
Upload: nguyenkhanh

Post on 02-Feb-2018


Module Outline Template v6

Module Outline: COMP3357 Managing Cyber Risk 2016-17

Contents (page)

Things you need to know at the beginning: 1
Assignment 1 and 2: 3, 10
Assessment 1 grading matrix: 8
If you have problems with assessments: 6, 13
Module Content: 18

Things you need to know at the beginning

Occurrence A: Monday 1315-1415; 1615-1815. Rooms: CH2006; CH1007
Occurrence B: Thursday 1315-1415; 1415-1615, except weeks 25, 27 (Thurs 1715-1915). Rooms: CH2008; CH1007 CH1001

Teaching team: Richard Henson, [email protected], CH1004, http://staffweb.worc.ac.uk/hensonr

Richard Henson FBCS MSc ARCS CITP CEng is a Senior Lecturer in Computing at the University of Worcester, specializing in Information Security. He is also a member of the government’s IAAC (Information Assurance Advisory Committee), through its Academic Liaison Panel. His research leans towards knowledge transfer, although he is also helping to develop a body of knowledge informing thinking on information security in smaller businesses. He has written and co-written published papers over a number of years covering aspects of information security, particularly in relation to small to medium enterprises (SMEs) and the supply chain.

How this module fits into your course

It develops information systems knowledge and skills relating to systems and business analysis to cover information risk management issues for organisations wishing to secure digital data over local systems and the full expanse of the Internet.

How this module engages with the external environment

It covers business and human aspects of cyber security and the basic IT knowledge required to secure a network against attack to the defined requirements of the organisation’s information security policy, as well as important related matters such as IT law, cyber insurance, business continuity, and information assurance certification.

How this module will enhance your employability

Application of Relevant Knowledge: This module will provide you with the skills and knowledge to address potential and actual security issues relating to organisation digital data, including relevant principles relating to securing digital data both on the move and at rest.

Research and Problem-solving: This module will provide you with the skills and knowledge needed to provide a risk-based assessment of security issues relating to organisation digital data.

Critical Analysis: This module requires scrutiny of data from organisational scenarios, and suggestion of possible solutions.

Communication: In addition to reports for verbal communication, this module requires you to do a presentation relating to a strategic level view of security policy.

All these skills are highly sought after in the IT industry, as can be readily confirmed through the website www.itjobswatch.co.uk

What you need to know before you start this module

Basics of information systems and data flow diagrams will certainly be helpful, but no prior technical knowledge is assumed.

You are recommended to at least look at the freely available course on Cyber Security, which also covers some technical aspects of cyber security: https://www.futurelearn.com/courses/introduction-to-cyber-security

You should also take a look at the recommended reading list: https://worc.rl.talis.com/lists/82F18CFA-5693-B496-690F-08701B395071.html and see how it relates to each taught and practical session.

If you have further questions about reading materials, please contact Stephanie Allen, the Academic Liaison Librarian for the Business School, [email protected], or go to the Business LibGuide www.worc.ac.uk/library/business or the Computing LibGuide www.worc.ac.uk/library/computing

Your responsibility

This module will provide all the background information you need as a basis for completing the assessments to a high standard in advance of the class through PowerPoint presentations. There is usually no soundtrack, however, and you must attend all sessions and undertake required pre-reading, since failure to do so will affect your performance. If you cannot attend for any reason you must notify the module leader [email protected] by email as soon as possible.

It is your responsibility to actively and positively engage with the 2-hour practical sessions (for example, asking questions if stuck) and take responsibility for your learning. This way you’ll get the most out of the sessions.

If there is anything which is unclear or you do not understand, ask me, either in person or at the email address above.

What help is there if you have a disability or a particular learning need?

The University of Worcester is committed to ensuring diversity and equality within its teaching practice. If you have a registered disability or particular learning need and you wish this to be taken into account please speak to your Personal Academic Tutor or let the module leader know. You will find additional useful information on the Disability and Dyslexia webpages at http://www.worcester.ac.uk/student-services/disability-and-dyslexia.htm

http://www.worcester.ac.uk/registryservices/documents/StudentFeedbackCharter.pdf


Assessment(s): Two

Assessment 1: Report/Individual Presentation
Word Limit or equivalent (e.g. time): Report: 1,350 words, Presentation: 150 word-equivalent
Weighting: 50%
Learning Outcomes Assessed:
1. Identify strategic, financial and operational benefits and issues of cyber-risk management
2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors
Submission date: 30th March 2017
Feedback date: 29th April 2017
Module Leader: Richard Henson
Verified by: Dr Joanne Kuzma

If anything about either assignment is not clear to you, please contact the module leader.

You are expected to plan your time and work to manage your overall assessment workload.

What you need to do

Scenario:

Moor-4-U is a microbusiness selling a variety of baby goods and consumables online. They have grown rapidly in recent years through good promotion using search engine optimisation, offering goods at a competitive price, and providing a good service. There are recent signs, however, that their systems are not as reliable as they used to be (when they had fewer customers…) and existing customers are beginning to show concern.

The Directors of Moor-4-U have informally approached you because they have been listening to the recent media stories about hacking and are worried about their organisation’s security. They are worried in particular about outsourcing of IT, BYOD, and the new employees with average data management skills but a high propensity to use Facebook. They wondered if they are too trusting of their business partners and employees, but the CEO was told not to worry by other businesses in her network… she was told that hackers are only interested in larger organisations and Government computers.

The Directors weren’t so sure about this and ask you to produce a report highlighting potential concerns for information risk. You request to spend some time inside the organisation, watching data flows in association with the various stages of production of their finely machined parts for the automotive industry. You want to find the current state of play within the organisation and decide to start with the company information security policy. This is a very short document, which states:

“All employees are responsible for the careful use of data in accordance within the principles of the Data Protection Act. Those using computers need to make sure they enter data accurately and those connected to the Internet need to be vigilant against phishing emails.

Anyone infringing this policy can expect considerable financial penalties and a repeat performance will result in suspension.”

There is currently no email policy, no passwords policy, no policy covering business partners and their data, and no easily visible privacy policy on the website.

Your tasks.

Write a management report (1350 words) for Moor-4-U to…

1. Explain why the policy as it stands is totally ineffective and this can have operational and financial implications (350 words)

2. List typical personal and “business sensitive” data that might be held by the organisation, and explain why it needs special treatment (350 words)

3. Summarise the evolving Computer Misuse Act and explain how the likelihood of cyber criminals committing offences can be reduced by appropriate protective measures within the network and at its boundary (350 words)

4. Identify all the critical data flows to the running of the business, and describe an enhanced information security policy so that it takes these into account (300 words on report; 150 word equivalent presentation)

The presentation will be delivered in late March in normal session time with the help of PowerPoint (or equivalent). It will be of 10 minutes duration and counts as 10% of the total marks (hence the 150-word equivalent), and your presentation slides should be submitted with the assignment.

Assessment briefing

This document provides details of the assessment. There will also be an oral briefing conducted during week 3.

There is also an assessment Q&A Page on Blackboard.

Assessment criteria

In addition to assessment according to the general learning objectives for computing, as outlined in the Course Handbook, the following specific criteria will be used for this work:

Explanation of why the policy is ineffective, why it could have operational and/or financial consequences, and what needs to be done

Correctness and appropriateness of lists and why these types of data should be considered to be so important

Explanation of Computer Misuse Act and its implications for organisations

Identification of critical information flows in a business and explanation as to how good organisational policy can help protect them

Referencing, using the Harvard system (see the link to ‘Referencing’ from http://www.worc.ac.uk/studyskills for more information.)

Assessment feedback


Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and Assessment & Feedback section in the Module Outline).

Formative Feedback opportunity

Your opportunity to receive written feedback will be until Monday 20th March 2017 before 3pm via Blackboard. You can submit up to 20% of your Word document via email with your student number. You will receive written feedback on the document itself in the form of comments also via email by Monday 27th March, or sooner. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this tend to achieve higher marks than those who don’t fully participate in the process because they have continued to improve their work.

Handing in and return

Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday, 30/3/17. The assignment will be returned electronically via SOLE by Thursday, 29/4/17.

See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on YouTube http://youtu.be/yAEnTkVchMg.

If for any reason the systems are down, email your work to [email protected] before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on time submission. You can then submit to the required system when it is working again. With technology sometimes, things can go wrong; these are back-up safeguards.

Turnitin

For this assignment, please put your work through Turnitin to generate an originality report. You should include a print screen of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screen dump, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is back working properly. Use the website turnitinuk.com. You will need a class id and password. Included below:

Class ID: 3397397
Password: computer

Technical support is available by emailing [email protected]

How you should present your work

Report Template

As a structured report. Embedded diagrams are encouraged but they must be referred to from the text and labelled

On the title page list the following:
Module name and code
Student number
Submission date
Assignment Number/Title

Include also:
Grading Matrix
Table of Contents
Introduction
Body
Conclusion
References (use the University Harvard referencing system, support is available through the library www.worc.ac.uk/library/guides/study-skills/referencing)

How we’ll give you guidance

You can submit up to 20% of the assignment as a “sample”. This will be marked and returned to you in good time before the assignment deadline.

If you want to check whether your work will fall foul of plagiarism (copying someone else’s work without an appropriate attribution) check out this library guide which deals with how to use Turnitin http://libguides.worc.ac.uk/guides/study-skills/plagiarism

How and when to hand the assessment in

Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work by the 3pm deadline on 30th March. You should submit your work to SOLE, which is available via your student portal.

See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on YouTube http://youtu.be/yAEnTkVchMg.

If you have issues uploading your assessment to SOLE you will need to contact [email protected]. If you have issues with Blackboard, Turnitin or PebblePad you will need to contact [email protected]

How the assessment will be marked

Specific criteria are in the Grading Matrix for this assignment, which can be found on page 8 of this document

How you will get feedback

Submitted work for formative feedback should be submitted at least one week before assignment hand-in date, and feedback will usually be available within 72 hours.

If you have problems submitting work or submitting work on time:

Firstly, contact someone, your Module Leader or personal Academic Tutor. It is essential that you submit your work, in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.

Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.

Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.

For full details of submission regulations see Undergraduate Regulatory Framework at http://www.worcester.ac.uk/registryservices/documents/UndergraduateRegulatoryFramework2007entry.pdf

If you are ill or have personal problems

The University has a system for applying for mitigating circumstances where things happen, beyond your control, which affect your assessments. Don’t suffer in silence. Speak to your Module Leader, your Personal Academic Tutor or a Programme Advisor.

Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at http://www.worcester.ac.uk/registryservices/679.htm

If you engage in academic misconduct (cheating)

Do not use material from sources without acknowledging them using a recognised referencing system. Do not copy another student’s work. If you do you will be referred to the School’s Academic Integrity Tutor and may face further penalties. Details in your Course Handbook accessible via SOLE and at http://www.worcester.ac.uk/registryservices/documents/Proceduresforinvestigationofallegedcheating.pdf

If you don’t pass at the first attempt

DON’T PANIC. In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at http://www.worcester.ac.uk/registryservices/655.htm


Student Number:
Academic Year and Semester:

Learning Outcomes:
1. Identify strategic, financial and operational benefits and issues of cyber-risk management
2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors

Module Code/Title: COMP3357
Assignment No/Weighting: 1 (50%)
Occurrence:
Assessment Title: Report/Individual Presentation

Assessment Criteria (the columns of the grading matrix; each grade below lists its descriptors in the same order):

1. Explanation of why the policy is ineffective, operational/financial consequences, what needs to be done
2. Correctness and appropriateness of lists, why these types of data so important
3. Explanation of Computer Misuse Act and its implications for organisations
4. Identify critical data flows to the running of the business, describe an enhanced information security policy
5. Content, Pace, Delivery of Presentation and Appropriateness of Slides

GRADE A

1. Very detailed, in-depth critique of existing information security policy, appropriate and appropriately explained consequences, and a detailed, workable solution to the problem suggested
2. Extensive list of types of typical company data categorised appropriately with suitable examples given for each type. Detailed explanation of reasons why each data type might need to be protected and consequences if lost or stolen
3. Excellent discussion of origin and evolution of Computer Misuse Act and detailed discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
4. Excellent context diagram and level one DFD, showing high risk data. Excellent explanation of ways information security policy could be changed to ensure these data flows are protected
5. Excellent

GRADE B

1. Fairly detailed critique of existing information security policy, clear indication of potential consequences, and a workable solution to the problem suggested
2. Appropriate list of types of typical company data categorised appropriately with suitable examples given for each type. Some explanation of reasons why each data type might need to be protected and consequences if lost or stolen
3. Good discussion of origin and evolution of Computer Misuse Act, discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
4. Good context diagram and level one DFD, and resource list covering information flows and data stores. Some logical attempt at prioritisation into high medium or low risk based on impact to organisation of loss of that resource
5. Good

GRADE C

1. Some valid critique of information security policy, possible consequences described, and some indication for a way forward suggested.
2. Appropriate list of types of typical company data categorised appropriately but with limited examples given for each type. Reasons why each data type might need to be protected given and consequences if lost or stolen provided but rather descriptive
3. Reasonable discussion of origin and evolution of Computer Misuse Act, but a rather descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
4. Either context diagram or level 1 DFD missing or inappropriate but resource register satisfactory, and some attempt at categorisation of the list according to impact of loss
5. Satisfactory

GRADE D

1. Critique of information security policy offered, possible consequences described, but few suggestions regarding how this problem needs to be tackled.
2. Limited list of categorised types of typical company data and limited range of suitable examples. Limited description of reasons why each data type might need to be protected and consequences if lost or stolen
3. Some discussion of origin and evolution of Computer Misuse Act, and a highly descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
4. Either context diagram or level 1 DFD missing or inappropriate and resource register, whilst complete, fails to distinguish list items according to impact of loss
5. Poor

GRADE Fail (E-G)

1. Critique, consequences, way forward all addressed but at least one of these unconvincing.
2. Some data types included, but few examples, and consequences of loss only covered superficially
3. Limited discussion about the Computer Misuse Act itself, and the role of the organisation in preventing intrusions
4. Limited diagramming, list incomplete, or makes little effort at differentiation of information resources according to impact of loss
5. Unacceptable

General comment:

What you can do better in future assignments:

How successful completion of this assignment helps your employability:

Assignment Grade:
Marker:
Moderator*:


Assessment 2: Report
Word Limit or equivalent (e.g. time): 1500
Weighting: 50%
Learning Outcomes Assessed:
3. Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
4. Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan
Submission date: 11th May 2017
Feedback date: 9th June 2017
Module Leader: Richard Henson
Verified by: Dr Joanne Kuzma

What you need to do

Scenario:

Continuing the scenario from assignment 1…

Although Moor-4-U are currently successful as a business, they are aware of intense competition from other businesses also wishing to gain market share in that space, and that there are external factors that may impinge upon their information systems, and affect their ability to trade effectively, if at all.

The management have taken some steps to successfully gain market share since starting up, but the earlier wobbles in delivery and after sales service have caused one or two areas of concern for customers, which continue to affect potential for growth. The operational problems causing customer dissatisfaction were promptly dealt with, but the management is keen to ensure that market share is gained, and not lost, as the company moves forward. They are aware that privacy is becoming an issue for customers buying online, but that availability of data is also an issue.

They wish to be able to boast to customers that they take utmost care with their data, and that their online facilities are maintained to the highest standards so there is little danger that the site will be “down” (i.e. taken down due to hacking or “natural” events) and that their normal 24-7 trading would continue.

They are also aware of imminent changes in EU data protection legislation, and despite the Brexit vote they are taking that legislation very seriously. They are aware that changes may need to take place within the organisation in order to maintain a stable trading platform and expand their markets, but, like most small businesses they have little experience of information risk, its assessment, or its management. They are seeking good advice that will provide a basis for successful global trading post-2018. They have heard about you through a local business network and have decided to approach you…

Your tasks

Analyse, from the information you know about Moor-4-U, how they can mitigate their own cyber risk

Investigate the online retail market for competitor organisations that may be in the same consumer space as Moor-4-U and suggest good practice that Moor-4-U may wish to consider

Discuss how they could use digital security and managing cyber risk to differentiate from competition to increase market share

Devise a risk assessment plan for an organisation

Create a business continuity/disaster recovery plan for the company based on your risk assessment

In each task, state any assumptions that you have made.

Assessment briefing

This document provides details of the assessment. There will also be an oral briefing conducted during week 8.

There is also an assessment Q&A Page on Blackboard.

Assessment criteria

In addition to the general points that apply to all assessed work as outlined in the Course Handbook, the following specific criteria will be used for this work:

Depth of analysis, and advice offered, on mitigating risk (300 words)

Online retail market and competitor organisations identified in the same consumer space as Moor-4-U and relevance of good practice suggested (300 words)

Explanation of examples of positive use of cyber risk management to gain market share from rivals (300 words)

Quality of risk assessment plan (300 words)

Quality of business continuity plan (300 words)

Referencing, using the Harvard system (see the link to ‘Referencing’ from http://www.worc.ac.uk/studyskills for more information.)

Assessment feedback

Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and Assessment & Feedback section in the Module Outline).

Formative Feedback opportunity

Your opportunity to receive written feedback will be until Tuesday 2nd May 2017 before 3pm via Blackboard, and you will receive a response by Monday 8th May. You can submit up to 20% of your Word document via email with your student number. You will receive written feedback on the document itself in the form of comments also via email. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this always achieve higher marks than those who don’t fully participate in the process because they have continued to improve their work.

Handing in and return

Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday, 11/5/17. Assignment feedback will be returned electronically via SOLE by Thursday, 9/6/17.

See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on YouTube http://youtu.be/yAEnTkVchMg.


If for any reason the systems are down, email your work to [email protected] before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on time submission. You can then submit to the required system when it is working again. With technology sometimes, things can go wrong; these are back-up safeguards.

Turnitin

For this assignment, please put your work through Turnitin to generate an originality report. You should include a print screen of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screen dump, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is back working properly. Use the website turnitinuk.com. You will need a class id and password, included below:

Class ID: 3397397
Password: computer

Technical support is available by emailing [email protected]

How you should present your work

As a structured report. Embedded diagrams are encouraged, but they must be labelled and referred to from the text.

On the title page list the following:
- Module name and code
- Student number
- Submission date
- Assignment Number/Title

Include also:
- Grading Matrix
- Table of Contents
- Introduction
- Body
- Conclusion
- References (use the University Harvard referencing system; support is available through the library at www.worc.ac.uk/library/guides/study-skills/referencing)

How we’ll give you guidance

You can submit up to 20% of the assignment as a “sample”. This will be marked and returned to you in good time before the assignment deadline.

If you want to check whether your work will fall foul of plagiarism (copying someone else’s work without an appropriate attribution), check out this library guide, which deals with how to use Turnitin: http://libguides.worc.ac.uk/guides/study-skills/plagiarism

How and when to hand the assessment in

Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work by the 3pm deadline on 11th May. You should submit your work to SOLE, which is available via your student portal.

See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on YouTube: http://youtu.be/yAEnTkVchMg

If you have issues uploading your assessment to SOLE, you will need to contact [email protected]. If you have issues with Blackboard, Turnitin or PebblePad, you will need to contact [email protected]

How the assessment will be marked

Specific criteria are in the Grading Matrix for this assignment, which can be found on page 8 of this document.

How you will get feedback

Work for formative feedback should be submitted at least one week before the assignment hand-in date, and feedback will usually be available within 72 hours.

If you have problems submitting work or submitting work on time:

Firstly, contact someone: your Module Leader or Personal Academic Tutor. It is essential that you submit your work in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.

Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.

Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.

For full details of submission regulations see Undergraduate Regulatory Framework at http://www.worcester.ac.uk/registryservices/documents/UndergraduateRegulatoryFramework2007entry.pdf

If you are ill or have personal problems

The University has a system for applying for mitigating circumstances where things happen, beyond your control, which affect your assessments. Don’t suffer in silence. Speak to your Module Leader, your Personal Academic Tutor or a Programme Advisor. Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at http://www.worcester.ac.uk/registryservices/679.htm

If you engage in academic misconduct (cheating)

Do not use material from sources without acknowledging them using a recognised referencing system. Do not copy another student’s work. If you do, you will be referred to the School’s Academic Integrity Tutor and may face further penalties. Details are in your Course Handbook, accessible via SOLE, and at http://www.worcester.ac.uk/registryservices/documents/Proceduresforinvestigationofallegedcheating.pdf

If you don’t pass at the first attempt

DON’T PANIC. In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at http://www.worcester.ac.uk/registryservices/655.htm

Grading Matrix

This matrix captures the assessment criteria for this part of the coursework.

Student Number:
Academic Year and Semester:

Learning Outcomes:
3. Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
4. Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan

Module Code/Title: COMP3357
Assignment No/Weighting: 2 (50%)
Occurrence:
Assessment Title: Report to Assess Business for Information Risk and create Business Continuity Plan

Assessment Criteria

| GRADE | Analyse, from the information you know about Moor-4-U, how they can mitigate their own cyber risk | Investigate the online retail market for competitor organisations that may be in the same consumer space as Moor-4-U and suggest good practice that Moor-4-U may wish to consider | Discuss how they could use digital security and managing cyber risk to differentiate from competition to increase market share | Devise a risk assessment plan for an organisation | Create a business continuity/disaster recovery plan for the company based on your risk assessment |
|---|---|---|---|---|---|
| A | Identify all types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running, and what would happen if that data is lost | List a range of online retail organisations that have significant online presence in Moor-4-U’s retail sector, and report identified good practice gleaned (if any!) from their respective websites that Moor-4-U could apply in their own website | Report the extent to which rival organisations promote good information management on their websites, report positive practices that (if part of Moor-4-U’s own practice) could be boasted on the website and say what Moor-4-U would need to be doing to make such claims and say what operational practices would need to be in place | Detailed and appropriate register of well described information assets, and well-structured treatment plan for protecting those assets (or not) with security controls | Detailed and appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Detailed system to assess if threats have changed and test out the backups on a regular basis |
| B | Identify typical types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running and typical consequences of data loss | List online retail organisations with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website. | Note where rival organisations have promoted good information management on their websites, report positive practices that (if part of Moor-4-U’s own practice) could be boasted on the website and say what operational practices would need to be in place to justify this | Fairly detailed and appropriate register of information assets, and treatment plan for protecting those assets (or not) with security controls | Detailed and appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Some system in place to look at threats and test backups |
| C | Identify some types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running and what might happen if such data is lost | Explore at least two online retail organisations with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website. | Note how rival organisations promote good information management on their websites, and report positive practices that (if part of Moor-4-U’s own practice) could be boasted on their website | Reasonably accurate register of information assets, and treatment plan for protecting those assets (or not) with security controls | Appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Suggestion of a cycle for assessing threats and testing backups |
| D | Identify types of data that organisations like Moor-4-U carry that might be of interest to others outside the organisation and should therefore be protected | Explore at least one online retail organisation with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website. | Note how rival organisations promote good information management on their websites, and report a positive practice that (if part of Moor-4-U’s own practice) could be boasted on their website | Limited register listing some information assets, and a clear treatment plan to ensure assets are protected | Limited but workable list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation |
| Fail (E-G) | Discussion of data and information, but not prioritising types of data whose loss would be bad/disastrous for organisation | Discussion about good practice in e-commerce websites, without focusing on websites offering products/services in the relevant retail sector. | Discussion of good practice on rival websites but not applying this to improving Moor-4-U’s business practices | Inadequate register excluding important assets, and treatment plan either absent or superficial. | Inadequate list of environmental and man-made threats to the organisation, and unconvincing plan to backup information assets essential to the normal running of the organisation |

General comment:

What you can do better in future assignments:

How successful completion of this assignment helps your employability:

Assignment Grade: Marker: Moderator*:

* This person is responsible for moderating a sample of student work for this module. Your work may, or may not, have been included in this sample

RESULTS ARE PROVISIONAL UNTIL AGREED BY THE BOARD OF EXAMINERS

Module Content

This symbol indicates points at which you should be in contact with your Personal Academic Tutor

| W/C date | Teaching week number | Topic | How does this link to the Assessment? | Pre/post-class reading or activity |
|---|---|---|---|---|
| 23 Jan | | Future Week | | |
| 30 Jan | 13 | Developing an Information Security Policy for an organisation and matters to be considered e.g. laws and regulations. Specific focus on Computer Misuse Act and Data Protection Act | LO 1 & 2 | Smallwood, Chapter 2, 3; Carey, Chapters 1-7 |
| 6 Feb | 14 | Information Security Management as a continuous cyclical process... and the risk-based approach to protection of data enshrined in the ISO standard | LO 1, 2 | Smallwood Chapter 3 |
| 13 Feb | 15 | Boundary and scope. Information flows within and outside an organisation | LO 1, 2 | Wheeler Chapter 1-4 |
| 20 Feb | 16 | Protecting the network from insiders; making use of an Information Security Policy. Outsiders and hacking. Purpose and use of Penetration and Vulnerability testing | LO 1 & 4 | Carey Chapters 8-10 |
| 27 Feb | 17 | Implementation of Information Security Policy. CIA (Confidentiality, Integrity, Availability) of organisational data. | LO 1 & 3 | Smallwood Chapter 7 |
| 6 Mar | 18 | Threats (to information) and vulnerabilities (of system). Information risk management: principles of cataloguing, assessing, and prioritising protection of information assets | LO 2 & 4 | Smallwood Chapter 4; Wheeler Chapter 4 |
| 13 Mar | 19 | Management controls: scope, assets and prioritising, putting CIA etc. into practice at operational level, third party data, risk assessment and mitigation/management (relate to standards ISO27001, ISACA, IASME), Business Continuity | LO 1, 2, 4 | Burtles, Section 1 |
| 20 Mar | 20 | Student Presentations | LO 1, 2 | |
| 27 Mar | 21 | Student Presentations | LO 1, 2 | |
| 3 Apr | 22 | Deception: Verbal & Social media manipulation, Phishing, Spear phishing, extortion, bribery, cyber bullying | LO 3 | Carey Chapter 11-12 |
| 10 Apr | | Easter | | |
| 17 Apr | | Easter | | |
| 24 Apr | 23 | Business Continuity as a continuous cyclical process... and the ISO standard | LO 1 & 3 | Burtles, Section 2 |
| 1 May | 24 | Global view: US data processing standards, other countries’ standards, the digital single market and the new EU GDPR legislation | LO 2 & 3 | Carey 17-18, appendices |
| 8 May | | Assessment Week | | |
| 15 May | | Assessment Week | | |
