Crain - Computer Security (Proposal)
Develop a series of 5 assignments and scaffolding lecture notes for a security audit of OpenMRS.
Junior-level course — Computer Security (3 cr.)
A survey of the theory and practice of computer security. Topics will include mandatory and discretionary access control, cryptography, policies, mechanisms, profiles, and threat assessment. Prerequisite: CS1.
Target Student Audience
This course is mainly taken by students in one of our majors. It is required for the Computer Security major and minor. Generally it is taken by juniors and seniors, although the prerequisites are pretty light. This course has about 30 students.
The intended learning outcomes are:
- Students solidify understanding of what HIPAA compliance entails.
- Students are able to locate PII in a database or application.
- Students gain experience interviewing developers, administrators and users for a security audit.
- Students are able to trace the use of PII through source code.
- Students are able to evaluate existing security mechanisms in the context of a policy.
- Students are able to effectively communicate the results of a security audit.
The activities will be a series of 5 group assignments that together conduct a security audit of OpenMRS, with a special emphasis on HIPAA compliance. The activities will involve: interviews with members of the OpenMRS community; analysis of existing security-related documentation; identifying PII used in the application; tracking how the PII is used, existing access controls and audit trails; identifying HIPAA violations; documenting the results of the audit.
The results of the audits will be verified by the instructor and then combined into a report and made available to the OpenMRS community. In addition, the instructor will work with the students to submit bug reports for individual modifications that are needed for compliance.
The assignments together with relevant lecture notes will be made available on foss2serve.
I will use the standard survey instruments with the addition of computer-security-specific questions that I can also make available. I will be administering the surveys at the start of the course, around midterm before the HFOSS is added (as a control), at the end of the semester and at the end of summer (to see if the students did participate in HFOSS over the summer). The instruments used and results will be provided on foss2serve.
The assignments are scheduled to be piloted 3/23 - 5/7/2015, so I will be developing them over the next few months. Evaluation will be completed by August, with most results available in May. The assignments will be posted as they are developed, by 5/1/2015.