WM9C4-15 Managing Cyber Risk, Audit and Compliance
Introductory description
Cyber security consultants are often tasked with:
- Providing advice regarding establishing and maintaining an information risk assessment and management framework.
- Aiding clients in determining which risk assessment approach is the most appropriate for the business outcomes they wish to achieve.
- Providing guidance on how identified risks can be strategically managed.
This module exposes participants to various approaches to information risk assessment and management. There is an emphasis on the practical nature of this process, the issues that face managers in the real world, and the importance of assessing information risk management within the corporate context to ensure that information security and assurance strategies are aligned with business objectives and consistent with legal and regulatory obligations.
This module equips participants with a detailed applied knowledge of how to establish and maintain a risk management framework. A strong focus will be placed on cost effectiveness and value to the objectives of the business or enterprise. The module also covers business continuity and resilience.
Participants will gain a detailed understanding of relevant cyber law, ethics, principles and rules of cyber security, data protection, consent and privacy. There is an emphasis on domestic legislation and cross-boundary issues and international efforts as well as an examination of legal issues relating to the authorised conduct of cyber operations such as ethical (as opposed to unethical) hacking.
Module aims
This module exposes participants to various approaches to information risk assessment and management. There is an emphasis on the practical nature of this process, the issues that face managers in the real world, and the importance of assessing information risk management within the corporate context to ensure that information security and assurance strategies are aligned with business objectives and consistent with legal and regulatory obligations.
This module equips participants with a detailed applied knowledge of how to establish and maintain a risk management framework. A strong focus will be placed on cost effectiveness and value to the objectives of the business or enterprise. The module also covers business continuity and resilience.
Participants will gain a detailed understanding of relevant cyber law, ethics, principles and rules of cyber security, data protection, consent and privacy. There is an emphasis on domestic legislation and cross-boundary issues and international efforts as well as an examination of legal issues relating to the authorised conduct of cyber operations such as ethical (as opposed to unethical) hacking.
Outline syllabus
This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.
- Risk assessment and management approaches and frameworks. International Standards - ISO27001 & ISO3100; certification; the risk assessment and accreditation process; organisational life¬cycle methodologies and processes; interpreting and implementing a security policy as an organisational Information Security Management System (ISMS) Programme.
- Information Governance. Strategic planning and best practices; policy development; business consideration and legal functions; E-discovery; standardisation and accepted practices; auditing and enforcement; monitoring; records management and inventorying; information governance in the Cloud; social media and mobile devices; maintaining an Information governance programme; capability maturity models.
- Business continuity planning. Relating risks to mitigating safeguards and procedures; developing, reviewing and enacting business continuity plans.
- Compliance and auditing. Regulation and compliance including: GDPR, The Data Protection Act, PCI DSS; Understanding auditing standards such as: the International Standards on Auditing (UK) (ISAs (UK)) and International Standard on Quality Control (UK) (ISQC (UK)); security certifications; understanding auditability; the internal audit process.
- Culture and Communication. Techniques and controls; culture and awareness; communicating risk and developing uptake.
Learning outcomes
By the end of the module, students should be able to:
- Demonstrate a critical awareness of the key attributes of an information governance and compliance framework and of legal, regulatory, and good practice guidelines and regulations which govern information/data compliance for delivery in a range of organisational settings.
- Apply an appropriate risk management approach to a given scenario to identify risk, determine risk probability, and identify mitigation strategies.
- Provide original and creative critical responses to the task of developing an appropriate business continuity and disaster recovery plan for an organisation.
- Demonstrate a critical awareness of the process of auditing information systems.
Indicative reading list
Tipton, H.F. and Nozaki, M.K., 2007. Information security management handbook. CRC press.
Fitzgerald, T., 2016. Information security governance simplified: from the boardroom to the keyboard. CRC Press.
Brotby, K., 2009. Information security governance: a practical development and implementation approach (Vol. 53). John Wiley & Sons.
View reading list on Talis Aspire
Research element
There is a strong emphasis on the development, growth and enhancement of individual research skills so as to provide participants with the high level research knowledge, skills and competencies needed to undertake an independent, original piece of research. The module content draws upon and highlights research within the domain and the module assessment requires participants to perform further research before preparing a response to the assessment task.
Interdisciplinary
Although the module is largely dedicated towards the development of discipline-specific technical, professional and analytical skills, there is an inherent emphasis on the interdisciplinary nature of the subject. Risk assessment and management is a skill that is applicable across a multitude of disciplines, so much so that this module could be made available to participants from other degree programmes.
International
The module is designed in such a way that it can be taught anywhere in the world. Learning materials and examples will be drawn from a range of disciplines, cultures and countries covering the whole range of subjects and disciplines taught in WMG.
Subject specific skills
Participants will develop an advanced applied understanding of risk assessment and management approaches and frameworks, issues and challenges relating to information governance, business continuity planning, and the process of compliance and auditing planning and implementation.
Transferable skills
Critical thinking, communication, information literacy, digital literacy, intercultural awareness, professionalism.
Study time
Type | Required |
---|---|
Lectures | 15 sessions of 1 hour (10%) |
Seminars | 15 sessions of (0%) |
Tutorials | (0%) |
Online learning (independent) | 55 sessions of 1 hour (37%) |
Assessment | 80 hours (53%) |
Total | 150 hours |
Private study description
No private study requirements defined for this module.
Costs
No further costs have been identified for this module.
You must pass all assessment components to pass the module.
Assessment group A1
Weighting | Study time | Eligible for self-certification | |
---|---|---|---|
Risk Management Report | 100% | 80 hours | Yes (extension) |
Participants will prepare a risk management report to include a comprehensive mitigation and response plan and strategy. |
Feedback on assessment
Feedback will be provided as annotated commentary within the submitted work. High level feedback will be provided on a standard WMG feedback sheet. Students will have an opportunity to get further feedback and support directly from the module tutor.
Courses
This module is Core for:
- Cyber Security Management (New Degree)