Skip to main content Skip to navigation

Module Catalogue

WM3E1-15 Information Assurance

Department
WMG
Level
Undergraduate Level 3
Module leader
Sandy Taramonli
Credit value
15
Module duration
12 weeks
Assessment
100% coursework
Study locations
  • University of Warwick main campus, Coventry Primary
  • Distance or Online Delivery

Download as PDF

Introductory description

Information assurance is defined by NIST as " Measures that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation. These measures include providing for restoration of information systems by incorporating protection, detection, and reaction capabilities." This module is grounded within the Authentication, Authorisation & Accountability Knowledge Area CYBOK (cyber security body of knowledge). The module aligns closely with the CYBOK KA and readers are referred to the CYBOK for more information on technical content covered within the module. The CYBOK KA is also the main reading list item.

In certain scenarios, IT systems are engineered to prevent undesirable behaviour completely. Conversely, some IT systems are designed with a high degree of flexibility, necessitating additional measures to control undesirable behaviour based on specific circumstances. As highlighted by Lessig, this control can be achieved either by coding within the system to prohibit rule-violating behaviour or by establishing codes of conduct for users to follow. In the latter case, disciplinary or legal actions address those who breach the rules, framing the context for authentication, authorization, and accountability.
While readers familiar with academic conventions might anticipate precise definitions and current methodologies regarding authentication, authorization, and accountability, this conventional approach faces an immediate challenge. These terms suffer from overloading, leading to potential confusion and debate. For instance, authorization encompasses both rule establishment and compliance verification. Therefore, readers should approach literature on this Knowledge Area with caution.
Moreover, the evolving landscape of IT usage poses its own challenges to taxonomies. How closely should terms be anchored to their original contexts? There's a tendency in trade and research literature to associate terms solely with traditional conceptualizations while inventing new terminology for emerging environments, even if the underlying concepts remain unchanged.

Module web page

Module aims

The module focuses on the discipline of Information Assurance and compliance, encompassing its associated theories, practices, and principles governing modern information systems within multi-disciplinary structures, processes, and procedures. Special attention is given to frameworks, standards, and strategies for managing an organization's information assets, ensuring compliance with legal and regulatory requirements.

The objective of this module is to enable students to systematically address threats, vulnerabilities, and their potential negative consequences in an organization's daily cyber activities. Students will learn to establish and maintain a risk management framework, providing assurance that information security and assurance strategies align with business objectives and meet legal and regulatory obligations. Various approaches to information risk management and resolution will be examined for a simplified system, with an emphasis on practical application and addressing real-world managerial challenges.

Outline syllabus

This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.

Understanding authentication, authorisation & accountability, and the role they play in information assurance.
Access Control
Biometrics and other access control systems
SAML
OAUTH2
DRM
Auditing

Encryption

  • terminology: hash, digest, Message Authentication Code, function
  • properties: irreversible, deterministic, collision resistance, length
  • applications in the cybe domain- authentication, known good/ bad files, file integrity,
  • attacks- brute force, rainbow tables, password salting/ stretching, collisions
  • specific hashes- MD5 (and collisions), SHA1, SHA2** series
  • practical application of specific algorithms to specific tasks

Encryption theory:

  • terminology: plaintext, ciphertext, key, algorithm, protocol,
  • concepts: entropy, one time pad, complexity, modular arithmetic, initialisation vectors

Symmetric encryption:

  • encryption over distance or time- the key exchange problem
  • example algorithms- DES, Triple DES, AES,

Asymmetric encryption:

  • properties- encrypting for known recipient, signing by authentic sender,
  • establishing trust- hierarchy (X509) and web (OpenPGP), certificates,
  • consequences of loss of key control- revocation certificates.

Hybrid encryption:

  • Using asymmetric encryption to share symmetric key,
  • SSL/TLS

Other specific protocols:

  • Kerberos.
  • IPSEC.

Learning outcomes

By the end of the module, students should be able to:

  • Apply cryptosystem based solutions to information assurance problems. [CITP 2.1.7]
  • Develop processes designed to assess the reliability of technologies and processes. [ CITP 2.1.11]
  • Develop robust information assurance strategies. [CITP 2.1.5] [AHEP4, C9]
  • Using different methods to communicate information assurance concepts and technologies to lay people. [ CITP 2.1.13] [AHEP4, C10] [AHEP4, C17]

Indicative reading list

The reading list comprises the three main standards/documents acknowledged by the cyber security industry as providing a comprehensive overview of

CYBOK, 2021, Authentication, Authorisation & Accountability Knowledge Area, Available at: https://www.cybok.org/media/downloads/Authentication_Authorisation_Accountability_v1.0.2.pdf

NIST, 2020, Security and Privacy Controls for Information Systems and Organizations, available at: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf

NCSC 2015, Information Assurance Maturity Model, available at: https://www.ncsc.gov.uk/information/hmg-ia-maturity-model-iamm - This text is useful as a sample framework that organisations could use/apply.

The following book is useful from an cryptosystem viewpoint but contains much more technical detail than we cover in the module. Do not be put off by the date, it is still considered a standard in the world of crypto:

Schneier, 1996, Applied Cryptography, Wiley, USA

Subject specific skills

This module covers the following Knowledge and Skills based on the latest published DTS DA standard:
-- S2: Identify risks, and determine mitigation strategies and opportunities for improvement in a digital and technology solutions project.
-- S41: Undertake security risk assessments for complex systems without direct supervision and propose a remediation strategy relevant to the context of the organisation.
-- S42: Recommend improvements to the cyber security approaches of an organisation based on research into future potential cyber threats and considering threat trends.
-- S44: Use appropriate cyber security technology, tools and techniques in relation to the risks identified.
has context menu

In addition, the module covers these skills:

  • Rationalise the selection of information assurance strategies for economical deployment, by industry standards.
  • Participate actively in the investigation throughout the educational journey, exploring information assurance management frameworks, technologies, and tools within authentic scenarios, assessing and contrasting their efficacy, and dissecting outcomes.
  • Acquire proficiency in developing information assurance strategies pertinent to business activities within practical cyber security contexts, to grasp the fundamental principles of information assurance management, and the methodologies and infrastructures employed for their execution.

Transferable skills

team working
leadership
communication skills
decision making

Study time

Type Required
Lectures 10 sessions of 1 hour (7%)
Practical classes 20 sessions of 1 hour (13%)
Work-based learning 15 sessions of 1 hour (10%)
Online learning (independent) 10 sessions of 1 hour (7%)
Other activity 5 hours (3%)
Private study 30 hours (20%)
Assessment 60 hours (40%)
Total 150 hours

Private study description

The private study can include revision of module contents, solution of additional seminar-type questions, video tutorials and supplementary materials.

Other activity description
  • Pre-module reading list given on Moodle to encourage flipped learning approach.
  • Preparation for the practical activities.

Costs

No further costs have been identified for this module.

You must pass all assessment components to pass the module.

Assessment group A1
Weighting Study time Eligible for self-certification
Coursework 40% 24 hours Yes (extension)

Implementation of a crypto based solution to an information assurance problem with report submitted on completion.
Coursework 20% 12 hours Yes (extension)

Video based demo for crypto based solution submitted in Coursework 1.
Coursework 40% 24 hours Yes (extension)

Development of a strategic solution to an information assurance problem. The report is aimed at senior exec in an organisation.
Feedback on assessment

Feedback will be given as appropriate to the assessment type:

  • formative feedback for the assignment,
  • verbal feedback during tutorial & lab sessions,
  • Solutions provided to tutorial questions,
  • summative feedback on post module assessment & exam.

Courses

This module is Core for:

  • Year 4 of DWMS-H653 Undergraduate Digital and Technology Solutions (Network Engineering) (Degree Apprenticeship)