


Risk and information management

Module team leader: Leonard Shand

Risk assessments are used to identify, estimate, and prioritize risk to organisational operations (i.e., mission, functions, image, finance and reputation), organisational assets, individuals and other organisations, resulting from the operation and use of information systems.

In order to assess risk, the systems need to be explored for weaknesses, whether technical or social. The reconnaissance methods used to do this emulate those of attackers.

This module examines:

  • the methods and roles of those involved in attacking systems
  • analysing system weaknesses
  • assessing the associated risks and managing them

You will cover:

  • the role of information security awareness and training
  • behavioural analysis and security culture management in maintaining good information security
  • the motivations and ways of thinking of different classes of threat actor (criminals, activists, state actors, hackers) and how these drive the behaviour of each class
  • tailoring mitigations for the different classes of threat actor
  • social engineering and phishing
  • insider threat
    • malicious intent and human error
  • usable security
  • creation of a reasoned argument employing evidence to support a position
  • how threat actors’ actions appear in typical sources of information
  • sourcing intelligence ethically so that it may be used as required
  • methods attackers/threat actors may use to build knowledge of a system they have limited or no direct access to, such as:
    • phishing
    • exploiting an insider
    • port scanning
  • open source intelligence
  • asset valuation and management concepts
  • risk analysis methodologies in common use
  • risk appetite and risk tolerance concepts
  • economics of security concepts
  • different ways of treating risk (mitigate, transfer, accept etc.)
  • principles of system risk modelling and a system risk modelling methodology
  • an enterprise modelling technique such as UML
  • risk assessment and risk management methodologies
  • approaches to risk treatment (mitigate, transfer, accept, etc.)
  • risk management in practice
    • examples such as technical, business process, or other
  • description of risk in qualitative, quantitative, or mixed terms
  • role of risk owner, contrasting role with other stakeholders

The full assignment brief will be placed here when it is issued

Component A: Report (1,500 words)

Issued: Start of block release week 1

Due: Start of block release week 3

Apprentices will write a report (1,500 words) on their research into the roles and actions people play in cybersecurity, both beneficial and harmful.

Component B: Notebook

Issued: End of block release week 3

Due: Start of block release week 1 of next module

Apprentices will be provided with a case study of a system (in document and physical form) for them to perform a complete risk assessment. They will submit a notebook of their findings and methods, alongside a formal documented assessment.

To be added

To be added

All questions about this module, after the course commences, should be initially directed to the module leader. Prior to that contact Bob Higgie bob.higgie@gloscol.ac.uk

Please make contact via email, which is monitored continuously.

To be added

  • Last modified: 2020/09/18 13:17