so much to learn and do, it’s easy to lose track of how to get started. Don’t worry: Norwich works hard to make it easy for you. We can guide you through the application process, give you tips on how to get the most out of your Norwich experience, and assist you in getting the required materials for the Master of Science in Information Security & Assurance program.
Norwich’s Master of Science in Information Security & Assurance program is presented in three six-month semesters, each comprising two 11-week, six-credit courses. The course topics introduce today’s most critical and relevant areas of information assurance. Students master one course at a time, with each course building on the next to create a strong foundation of knowledge and context for future topics. The final semester offers a concentration option through which students may pursue a specialized area of interest. The program culminates in a one-week residency and a graduation ceremony at Norwich University in June. There are four program start dates per year: March, June, September, and December. An overview of the courses required for each concentration and complete course descriptions are listed below. More information about program requirements is also available in our course catalog.
This course explores the historical foundations of information assurance, from the early days of mainframes to the foundations of today’s sophisticated networks and distributed computing systems. You will explore the earliest thinking about data structures and domains, interoperability among various computing platforms, mechanisms for data transfer, and the emergence of encryption as a defense against early forms of computer crime. The course examines privacy, policies, security standards and regulatory requirements, and the underlying models that define information assurance. You will also be introduced to IA architecture.
This course focuses on the use of technological defenses against threats and exploitations of vulnerabilities in information systems. Topics include physical security measures, access controls, security elements of operating systems, network security measures, anti-malware tools, anti-spam measures, anti-piracy systems, software development methods supporting security, and security certifications for software products.
This course focuses on the ways business objectives, user attitudes, and user activities significantly influence both the development of an information assurance program and its successful implementation. The first week focuses on operations security and why it’s the foundation of an IA program.
During the following five weeks, you will explore security awareness as a component of organizational culture; the process of crafting an information assurance message; ethical decision making as a factor in security; social psychology and how behaviors influence the effectiveness of security activities; the use of employment practices and policies to support information security; and the creation of acceptable use and email policies.
The final four weeks of the course examine elements of risk management from basic principles through application, using the NIST Special Publication 800-30 as a solid foundation for the risk management issues. You will also discuss two popular risk assessment processes and several other processes that help identify risk.
This course covers four general areas of information assurance management and analytics – from the strategic to the tactical level: compliance; management, leadership, and policy development; relationships and adding value; and project management. You will explore the aspects, methods, and alternatives in information assurance management and compare and utilize them with respect to non-IT-related management approaches and styles. The course covers alternatives in building support and consensus for projects and activities and focuses heavily on adding value to the organization. You will examine the development of an information assurance marketing plan and use it to help identify techniques of improving information assurance awareness. Topics also include analytics in terms of both metrics and measuring business impact, and problem solving and project management techniques and alternatives.
This course introduces the field of business continuity management with an emphasis on developing a business continuity plan and risk management program. Students will learn about the functions and goals of a business continuity manager, and will experience first-hand the challenges of developing a continuity plan. Weekly sessions target the major steps in plan development such as project initiation, risk and business impact analysis, risk mitigation and control strategy development and implementation, response strategies, plan testing, and the organizational structure needed to sustain a continuity program over time.
In this course, you will learn to develop a plan for responding to a business disruption. Topics include response procedures, notification, communication, and event management. Students will also learn how to manage public perceptions and work with outside agencies and public sector emergency responders during and after an incident.
This course focuses on the spectrum of tools and techniques used to investigate digital incidents, whether in a civil or criminal environment. The course provides the broad understanding that information assurance professionals must have of the management, investigation, and analysis of digital incidents. It also places that understanding in the context of other information assurance domains. Discussions of digital investigation and forensics cover topics from both technical and management perspectives to increase the information assurance professional’s understanding and application of domain-specific knowledge.
In this course, you will analyze and apply the key points in creating and managing a computer security incident response team (CSIRT), also known as a computer incident response team (CIRT) or a computer emergency response team (CERT). Topics include establishing CSIRTs; responding to computer emergencies; securing the CSIRT; managing the CSIRT with respect to professionalism, setting priorities for triage, and protecting personnel against burnout; and learning from emergencies using the incident postmortem and establishing continuous process improvement within the organization. Students will use their case study to apply their knowledge to real-world situations and will prepare recommendations for the establishment of a new CSIRT or improvement of their existing CSIRT.
This course presents the elements necessary to develop a Continuity of Operations Plan for a governmental agency. Topics include organizational analysis, risk and threat analysis, mitigation and control strategy development and implementation, and implementation of the organizational structure needed to sustain a continuity program over time.
This course instructs students in responding to incidents and emergencies that affect governmental agencies. Topics include developing a response plan, emergency operations centers, emergency communications, and working with the first responder community. Students will also learn best practices for developing off-site backups and work areas and the placement of personnel and equipment for continuing operations during an emergency.
The final academic requirement for the information security and assurance program is a week-long residency at the beautiful and historic Norwich University campus in Vermont. Students have the opportunity to meet with fellow students, faculty, and program staff in both formal classroom and informal settings. Norwich covers the cost of all meals and accommodation on campus. Academic recognition ceremonies and commencement cap off the week, and family and friends are encouraged to attend.

Chrisan Herrod comes to the information security and assurance program from University of Maryland University College (UMUC), where she was associate vice president for enterprise risk and compliance, chief information security officer, and associate professor of cyber security. She has done consulting in the defense arena, and was chief security officer of the Securities & Exchange Commission. She has directed global IT Risk Management for a large pharmaceutical firm, and served in the Air Force and Army as an Intelligence Officer. She has taught graduate-level courses at George Washington University and the National Defense University, among others. She received her MS in business management from National Defense University and is completing the Doctor of Management program at University of Maryland University College.
Elizabeth Templeton is the interim program director for the Master of Science in Information Security & Assurance program. She received a BA in English and secondary education from Northwestern University and had a 35-year career as an IT professional. She joined Norwich University in 2004, earned the Master of Science in Information Assurance degree in 2007, and became associate program director for the program in 2008.
Andrew Liptak holds a BA in history and an MA in military history, both from Norwich University. First joining Norwich as a student in 2003, he joined the College of Graduate and Continuing Studies in 2007, where he has worked as a student services advisor. In addition to his duties at Norwich, he works as a freelance historian and writer.
Admissions Department Hours
Mon - Thurs: 9 a.m. to 9 p.m. EST
Friday: 9 a.m. to 3:30 p.m. EST
Extended hours available by appointment
Norwich provides a top-notch educational experience; we also work hard to help make it affordable. There are many ways to get financial aid and several strategies to help you finance your education. Norwich is committed to making this often-difficult process easier for you.
Our admissions advisors are ready to help you plan your education at Norwich University.
There is little that changes more frequently and drastically than cyber security threats and the mitigation methods that answer those threats, yet information assurance training programs are often scheduled on an annual basis or even less often. Think about it: many patch changes are made weekly because of the changing IT threat landscape, but little weekly attention is given to social engineering or other information security threats that are exacerbated through human impact.
Most of us have heard stories of cyber security issues in the news and beyond, and we’ve heard that negative cyber security events have sometimes occurred because users or IT staff did not have adequate training to protect and/or respond to threats. Yet education and training are often still low on the list of organizational priorities. There are several reasons this is so:
Sometimes management does not understand that organizational staff and even the managers themselves are not well trained. There can be a false perception that the environment is safe because IT staff members have deployed antivirus software or patch programs, even when minimal information security training opportunities have been offered. Protection of a complex IT structure requires a deep and meaningful information security understanding by all stakeholders, and a comprehensive plan. Plans should include the use of compound processes such as Defense in Depth that include regular behavior training sessions for all staff – even those who think they are already well versed in secure behaviors.
Many people do not like to change their behaviors and they might not even be interested in learning about behavior changes that need to be made, yet changes must be required of staff to adapt to changing threats. Adopting unusual strategies such as requiring computer users to answer an information security question before logging on each day can help to address the resistance to learning new information since the process becomes one that is built into people’s daily routines.
When budgets are limited, prioritization of funds can be focused on more tangible needs. Physical needs are easier to ‘see’ and understand than cyber threats, and there is generally a feeling that bad things will happen to someone else. Why should money be spent to protect against a disaster or cyber attack that may never occur? It might seem that spending money on generating profit would be much more beneficial; however, that line of thinking ignores statistics that show organizational failures following disasters of many kinds, including cyber attacks.
This category refers to the old ‘checkmark’ process, denoting that a task has been completed. There are many education and training programs in use that are not effective, but still acceptable to management since they answer an organizational requirement to provide some type or level of training. If training is not effective, staff members will not learn to adopt more secure behaviors. ‘Testing out’ of training also falls into this category, since staff members are not learning new information or reinforcing old concepts when they fill in multiple choice bubbles.
There are certainly more reasons that training is not what it should be. What do you see in your environment? How can the issues you identify be resolved, so stakeholders can be effectively trained to help control cyber security threats?
- Suzanne Warner Hart, MS, CBCP, CISSP, currently heads disaster recovery for the Delaware Department of Transportation as a senior member of the IT security team. A certified expert in business continuity planning, she also teaches courses on this topic for Norwich University Online.