ARCHITECTURAL THINKING FOR SECURITY - 2019/0

Module code: COMM058

Module Overview

Integrating security components into an information system to identify, protect, detect, respond and recover from an increasingly diverse set of threats has become more complex with new computing concepts such as cloud infrastructure, cloud native applications and edge computing. Organisations need a systematic approach to defining security for information systems that integrate processes, people and technology.

The Architectural Thinking for Security module is designed to teach concepts and practice techniques that Security Architects can apply to delivering consistent and effective security solutions. The architectural thinking process can be applied either acting as an adviser to a project or a primary security solution architect.

The course will introduce an architectural thinking process that a Security Architect would use to protect the data at the centre of a business. As part of this process the security architect needs to think about the integration of security controls to protect the confidentiality, integrity and availability of business data. This module provides insights into both the theory and the practical aspects of this process allowing students to critically evaluate the cyber security posture of an organisation and define a solution that can be described to key decision makers within an organisation.

Module provider

Computer Science

Module Leader

CROSSAN Andrew (Computer Sci)

Number of Credits: 15

ECTS Credits: 7.5

Framework: FHEQ Level 7

Module cap (Maximum number of students): N/A

Overall student workload

Independent Learning Hours: 120

Lecture Hours: 30

Module Availability

Semester 1

Prerequisites / Co-requisites

None

Module content

Indicative content includes:

System context - Examine the external context of system, the actors and data flows to identify what to protect in the system

Requirements and Constraints - Describe how to define functional and non-functional requirements, legal and regulatory constraints and process modelling

Architecture Principles - Describe guiding principles including common security principles used to guide creating the architecture

Architecture Concepts - Describe the Architecture, Enterprise, Architecture, RAID, Architectural Decisions

Components and Data Flows - Describe the interaction of components and data flows inside a system with how threats are modelled

Operational Models - Describe how functional components are placed onto operational components and the placement into security zones

Detect and Respond - Describe the need for detecting residual risks and response incidents with the key components of a solution

Secure Engineering and Assurance - Describe different engineering lifecycles including waterfall and DevOps with how security and assurance integrates

Architectural Patterns and Anti-Patterns - Describe the purpose of patterns and anti-patterns giving examples of available patterns to provide a fast-start to a security solution

Avoiding the Gaps - Highlights how as an architect the hand-off between teams can create gaps in the solution and how to avoid them

Using Logic for Productive Presentations and Reports - Learn how use create consulting-style presentation using the pyramid principle

Assessment pattern

Assessment type Unit of assessment Weighting
Coursework Individual coursework based on workshop exercises 60
Coursework Group presentation 20
Coursework Group project report 20

Alternative Assessment

Where group work is not possible, assessment 2 and assessment 3 will revert to individual submissions

Assessment Strategy

Summative Assessment

The assessment strategy is based on a piece of individual coursework and a group coursework with presentation that will encourage the students to both engage with and apply the techniques learned in the lectures.

Thus, the summative assessment for this module consists of

     * An individual piece of coursework that the students will build up over the weekly exercises supporting the lecture material (LO1, LO2, LO3, LO4 and LO5)

     * A group project where the students work together to analyse a case study and design and implement a security solution based on Architectural Thinking principles. This will be assessed through a report submitted by each group (LO2, LO3, and LO5) and a final presentation in week 10 (LO2, LO3, and LO5).

 

Formative assessment and feedback

Formative feedback will be given regularly through the Group Exercises that support the lecture material each week.

Module aims

  • Study and practice a series of techniques and artefacts to enable use of a repeatable and consistent approach to developing a security architecture integrating security controls into an information system
  • Learn how to gather functional and non-functional requirements then critically analyse, in the context of information system constraints, to define the process, people and technology security controls needed to protect business data and processes
  • Develop the skills to analyse security risks in the context of the threats and countermeasures within an information system
  • Practice the use of architectural concepts, techniques and artefacts using a realistic case study to develop a security solution
  • Persuasively articulate the components of a security solution using standard architectural artefacts and consulting techniques to key stakeholders in an organisation

Learning outcomes

Attributes Developed
001 Articulate an understanding of the need for security architecture for applications and infrastructure in an enterprise context CK
002 Explain the process and apply that knowledge to gather requirements and develop a security solution architecture CKP
003 Apply the architectural thinking process in the context of risk, threats and countermeasures CKP
004 Explain the approach to architecting an integrated security solution KT
005 Articulate an understanding of the components of a solution using standard architectural artefacts and apply that knowledge to the creation of artefacts CKP

Attributes Developed

C - Cognitive/analytical

K - Subject knowledge

T - Transferable skills

P - Professional/Practical skills

Methods of Teaching / Learning

The learning and teaching methods include:

30 hours of lectures incorporating in-class discussions and exercises. 3 hours per week will be divided as required between lectures with in class discussion and group work to support the lecture material.

Students will be expected to undertake self-study where necessary, and to prepare appropriately for , assessments.

Indicated Lecture Hours (which may also include seminars, tutorials, workshops and other contact time) are approximate and may include in-class tests where one or more of these are an assessment on the module. In-class tests are scheduled/organised separately to taught content and will be published on to student personal timetables, where they apply to taken modules, as soon as they are finalised by central administration. This will usually be after the initial publication of the teaching timetable for the relevant semester.

Reading list

https://readinglists.surrey.ac.uk
Upon accessing the reading list, please search for the module using the module code: COMM058

Other information

None

Programmes this module appears in

Programme Semester Classification Qualifying conditions
Information Security MSc 1 Optional A weighted aggregate mark of 50% is required to pass the module

Please note that the information detailed within this record is accurate at the time of publishing and may be subject to change. This record contains information for the most up to date version of the programme / module for the 2019/0 academic year.