Information security officers are faced with strategic decisions on a daily basis, and are required to make informed decisions on the security options relevant to business and organisational objectives.

In modern organisations, the growth of distributed systems and cloud computing has led to the increasing and dynamic convergence of users and computers through computer networks connected by the Internet. This has led to an increase in attacks on organisations’ information systems in the form of viruses, worms and denial of service attacks. Attacks such as these can cripple an organisation, bringing its business process to a halt, and has the potential to expose and corrupt sensitive data that is managed within computer networks.

This module focuses on the concepts of information security and privacy within the context of strategic information systems and also computer networks. This includes: the need to deter, prevent, detect and react to attacks on computer networks; attacks on information while in transmission between distributed networks; the risk to data stored in the cloud; and the risks to privacy in social networks and “big data”. The human factor also has a part to play in the increase in attacks and this is also discussed.

The module introduces the need for risk assessments and information security policies, standards, legal and ethical aspects of information security, as well as the technical concepts of cryptography for providing transport-level security for protecting communications between networks, types of network intrusion, types of malicious software, and computer network protection mechanisms.

1.  Describe the key concepts of confidentiality, integrity and availability, and the relationship between them.
2. Explain what is meant by authentication and non-repudiation, in the context of electronic transactions, and options for securing them.
3. Describe approaches to determining the value of business assets, including information, and assessing the risks to them.
4. Explain how to assess countermeasures to identified risks, and determine the cost-effectiveness of candidate measures.
5. Describe national and international schemes for the evaluation of security products, and their relevance to organisational or business needs.
6. Describe the purpose of a security policy in an organisation, and explain how to develop and implement such a policy.
7. Reflect on the issues faced by multi-national organisations and their approaches to information risk.
8. Analyse the relationship between security theory and security practice.
9. Explain the relationship between prevention, detection and reaction.
10. Reflect on the systemic nature of information security within a purposeful organisation.
11. Understand and describe the types of attack that occur on computer networks and distributed systems.
12. Explain the anatomy of a different types of Malware and how it spreads between connected information systems
13. Identify, evaluate and recommend a selection of configurations and countermeasures to reduce the likelihood and impact of potential security attacks.
14. Identify and evaluate the risks to computer networks emerging from Cloud computing and wireless connectivity.
15. Understand and explain the complexities of managing and authenticating identity between distributed networks.
16. Understand how to detect and react to network intrusions.

This module will be delivered through a combination of lectures, supervised lab sessions, example classes and tutorials, as appropriate.

Students will be able to demonstrate the ability to complete a security risk analysis, and produce a draft security policy, for a purposeful organisation. This will require the ability to work as a team. Students will also understand how computer networks are configured and where their vulnerabilities lie. They will be able to deploy tools and techniques that will protect and defend information from attack. They will also understand the issues related to the expansion of the traditional computer network as systems become more integrated and distributed between organisations.
 

ILOs 1-7 and 12-16 are assessed in a 2hr written examination

ILOs 8-11 are assessed in a written essay on access control and securing of information in collaborative distributed networks, reflecting on the limitation of existing security technologies

The assessments will allow the student to demonstrate their knowledge and practical skills and to apply the principles taught in lectures.

The potential for reassessment in this module is a 100% resit examination during the summer.

Introduction to Information Security.

Security concepts, standards, and codes of practice.

Identification of business critical processes and assets.

Risk assessment and countermeasures.

Organisation aspects of information security and security policies.

Assurance/accreditation issues.

Introduction to Computer Networks.

Cryptography for Confidentiality and Authentication.

User Authentication.

Transport-Level Security.

Wireless Network Security.

IP Security.

Intrusion Types and Methods.

Malicious Software and Viruses.

Firewalls.