Master of Science in Information Security & Assurance

Quick Info

  • All classes taken online
  • Coursework completed in 18 months
  • Classes capped at 15 students
  • NSA/DHS National Center of Excellence
Next Session Start Date
June 3, 2013
Admissions Deadline
May 3, 2013

Building Secure Systems and Business Strategies

Today’s organizations rely on the Internet to conduct business and share information with their employees and customers in real time. With this reliance, however, comes an increased risk for information security breaches and critical business disruption. Now more than ever, organizations are looking to information security professionals who understand the complexity of today’s information technology infrastructures, the effect of technology on business objectives, and the importance of recognizing and managing risk to design and implement their information security and assurance strategies.

Norwich University’s Master of Science in Information Security & Assurance program helps working adults interested in the many aspects of information security to develop the business acumen and management skills needed to pursue leadership positions in information security and assurance.

Our rigorous curriculum explores the technical theories and methods behind information assurance, best practices in information security technology, organizational structure and policy development, the regulatory environment and compliance, and management strategies. Key skills fostered throughout the program include written communications, critical analysis, problem solving, project management, and leadership.

During their four core courses, students conduct a case study of their current workplace or other relevant organization that examines current security strategies and identifies recommendations for improvement. This year-long project series adds value to the student’s organization and establishes the student’s credibility as an information assurance practitioner. For their last two courses, students focus their studies on a selected concentration that can include: business continuity management, computer forensics and incident response management, or continuity of governmental operations.

Norwich is recognized by the National Security Agency and the Department of Homeland Security as a Center for Academic Excellence in Information Assurance Education. That excellence is driven in large part by our faculty members, whose vast professional and research experience ensures that students graduate with highly relevant and sought-after skills.

The Norwich Advantage

  • Our specialized program curriculum blends the management and technical aspects of an information security/assurance program, enabling you to develop the skills required to protect your organization and its critical information.
  • You’ll learn from faculty members who are top practitioners and thought leaders in their fields.
  • Your case study project gives you the opportunity to develop a set of recommendations for your current workplace or other relevant organization and demonstrate in a tangible way the knowledge and skills you’ve gained throughout the program.
  • Through our flexible online platform, you can access program content and contribute to class discussions on your own schedule and at your own pace each week.
  • Four start dates per year (March, June, September, and December) allow you to begin the program when it’s most convenient for you.
  • One of the earliest institutions to be recognized as a Center of Academic Excellence in Information Assurance Education by the National Security Agency and Department of Homeland Security, Norwich has been a leader in information assurance instruction for more than a decade.

Career Preparation

A master's degree in information security and assurance from Norwich University prepares you for leadership positions such as chief information security officer and chief risk manager. Our alumni help shape and administer information security for leading companies such as Cisco Systems, Fidelity Investments, General Electric, and Bank of America as well as the Department of Defense and other government organizations.

How to Get Started

With so much to learn and do, it’s easy to lose track of how to get started. Don’t worry: Norwich works hard to make it easy for you. We can guide you through the application process, give you tips on how to get the most out of your Norwich experience, and assist you in getting the required materials for the Master of Science in Information Security & Assurance program.

Core Curriculum

Norwich’s Master of Science in Information Security & Assurance program is presented in three six-month semesters, each comprising two 11-week, six-credit courses. The course topics introduce today’s most critical and relevant areas of information assurance. Students master one course at a time, with each course building on the one before to create a strong foundation of knowledge and context for future topics. The final semester offers a concentration option through which students may pursue a specialized area of interest. The program culminates in a one-week residency and a graduation ceremony at Norwich University in June. There are four program start dates per year: March, June, September, and December. An overview of the courses required for each concentration and complete course descriptions are listed below. More information about program requirements is also available in our course catalog.

  • Foundations and Historical Underpinnings of Information Assurance • GI512 6 credit hours

    This course explores the historical foundations of information assurance, from the early days of mainframes to the foundations of today’s sophisticated networks and distributed computing systems. You will explore the earliest thinking about data structures and domains, interoperability among various computing platforms, mechanisms for data transfer, and the emergence of encryption as a defense against early forms of computer crime. The course examines privacy, policies, security standards and regulatory requirements, and the underlying models that define information assurance. You will also be introduced to IA architecture.

  • Information Assurance Technology • GI522 6 credit hours

    This course focuses on the use of technological defenses against threats and exploitations of vulnerabilities in information systems. Topics include physical security measures, access controls, security elements of operating systems, network security measures, anti-malware tools, anti-spam measures, anti-piracy systems, software development methods supporting security, and security certifications for software products.

  • Human Factors and Managing Risk • GI532 6 credit hours

    This course focuses on the ways business objectives, user attitudes, and user activities significantly influence both the development of an information assurance program and its successful implementation. The first week focuses on operations security and why it’s the foundation of an IA program.

    During the following five weeks, you will explore security awareness as a component of organizational culture; the process of crafting an information assurance message; ethical decision making as a factor in security; social psychology and how behaviors influence the effectiveness of security activities; the use of employment practices and policies to support information security; and the creation of acceptable use and email policies.

    The final four weeks of the course examine elements of risk management from basic principles through application, using the NIST Special Publication 800-30 as a solid foundation for the risk management issues. You will also discuss two popular risk assessment processes and several other processes that help identify risk.

  • Information Assurance Management & Analytics • GI542 6 credit hours

    This course covers four general areas of information assurance management and analytics – from the strategic to the tactical level: compliance; management, leadership, and policy development; relationships and adding value; and project management. You will explore the aspects, methods, and alternatives in information assurance management and compare and utilize them with respect to non-IT-related management approaches and styles. The course covers alternatives in building support and consensus for projects and activities and focuses heavily on adding value to the organization. You will examine the development of an information assurance marketing plan and use it to help identify techniques of improving information assurance awareness. Topics also include analytics in terms of both metrics and measuring business impact, and problem solving and project management techniques and alternatives.

Concentration in Private Sector Business Continuity Management
  • Foundations of Business Continuity Management • BC510 6 credit hours

    This course introduces the field of business continuity management with an emphasis on developing a business continuity plan and risk management program. Students will learn about the functions and goals of a business continuity manager, and will experience first-hand the challenges of developing a continuity plan. Weekly sessions target the major steps in plan development such as project initiation, risk and business impact analysis, risk mitigation and control strategy development and implementation, response strategies, plan testing, and the organizational structure needed to sustain a continuity program over time.

  • Principles of Incident Management and Emergency Response • BC520 6 credit hours

    In this course, you will learn to develop a plan for responding to a business disruption. Topics include response procedures, notification, communication, and event management. Students will also learn how to manage public perceptions and work with outside agencies and public sector emergency responders during and after an incident.

Concentration in Computer Forensic Investigation/Incident Response Team Management
  • Computer Forensic Investigation • GI551 6 credit hours

    This course focuses on the spectrum of tools and techniques used to investigate digital incidents, whether in a civil or criminal environment. The course provides the broad understanding that information assurance professionals must have of the management, investigation, and analysis of digital incidents. It also places that understanding in the context of other information assurance domains. Discussions of digital investigation and forensics cover topics from both technical and management perspectives to increase the information assurance professional’s understanding and application of domain-specific knowledge.

  • Computer Security Incident Response Team Management • GI554 6 credit hours

    In this course, you will analyze and apply the key points in creating and managing a computer security incident response team (CSIRT), also known as a computer incident response team (CIRT) or a computer emergency response team (CERT). Topics include establishing CSIRTs; responding to computer emergencies; securing the CSIRT; managing the CSIRT with respect to professionalism, setting priorities for triage, and protecting personnel against burnout; and learning from emergencies using the incident postmortem and establishing continuous process improvement within the organization. Students will use their case study to apply their knowledge to real-world situations and will prepare recommendations for the establishment of a new CSIRT or improvement of their existing CSIRT.

Concentration in Continuity of Governmental Operations
  • Continuity of Government Operations • BC511 6 credit hours

    This course presents the elements necessary to develop a Continuity of Operations Plan for a governmental agency. Topics include organizational analysis, risk and threat analysis, mitigation and control strategy development and implementation, and implementation of the organizational structure needed to sustain a continuity program over time.

  • Public Sector Incident Management & Emergency Response • BC521 6 credit hours

    This course instructs students in responding to incidents and emergencies that affect governmental agencies. Topics include developing a response plan, emergency operations centers, emergency communications, and working with the first responder community. Students will also learn best practices for developing off-site backups and work areas and the placement of personnel and equipment for continuing operations during an emergency.

Residency

The final academic requirement for the information security and assurance program is a week-long residency at the beautiful and historic Norwich University campus in Vermont. Students have the opportunity to meet with fellow students, faculty, and program staff in both formal classroom and informal settings. Norwich covers the cost of all meals and accommodation on campus. Academic recognition ceremonies and commencement cap off the week, and family and friends are encouraged to attend.

Program Director

Chrisan Herrod, MS, CISM, PMP

Welcome to Norwich University's Information Security & Assurance Program

The evolution of information security and assurance continues. Information security is a key component in creating and maintaining an organizational governance, risk, and compliance (GRC) program. Information security is an integral business enabler that supports the organization, from data to infrastructure protection to the complexity of cloud infrastructures and mobile technologies. Information security and assurance encompasses technology considerations such as computer forensics, threat detection, vulnerability analysis, and continuous monitoring. It also includes the ability to manage large complex projects and conduct business risk assessments that span global companies and business partnerships. The Master of Science in Information Security & Assurance program at Norwich is a unique program combining information security and assurance best practices with an emphasis on risk management, governance, and compliance in order to provide the most comprehensive and business-focused approach to securing and protecting the organization.

We provide you with a unique online experience combining a current and relevant curriculum that emphasizes strategic problem solving and critical thinking. Our online classroom setting provides focused interaction with our faculty practitioners who are experts in the many facets of information security and risk management. I look forward to having you join the Master of Science in Information Security & Assurance program.

Chrisan Herrod comes to the information security and assurance program from University of Maryland University College (UMUC), where she was associate vice president for enterprise risk and compliance, chief information security officer, and associate professor of cyber security. She has done consulting in the defense arena, and was chief security officer of the Securities & Exchange Commission. She has directed global IT Risk Management for a large pharmaceutical firm, and served in the Air Force and Army as an Intelligence Officer. She has taught graduate-level courses at George Washington University, and the National Defense University, among others. She received her MS in business management from National Defense University and is completing the Doctor of Management program at University of Maryland University College.

Associate Program Director

Elizabeth Templeton, MS

Elizabeth Templeton is the interim program director for the Master of Science in Information Security & Assurance program. She received a BA in English and secondary education from Northwestern University and had a 35-year career as an IT professional. She joined Norwich University in 2004, earned the Master of Science in Information Assurance degree in 2007, and became associate program director for the program in 2008.

Student Services Advisor

Andrew Liptak, MA

Andrew Liptak holds a BA in history and an MA in military history, both from Norwich University. First joining Norwich as a student in 2003, he joined the College of Graduate and Continuing Studies in 2007, where he has worked as a student services advisor. In addition to his duties at Norwich, he works as a freelance historian and writer.

Featured Faculty for Master of Science in Information Security & Assurance

John Mason, MBA, CISM, CISA, CGEIT, CFE, CBA, CFSA, CFSSP
John Mason has more than 20 years of experience in internal audit, regulatory compliance, information security, SSAE 16s/SAS 70s, enterprise risk management, investigations/loss prevention, and process reengineering. He is director at SSAE 16 Professionals, a leading PCAOB-registered CPA firm. He has held senior positions in a variety of companies where he has helped establish information risk management programs and designed risk-based audit programs. He has written, reviewed, and researched finance control policies and procedures; performed audits for governmental agencies; and managed a full spectrum of financial, operational, SOX compliance, and data processing audits. He is a co-author of Computer Security Handbook, 5th Edition. He holds an MBA degree and several certificates including a CISM, CISA, CGEIT, CFE, CBA, CFSA, and CFSSP. He lives in Manhattan Beach, California.
Michael Miora, MS, CISSP-ISSMP, FBCI
Michael Miora has designed and assessed secure, survivable, and highly robust systems for industry and government for 35 years. He has worked extensively in the financial, health care, and communications industries and developed business continuity and disaster recovery plans for companies and government agencies in the US and internationally. He originated the Generalized Cost Consequence (GCC) model for performing business impact analysis, now an industry standard methodology. He has consulted to the National Computer Security Center and is certified as a CISSP-ISSMP professional. He has served as the director of the security consulting organization for the National Computer Security Association (now a part of Verizon). A frequent speaker and prolific author, he is a contributor to Computer Security Handbook, 5th Edition, and the Handbook of Information Security. His undergraduate and master’s degrees, both in mathematics, were earned at UCLA and UC Berkeley.
Peter Stephenson, PhD, CISSP, CISM, FICAF
Peter Stephenson is a cyber criminologist, digital investigator, and digital forensic scientist. He teaches network attack and defense, digital forensics, and cyber investigation at Norwich, where he serves as the chief information security officer and director of the school’s Center for Advanced Computing and Digital Forensics. He began his career in 1964 as a crypto tech in the US Navy. He operated a consulting practice for more than 20 years and has worked for companies such as Siemens and Tektronix. He lectures extensively on digital investigation and security and has written, edited, or contributed to 16 books and several hundred articles. He is an information assurance advisor for the state of Vermont and Combined Endeavor (the world’s largest international joint interoperability event). He holds a doctorate degree in computing from Oxford Brookes University, Oxford, England, and a master’s degree in diplomacy from Norwich University. He also holds CISSP, CISM, and FICAF designations.

Faculty

Martin J. Devine, MS, CISSP, CISM, CBCP
Cris Ewell, PhD, CISSP, CISM
Robert Guess, MS, CISSP, MSA-IAM, -IEM
Dawn Hendricks, MS, CISSP
Thomas Hendricks, MS, CISSP
Donald Holden, MBA, CISSP-ISSMP
Sanford Sherizen, PhD, CISSP
Ric Steinberger, MSME, CISSP
George Silowash, MS, CISSP
Dennis Opacki, MS, CISSP
Rebecca Herold, MS, CISSP, CISM, CISA, FLMI
Kathryn Riesing, MA, CISSP, CEH, ITILv3

At a Glance

  • No GRE/GMAT required to apply
  • Undergraduate GPA of 2.75 or higher

Admissions Department Hours
Mon - Thurs: 9 a.m. to 9 p.m. EST
Friday: 9 a.m. to 3:30 p.m. EST
Extended hours available by appointment

Phone: 1-800-460-5597 ext. 3363 (U.S. and Canada); +1-647-722-6642 ext. 3363 (International)
  • Transfer Credits
    Norwich will accept the equivalent of up to 12 semester credits for study you’ve completed at another institution. We evaluate all requests for transfer credits on a case-by-case basis. Norwich University complies with VA regulations and guidelines as they pertain to transfer credits.
  • International Admissions
    Students from outside the U.S. are encouraged to apply to Norwich. As an international student applicant, you must have an acceptable TOEFL score, submit official transcripts showing that you have completed the equivalent of a US bachelor’s degree, and complete all steps in the admissions process.
  • Admissions Webinars
    Listen and learn as our admissions advisors explain the details of applying to Norwich University. You’ll learn about the information assurance program and about Norwich’s long history of academic excellence and innovation - a history we welcome you to be a part of.

Tuition and Finance

Norwich provides a top-notch educational experience; we also work hard to help make it affordable. There are many ways to get financial aid and several strategies to help you finance your education. Norwich is committed to making this often-difficult process easier for you.

Tuition at a Glance

  • Credit Hours: 36
  • Cost Per Credit Hour: $779

Answers to Your Questions

Our admissions advisors are ready to help you plan your education at Norwich University.

Email: msisa@online.norwich.edu
Resources
  • Financing Your Education
    Financing your graduate school education can be challenging. Our job is to make it easier. That’s why we’ve developed a step-by-step approach that guides you through the financial aid process and directs you to the information and support you need.
  • Military Benefits
    Norwich accepts GI Bill benefits, military scholarships, and funding from the Veterans Administration to help you pay for tuition to the Master of Science in Information Security & Assurance program as well as any related program fees. We are also proud to be a part of the Yellow Ribbon Program.
  • Do You Qualify for a Tuition Discount?
    Norwich University partners with more than 800 organizations and associations worldwide to offer accredited degree programs to their employees and members at specially reduced tuition rates. If your organization is a Norwich partner, you could be eligible for a discount to the information assurance program.

Organizational Resilience through Cyber Security: A Need for Additional Workplace Education

There is little that changes more frequently and drastically than cyber security threats and the mitigation methods that answer those threats, yet information assurance training programs are often scheduled on an annual basis or even less often. Think about it: many patch changes are made weekly because of the changing IT threat landscape, but little weekly attention is given to social engineering or other information security threats that are exacerbated through human impact.

Most of us have heard stories of cyber security issues in the news and beyond, and we’ve heard that negative cyber security events have sometimes occurred because users or IT staff did not have adequate training to protect and/or respond to threats. Yet education and training are often still low on the list of organizational priorities. There are several reasons this is so: 

Assumptions that everyone already knows enough:

Sometimes management does not understand that organizational staff and even the managers themselves are not well trained. There can be a false perception that the environment is safe since IT staff members have deployed antivirus software or patch programs, even when minimal information security training opportunities have been offered. Protection of a complex IT structure requires a deep and meaningful information security understanding by all stakeholders, and a comprehensive plan. Plans should include the use of compound processes such as Defense in Depth that include regular behavior training sessions for all staff, even those who think they are already well versed in secure behaviors.

Human resistance to change:

Many people do not like to change their behaviors and they might not even be interested in learning about behavior changes that need to be made, yet changes must be required of staff to adapt to changing threats. Adopting unusual strategies such as requiring computer users to answer an information security question before logging on each day can help to address the resistance to learning new information since the process becomes one that is built into people’s daily routines.    

Funding constraints:

When budgets are limited, prioritization of funds can be focused on more tangible needs. Physical needs are easier to ‘see’ and understand than cyber threats, and there is generally a feeling that bad things will happen to someone else. Why should money be spent to protect against a disaster or cyber attack that may never occur? It might seem that spending money on generating profit would be much more beneficial; however, that line of thinking ignores statistics that show organizational failures following disasters of many kinds, including cyber attacks. 

Last, but certainly not least, implementation of ineffective programs:

This category refers to the old ‘checkmark’ process, denoting that a task has been completed. There are many education and training programs in use that are not effective, but still acceptable to management since they answer an organizational requirement to provide some type or level of training. If training is not effective, staff members will not learn to adopt more secure behaviors. ‘Testing out’ of training also falls into this category, since staff members are not learning new information or reinforcing old concepts when they fill in multiple choice bubbles.    

There are certainly more reasons that training is not what it should be. What do you see in your environment? How can the issues you identify be resolved, so stakeholders can be effectively trained to help control cyber security threats?

- Suzanne Warner Hart, MS, CBCP, CISSP, currently heads disaster recovery for the Delaware Department of Transportation as a senior member of the IT security team. A certified expert in business continuity planning, she also teaches courses on this topic for Norwich University Online.