Module Outline Template v6
Module Outline: COMP3357 Managing Cyber Risk 2016-17
Contents
Things you need to know at the beginning
Assignment 1 and 2
Assessment 1 grading matrix
If you have problems with assessments
Module Content
Things you need to know at the beginning
Occurrence A: Monday 1315-1415; 1615-1815. Rooms: CH2006; CH1007
Occurrence B: Thursday 1315-1415; 1415-1615, except weeks 25, 27 (Thurs 1715-1915). Rooms: CH2008; CH1007 CH1001
Teaching team: Richard Henson, [email protected], CH1004, http://staffweb.worc.ac.uk/hensonr
Richard Henson FBCS MSc ARCS CITP CEng is a Senior Lecturer in Computing at the University of Worcester, specializing in Information Security. He is also a member of the government’s IAAC (Information Assurance Advisory Committee), through its Academic Liaison Panel. His research leans towards knowledge transfer, although he is also helping to develop a body of knowledge informing thinking on information security in smaller businesses. He has written and co-written published papers over a number of years covering aspects of information security, particularly in relation to small to medium enterprises (SMEs) and the supply chain.
How this module fits into your course
It develops information systems knowledge and skills relating to systems and business analysis to cover information risk management issues for organisations wishing to secure digital data over local systems and the full expanse of the Internet
How this module engages with the external environment
It covers business and human aspects of cyber security, and covers the basic IT knowledge required to secure a network against attack to defined requirements of the organisation’s information security policy, as well as looking at important related matters such as IT law, cyber insurance, business continuity, and information assurance certification
How this module will enhance your employability
Application of Relevant Knowledge: This module will provide you with the skills and knowledge to address potential and actual security issues relating to organisation digital data, including relevant principles relating to securing digital data both on the move and at rest.
Research and Problem-solving: This module will provide you with the skills and knowledge needed to provide a risk-based assessment of security issues relating to organisation digital data.
Critical Analysis: This module requires scrutiny of data from organisational scenarios, and suggesting possible solutions.
Communication: In addition to reports for verbal communication, this module requires you to do a presentation relating to a strategic level view of security policy.
All these skills are highly sought after in the IT industry, as can be readily confirmed through the website www.itjobswatch.co.uk
What you need to know before you start this module
Basics of information systems and data flow diagrams will certainly be helpful, but no prior technical knowledge is assumed. You are recommended to at least look at the freely available course on Cyber Security which also covers some technical aspects of cyber security: https://www.futurelearn.com/courses/introduction-to-cyber-security
You should also take a look at the recommended reading list: https://worc.rl.talis.com/lists/82F18CFA-5693-B496-690F-08701B395071.html and see how it relates to each taught and practical session. If you have further questions about reading materials please contact Stephanie Allen, the Academic Liaison Librarian for the Business School, [email protected] or go to Business LibGuide www.worc.ac.uk/library/business or Computing LibGuide www.worc.ac.uk/library/computing
Your responsibility
This module will provide all the background information you need as a basis for completing the assessments to a high standard in advance of the class through PowerPoint presentations. There is usually no soundtrack, however, and you must attend all sessions and undertake required pre-reading, since failure to do so will affect your performance. If you cannot attend for any reason you must notify the module leader [email protected] by email as soon as possible.
It is your responsibility to actively and positively engage with the 2 hour practical sessions (for example, asking questions if stuck) and take responsibility for your learning. This way you’ll get the most out of the sessions.
If there is anything which is unclear or you do not understand, ask me, either in person or at the email address above.
What help is there if you have a disability or a particular learning need?
The University of Worcester is committed to ensuring diversity and equality within its teaching practice. If you have a registered disability or particular learning need and you wish this to be taken into account please speak to your Personal Academic Tutor or let the module leader know. You will find additional useful information on the Disability and Dyslexia webpages at http://www.worcester.ac.uk/student-services/disability-and-dyslexia.htm
http://www.worcester.ac.uk/registryservices/documents/StudentFeedbackCharter.pdf
Assessment(s): Two
Assessment 1: Report/Individual Presentation
Word Limit or equivalent (e.g. time): Report: 1,350 words, Presentation: 150 word-equivalent
Weighting: 50%
Learning Outcomes Assessed:
1. Identify strategic, financial and operational benefits and issues of cyber-risk management
2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors
Submission date: 30th March 2017
Feedback date: 29th April 2017
Module Leader: Richard Henson
Verified by: Dr Joanne Kuzma
If anything about either assignment is not clear to you, please contact the module leader.
You are expected to plan your time and work to manage your overall assessment workload.
What you need to do
Scenario:
Moor-4-U is a microbusiness selling a variety of baby goods and consumables online. They have grown rapidly in recent years through good promotion using search engine optimisation, offering goods at a competitive price, and providing a good service. There are recent signs, however, that their systems are not as reliable as they used to be (when they had fewer customers…) and existing customers are beginning to show concern.
The Directors of Moor-4-U have informally approached you because they have been listening to the recent media stories about hacking and are worried about their organisation’s security. They are worried in particular about outsourcing of IT, BYOD, and the new employees with average data management skills but a high propensity to use Facebook. They wondered if they are too trusting of their business partners and employees, but the CEO was told not to worry by other businesses in her network… she was told that hackers are only interested in larger organisations and Government computers.
The Directors weren’t so sure about this and ask you to produce a report highlighting potential concerns for information risk. You request to spend some time inside the organisation, watching data flows in association with the various stages of production of their finely machined parts for the automotive industry. You want to find the current state of play within the organisation and decide to start with the company information security policy. This is a very short document, which states:
“All employees are responsible for the careful use of data in accordance within the principles of the Data Protection Act. Those using computers need to make sure they enter data accurately and those connected to the Internet need to be vigilant against phishing emails.
Anyone infringing this policy can expect considerable financial penalties and a repeat performance will result in suspension.”
There is currently no email policy, no passwords policy, and no policy covering business partners and their data, and no easily visible privacy policy on the website
Your tasks.
Write a management report (1350 words) for Moor-4-U to…
1. Explain why the policy as it stands is totally ineffective and this can have operational and financial implications (350 words)
2. List typical personal and “business sensitive” data that might be held by the organisation, and explain why it needs special treatment (350 words)
3. Summarise the evolving Computer Misuse Act and explain how the likelihood of cyber criminals committing offences can be reduced by appropriate protective measures within the network and at its boundary (350 words)
4. Identify all the critical data flows to the running of the business, and describe an enhanced information security policy so that it takes these into account (300 words on report; 150 word equivalent presentation)
The presentation will be delivered in late March in normal session time with the help of PowerPoint (or equivalent). It will be of 10 minutes duration and counts as 10% of the total marks (hence the 150-word equivalent), and your presentation slides should be submitted with the assignment.
Assessment briefing
This document provides details of the assessment. There will also be an oral briefing conducted during week 3.
There is also an assessment Q&A Page on Blackboard.
Assessment criteria
In addition to assessment according to the general learning objectives for computing, as outlined in the Course Handbook, the following specific criteria will be used for this work:
Explanation of why the policy is ineffective, why it could have operational and/or financial consequences, and what needs to be done
Correctness and appropriateness of lists and why these types of data should be considered to be so important
Explanation of Computer Misuse Act and its implications for organisations
Identification of critical information flows in a business and explanation as to how good organisational policy can help protect them
Referencing, using the Harvard system (see the link to ‘Referencing’ from http://www.worc.ac.uk/studyskills for more information.)
Assessment feedback
Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and Assessment & Feedback section in the Module Outline).
Formative Feedback opportunity
Your opportunity to receive written feedback will be until Monday 20th March 2017 before 3pm via Blackboard. You can submit up to 20% of your Word document via email with your student number. You will receive written feedback on the document itself in the form of comments also via email by Monday 27th March, or sooner. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this tend to achieve higher marks than those who don’t fully participate in the process because they have continued to improve their work.
Handing in and return
Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday, 30/3/17. Work will be returned electronically via SOLE by Thursday, 29/4/17.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube http://youtu.be/yAEnTkVchMg.
If for any reason the systems are down, email your work to [email protected] before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on time submission. You can then submit to the required system when it is working again. With technology sometimes, things can go wrong; these are back-up safeguards.
Turnitin
For this assignment, please put your work through Turnitin to generate an originality report. You should include a print screen of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screen dump, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is back working properly. Use the website turnitinuk.com. You will need a class id and password. Included below:
Class ID: 3397397
Password: computer
Technical support is available by emailing [email protected]
How you should present your work
Report Template
As a structured report. Embedded diagrams are encouraged but they must be referred to from the text and labelled
On the title page list the following:
Module name and code
Student number
Submission date
Assignment Number/Title
Include also:
Grading Matrix
Table of Contents
Introduction
Body
Conclusion
References (use the University Harvard referencing system, support is available through the library www.worc.ac.uk/library/guides/study-skills/referencing)
How we’ll give you guidance
You can submit up to 20% of the assignment as a “sample”. This will be marked and returned to you in good time before the assignment deadline.
If you want to check whether your work will fall foul of plagiarism (copying someone else’s work without an appropriate attribution) check out this library guide which deals with how to use Turnitin http://libguides.worc.ac.uk/guides/study-skills/plagiarism
How and when to hand the assessment in
Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work by the 3pm deadline on 30th March. You should submit your work to SOLE, which is available via your student portal.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube http://youtu.be/yAEnTkVchMg .
If you have issues uploading your assessment to SOLE you will need to contact [email protected]. If you have issues with Blackboard, Turnitin or PebblePad you will need to contact [email protected]
How the assessment will be marked
Specific criteria are in the Grading Matrix for this assignment, which can be found on page 8 of this document
How you will get feedback
Submitted work for formative feedback should be submitted at least one week before assignment hand-in date, and feedback will usually be available within 72 hours.
If you have problems submitting work or submitting work on time:
Firstly, contact someone, your Module Leader or personal Academic Tutor. It is essential that you submit your work, in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.
Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.
Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.
For full details of submission regulations see Undergraduate Regulatory Framework at http://www.worcester.ac.uk/registryservices/documents/UndergraduateRegulatoryFramework2007entry.pdf
If you are ill or have personal problems
The University has a system for applying for mitigating circumstances where things happen, beyond your control, which affect your assessments. Don’t suffer in silence. Speak to your Module Leader, your Personal Academic Tutor or a Programme Advisor. Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at http://www.worcester.ac.uk/registryservices/679.htm
If you engage in academic misconduct (cheating)
Do not use material from sources without acknowledging them using a recognised referencing system. Do not copy another student’s work. If you do you will be referred to the School’s Academic Integrity Tutor and may face further penalties. Details in your Course Handbook accessible via SOLE and at http://www.worcester.ac.uk/registryservices/documents/Proceduresforinvestigationofallegedcheating.pdf
If you don’t pass at the first attempt
DON’T PANIC. In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at http://www.worcester.ac.uk/registryservices/655.htm
Student Number:
Academic Year and Semester:
Learning Outcomes:
1. Identify strategic, financial and operational benefits and issues of cyber-risk management
2. Review current and future trends of the technical and non-technical risks and aspects of information risk management and security, including laws, regulations, and human factors
Module Code/Title: COMP3357
Assignment No/Weighting: 1 (50%)
Occurrence:
Assessment Title: Report/Individual Presentation
Assessment Criteria
GRADE
Explanation of why the policy is ineffective, operational/financial consequences, what needs to be done
Correctness and appropriateness of lists, why these types of data so important
Explanation of Computer Misuse Act and its implications for organisations
Identify critical data flows to the running of the business, describe an enhanced information security policy
Content, Pace, Delivery of Presentation and Appropriateness of Slides
A
Very detailed, in-depth critique of existing information security policy, appropriate and appropriately explained consequences, and a detailed, workable solution to the problem suggested
Extensive list of types of typical company data categorised appropriately with suitable examples given for each type. Detailed explanation of reasons why each data type might need to be protected and consequences if lost or stolen
Excellent discussion of origin and evolution of Computer Misuse Act and detailed discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
Excellent context diagram and level one DFD, showing high risk data. Excellent explanation of ways information security policy could be changed to ensure these data flows are protected
Excellent
B
Fairly detailed critique of existing information security policy, clear indication of potential consequences, and a workable solution to the problem suggested
Appropriate list of types of typical company data categorised appropriately with suitable examples given for each type. Some explanation of reasons why each data type might need to be protected and consequences if lost or stolen
Good discussion of origin and evolution of Computer Misuse Act, discussion about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
Good context diagram and level one DFD, and resource list covering information flows and data stores. Some logical attempt at prioritisation into high medium or low risk based on impact to organisation of loss of that resource
Good
C
Some valid critique of information security policy, possible consequences described, and some indication for a way forward suggested.
Appropriate list of types of typical company data categorised appropriately but with limited examples given for each type. Reasons why each data type might need to be protected given and consequences if lost or stolen provided but rather descriptive
Reasonable discussion of origin and evolution of Computer Misuse Act, but a rather descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
Either context diagram or level 1 DFD missing or inappropriate but resource register satisfactory, and some attempt at categorisation of the list according to impact of loss
Satisfactory
D
Critique of information security policy offered, possible consequences described, but few suggestions regarding how this problem needs to be tackled.
Limited list of categorised types of typical company data and limited range of suitable examples. Limited description of reasons why each data type might need to be protected and consequences if lost or stolen
Some discussion of origin and evolution of Computer Misuse Act, and a highly descriptive account about how effectively offenders (hackers) can be caught and brought to justice, and what an organisation can do to keep offenders out or catch intruders
Either context diagram or level 1 DFD missing or inappropriate and resource register, whilst complete, fails to distinguish list items according to impact of loss
Poor
Fail (E-G)
Critique, consequences, way forward all addressed but at least one of these unconvincing.
Some data types included, but few examples, and consequences of loss only covered superficially
Limited discussion about the Computer Misuse Act itself, and the role of the organisation in preventing intrusions
Limited diagramming, list incomplete, or makes little effort at differentiation of information resources according to impact of loss
Unacceptable
General comment:
What you can do better in future assignments:
How successful completion of this assignment helps your employability:
Assignment Grade: Marker: Moderator*:
Assessment 2: Report
Word Limit or equivalent (e.g. time): 1500
Weighting: 50%
Learning Outcomes Assessed:
3. Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
4. Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan
Submission date: 11th May 2017
Feedback date: 9th June 2017
Module Leader: Richard Henson
Verified by: Dr Joanne Kuzma
What you need to do
Scenario:
Continuing the scenario from assignment 1…
Although Moor-4-U are currently successful as a business, they are aware of intense competition from other businesses also wishing to gain market share in that space, and that there are external factors that may impinge upon their information systems, and affect their ability to trade effectively, if at all.
The management have taken some steps to successfully gain market share since starting up, but the earlier wobbles in delivery and after sales service have caused one or two areas of concern for customers, which continue to affect potential for growth. The operational problems causing customer dissatisfaction were promptly dealt with, but the management is keen to ensure that market share is gained, and not lost, as the company moves forward. They are aware that privacy is becoming an issue for customers buying online, but that availability of data is also an issue.
They wish to be able to boast to customers that they take utmost care with their data, and that their online facilities are maintained to the highest standards so there is little danger that the site will be “down” (i.e. taken down due to hacking or “natural” events) and that their normal 24-7 trading would continue.
They are also aware of imminent changes in EU data protection legislation, and despite the Brexit vote they are taking that legislation very seriously. They are aware that changes may need to take place within the organisation in order to maintain a stable trading platform and expand their markets, but, like most small businesses they have little experience of information risk, its assessment, or its management. They are seeking good advice that will provide a basis for successful global trading post-2018. They have heard about you through a local business network and have decided to approach you…
Your tasks
Analyse, from the information you know about Moor-4-U, how they can mitigate their own cyber risk
Investigate the online retail market for competitor organisations that may be in the same consumer space as Moor-4-U and suggest good practice that Moor-4-U may wish to consider
Discuss how they could use digital security and managing cyber risk to differentiate from competition to increase market share
Devise a risk assessment plan for an organisation
Create a business continuity/disaster recovery plan for the company based on your risk assessment
In each task, state any assumptions that you have made.
Assessment briefing
This document provides details of the assessment. There will also be an oral briefing conducted during week 8.
There is also an assessment Q&A Page on Blackboard
Assessment criteria
In addition to the general points that apply to all assessed work as outlined in the Course Handbook, the following specific criteria will be used for this work:
Depth of analysis, and advice offered, on mitigating risk (300 words)
Online retail market and competitor organisations identified in the same consumer space as Moor-4-U and relevance of good practice suggested (300 words)
Explanation of examples of positive use of cyber risk management to gain market share from rivals (300 words)
Quality of risk assessment plan (300 words)
Quality of business continuity plan (300 words)
Referencing, using the Harvard system (see the link to ‘Referencing’ from http://www.worc.ac.uk/studyskills for more information.)
Assessment feedback
Feedback is provided on an ongoing basis over the course of the module (see “Types of Feedback on my Module” slides on Blackboard and Assessment & Feedback section in the Module Outline).
Formative Feedback opportunity
Your opportunity to receive written feedback will be until Tuesday 2nd May 2017 before 3pm via Blackboard, and you will receive a response by Monday 8th May. You can submit up to 20% of your Word document via email with your student number. You will receive written feedback on the document itself in the form of comments also via email. Seek out as much feedback as you can; it is your responsibility to initiate it, and it helps you get at issues that need attention early on. Students who do this always achieve higher marks than those who don’t fully participate in the process because they have continued to improve their work.
Handing in and return
Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work electronically via SOLE by the 3pm deadline on Thursday, 11/5/17. Assignment feedback will be returned electronically via SOLE by Thursday, 9/6/17.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube http://youtu.be/yAEnTkVchMg.
If for any reason the systems are down, email your work to [email protected] before the deadline just to be on the safe side. You may also email your tutor before the deadline. Providing that the documents emailed are the final copy, these emails will be treated as on time submission. You can then submit to the required system when it is working again. With technology sometimes, things can go wrong; these are back-up safeguards.
Turnitin
For this assignment, please put your work through Turnitin to generate an originality report. You should include a print screen of the part of the Turnitin report showing the overall similarity percentage at the front of your assignment file and submit it with your work. In the event of problems with Turnitin, you should submit your work on time as normal but without the Turnitin report/screen dump, and then e-mail the Turnitin report to your module tutor as soon as possible when Turnitin is back working properly. Use the website turnitinuk.com. You will need a class id and password, included below:
Class ID: 3397397
Password: computer
Technical support is available by emailing [email protected]
How you should present your work
As a structured report. Embedded diagrams are encouraged but they must be referred to from the text and labelled
On the title page list the following:
Module name and code
Student number
Submission date
Assignment Number/Title
Include also:
Grading Matrix
Table of Contents
Introduction
Body
Conclusion
References (use the University Harvard referencing system, support is available through the library www.worc.ac.uk/library/guides/study-skills/referencing)
How we’ll give you guidance
You can submit up to 20% of the assignment as a “sample”. This will be marked and returned to you in good time before the assignment deadline.
If you want to check whether your work will fall foul of plagiarism (copying someone else’s work without an appropriate attribution) check out this library guide which deals with how to use Turnitin http://libguides.worc.ac.uk/guides/study-skills/plagiarism
How and when to hand the assessment in
Work must be word-processed/typed and should clearly show your student number. You are required to keep a copy of work handed in. You should submit your work by the 3pm deadline on 11th May. You should submit your work to SOLE, which is available via your student portal.
See the University’s guide to uploading and submitting assessment items at the University of Worcester via SOLE in under 60 seconds on You Tube http://youtu.be/yAEnTkVchMg .
If you have issues uploading your assessment to SOLE you will need to contact [email protected]. If you have issues with Blackboard, Turnitin or PebblePad you will need to contact [email protected]
How the assessment will be marked
Specific criteria are in the Grading Matrix for this assignment, which can be found on page 8 of this document
How you will get feedback
Submitted work for formative feedback should be submitted at least one week before assignment hand-in date, and feedback will usually be available within 72 hours.
If you have problems submitting work or submitting work on time:
Firstly, contact someone, your Module Leader or personal Academic Tutor. It is essential that you submit your work, in order to be able to pass the module. Work which is submitted late will be subject to grade penalties as below.
Students who submit course work late but within 5 days of the due date will have work marked, but the grade will be capped at the minimum pass grade unless an application for mitigating circumstances is accepted.
Students who submit work later than 5 days but within 14 days of the due date will not have work marked unless they have submitted a valid claim of mitigating circumstances.
For full details of submission regulations see Undergraduate Regulatory Framework at http://www.worcester.ac.uk/registryservices/documents/UndergraduateRegulatoryFramework2007entry.pdf
If you are ill or have personal problems
The University has a system for applying for mitigating circumstances where things happen, beyond your control, which affect your assessments. Don’t suffer in silence. Speak to your Module Leader, your Personal Academic Tutor or a Programme Advisor. Full details of Procedures for Dealing with Exceptional Mitigating Circumstances are available at http://www.worcester.ac.uk/registryservices/679.htm
If you engage in academic misconduct (cheating)
Do not use material from sources without acknowledging them using a recognised referencing system. Do not copy another student’s work. If you do you will be referred to the School’s Academic Integrity Tutor and may face further penalties. Details in your Course Handbook accessible via SOLE and at http://www.worcester.ac.uk/registryservices/documents/Proceduresforinvestigationofallegedcheating.pdf
If you don’t pass at the first attempt
DON’T PANIC. In the event you are required to take reassessment you will receive formal notification of this via a letter from Registry Services posted on the SOLE page after the meeting of the Board of Examiners. The letter will normally include a copy of the reassessment task(s). Deadlines for re-assessment can be found in the University Calendar at http://www.worcester.ac.uk/registryservices/655.htm
Grading Matrix
This matrix captures the assessment criteria for this part of the coursework.
Student Number: Academic Year and Semester:
Learning Outcomes:
3. Analyse how firms can mitigate cyber risk and differentiate from competition to increase market share
4. Devise a risk assessment plan for an organisation, and use this to create a business continuity/disaster recovery plan
Module Code/Title: COMP3357
Assignment No/Weighting: 2 (50%)
Occurrence: Assessment Title: Report to Assess Business for Information Risk and create Business Continuity Plan
Assessment Criteria
GRADE
Analyse, from the information you know about Moor-4-U, how they can mitigate their own cyber risk
Investigate the online retail market for competitor organisations that may be in the same consumer space as Moor-4-U and suggest good practice that Moor-4-U may wish to consider
Discuss how they could use digital security and managing cyber risk to differentiate from competition to increase market share
Devise a risk assessment plan for an organisation
Create a business continuity/disaster recovery plan for the company based on your risk assessment
A Identify all types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running, and what would happen if that data is lost
List a range of online retail organisations that have significant online presence in Moor-4-U’s retail sector, and report identified good practice gleaned (if any!) from their respective websites that Moor-4-U could apply in their own website
Report the extent to which rival organisations promote good information management on their websites, report positive practices that (if part of Moor-4-U’s own practice) could be boasted on the website, and say what Moor-4-U would need to be doing to make such claims and what operational practices would need to be in place
Detailed and appropriate register of well described information assets, and well-structured treatment plan for protecting those assets (or not) with security controls
Detailed and appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Detailed system to assess if threats have changed and test out the backups on a regular basis
B Identify typical types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running and typical consequences of data loss
List online retail organisations with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website.
Note where rival organisations have promoted good information management on their websites, report positive practices that (if part of Moor-4-U’s own practice) could be boasted on the website and say what operational practices would need to be in place to justify this
Fairly detailed and appropriate register of information assets, and treatment plan for protecting those assets (or not) with security controls
Detailed and appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Some system in place to look at threats and test backups
C Identify some types of data that organisations like Moor-4-U carry that might have black market value or are essential to keep the organisation running and what might happen if such data is lost
Explore at least two online retail organisations with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website.
Note how rival organisations promote good information management on their websites, and report positive practices that (if part of Moor-4-U’s own practice) could be boasted on their website
Reasonably accurate register of information assets, and treatment plan for protecting those assets (or not) with security controls
Appropriate list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation. Suggestion of a cycle for assessing threats and testing backups
D Identify types of data that organisations like Moor-4-U carry that might be of interest to others outside the organisation and should therefore be protected
Explore at least one online retail organisation with significant online presence in Moor-4-U’s retail sector, and report identified good practice from their respective websites that could be applied to their own website.
Note how rival organisations promote good information management on their websites, and report a positive practice that (if part of Moor-4-U’s own practice) could be boasted on their website
Limited register listing some information assets, and a clear treatment plan to ensure assets are protected
Limited but workable list of environmental and man-made threats to the organisation, and detailed plan to backup information assets essential to the normal running of the organisation
Fail (E-G)
Discussion of data and information, but not prioritising types of data whose loss would be bad/disastrous for the organisation
Discussion about good practice in e-commerce websites, without focusing on websites offering products/services in the relevant retail sector.
Discussion of good practice on rival websites but not applying this to improving Moor-4-U’s business practices
Inadequate register excluding important assets, and treatment plan either absent or superficial.
Inadequate list of environmental and man-made threats to the organisation, and unconvincing plan to backup information assets essential to the normal running of the organisation
General comment:
What you can do better in future assignments:
How successful completion of this assignment helps your employability:
Assignment Grade: Marker: Moderator*:
* This person is responsible for moderating a sample of student work for this module. Your work may, or may not, have been included in this sample
RESULTS ARE PROVISIONAL UNTIL AGREED BY THE BOARD OF EXAMINERS
Module Content
W/C date
Teaching week number
Topic
How does this link to the Assessment?
Pre/post-class reading or activity
This symbol indicates points at which you should be in contact with your Personal Academic Tutor
23 Jan
Future Week
30 Jan
13 Developing an Information Security Policy for an organisation and matters to be considered e.g. laws and regulations. Specific focus on Computer Misuse Act and Data Protection Act
LO 1 & 2; Smallwood, Chapter 2, 3; Carey, Chapters 1-7
6 Feb
14 Information Security Management as a continuous cyclical process... and the risk-based approach to protection of data enshrined in the ISO standard
LO 1, 2; Smallwood, Chapter 3
13 Feb
15 Boundary and scope. Information flows within and outside an organisation
LO 1, 2; Wheeler, Chapter 1-4
20 Feb
16 Protecting the network from insiders; making use of an Information Security Policy. Outsiders and hacking. Purpose and use of Penetration and Vulnerability testing
LO 1 & 4; Carey, Chapters 8-10
27 Feb
17 Implementation of Information Security Policy. CIA (Confidentiality, Integrity, Availability) of organisational data.
LO 1 & 3; Smallwood, Chapter 7
6 Mar
18 Threats (to information) and vulnerabilities (of system). Information risk management: principles of cataloguing, assessing, and prioritising protection of information assets
LO 2 & 4; Smallwood, Chapter 4; Wheeler, Chapter 4
13 Mar
19 Management controls: scope, assets and prioritising, putting CIA etc. into practice at operational level, third party data, risk assessment and mitigation/management (relate to standards ISO27001, ISACA, IASME), Business Continuity
LO 1, 2, 4; Burtles, Section 1
20 Mar
20 Student Presentations LO 1, 2
27 Mar
21 Student Presentations LO 1, 2
3 Apr
22 Deception: Verbal & Social media manipulation, Phishing, Spear phishing, extortion, bribery, cyber bullying
LO 3; Carey, Chapter 11-12
10 Apr
Easter
17 Apr
Easter
24 Apr
23 Business Continuity as a continuous cyclical process... and the ISO standard
LO 1 & 3; Burtles, Section 2
1 May
24 Global view: US data processing standards, other countries’ standards, the digital single market and the new EU GDPR legislation
LO 2 & 3; Carey 17-18, appendices
8 May
Assessment Week
15 May
Assessment Week