
WM279-15 Information Security & Risk Management

Department
WMG
Level
Undergraduate Level 2
Module leader
Olga Angelopoulou
Credit value
15
Module duration
30 weeks
Assessment
Multiple
Study location
University of Warwick main campus, Coventry

Introductory description

All organisations hold information that they value, and that value needs protecting. Within an organisation, some individuals carry formal responsibility for protecting the value of information. Ensuring that these responsible persons have appropriate confidence in the security measures that protect the organisation's valuable information is the realm of information security management.

Why an organisation values a piece of information will vary from organisation to organisation and from one information asset to another, and so will the properties of the information that give it value. Some information is special secret knowledge that gives the organisation a competitive advantage; if that information leaks to a competitor, its value is reduced. Some information controls the organisation's processes; if this controlling information is altered, its value may be reduced because the organisation then behaves less well. Some information shapes external perception of the organisation's ability to function; if external parties perceive that this public-facing information is not under the organisation's control, future opportunities may be lost through loss of trust.

Determining the relationship between the properties of information that give it value, the vulnerability of those properties to degradation, the threats that might exploit that vulnerability, and the resulting impact on the organisation when something goes wrong is the realm of information risk management. Measures can be taken to reduce the vulnerability, the threat, or the severity of the impact; these measures enhance information security.

Module aims

The module aims to give students the skills and confidence to recognise and assess information security risks and to identify appropriate ways of managing information security within an organisational context. It is about designing and evaluating solutions in which strategy, policy, processes, behaviours and technology are all in place and coherently support each other.

Outline syllabus

This is an indicative module outline only to give an indication of the sort of topics that may be covered. Actual sessions held may differ.

  • Information Security Standards
  • Legal and Regulatory frameworks
  • Audit and Compliance
  • Information Security Governance and Planning
  • Information Assurance
  • Planning for Risk Assessment
  • Managing Risks and Threats
  • Information Security Policy Principles
  • Information Security Policy Implementation
  • Physical and environmental security
  • Technical security controls
  • Disaster recovery and business continuity
  • Incident Response and digital investigations
  • Information sharing

Learning outcomes

By the end of the module, students should be able to:

  • Understand the responsible attitude required towards the social, ethical, legal and regulatory consequences that flow from professional engagement in security management.
  • Apply a relevant risk management approach to a given organisation or scenario.
  • Analyse the organisational consequences that result from inadequate information risk management.
  • Evaluate the overall coherence of an organisation's management of cyber security, recommending remediation where needed.

Indicative reading list

The existing list will be updated with books such as: Information Risk Management: A practitioner's guide, David Sutton, 2021.


Subject specific skills

  • apply information security concepts on strategic, tactical and operational levels of an organisation
  • design, conduct and manage risk assessments
  • articulate information security management methods
  • design and deliver an information security management system.

Transferable skills

  • Organisational awareness
  • Communication
  • Teamwork
  • Decision making

Study time

Type: Required
Lectures: 18 sessions of 1 hour (12%)
Seminars: 18 sessions of 1 hour (12%)
Private study: 54 hours (36%)
Assessment: 60 hours (40%)
Total: 150 hours

Private study description

Independent work between workshops, following up on tasks begun in earlier sessions or preparing for upcoming ones.

Costs

No further costs have been identified for this module.

You must pass all assessment components to pass the module.

Assessment group A

Report on managing risks: weighting 50%; study time 30 hours; eligible for self-certification: Yes (extension)

Conduct a risk assessment on a given scenario and discuss remediation approaches.

This assessment requires significant background practical work, namely a risk assessment, from which the student produces the written report. The word count has been reduced from the 50% x 15 CAT = 2,000 words to 1,500 to compensate for the practical work required to complete the assessment.

Information Security Framework of Policies: weighting 50%; study time 30 hours; eligible for self-certification: Yes (extension)

Design and apply a framework of policies that adheres to specific requirements.

This assessment requires significant background practical work, namely a policy design, from which the student produces the written report. The word count has been reduced from the 50% x 15 CAT = 2,000 words to 1,500 to compensate for the practical work required to complete the assessment.

Assessment group R

Report on managing risks: weighting 50%; eligible for self-certification: No

Conduct a risk assessment on a given scenario and discuss remediation approaches.
This uses a different case study from the original submission.

This assessment requires significant background practical work, namely a risk assessment and policy design, from which the student produces the written report. The word count has been reduced from the 100% x 15 CAT = 4,000 words to 3,000 to compensate for the practical work required to complete the assessment.

Incident Response and Business Continuity: weighting 50%; eligible for self-certification: No

An executive level report that addresses an organisational incident handling policy.

This assessment requires significant background practical work, namely a policy design, from which the student produces the written report. The word count has been reduced from the 50% x 15 CAT = 2,000 words to 1,500 to compensate for the practical work required to complete the assessment.

Feedback on assessment

Written feedback for each assignment
Verbal feedback during seminars
Summative feedback on assignments

There is currently no information about the courses for which this module is core or optional.