Course Content and Outcome Guide for CIS 277D
- Course Number: CIS 277D
- Course Title: Database Security
- Credit Hours:
- Lecture Hours:
- Lecture/Lab Hours:
- Lab Hours:
- Special Fee:
Course Description
Covers all aspects of securing a database. Uses Oracle database security to explain concepts in a relational database. Topics covered include: the importance of a database policy, identification and authorization methods (including web applications), securing connection pools and proxy authorization, identity management and enterprise users, authorizations and auditing, fine-grained access control (including application contexts security, views, row-level security, virtual private database, Oracle label security and database encryption). Recommended: CIS 276. Additional lab hours may be required. Audit available.
Intended Outcomes for the course
On completion of this course a student should be able to:
1. Carry out a risk analysis for a large database.
2. Implement identification and authentication procedures, fine-grained access control and data encryption techniques.
3. Set up accounts with privileges and roles.
4. Audit accounts and the database system.
5. Back up and restore a database.
Course Activities and Design
This course is presented with a combination of lectures and labs.
Students will be expected to complete DB security assignments.
Outcome Assessment Strategies
Students will complete the following assessments:
• Design and set up a DB with security principles in mind.
• Develop a risk analysis for a DB.
• Conduct an audit of DB usage.
• Create secure authentication procedures for web application users.
• Use well-established encryption routines for data storage and retrieval.
• Troubleshoot DB security issues.
• Backup and restore a DB.
Course Content (Themes, Concepts, Issues and Skills)
• Review of System/Software/Security Development Life Cycle
• Survey typical security policies
o Importance of having a policy
o Policy must be weighed against the need for DB access
o DB security best practices
• Risk analysis
o Analysis is ongoing
o Contingency planning
o Good vs. bad passwords
o Practicality of password rules
o User-supplied vs. technological
o Protecting against spoofing and identity theft
• Authentication (Is the person who they say they are?)
o Connection pools and proxy authentication
o Enterprise users
o Web users
o Application audit
o Trigger audit
o Autonomous audit
o Data versioning
o Best practices for auditing
o Performance Testing
o Fine-grained auditing
• Fine-grained access control
o Local context
o Global context
o Object level
o Row or column level
• Label security
• Data encryption
o Key management
o Performance monitoring
• DB Backup and recovery
• Troubleshoot data integrity problems