M.S. in Information Security Management

M.S. in Information Security Management


The SANS Technology Institute is no longer accepting new applications to the MSISM program. Students interested in in-depth management coursework may choose to focus their studies within the MSISE program.

The Master of Science in Information Security Management program is a non-thesis program. Students must earn 35 credit hours by completing a series of technical, management, leadership, and communications courses and completing several projects, simulations and a capstone examination.

The core curriculum consists of required courses, shown below, that equip students with the processes, techniques, and tools required to practice information security engineering. An elective course is included in the program so that students can address their specific needs.

Required Courses (31 credit hours)

ISM 5101: Security Essentials (3)

SANS class: MGT 512 Security Leadership Essentials
Assessment: GIAC GSLC
3 Credit Hours

ISM 5101 is the introductory, survey course in the information security management master's program. It establishes the foundations for developing, assessing and managing security functions at the end-user, network and enterprise levels of an organization. The faculty instruction, readings, and exam are coordinated to introduce and develop the core technical, management, and enterprise-level capabilities that will be developed throughout the master's program.

ISM 5201: Hacking Techniques & Incident Response (3)

SANS class: SEC 504 Hacker Techniques, Exploits & Incident Handling
Assessment: GIAC GCIH
3 Credit Hours

By adopting the viewpoint of a hacker, ISM 5201 provides an in-depth focus into the critical activity of incident handling. Students are taught how to manage intrusions by first looking at the techniques used by attackers to exploit a system. Students learn responses to those techniques, which can be adopted within the framework of the incident handling process to handle attacks in an organized way. The faculty instruction, lab exercises, and exam are coordinated to develop and test a student's ability to utilize the core capabilities required for incident handling.

ISM 5300: Building Security Awareness (1)

SANS class: MGT 433 Securing the Human: Building and Deploying an Effective Security Awareness Program
Assessment: Writing Exercise
1 Credit Hour

One of the most effective ways to secure the human factor in an enterprise is an active awareness and education program that goes beyond compliance and leads to actual changes in behaviors. In ISM 5300, students learn the key concepts and skills to plan, implement, and maintain an effective security awareness program that makes organizations both more secure and compliant. In addition, metrics are introduced to measure the impact of the program and demonstrate value. Finally, through a series of labs and exercises, students develop their own project and execution plan, so they can immediately implement a customized awareness program for their organization.

ISM 5400: IT Security Planning, Policy & Leadership (3)

SANS class: MGT 514 IT Security Strategic Planning, Policy, and Leadership
Assessment: GIAC GSTRT, Writing Exercise
3 Credit Hours

ISM 5400 covers the entire strategic planning process: how to plan the plan, horizon analysis, visioning, environmental scans (SWOT, PEST, Porter's etc.), historical analysis, mission, vision, and value statements. The course also reviews the planning process core, candidate initiatives, the prioritization process, resource and IT change management in planning, how to build a roadmap, setting up assessments, and revising the plan.

RES 5500: Graduate Research Practicum (2)

Assessment: Research Paper
2 Credit Hours

RES 5500 is a graduate-level research course in which students will identify, investigate and analyze a problem. Students will write a research paper interpreting the data collected and making recommendations for action. The research paper will reflect original work towards a new practice, solution, tool, policy, or paradigm offering the potential for real impact in the field of information security.

ISM 5550: Research Presentation 1 (1)

SANS class: MGT 305 Research & Communications Methods
Assessment: Oral Presentation
1 Credit Hour

ISM 5550 requires students to convert written technical material into a persuasive oral presentation appropriate in an enterprise environment. Students engage in an iterative process, using research material written for a previous course, as a base from which to build and deliver a 40-minute presentation, typically given at a SANS Residential Institute/instructional event.

ISM 5601: Law of Data Security and Investigations (3)

SANS class: LEG 523 Law of Data Security and Investigations
Assessment: GIAC GLEG
3 Credit Hours

ISM 5601 introduces students to the new laws on privacy, e-discovery, and data security so students can bridge the gap between the legal department and the IT department. It also provides students with skills in the analysis and use of contracts, policies, and records management procedures.

ISM 5700: Situational Response Practicum (1)

Assessment: Oral Presentation, Writing Exercise
1 Credit Hour

In ISM 5700, a small group of students is given an information security scenario that is partly based on current events, and requires a broad knowledge of information security concepts. Their task is to evaluate the scenario and to recommend a course of action. This experience is a timed 24-hour event and culminates in a group written report and presentation at the end of the 24-hour preparation time.

ISM 5800: IT Security Project Management (3)

SANS class: MGT 525 IT Project Management, Effective Communication, and PMP® Exam Prep
Assessment: GIAC GCPM
3 Credit Hours

In ISM 5800 you will learn how to improve your project planning methodology and project task scheduling to get the most out of your critical IT resources. The course utilizes project case studies that highlight information technology services as deliverables. ISM 5800 follows the basic project management structure from the PMP® Guide 5th edition and also provides specific techniques for success with information assurance initiatives. All aspects of IT project management are covered - from initiating and planning projects through managing cost, time, and quality while your project is active, to completing, closing, and documenting as your project finishes.

RES 5900: Advanced Graduate Research Practicum (2)

Assessment: Research Paper
2 Credit Hours

RES 5900 is an advanced graduate-level research course in which students will identify, investigate and analyze a problem. Students will write a research paper interpreting the data collected and making recommendations for action. The research paper will reflect original work towards a new practice, solution, tool, policy, or paradigm offering the potential for real impact in the field of information security.

ISM 5900: Research Presentation 2 (1)

Assessment: Oral Presentation
1 Credit Hour

ISM 5900 repeats and builds on the skills developed in ISE 5550, and students once again must convert written material into a persuasive oral presentation appropriate in an enterprise environment. Students use research material written from previous courses in the curriculum to build and deliver a 40-minute presentation, delivered either at a SANS Residential Institute/instructional event or via an online delivery mechanism.

ISM 6001: Standards Based Implementation of Security (3)

SANS class: SEC 566 Implementing and Auditing the Critical Security Controls - In-Depth
Assessment: GIAC GCCC
3 Credit Hours

Cybersecurity attacks are increasing and evolving so rapidly that is more difficult than ever to prevent and defend against them. ISM 6001 will help you to ensure that your organization has an effective method in place to detect, thwart, and monitor external and internal threats to prevent security breaches. As threats evolve, an organization's security should too. Standards based implementation takes a prioritized, risk-based approach to security and shows you how standardized controls are the best way to block known attacks and mitigate damage from successful attacks.

ISM 6100: Security Project Practicum (1)

Assessment: Group Written Project Plan
1 Credit Hour

In ISM 6100, a small group of students is given an information security project that requires a broad knowledge of information security concepts. Their task is to evaluate the project assignment and to recommend a course of action. This experience is a timed 30-day event. Students receive the project assignment from faculty, and must respond with a project plan to address the assignment within 5 days. The group then uses their plan to address the assignment, and deliver a written report at the end of the 30-day period.

ISM 6201: Auditing Networks, Perimeters and Systems (3)

SANS class: AUD 507 Auditing Networks, Perimeters, and Systems
Assessment: GIAC GSNA
3 Credit Hours

ISM 6201 is organized specifically to provide a risk driven method for tackling the enormous task of designing an enterprise security validation program. After covering a variety of high level audit issues and general audit best practice, students have the opportunity to dive deep into the technical how to for determining the key controls that can be used to provide a level of assurance to an organization. Tips on how to repeatably verify these controls and techniques for continuous monitoring and automatic compliance validation are given from real world examples.

ISM 6300: NetWars Continuous Practicum (1)

Assessment: NetWars Continuous
1 Credit Hour

In ISE 6300, students will complete an online training program, NetWars Continuous, that guides students through hands-on lessons to locate vulnerabilities, exploit diverse machines, and analyze systems. NetWars provides a forum to test and perfect cyber security skills in a manner that is legal and ethical. Students will face challenges derived from real-world environments and actual attacks that businesses, governments, and military organizations must deal with every day.

Elective Course (3 credit hours)

Candidates for the MSISM degree have one elective course, to be chosen from the same technical elective courses within the MSISE program (listed below), excluding courses in the 67XX series.

ISE 6215: Advanced Security Essentials

SANS class: SEC 501 Advanced Security Essentials - Enterprise Defender
Assessment: GIAC GCED
3 Credit Hours

ISE 6215 reinforces the theme that prevention is ideal, but detection is a must. Students will learn how to ensure that their organizations constantly improve their security posture to prevent as many attacks as possible. A key focus is on data protection, securing critical information no matter whether it resides on a server, in robust network architectures, or on a portable device.

Despite an organization's best effort at preventing attacks and protecting its critical data, some attacks will still be successful. Therefore students will also learn how to detect attacks in a timely fashion through an in-depth understanding the traffic that flows on networks, scanning for indications of an attack. The course also includes instruction on performing penetration testing, vulnerability analysis, and forensics.

ISE 6230: Securing Windows with the Critical Security Controls

SANS class: SEC 505 Securing Windows and PowerShell Automation
Assessment: GIAC GCWN
3 Credit Hours

ISE 6230 shows students how to secure servers, workstations and portable devices running Microsoft Windows. Windows is the most frequent target of hackers and advanced malware. While other courses focus on detection or remediation of a compromise after the fact, the aim of this course is to substantially reduce these compromises in the first place. For scalability and automation, this course includes many hands-on labs with Group Policy and PowerShell scripting. No prior scripting experience is required. Learning at least the basics of PowerShell is an essential skill for anyone who manages Windows servers or clients in an enterprise. This course applies the Critical Security Controls to Windows, so it is a natural follow-on to ISE 6000 (SEC566), which is a required course for the curriculum.

ISE 6235: Securing Linux/Unix

SANS class: SEC 506 Securing Linux/Unix
Assessment: GIAC GCUX
3 Credit Hours

ISE 6235 provides students with experience in in-depth coverage of Linux and Unix security issues, examining how to mitigate or eliminate general problems that apply to all Unix-like operating systems, including vulnerabilities in the password authentication system, file system, virtual memory system, and applications that commonly run on Linux and Unix. This course provides specific configuration guidance and practical, real-world examples, tips, and tricks.

ISE 6240: Continuous Monitoring and Security Operations

SANS class: SEC 511 Continuous Monitoring and Security Operations
Assessment: GIAC GMON
3 Credit Hours

ISE6240 teaches a proactive approach to enterprise security that presumes attackers will penetrate your environment and therefore emphasizes timely incident detection. The Defensible Security Architecture, Network Security Monitoring, Continuous Diagnostics and Mitigation, and Continuous Security Monitoring taught in this course - aligned with the National Institute of Standards and Technology (NIST) guidelines described in NIST SP 800-137 for Continuous Monitoring (CM) -- are designed to enable you and your organization to analyze threats and detect anomalies that could indicate cybercriminal behavior.

ISE 6315: Web App Penetration Testing and Ethical Hacking

SANS class: SEC 542 Web App Penetration Testing and Ethical Hacking
Assessment: GIAC GWAPT
3 Credit Hours

ISE 6315 is a highly technical information security course in offensive strategies where students learn the art of exploiting Web applications so they can find flaws in enterprise Web apps before they are otherwise discovered and exploited. Through detailed, hands-on exercises students learn the four-step process for Web application penetration testing. Students will inject SQL into back-end databases, learning how attackers exfiltrate sensitive data. They then utilize cross-site scripting attacks to dominate a target infrastructure in a unique hands-on laboratory environment. Finally students explore various other Web app vulnerabilities in-depth with tried-and-true techniques for finding them using a structured testing regimen.

ISE 6320: Network Penetration Testing and Ethical Hacking

SANS class: SEC 560 Network Penetration Testing and Ethical Hacking
Assessment: GIAC GPEN
3 Credit Hours

ISE 6320 prepares students to conduct successful penetration testing and ethical hacking projects. The course starts with proper planning, scoping and recon, and then dives deep into scanning, target exploitation, password attacks, and wireless and web apps with detailed hands-on exercises and practical tips for doing the job safely and effectively. Students will participate in an intensive, hands-on Capture the Flag exercise, conducting a penetration test against a sample target organization.

ISE 6325: Mobile Device Security

SANS class: SEC 575 Mobile Device Security and Ethical Hacking
Assessment: GIAC GMOB
3 Credit Hours

ISE 6325 helps students resolve their organization's struggles with mobile device security by equipping then with the skills needed to design, deploy, operate, and assess a well-managed secure mobile environment. From practical policy development to network architecture design and deployment, and mobile code analysis to penetration testing and ethical hacking, this course teaches students to build the critical skills necessary to support the secure deployment and use of mobile phones and tablets in their organization.

ISE 6330: Wireless Penetration Testing

SANS class: SEC 617 Wireless Ethical Hacking, Penetration Testing, and Defenses
Assessment: GIAC GAWN
3 Credit Hours

ISE 6330 takes an in-depth look at the security challenges of many different wireless technologies, exposing students to wireless security threats through the eyes of an attacker. Using readily available and custom-developed tools, students will navigate through the techniques attackers use to exploit WiFi networks, Bluetooth devices, and a variety of other wireless technologies. Using assessment and analysis techniques, this course will show students how to identify the threats that expose wireless technology and build on this knowledge to implement defensive techniques that can be used to protect wireless systems.

ISE 6350: Python for Penetration Testers

SANS class: SEC573: Python for Penetration Testers
Assessment: GIAC GPYC
3 Credit Hours

The ISE 6350 course teaches student in the pen testing specialization, and other students who want to use the Python programming language, how to enhance their overall effectiveness during information security engagements. Students will learn how to apply core programming concepts and techniques learned in other courses through the Python programming language. The course teaches skills and techniques that can enhance an information security professional in penetration tests, security operations, and special projects. Students will create simple Python-based tools to interact with network traffic, create custom executables, test and interact with databases and websites, and parse logs or sets of data.

ISE 6360: Advanced Penetration Testing

SANS class: SEC 660 Advanced Penetration Testing, Exploits, and Ethical Hacking
Assessment: GIAC GXPN
3 Credit Hours

ISE 6360 builds upon ISE 6320 - Network Penetration Testing and Ethical Hacking. This advanced course introduces students to the most prominent and powerful attack vectors, allowing students to perform these attacks in a variety of hands-on scenarios.

ISE 6420: Computer Forensic Investigations - Windows

SANS class: FOR 500 Computer Forensic Investigations - Windows In-Depth
Assessment: GIAC GCFE
3 Credit Hours

ISE 6420 Computer Forensic Investigations - Windows focuses on the critical knowledge of the Windows Operating System that every digital forensic analyst needs to investigate computer incidents successfully. Students learn how computer forensic analysts focus on collecting and analyzing data from computer systems to track user-based activity that can be used in internal investigations or civil/criminal litigation. The course covers the methodology of in-depth computer forensic examinations, digital investigative analysis, and media exploitation so each student will have complete qualifications to work as a computer forensic investigator helping to solve and fight crime.

ISE 6425: Advanced Computer Forensic Analysis and Incident Response

SANS class: FOR 508 Advanced Digital Forensics, Incident Response, and Threat Hunting
Assessment: GIAC GCFA
3 Credit Hours

ISE 6425 teaches the necessary capabilities for forensic analysts and incident responders to identify and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism, and financial crime syndicates. The course shows students how to work as digital forensic analysts and incident response team members to identify, contain, and remediate sophisticated threats-including nation-state sponsored Advanced Persistent Threats and financial crime syndicates. Students work in a hands-on lab developed from a real-world targeted attack on an enterprise network in order to learn how to identify what data might be stolen and by whom, how to contain a threat, and how to manage and counter an attack.

ISE 6440: Advanced Network Forensics and Analysis

SANS class: FOR 572 Advanced Network Forensics and Analysis
Assessment: GIAC GNFA
3 Credit Hours

ISE 6440: Advanced Network Forensics and Analysis focuses on the most critical skills needed to mount efficient and effective post-incident response investigations. Moving beyond the host-focused experiences in ISE 6420 and ISE 6425, ISE 6440 covers the tools, technology, and processes required to integrate network evidence sources into investigations, covering high-level NetFlow analysis, low-level pcap exploration, and ancillary network log examination. Hands-on exercises in FOR 572 cover a wide range of open source and commercial tools, and real-world scenarios help the student learn the underlying techniques and practices to best evaluate the most common types of network-based attacks.

ISE 6445: Cyber Threat Intelligence

SANS class: FOR 578 Cyber Threat Intelligence
Assessment: GIAC GCTI
3 Credit Hours

ISE 6445 will equip you, your security team, and your organization in the tactical, operational, and strategic level cyber threat intelligence skills and tradecraft required to better understand the evolving threat landscape and to accurately and effectively counter those threats. This course focuses on structured analysis in order to establish a solid foundation for any security skillset and to amplify existing skills.

ISE 6450: Advanced Smartphone Forensics

SANS class: FOR585: Advanced Smartphone Forensics
Assessment: GIAC GASF
3 Credit Hours

The focus of ISE 6450 is on teaching students how to perform forensic examinations on devices such as mobile phones and tablets. Students will add to their forensics skills with this course's focus on the advanced skills of mobile forensics, device file system analysis, mobile application behavior, event artifact analysis and the identification and analysis of mobile device malware. Students will learn how to detect, decode, decrypt, and correctly interpret evidence recovered from mobile devices. The course features a number of hands-on labs that allow students to analyze different datasets from smart devices and leverage the best forensic tools and custom scripts to learn how smartphone data hide and can be easily misinterpreted by forensic tools.

ISE 6460: Malware Analysis and Reverse Engineering

SANS class: FOR 610 Reverse-Engineering Malware: Malware Analysis Tools and Techniques
Assessment: GIAC GREM
3 Credit Hours

ISE 6460 teaches students how to examine and reverse engineer malicious programs - spyware, bots, Trojans, etc. - that target or run on Microsoft Windows, within browser environments such as JavaScript or Flash files, or within malicious document files (including Word and PDF). The course builds a strong foundation for reverse-engineering malicious software using a variety of system and network monitoring utilities, a disassembler, a debugger and other tools. The malware analysis process taught in this class helps students understand how incident responders assess the severity and repercussions of a situation that involves malicious software and plan recovery steps. Students also experience how forensics investigators learn to understand key characteristics of malware discovered during the examination, including how to establish indicators of compromise (IOCs) for scoping and containing the incident.

ISE 6515: ICS/SCADA Security Essentials

SANS class: ICS 410: ICS/SCADA Security Essentials
Assessment: GIAC GICSP, Paper
3 Credit Hours

ISE 6515 provides students with the essentials knowledge and techniques for conducting cybersecurity work in industrial control system environments. ISE 6515 ICS/SCADA Security Essentials provides a foundational set of standardized skills and knowledge for industrial controls and their associated supervisory controls and data acquisition systems, and students will learn the language, the underlying theory, and the basic tools for industrial control system security in settings across a wide range of industry sectors and applications.

ISE 6520: ICS Active Defense and Incident Response

SANS class: ICS 515 ICS Active Defense and Incident Response
Assessment: GIAC GRID
3 Credit Hours

ISE 6520 will empower students to understand their networked industrial control system environment, monitor it for threats, perform incident response against identified threats, and learn from interactions with the adversary to enhance network security.

ISE 6525: Essentials for NERC Critical Infrastructure Protection

SANS class: ICS 456 Essentials for NERC Critical Infrastructure Protection
Assessment: GIAC GCIP
3 Credit Hours

ISE 6525 empowers students with knowledge of the "what" and the "how" of the version 5/6 standards. The course addresses the role of FERC, NERC and the Regional Entities, provides multiple approaches for identifying and categorizing BES Cyber Systems and helps asset owners determine the requirements applicable to specific implementations. Additionally, the course covers implementation strategies for the version 5/6 requirements with a balanced practitioner approach to both cybersecurity benefits, as well as regulatory compliance.

ISE 6615: Defending Web Applications Security Essentials

SANS class: DEV 522 Defending Web Applications Security Essentials
Assessment: GIAC GWEB
3 Credit Hours

ISE 6615 covers the OWASP Top 10 and provides students with a better understanding of web application vulnerabilities, enabling them to properly defend organizational web assets. Mitigation strategies from an infrastructure, architecture, and coding perspective are discussed alongside real-world implementations that really work. The testing aspect of vulnerabilities is also covered so students can ensure their application is tested for the vulnerabilities discussed in class.

Required Program Capstone (1 credit hour)

MSISM Program Capstone

Assessment: GSM
1 Credit Hour

The GSM exam Capstone experience is a two day hands-on lab exercise where students demonstrate their ability to formulate and implement policies and solutions that demonstrate a thorough understanding of security foundations and practical applications of information technology. Students work through scenarios which require them to: construct information security approaches that balance organizational needs, apply standards-based approaches to information security risk management, and devise incident response strategies.