The University of Ontario Institute of Technology (UOIT) in Oshawa, Ont., will offer what it says is the first Master of Information Technology Security program in Canada — and one of few such programs in the world — starting in September.
Clemens Martin, director of IT programs at UOIT, said the program will give students an opportunity to develop an understanding of security through theory and applied learning, while at the same time polishing their communications skills and examining business and IT ethics in a team environment.
Martin said the curriculum includes 10 courses, two of which are non-technical. “[Students] will start with a law and ethics course of IT security, where they will learn what is acceptable [behaviour] and what is not, what is legal and illegal,” when dealing with security and privacy of information, he said.
Near the end of the program, students will also take a course on policies, procedures and risk assessments. “This course will give them a business perspective — the tools, mechanisms and methodologies — so that they can give their employers a rationale of why it makes sense or doesn’t make sense to invest in a new technology or follow a new market trend.”
Technical courses will include topics such as operating system security, secure communications and cryptography. Students will also learn skills that “cater to the software development side — how to build secure software systems with security in mind from the beginning of the development process,” Martin said.
Students will also have access to the UOIT Hacker Research Lab in their second year of the program. Lab assignments will involve two teams working on a network — one group striving to secure the system, while the other attempts to breach security, Martin said.
“They will study scenarios in which students build up an IT infrastructure — a Web service or an ERP mechanism, for example — that they have to protect by setting up a firewall, a content scanning mechanism,” and other security measures. “Another team will try to break in or find vulnerabilities exposed in the infrastructure.” After the fact, the two teams will sit down and examine “what happened, what could have been done to better secure the system and what the attackers overlooked,” he said.
The program is meant for people who have had at least two years’ experience in the IT field and is ideal training for those who eventually want to become chief security officers or chief information security officers, Martin said.
Nathan Percival, IT specialist with UOIT’s Faculty of Engineering and Applied Science, is one of the first students to sign up for the program. In 2000 Percival graduated with a bachelor’s degree in mathematics and computer science from the University of Waterloo, with a specialization in information systems.
Before joining UOIT as an employee, he worked for a small consulting firm that deals with intelligent traffic systems, which is where his interest in security grew. “I saw how IT changed with the events of 9/11 and how security has become much more important,” he said. “I was always interested in privacy and security — how to keep information private, and how to work against viruses, and, more recently, phishing.”
While Percival said he has a keen interest in the network, he said it’s impossible to grow one’s career in that field without focusing on security. “I believe that you can’t stay in a leadership role in an IT environment without being very aware of security. It is a major component of IT in the future…both on a technical and non-technical level. It’s the way IT is going.”
Percival said he signed up for UOIT’s program because of the breadth of its offerings, both from a technical and business perspective. “[The program] gives you an overview of hardware (and) software, and allows you to look at the issues regarding their use…. It gives you a strong technical base but not just a raw base without any context to put into it.”
He said anyone looking to learn more about security at a master’s level should look for a program that “gives you a very good technical basis but doesn’t completely neglect the softer side — social engineering, how people interact with systems.” The program should also cover a broad range of topics — “things like telecommunications, wireless networking, the whole gamut. Everything is part of a system and you have to take a systems approach to IT security. You can’t secure a system independent of the rest of the world.”