ARCHITECTURAL THINKING FOR SECURITY - 2019/0
Module code: COMM058
Module Overview
Integrating security components into an information system to identify, protect, detect, respond and recover from an increasingly diverse set of threats has become more complex with new computing concepts such as cloud infrastructure, cloud native applications and edge computing. Organisations need a systematic approach to defining security for information systems that integrate processes, people and technology.
The Architectural Thinking for Security module is designed to teach concepts and practice techniques that Security Architects can apply to delivering consistent and effective security solutions. The architectural thinking process can be applied either acting as an adviser to a project or a primary security solution architect.
The course will introduce an architectural thinking process that a Security Architect would use to protect the data at the centre of a business. As part of this process the security architect needs to think about the integration of security controls to protect the confidentiality, integrity and availability of business data. This module provides insights into both the theory and the practical aspects of this process allowing students to critically evaluate the cyber security posture of an organisation and define a solution that can be described to key decision makers within an organisation.
Module provider
Computer Science
Module Leader
CROSSAN Andrew (Computer Sci)
Number of Credits: 15
ECTS Credits: 7.5
Framework: FHEQ Level 7
Module cap (Maximum number of students): N/A
Overall student workload
Independent Learning Hours: 120
Lecture Hours: 30
Module Availability
Semester 1
Prerequisites / Co-requisites
None
Module content
Indicative content includes:
• System context - Examine the external context of system, the actors and data flows to identify what to protect in the system
• Requirements and Constraints - Describe how to define functional and non-functional requirements, legal and regulatory constraints and process modelling
• Architecture Principles - Describe guiding principles including common security principles used to guide creating the architecture
• Architecture Concepts - Describe the Architecture, Enterprise, Architecture, RAID, Architectural Decisions
• Components and Data Flows - Describe the interaction of components and data flows inside a system with how threats are modelled
• Operational Models - Describe how functional components are placed onto operational components and the placement into security zones
• Detect and Respond - Describe the need for detecting residual risks and response incidents with the key components of a solution
• Secure Engineering and Assurance - Describe different engineering lifecycles including waterfall and DevOps with how security and assurance integrates
• Architectural Patterns and Anti-Patterns - Describe the purpose of patterns and anti-patterns giving examples of available patterns to provide a fast-start to a security solution
• Avoiding the Gaps - Highlights how as an architect the hand-off between teams can create gaps in the solution and how to avoid them
• Using Logic for Productive Presentations and Reports - Learn how use create consulting-style presentation using the pyramid principle
Assessment pattern
Assessment type | Unit of assessment | Weighting |
---|---|---|
Coursework | Individual coursework based on workshop exercises | 60 |
Coursework | Group presentation | 20 |
Coursework | Group project report | 20 |
Alternative Assessment
Where group work is not possible, assessment 2 and assessment 3 will revert to individual submissions
Assessment Strategy
Summative Assessment
The assessment strategy is based on a piece of individual coursework and a group coursework with presentation that will encourage the students to both engage with and apply the techniques learned in the lectures.
Thus, the summative assessment for this module consists of
* An individual piece of coursework that the students will build up over the weekly exercises supporting the lecture material (LO1, LO2, LO3, LO4 and LO5)
* A group project where the students work together to analyse a case study and design and implement a security solution based on Architectural Thinking principles. This will be assessed through a report submitted by each group (LO2, LO3, and LO5) and a final presentation in week 10 (LO2, LO3, and LO5).
Formative assessment and feedback
Formative feedback will be given regularly through the Group Exercises that support the lecture material each week.
Module aims
- Study and practice a series of techniques and artefacts to enable use of a repeatable and consistent approach to developing a security architecture integrating security controls into an information system
- Learn how to gather functional and non-functional requirements then critically analyse, in the context of information system constraints, to define the process, people and technology security controls needed to protect business data and processes
- Develop the skills to analyse security risks in the context of the threats and countermeasures within an information system
- Practice the use of architectural concepts, techniques and artefacts using a realistic case study to develop a security solution
- Persuasively articulate the components of a security solution using standard architectural artefacts and consulting techniques to key stakeholders in an organisation
Learning outcomes
Attributes Developed | ||
001 | Articulate an understanding of the need for security architecture for applications and infrastructure in an enterprise context | CK |
002 | Explain the process and apply that knowledge to gather requirements and develop a security solution architecture | CKP |
003 | Apply the architectural thinking process in the context of risk, threats and countermeasures | CKP |
004 | Explain the approach to architecting an integrated security solution | KT |
005 | Articulate an understanding of the components of a solution using standard architectural artefacts and apply that knowledge to the creation of artefacts | CKP |
Attributes Developed
C - Cognitive/analytical
K - Subject knowledge
T - Transferable skills
P - Professional/Practical skills
Methods of Teaching / Learning
The learning and teaching methods include:
30 hours of lectures incorporating in-class discussions and exercises. 3 hours per week will be divided as required between lectures with in class discussion and group work to support the lecture material.
Students will be expected to undertake self-study where necessary, and to prepare appropriately for , assessments.
Indicated Lecture Hours (which may also include seminars, tutorials, workshops and other contact time) are approximate and may include in-class tests where one or more of these are an assessment on the module. In-class tests are scheduled/organised separately to taught content and will be published on to student personal timetables, where they apply to taken modules, as soon as they are finalised by central administration. This will usually be after the initial publication of the teaching timetable for the relevant semester.
Reading list
https://readinglists.surrey.ac.uk
Upon accessing the reading list, please search for the module using the module code: COMM058
Other information
None
Programmes this module appears in
Programme | Semester | Classification | Qualifying conditions |
---|---|---|---|
Information Security MSc | 1 | Optional | A weighted aggregate mark of 50% is required to pass the module |
Please note that the information detailed within this record is accurate at the time of publishing and may be subject to change. This record contains information for the most up to date version of the programme / module for the 2019/0 academic year.