COMMGMT 2507 - Information Risks, Threats & Controls

North Terrace Campus - Semester 2 - 2019

The course Information Risks, Threats & Controls considers a broad perspective of organisational vulnerabilities of the digital age, including Enterprise Risk Assessment. Topics addressed include recognition, analysis, and synthesis of risks, threats, and vulnerabilities, and measures to mitigate them, including policy, control, and implementation. Risk management and assurance are critical to all aspects of all businesses and on a broad level. While this course acknowledges the need to recognise and analyse risks, threats, and vulnerabilities across and within the various disciplinary structures of an organisation (including fiscal risk, brand and reputation, production, operations, legal, and OH&S), it does so from the perspective of the responsibility for Information and Cyber Security plans to support and ensure the risk management of other departments and disciplines. The focus, throughout, is specifically on Information & Cyber Security and Data Privacy.

  • General Course Information
    Course Details
    Course Code COMMGMT 2507
    Course Information Risks, Threats & Controls
    Coordinating Unit Business School
    Term Semester 2
    Level Undergraduate
    Location/s North Terrace Campus
    Units 3
    Contact Up to 3 hours per week
    Available for Study Abroad and Exchange Y
    Incompatible COMMGMT 7025
    Course Staff

    Course Coordinator: Dr Cate Jerram

    Dr Cate Jerram
    10.34 Nexus 10
    cate.jerram@adelaide.edu.au
    #8313 4757
    Course Timetable

    The full timetable of all activities for this course can be accessed from Course Planner.

  • Learning Outcomes
    Course Learning Outcomes
    On successful completion of this course, students will be able to:
    1. Explain the differences between risk, threat, and vulnerabilities, how they inter-relate, and the principal means of recognising them.
    2. Identify and describe the different types of risks and their nature, across the various core business functions and processes.
    3. Demonstrate different methods of conducting risk analyses and impact assessments.
    4. Detail the core requirements of an Information Risk Assurance process.
    5. Develop an Information Security Framework for a specified business.
    University Graduate Attributes

    This course will provide students with an opportunity to develop the Graduate Attribute(s) specified below:

    University Graduate Attribute (with the Course Learning Outcomes it maps to)
    Deep discipline knowledge (Course Learning Outcomes: 1 - 4)
    • informed and infused by cutting edge research, scaffolded throughout their program of studies
    • acquired from personal interaction with research active educators, from year 1
    • accredited or validated against national or international standards (for relevant programs)
    Critical thinking and problem solving (Course Learning Outcomes: 5)
    • steeped in research methods and rigor
    • based on empirical evidence and the scientific approach to knowledge development
    • demonstrated through appropriate and relevant assessment
    Teamwork and communication skills (Course Learning Outcomes: 3)
    • developed from, with, and via the SGDE
    • honed through assessment and practice throughout the program of studies
    • encouraged and valued in all aspects of learning
    Career and leadership readiness (Course Learning Outcomes: 1 - 5)
    • technology savvy
    • professional and, where relevant, fully accredited
    • forward thinking and well informed
    • tested and validated by work based experiences
    Intercultural and ethical competency (Course Learning Outcomes: 3, 4)
    • adept at operating in other cultures
    • comfortable with different nationalities and social contexts
    • able to determine and contribute to desirable social outcomes
    • demonstrated by study abroad or with an understanding of indigenous knowledges
    Self-awareness and emotional intelligence (Course Learning Outcomes: -)
    • a capacity for self-reflection and a willingness to engage in self-appraisal
    • open to objective and constructive feedback from supervisors and peers
    • able to negotiate difficult social situations, defuse conflict and engage positively in purposeful debate
  • Learning Resources
    Required Resources
    No required text.
    Students will be researching and resourcing core materials, primarily on the Internet.
  • Learning & Teaching Activities
    Learning & Teaching Modes
    • Info Risks Threats & Controls will be taught in time blocks that will (usually) be comprised of research, workshop, discussion, and work on projects for real clients.
    • Each session will comprise workshop, research and problem-solving activities, and class discussion, and some sessions will also include presentation, peer review, and coaching.
    Workload

    The information below is provided as a guide to assist students in engaging appropriately with the course requirements.

    The University expects full-time students (i.e. those taking 12 units per semester) to devote a total of 48 hours per week to their studies.
    • This means that students are expected to commit approximately 12 hours per week to this course (including class time and the research, collaboration, online, & study time outside of your regular classes).
    • Students are required to attend all class sessions.
    • Students are required to complete class preparation (posted in MyUni) before the start of class.
    • A proportion of this course will be in team-mode. It is recognised that outside commitments can mean that team-work is challenging in terms of compatible scheduling, but much of the team work can be managed online, so full participation in out-of-class team work is expected.
    Learning Activities Summary

    Week: Topics; Core Activities
    01: Introduction; Fundamentals; NDA; Clarify course expectations; Discuss finding clients; Assessment clarification; Workshop & produce NDAs
    02: Overview of Risk; Concepts and definitions; Risk categories; Risk appetite and risk tolerance; Client interview skills; Research & Discussion; Workshop
    03: Frameworks, Policies, ISO, and Other Systems; Value chain and supply chain models; Client interview protocols, schedules & skills; Research & Discussion; Workshop
    04: Risk Assessment (methods & methodologies); RAM 1: Risk context; Vulnerabilities; Client interview skills; QUIZ; Research & Discussion; Workshop
    05: MEET THE CLIENT; Analysis of client meeting; Analysis of Client documents; Revise & Review; Research & Discussion; Workshop
    06: Risk assessment formulae; Threats; RAM 2 – identify risks; RAM 3 – map risks; RAM 4 – analyse risks; RAM 5 – evaluate risks; Research & Discussion; Workshop
    07: RAM 5 – Evaluate Risks; RAM 6 – Treat & Control Risks; Client InfoSec Framework Stage 1 DRAFT is due; Workshop; Peer & mentor review
    08: Presentation & Phase 1 Submission; Class & Mentor feedback; QUIZ; PRESENTATIONS
    MSB: Mid-Semester Break 1; After approval received, present Phase 1 InfoSec Framework to Client
    MSB: Mid-Semester Break 2; Client gives feedback re Phase 1
    09: RAM 7 – Monitor; RAM 8 – Review; RAM C&C revisit; Discuss client feedback and revise Phase 1 accordingly; Prepare for Documentation phase
    10: RAM 9 – Documentation; Research & Discussion; Workshop
    11: RAM 9 – Documentation cont…; Start PRESENTATIONS; Research & Discussion; Workshop; Early PRESENTATIONS
    12: Client InfoSec Framework Stage 2; QUIZ; FINAL PRESENTATIONS
    13: Course Coordinators & Mentors mark & approve InfoSec Frameworks for distribution to clients; After receiving approval, present final InfoSec Framework & Documentation to client organisation

  • Assessment

    The University's policy on Assessment for Coursework Programs is based on the following four principles:

    1. Assessment must encourage and reinforce learning.
    2. Assessment must enable robust and fair judgements about student performance.
    3. Assessment practices must be fair and equitable to students and give them the opportunity to demonstrate what they have learned.
    4. Assessment must maintain academic standards.

    Assessment Summary
    Assessment Task | Task Type | Weighting | Word Count / Time | Time Due | Learning Outcome
    In-class Quiz | Quiz | 30 (10 ea) | n/a | Weeks 4, 8 & 12 | 1 - 4
    Client InfoSec Framework stage 1 | Project | 40 | tn | Week 7 class | 1 - 4, 5
    Client InfoSec Framework stage 2 | Project | 30 | tbn | Week 12 class | 1 - 4, 5
    Total | | 100% | | |

    OPTIONAL FOR EXTRA CREDIT

    Analytical & Reflective Journal (13 weekly entries, 300 – 700 words each). Final due Week 13.

    Assessment Detail

    In-class Quiz

    Seminars in weeks 4, 8, and 12 will include a quiz on previous weeks’ material. Each quiz is worth 10% of final mark, totalling 30% of final grade.

    Client InfoSec Framework

    Each student will have a small business client for whom they will, over the course of the semester, develop an Information Security Framework. These will be developed in consultation with the course academics and the clients.

    Stage 1


    In week 7, the first stage of the Information Security Framework will be submitted and presented for feedback and grades to the course academics, then (after receiving approval) discussed with the client. Rubric available in MyUni.

    Stage 2


    In week 12, the full DRAFT Information Security Framework will be submitted and presented – in class – to the course academics and peers for feedback, then submitted for marking.
    In week 13 (or shortly after), once the full InfoSec Framework has been approved by course academics, the full FINAL Information Security Framework will be submitted and presented to the client. Rubric available in MyUni.


    optional for extra credit for UG

    Reflective Journal 

    Each week students will be expected to write 300 – 700 words of analysis and reflection on that week’s learning on their assigned webpage in MyUni. This includes week 13 reflection on the work involved in polishing, submitting and presenting the final Information Security Framework for and to their client.
    The full Journal is to be completed by 12 noon on the Friday of Week 13 (unless an extension is granted due to marking delaying final presentation to client).
    Students may be called upon to show their up-to-date journal at any class throughout the 13 weeks. Rubric available in MyUni.
    Submission
    As clients are involved, it is critical that work is submitted in a timely fashion.
    No student may submit their work to their client until approved by a course academic.
    Course Grading

    Grades for your performance in this course will be awarded in accordance with the following scheme:

    M10 (Coursework Mark Scheme)
    Grade Mark Description
    FNS   Fail No Submission
    F 1-49 Fail
    P 50-64 Pass
    C 65-74 Credit
    D 75-84 Distinction
    HD 85-100 High Distinction
    CN   Continuing
    NFE   No Formal Examination
    RP   Result Pending

    Further details of the grades/results can be obtained from Examinations.

    Grade Descriptors are available which provide a general guide to the standard of work that is expected at each grade level. More information at Assessment for Coursework Programs.

    Final results for this course will be made available through Access Adelaide.

  • Student Feedback

    The University places a high priority on approaches to learning and teaching that enhance the student experience. Feedback is sought from students in a variety of ways including on-going engagement with staff, the use of online discussion boards and the use of Student Experience of Learning and Teaching (SELT) surveys as well as GOS surveys and Program reviews.

    SELTs are an important source of information to inform individual teaching practice, decisions about teaching duties, and course and program curriculum design. They enable the University to assess how effectively its learning environments and teaching practices facilitate student engagement and learning outcomes. Under the current SELT Policy (http://www.adelaide.edu.au/policies/101/), course SELTs are mandated and must be conducted at the conclusion of each term/semester/trimester for every course offering. Feedback on issues raised through course SELT surveys is made available to enrolled students through various resources (e.g. MyUni). In addition, aggregated course SELT data is available.

  • Fraud Awareness

    Students are reminded that in order to maintain the academic integrity of all programs and courses, the university has a zero-tolerance approach to students offering money or significant value goods or services to any staff member who is involved in their teaching or assessment. Students offering lecturers or tutors or professional staff anything more than a small token of appreciation is totally unacceptable, in any circumstances. Staff members are obliged to report all such incidents to their supervisor/manager, who will refer them for action under the university's student disciplinary procedures.

The University of Adelaide is committed to regular reviews of the courses and programs it offers to students. The University of Adelaide therefore reserves the right to discontinue or vary programs and courses without notice. Please read the important information contained in the disclaimer.