Information Risk Management



Coursework Specification




Module Details


Module Title: Information Risk Management
Year: 2022-23
Weighting: 75%
Element Description: Written Report (3000 words); Weighting: 75%





Date issued to students: 28th October 2022
Submission Date (Report): 10th December 2023 at 14:00 (GMT)
Submission Place: Blackboard
Submission Time: 14:00 (GMT)













Section 1:          Overview of Assessment


Section 2:          Task Specification


Section 3:          Deliverables


Section 4:          Marking Criteria




Section 1:          Overview of Assessment


This assignment assesses the following module learning outcomes:


  1. Form a deep and systematic understanding of relevant standards, such as ISO27001, in the context of Information Security Management.


  2. Analyse a broad range of issues related to real-world security issues that face commercial organisations and other institutions.


  3. Evaluate and critique the shortcomings of real-world security incidents and provide clear justification and innovative solutions for how ISMS could help mitigate future incidents.


  4. Assess and evaluate the appropriateness of security laws and regulations.


  5. Reflect on personal capabilities for the proposal of an ISMS, providing a strong rationale for the methods adopted.


The assignment is worth 75% of the mark for the module.


Broadly speaking, the assignment requires you to produce a 3000-word report that provides a critical reflection on a real-world security scenario provided in the case study, with evidence of risk assessment using suitable methodologies, and how this can inform mitigation of future incidents.


The assignment is described in more detail in section 2. This is an individual assignment.


Working on this assignment will help you to develop your knowledge and understanding of applying risk methodologies to resolve real-world security incidents. It will also help to develop your critical thinking skills for identifying appropriate mitigation strategies to avoid future security incidents.












Section 2:          Task Specification


(worth 75% towards the final grade):


Produce a 3000-word report to address a case study of information risk management, informed by a real-world security incident and demonstrating concepts of information risk management.


For this assignment, you are provided with the following case study built around a real-world security incident.


Case study:


Imagine you are in charge of an organisational risk management strategy across three distinct departments of the organisation. The organisation envisions risk as, ‘potential vulnerabilities present across our security landscape lead to exposure which enables a cyber incident against the infrastructure, capability, services and applications, which leads to an impact upon Confidentiality, Integrity and/or Availability resulting in reduced resilience, reduced safety, ineffective capabilities, loss of business services, financial impact and reputational damage to UK Government’.


The risk applies to three main business domains:


  1. IT & Infrastructure


  2. Equipment


  3. Logistics & Support services


Each business domain is managed by a separate Director, but collectively they (all three) own the risk. There is a separate Director who is accountable for the risk, and they report the status to the Executive Board throughout the year.


Given the complexity of the risk and its significant breadth and depth, it is difficult to establish a baseline level of risk exposure (a pre-mitigation level) which represents the whole business (all three domains). Defining the Risk Appetite (RA) is also challenging given the differences across the domains, the views from each Director, the level of resources available, etc.


Considering all of the above, answer the following questions:


  1. How would a baseline risk level be established? How can ISMS and FAIR be applied to the organisation?


  2. What approach could be taken to define a risk assessment, and can a single approach work or would it be more appropriate to assess each domain individually? Include risk analysis and treatment strategies.


  3. How would the effectiveness of controls (risk response) be measured? What risk quantification measures and metrics can be used? How can ongoing (residual) risk be monitored?


You are expected to use risk assessment methodologies as covered in this module with critical reflection on your choice of risk methodology, and its strengths and limitations.

You have the freedom to select the risk assessment approach.








Section 3: Deliverables


Part 1: A written report is to be submitted via Blackboard in either DOC or PDF format.



Section 4:          Marking Criteria


The marking criteria for the technical report are given below:













































Report (Contribution of each marking component is shown)


Component 1. Application of a relevant risk management approach (30%)

  0-29:   Little or no discussion on the use of an ISMS and FAIR
  30-39:  Some discussion on the use of an ISMS and FAIR, however lacking in details
  40-49:  Discussion on the use of an ISMS and FAIR, however little application to
  50-59:  Discussion on the use of an ISMS and FAIR with application to the organisation, but at a fairly basic level.
  60-69:  Discussion on the use of an ISMS and FAIR with a good discussion on the application to the organisation.
  70-84:  Good discussion on the use of an ISMS and FAIR with the justification of how this can apply to the organisation.
  85-100: Excellent discussion on the use of an ISMS and FAIR with the strong justification of how this can apply to the organisation.

Component 2. Analysis of Identified Risks, and proposal of treatment strategies including measurement of the effectiveness of controls

  0-29:   No attempt at identifying or analysing risks
  30-39:  Identification of some risks, with limited analysis.
  40-49:  Identification of some risks, with some basic analysis and treatment strategies
  50-59:  Identification of a variety of risks, with analysis and detail of treatment strategies
  60-69:  Identification of a variety of risks, with clear analysis and good detail of treatment strategies
  70-84:  Identification of a broad variety of risks, with clear analysis and good detail of treatment strategies
  85-100: Identification of a broad variety of risks, with excellent analysis and strong justification of treatment strategies choices

Component 3. Critical reflection of appropriate security controls and legislation (20%)

  0-29:   No evidence of critical reflection on security controls and legislation
  30-39:  Limited evidence of critical reflection on security controls and legislation
  40-49:  Some discussion about the choice of security controls and legislation
  50-59:  Discussion about the choice of security controls and relevant legislation, with some evidence of critique
  60-69:  Good discussion about the choice of security controls and relevant legislation, with some evidence of critique
  70-84:  Good discussion about the choice of security controls and relevant legislation, with strong evidence of critique
  85-100: Excellent discussion about the choice of security controls and relevant legislation, with strong evidence and justification of critique

Component 4. Report Presentation (10%)

  0-29:   Poor presentation
  30-39:  Weak presentation
  40-49:  Fair presentation
  50-59:  Good presentation but with some grammatical errors
  60-69:  Good presentation with minor errors
  70-84:  Excellent presentation but with minor errors
  85-100: Excellent presentation