INFORMATION SECURITY FOR BUSINESS AND GOVERNMENT - 2022/3
Module code: COMM050
Module Overview
Key to modern business operation is Risk Management, and a modern entrant on any Risk Register maintained by the executive of an organisation is the risk posed from falling victim to cybercrime and civil litigation resulting from, for example, data breaches.
In order to understand how best to shape and evolve an organisation’s response to the cyber security threat, the module will cover what the more detailed operations in cyber security involve. The module will introduce the key disciplines that we are likely to encounter in the real-world. It will provide an industry perspective on the common practices, latest innovations, technologies and the problems and concerns associated with information security. The module will show that cyber security is not just technical subject, but is a truly multidisciplinary function.
The module looks broadly at the implications of regulations on the cyber crime landscape. It also brings together the issues of cyber from a high-level perspective. It will also equip students with an awareness of what is very current out there in terms of leading-edge applications of information security.
The module uniquely accesses leading international speakers in their field, draws on the significant expertise of leading industrialists and through shaping the module into distinct learning blocks we are also able to ensure that our students will be directed to key industry reports, regulations and best practice guidance that shapes current industry thinking in information security for business and government.
Module provider
Computer Science and Electronic Eng
Module Leader
ASGHAR Rizwan (CS & EE)
Number of Credits: 15
ECTS Credits: 7.5
Framework: FHEQ Level 7
Module cap (Maximum number of students): N/A
Overall student workload
Workshop Hours: 4
Independent Learning Hours: 90
Tutorial Hours: 11
Guided Learning: 18
Captured Content: 27
Module Availability
Semester 2
Prerequisites / Co-requisites
Information Security Management- COMM037
Module content
The content is structured into distinct blocks.
Block 1: will give a perspective on how to manage security. It will cover the international and legal perspectives and link to regulations and standards (for example PCI-DSS) and good risk management practices (ISO and NIST) that should be followed.
Block 2: will focus on various methodologies and techniques that are involved in daily management of security, for example threat intelligence, threat modelling, pen testing and web security.
Block 3: will focus on how cyber security is viewed from those that have to bring it all together within an organisation, the CISO perspective and executives from a variety of sectors will share their perspectives on current concerns.
Block 4: will look to the future of security and how technologies such as IoT and data science will impact information security in business.
There will also be workshops on analysing a case study data breach and critically evaluating a case study risk assessment.
Assessment pattern
| Assessment type | Unit of assessment | Weighting |
|---|---|---|
| Coursework | Group | 50 |
| Coursework | Individual | 50 |
Alternative Assessment
Individual coursework as alternative to coursework 1 (group)
Assessment Strategy
The assessment strategy is designed to provide students with the opportunity to demonstrate that they have achieved the module learning outcomes.
The summative assessment consists of:
Coursework 1 (group) focussing on a detailed risk assessment on a case study system. It will focus on following the ISO standard to conduct the risk assessment and expect that the students will be able to identify controls to mitigate that risks that reflect their understanding of industry best practices. This addresses LO1 – 5 with particular emphasis on the engagement of a risk assessment part of LO2.
Coursework 2 (individual) focussing on critically evaluating the group risk assessment and comparing the benefits of different approaches to risk assessment. It will also cover proposing new features for a system under consideration and evaluate the implications of these new features from a technological and business perspective. This addresses LO1 – 5 with particular emphasis on the critical comparison of the risk assessment standards mentioned in LO2.
Formative assessment
During the module, students will have an opportunity to develop their skills in working in groups through their preparations for a workshop and a flipped tutorial that examines two incident breaches.
Module aims
- This module will prepare the students with a comprehensive insight into how information security is more than just the technologies needed to develop secure systems and required to improve the security posture of an organisation. It will introduce the students to commonly used technologies, methods and solutions related to information security. Importantly, it will place these within the context of an incident breach and risk assessment. It will consist of a series of lectures presented by security experts from industry. These lectures will include regulatory issues, frameworks, developer concerns, information assurance and experiences from high level security executives.
By working on a group risk assessment the students will obtain hands-on knowledge and experience of how to apply risk assessment techniques to large scale systems and critically explore the appropriateness of technologies and processes that need to be introduced to mitigate the risks. It will provide an opportunity for students to research how systems evolve and how to critically evaluate the business impact of the changes.
Learning outcomes
| Attributes Developed | ||
| 001 | Understand the importance of designing solutions to mitigate security risks | KC |
| 002 | Engage in conducting a risk assessment of a system and understand the difference between various risk management methods in particular ISO and NIST | KCPT |
| 003 | Understand the regulatory implications and security technologies used to manage cyber incidents | KCT |
| 004 | Recognise the benefits, concerns and problems associated with the security of computer systems | KPT |
| 005 | Gain awareness of relevant functions within a security platform / system and trends relating to these, based on topics covered by industrial experts | KT |
Attributes Developed
C - Cognitive/analytical
K - Subject knowledge
T - Transferable skills
P - Professional/Practical skills
Methods of Teaching / Learning
The learning and teaching strategy is designed to:
- Help students to understand the latest technological solutions, applications, problems, and concerns related to information security
- Enable students to critically judge and make an informed decision about the adoption of security solutions and applications for business and government IT systems
- Think broadly about the subject so that they are aware of where to find reports and guidance that represent current industry thinking
It is recognised that this module is different in structure to other modules since it is industry-led. It uniquely provides access to leading industrialists who are experts in their field.
The module does feel different to other modules due to the number of lessons given by industry experts, but this reflects the fact that the purpose of the course is to inform students what the real-world of information security is like and who better to give that perspective than industrial speakers.
The breadth of the module is challenging and there will be a lot of broad reading to do but it will ensure that the students are fully prepared for the real-world.
The learning and teaching methods have also been designed to support the assessment; they include:
Lessons – captured content by the industry speakers. All the speakers were given a brief by the module convenor so that we ensured that all the sessions linked together as a cohesive whole.
Guided learning – reading, exercises, quizzes. The reading will be a combination of reading parts of key industry reports, exercises to practice the risk assessment and threat modelling techniques covered. The quizzes used reinforce the key concepts covered in the lessons.
Tutorials – each week there is a tutorial by the module convenor to steer the content of the module and recap on key points, to complete group exercises, and support for formative feedback with the assessments.
Workshop – there will be an opportunity for students to work in groups to analyse a data breach and to share their findings with the all the students early on in the module
Practicals – each week the groups will be encouraged to get together to work on the exercises, share their findings from the reading and prepare for the workshop and tutorials.
The workshop and practicals will develop the skills of the students to work together.
Independent learning – students will also be advised to follow up on the topics in more depth and perform the necessary research to complete the summative assessments.
Each week a checklist is published identifying the work to be completed each week and the expectations on what the groups should be doing each week.
Indicated Lecture Hours (which may also include seminars, tutorials, workshops and other contact time) are approximate and may include in-class tests where one or more of these are an assessment on the module. In-class tests are scheduled/organised separately to taught content and will be published on to student personal timetables, where they apply to taken modules, as soon as they are finalised by central administration. This will usually be after the initial publication of the teaching timetable for the relevant semester.
Reading list
https://readinglists.surrey.ac.uk
Upon accessing the reading list, please search for the module using the module code: COMM050
Programmes this module appears in
| Programme | Semester | Classification | Qualifying conditions |
|---|---|---|---|
| Information Security MSc | 2 | Optional | A weighted aggregate mark of 50% is required to pass the module |
| Criminology (Cybercrime and Cybersecurity) MSc | 2 | Compulsory | A weighted aggregate mark of 50% is required to pass the module |
| Data Science MSc | 2 | Optional | A weighted aggregate mark of 50% is required to pass the module |
Please note that the information detailed within this record is accurate at the time of publishing and may be subject to change. This record contains information for the most up to date version of the programme / module for the 2022/3 academic year.