COMMGMT 2509 - Policies & Procedures in Organisational Cyber Security

North Terrace Campus - Semester 1 - 2020

The risks and costs of cyber-attacks that threaten organisations grow exponentially every year, yet the discipline of cyber security is so young that most organisations (and governments) still do not have adequate cyber security policies or procedures. There is an urgent and ongoing need for personnel who understand the core principles of organisational cyber security, and have the knowledge and skills to research policies and procedures as they develop and tailor them to specific industry needs; and to develop policies and procedures where they do not yet exist. This course addresses the necessary knowledge and skill-set for researching, developing and tailoring cyber security policies and procedures, standards and guidelines, appropriate to specific industries and organisations.

  • General Course Information
    Course Details
    Course Code COMMGMT 2509
    Course Policies & Procedures in Organisational Cyber Security
    Coordinating Unit Business School
    Term Semester 1
    Level Undergraduate
    Location/s North Terrace Campus
    Units 3
    Contact Up to 3 hours per week
    Available for Study Abroad and Exchange Y
    Incompatible COMMGMT 7026
    Course Description The risks and costs of cyber-attacks that threaten organisations grow exponentially every year, yet the discipline of cyber security is so young that most organisations (and governments) still do not have adequate cyber security policies or procedures. There is an urgent and ongoing need for personnel who understand the core principles of organisational cyber security, and have the knowledge and skills to research policies and procedures as they develop and tailor them to specific industry needs; and to develop policies and procedures where they do not yet exist. This course addresses the necessary knowledge and skill-set for researching, developing and tailoring cyber security policies and procedures, standards and guidelines, appropriate to specific industries and organisations.
    Course Staff

    Course Coordinator: Dr Cate Jerram

    Dr Cate Jerram
    10.34 Nexus 10
    cate.jerram@adelaide.edu.au
    #8313 4757
    Course Timetable

    The full timetable of all activities for this course can be accessed from Course Planner.

  • Learning Outcomes
    Course Learning Outcomes
    On successful completion of this course, students will be able to:
    1. Identify policy needs (incorporating procedures, standards, and guidelines) to address cyber security requirements for a specific organisation.
    2. Research national and international policies for organisational cyber security.
    3. Interpret cyber security policies, evaluate their relevance and appropriateness for a specific industry or organisation, and adopt and adapt them to specifically address identified organisational needs.
    4. Draft core cyber security policies, procedures and guidelines (compliant with standards) and accompanying documentation, for a specific industry or organisation.
    5. Log, analyse, reflect on, and report on, interaction with clients, demonstrating reflection.
    University Graduate Attributes

    This course will provide students with an opportunity to develop the Graduate Attribute(s) specified below:

    University Graduate Attribute Course Learning Outcome(s)
    Deep discipline knowledge
    • informed and infused by cutting edge research, scaffolded throughout their program of studies
    • acquired from personal interaction with research active educators, from year 1
    • accredited or validated against national or international standards (for relevant programs)
    1 - 4
    Critical thinking and problem solving
    • steeped in research methods and rigor
    • based on empirical evidence and the scientific approach to knowledge development
    • demonstrated through appropriate and relevant assessment
    1 - 4
    Teamwork and communication skills
    • developed from, with, and via the SGDE
    • honed through assessment and practice throughout the program of studies
    • encouraged and valued in all aspects of learning
    -
    Career and leadership readiness
    • technology savvy
    • professional and, where relevant, fully accredited
    • forward thinking and well informed
    • tested and validated by work based experiences
    1 - 4
    Intercultural and ethical competency
    • adept at operating in other cultures
    • comfortable with different nationalities and social contexts
    • Able to determine and contribute to desirable social outcomes
    • demonstrated by study abroad or with an understanding of indigenous knowledges
    2 - 4
  • Learning Resources
    Required Resources
    Students will be researching and sourcing material.


    Recommended Resources
    A Vaseashta, P Susmann, & E Braman. Cyber Security and Resiliency Policy Framework. IOS Press. 2014-09-19 (Free download through ProQuest Ebook Central, via University of Adelaide Library)
    Potentially helpful (not required):
    Michael N. Schmitt (Ed). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations.
    Cambridge University Press, 2017.
  • Learning & Teaching Activities
    Learning & Teaching Modes
    This course is taught in seminars - weekly 3-hour classes.

    It is industry-based. In teams, students apply what they are learning in the course to real businesses who are their team client.

    INTEGRITY is critical in this class as clients must be able to expect absolute CONFIDENTIALITY.

    Timetables are worked around client need and interaction more than around normal 'semester timetable' or 'student expectations' - as students are being entrusted with the well-being of real businesses, it is necessary for students to understand the requirement to work to client need, not just classroom norms.
    Workload

    No information currently available.

    Learning Activities Summary

    Week

    Seminar  Topic

    Learning Activities

    Week 1

    Course overview

    §  Learning Outcomes

    §  Assessment

    Topic overview:

    §  Policy

    §  Procedures & Processes

    §  Standards

    §  Guidelines

    §  Organisational Cyber Security

    §  Business Writing

    §  Writing for a Lay Audience

     

    Client & Teams Allocation

     

    Discussion of

    §  assessments & rubrics

    §  Individual Contribution to Team Project

    §  Communicating with Clients

    §  Professionalism

    §  Mentoring & Being Mentored

    §  Team Process Documentation 

     

    Teams start work:

    §  Developing team protocols

    §  Researching clients

    Week 2

    The role of policy in organisations.

    §  The role of drafting policy in organisations.

    §  The challenges of drafting policy in organisations.

    Hierarchy of data uses – hierarchy or policy criticality 

    Data Governance & Policy (& Culture)

    §  Modernising Data Governance

    §  Changing Data Culture & Policy

    Policy Framework

    Guest speaker:

    Special Guest speaker: tbc

    Ensuring all organisational policies are privacy- & security-centric

    Contact Clients – First Visit

    Research national and international policies for organisational cyber security

    Discuss: adopt, adapt, write from scratch

    https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center

    Week 3

    Needs Analysis

    Prioritization

     The 4 steps of Policy Development:

    1.     Plan

    2.     Analyse

    3.     Research

    4.     Pre-Write

     

    Consultation throughout 4 stages

    §  Consultation vs collaboration

    Workshop – Needs Analysis

     

    Workshop - The 4 steps of Policy Development:

    §  Step 1 – Plan.

    Creating & Working with Templates

    Wording, phrasing & formatting for:

    §  clarity and communication

    §  being read

    §  being followed

    Consultation & Collaboration Processes for Semester

    Week 4

    Strategic Policy Setting (primary)

    §  Set a strategic direction

    §  Maximise positive impacts

    §  Engage stakeholders

    §  Establish clear levels of accountability

     

    Workshop – writing, wording, formatting.

     

    Workshop - The 4 steps of Development:

     Step 1 – Plan.

     Step 2 – Analyse.

      

    https://www.business.gov.au/Risk-management/Cyber-security/How-to-create-a-cyber-security-policy

    Week 5

    Operational Policy Setting (secondary)

    §  Clearly outline processes to be followed

    §  Meet legislative requirements

    §  Address audit findings

    §  Address stakeholder concerns

    Special Guest speaker: tbc

    Workshop - The 4 steps of Development:

     Step 3 - Research

     Step 4 – Pre-writing

     

    Week 6

     

    Open Mic Share Session – Challenges to Date

    Processes, Procedures and Standards

    §  Designing

    §  Writing

    Workshop

    Algorithms & Algorithmic thinking & planning

     

     

     Workshop

    Common Cyber Security Policies

     

    Ongoing communication and work with clients, as required by client/team arrangements.

    Week 7

     

    Policy Frameworks & Roadmaps

     

    Core Policies required

    §  Prevention

    §  Control

    §  Damage mitigation

    Core Cyber Security Policies required

    ·         Hygiene

    ·         Mitigation

    ·         Incident Reporting

    ·         Hiring, Firing, & Retirement

    ·         Access

    ·         BYOD & Mobile

    ·         Retention, Storage & Disposal

    ·         etc

    Workshop

    Common Cyber Security Policies (continued)

     

    Understanding categories, priorities, criticality.

    Week 8

    Standards:

    §  Prescriptive Standards

    §  Performance Standards

    §  Researching Standards

    §  Making standards intelligible

    §  Compliance & Non-compliance

     

    Special Guest speaker: tbc

    Explore PCI standards, docs, compliance…

    https://www.pcisecuritystandards.org/pci_security/

    Week 9

    Scope & Future Work Declarations

     

    Creating standard forms.

     

    Workshop templates & standard forms eg:

    §  Account Setup Request

    §  Guest Access Request

    §  Notice of Policy Noncompliance

    §  Policy Acknowledgement Form

    §  Request for Policy Exemption

    §  Security Incident Report

    §  etc 

    Week 10

    Guidelines and Handbooks

    §  Designing

    Writing

    Workshop

    Special Guest speaker: tbc

    Week 11

    Verification and Validation

     

    Maintaining & Updating Policies

     

    Retiring Policies

     

    Workshop: verification & validation

     Workshop: Layout, Proofing & Editing

    Writing policies on policy management

    Week 12

     

    Publishing Policies:

    §  Online

    §  On paper

     

    Notifying, Training and Updating Users

    Open Mic Share Session – Challenges to Date

     Workshop: Publishing Policies

     

     Workshop: Training & Notifying

     

    Anonymous Feedback for Cate Survey (found in Quiz)

     

     

    Week 13

     

     

    Week 15

     

     

     

  • Assessment

    The University's policy on Assessment for Coursework Programs is based on the following four principles:

    1. Assessment must encourage and reinforce learning.
    2. Assessment must enable robust and fair judgements about student performance.
    3. Assessment practices must be fair and equitable to students and give them the opportunity to demonstrate what they have learned.
    4. Assessment must maintain academic standards.

    Assessment Summary
    Due to the current COVID-19 situation modified arrangements have been made to assessments to facilitate remote learning and teaching. Assessment details provided here reflect recent updates.


    Assessment Task

    Weighting

    Word Count / Time

    Due

    Learning Outcome


    Client Project Phase 1

    10%

    n/a

    Class *Week 4

    1 - 4


    Phase 2 (temporary)

    (10%)

    n/a

    Class Week 7

    5


    Phase 2A (overwrites)

    10%

    Phrase 3: Process & Procedures Needs Analysis & Prioritization

    15%

           n/a Class Week 6 & 12       1 - 4


    Phrase 4: Policy, Procedures & Documentation


    30%


    n/a


    Week 13


    1 - 4

    Report Log & Reflective Journal
    (temporary)

    (20%)

    13 entries

    500-1000 words each

    Class Week 3

    5

    Report Log & Reflective Journal
    (overwrites)

    20%

    Week 13+

    5

    Online Engagement

    15%

    Total

    100%

     

     

     

     

    Assessment Detail
    Please note that the Assessment Details below incorporate both Undergraduate and Postgraduate Assessments - there are some slight differences.

    Note: Assessments are linked to Course Learning Outcomes.

     

    Assessment Task

    Weighting

    Word Count / Time

    Due

    Learning Outcome

    Client Project

    student teams comprised of Postgraduate & Undergraduate students will be allocated clients (real clients with real businesses) for whom they will conduct the following...

    80%

     

     

     

    Note: Individual Contribution to Team Reports (& client & teacher observations) will modify all team grades for individuals.

    Step 1: Policy Situation Analysis, Needs Analysis, & Prioritization
    The student team will: meet with the client; sign NDAs; review all relevant cybersecurity situations, documents, and existing Cyber Security Frameworks & Policies (if any); then determine what Cybersec policies that client most urgently needs; then prioritize those needs.

    15%

    n/a

    Class *Week 4

    1 - 4

    Step 2: Research & Client Consultation Report – A (mark redeemable/overwritten by 2B mark).
    Each student in the team, and the client, will write up a report about consultation to date.

    15%

    n/a

    Class Week 7

    5

    Step 3: Process & Procedures Needs Analysis & Prioritization
    In the context of the Policy needs analysis conducted (and feedback from the client about this), the team will then analyse what processes and procedures will need to be analysed and documented to support the prioritized policies.

    15%

    n/a

    Class Week 6 & 12

    1 - 4

    Step 4: Policy, Procedures & Documentation
    The team will provide the negotiated policy/policies and supporting procedures and documentation to the course coordinator for approval for submission to the client.

    UG: Draft
    Undergraduate Students are responsible for all these documents up until the Final Draft Stage.

    PG: Finalised with Recommendations
    Postgraduate team members are then responsible to polish and finalise all the submissions both for submission to the course coordinator, then for any changes prior to submission to the client.
     

    35%

    n/a

    Class Week 12

    Week 13

    1 - 4

    Step 2B: Research & Client Consultation Report – Again, each team member and the client will file a report about the consultation and feedback process for this project. The grade received for this second report over-writes the grade received for the earlier report.

    15%

    n/a

    Week 13+

    3 - 5

    Report Log & Reflective Journal

    Students are expected to write up a learning log and reflective journal each week in their allocated MyUni site pages. Templates, expectations and exemplars are available in MyUni.

    Draft week 3 journal – Provisional Grade

     The first 3 entries will be marked with a provisional/redeemable grade that is indicative of quality-to-date, and feedback to enable improvement for ongoing weekly entries.

    Final – after final submission to client
    Journals will be marked in entirety after students have made their final entries after completion of their final project. This mark will over-write the week 3 mark.

     

     

     

    20%

    20%

     

    13 entries

    500-1000 words each

    Class Week 3

     

    Week 13+

     

    5

    Total

    100%

     

     

     

    Assessment Detail

    Client Project

     

    Step 1: Cyber Security Situation Analysis, Policy Needs Analysis & Prioritization

    In teams, students will research the needs of the client, and present a Situation Analysis (broad brush) that outlines the organisation’s cyber security status compared to existing appropriate national or international policies and known current threats.

    Building on the Situation Analysis, teams will then conduct a Needs Analysis (focused and specific) of the most critical cyber security policy needs of the organisation, and prioritize them in terms of urgency of need and value to the organisation. Rubrics available in MyUni.

     
    Step 2: Research & Client Consultation Report

    Students will (in consultation with the client) select two of the most critical policy needs, and research how best to address them (in terms of adapting a known policy or developing a new policy) – to be specific to that organisation’s situation and needs. The report will summarise the research conducted and the client consultation process, and final decisions made collaboratively between client and student. Rubrics available in MyUni.

     

     Step 3: Process & Procedures Needs Analysis & Prioritization

    Teams will research the best procedures to address the policies created for the client, prioritize them in consultation with the client, and then develop the procedures and documentation to support them.

    Rubrics available in MyUni.

     

    Step 4: Client Policies, Procedures & Documentation (UG: Draft/ PG: Final)

     Teams will draft the Policies and core Procedures selected in consultation with the client, ensuring that they are written in such a way that Policies and Procedures are implementable. Teams are responsible to ensure (& document) that their Policies & Procedures ensure that their client is enabled to meet their requisite industry and government Standards. They will accompany their Policies & Procedures with supporting documentation for client implementation (eg: posters, employee handouts or handbooks…)

     

    Teams will, after marking and feedback, be able to submit their finalised Policies & Procedures, with support documentation, to their client. Rubrics available in MyUni.

     

    Report Log & Reflective Journal

    Each week students will be expected to log their interaction with clients and write 500 – 1000 words of analysis and reflection on that week’s learning. This includes reflection on the work involved in polishing and submitting the final Policies Procedures and Documentation for and to their client.

     

    Logs & Journals are to be entered and updated weekly on assigned Journal Pages in MyUni completed each week before the following week’s class. Students may be called upon to show their up-to-date log & journal at any class throughout the semester.

     

    Week 3 due date & grade

    Students do not need to submit their journal entries as they will be read on site in the Canvas Journal entry pages. The first three entries to each journal will be marked and graded with feedback before Census Date. The final grading of the completed journal at the end of semester will over-write the week 3 grading.

     

    Rubric available in MyUni.

      

     

    Submission


    Critical: all work for clients must be cleared with the Course Coordinator (during class) before being submitted to the client.

    Course Grading

    Grades for your performance in this course will be awarded in accordance with the following scheme:

    M10 (Coursework Mark Scheme)
    Grade Mark Description
    FNS   Fail No Submission
    F 1-49 Fail
    P 50-64 Pass
    C 65-74 Credit
    D 75-84 Distinction
    HD 85-100 High Distinction
    CN   Continuing
    NFE   No Formal Examination
    RP   Result Pending

    Further details of the grades/results can be obtained from Examinations.

    Grade Descriptors are available which provide a general guide to the standard of work that is expected at each grade level. More information at Assessment for Coursework Programs.

    Final results for this course will be made available through Access Adelaide.

  • Student Feedback

    The University places a high priority on approaches to learning and teaching that enhance the student experience. Feedback is sought from students in a variety of ways including on-going engagement with staff, the use of online discussion boards and the use of Student Experience of Learning and Teaching (SELT) surveys as well as GOS surveys and Program reviews.

    SELTs are an important source of information to inform individual teaching practice, decisions about teaching duties, and course and program curriculum design. They enable the University to assess how effectively its learning environments and teaching practices facilitate student engagement and learning outcomes. Under the current SELT Policy (http://www.adelaide.edu.au/policies/101/) course SELTs are mandated and must be conducted at the conclusion of each term/semester/trimester for every course offering. Feedback on issues raised through course SELT surveys is made available to enrolled students through various resources (e.g. MyUni). In addition aggregated course SELT data is available.

  • Student Support
  • Policies & Guidelines
  • Fraud Awareness

    Students are reminded that in order to maintain the academic integrity of all programs and courses, the university has a zero-tolerance approach to students offering money or significant value goods or services to any staff member who is involved in their teaching or assessment. Students offering lecturers or tutors or professional staff anything more than a small token of appreciation is totally unacceptable, in any circumstances. Staff members are obliged to report all such incidents to their supervisor/manager, who will refer them for action under the university's student’s disciplinary procedures.

The University of Adelaide is committed to regular reviews of the courses and programs it offers to students. The University of Adelaide therefore reserves the right to discontinue or vary programs and courses without notice. Please read the important information contained in the disclaimer.