COMMGMT 2509 - Policies & Procedures in Organisational Cyber Security

North Terrace Campus - Semester 1 - 2020

The risks and costs of cyber-attacks that threaten organisations grow exponentially every year, yet the discipline of cyber security is so young that most organisations (and governments) still do not have adequate cyber security policies or procedures. There is an urgent and ongoing need for personnel who understand the core principles of organisational cyber security, and have the knowledge and skills to research policies and procedures as they develop and tailor them to specific industry needs; and to develop policies and procedures where they do not yet exist. This course addresses the necessary knowledge and skill-set for researching, developing and tailoring cyber security policies and procedures, standards and guidelines, appropriate to specific industries and organisations.

  • General Course Information
    Course Details
    Course Code COMMGMT 2509
    Course Policies & Procedures in Organisational Cyber Security
    Coordinating Unit Adelaide Business School
    Term Semester 1
    Level Undergraduate
    Location/s North Terrace Campus
    Units 3
    Contact Up to 3 hours per week
    Available for Study Abroad and Exchange Y
    Incompatible COMMGMT 7026
    Assessment Situation analysis, report and exam
    Course Staff

    Course Coordinator: Dr Cate Jerram

    Dr Cate Jerram
    10.34 Nexus 10
    cate.jerram@adelaide.edu.au
    #8313 4757
    Course Timetable

    The full timetable of all activities for this course can be accessed from Course Planner.

  • Learning Outcomes
    Course Learning Outcomes
    On successful completion of this course, students will be able to:
    1. Identify policy needs (incorporating procedures, standards, and guidelines) to address cyber security requirements for a specific organisation.
    2. Research national and international policies for organisational cyber security.
    3. Interpret cyber security policies, evaluate their relevance and appropriateness for a specific industry or organisation, and adopt and adapt them to specifically address identified organisational needs.
    4. Draft core cyber security policies, procedures and guidelines (compliant with standards) and accompanying documentation, for a specific industry or organisation.
    5. Log, analyse, reflect on, and report on, interaction with clients, demonstrating reflection.
    University Graduate Attributes

    This course will provide students with an opportunity to develop the Graduate Attribute(s) specified below:

    University Graduate Attributes and the Course Learning Outcome(s) that develop them:

    Deep discipline knowledge
    • informed and infused by cutting edge research, scaffolded throughout their program of studies
    • acquired from personal interaction with research active educators, from year 1
    • accredited or validated against national or international standards (for relevant programs)
    Course Learning Outcome(s): 1 - 4

    Critical thinking and problem solving
    • steeped in research methods and rigor
    • based on empirical evidence and the scientific approach to knowledge development
    • demonstrated through appropriate and relevant assessment
    Course Learning Outcome(s): 1 - 4

    Teamwork and communication skills
    • developed from, with, and via the SGDE
    • honed through assessment and practice throughout the program of studies
    • encouraged and valued in all aspects of learning
    Course Learning Outcome(s): -

    Career and leadership readiness
    • technology savvy
    • professional and, where relevant, fully accredited
    • forward thinking and well informed
    • tested and validated by work based experiences
    Course Learning Outcome(s): 1 - 4

    Intercultural and ethical competency
    • adept at operating in other cultures
    • comfortable with different nationalities and social contexts
    • able to determine and contribute to desirable social outcomes
    • demonstrated by study abroad or with an understanding of indigenous knowledges
    Course Learning Outcome(s): 2 - 4
  • Learning Resources
    Required Resources
    Students will be researching and sourcing material.


    Recommended Resources
    A Vaseashta, P Susmann, & E Braman. Cyber Security and Resiliency Policy Framework. IOS Press. 2014-09-19 (Free download through ProQuest Ebook Central, via University of Adelaide Library)
    Potentially helpful (not required):
    Michael N. Schmitt (Ed). Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations. Cambridge University Press, 2017.
  • Learning & Teaching Activities
    Learning & Teaching Modes
    This course is taught in seminars - weekly 3-hour classes.

    It is industry-based. In teams, students apply what they are learning in the course to real businesses who are their team client.

    INTEGRITY is critical in this class as clients must be able to expect absolute CONFIDENTIALITY.

    Timetables are worked around client need and interaction more than around normal 'semester timetable' or 'student expectations' - as students are being entrusted with the well-being of real businesses, it is necessary for students to understand the requirement to work to client need, not just classroom norms.
    Workload

    No information currently available.

    Learning Activities Summary

    Week | Seminar Topic | Learning Activities

    Week 1
    Course overview
    §  Learning Outcomes
    §  Assessment
    Topic overview:
    §  Policy
    §  Procedures & Processes
    §  Standards
    §  Guidelines
    §  Organisational Cyber Security
    §  Business Writing
    §  Writing for a Lay Audience

    Client & Teams Allocation

    Discussion of
    §  assessments & rubrics
    §  Individual Contribution to Team Project
    §  Communicating with Clients
    §  Professionalism
    §  Mentoring & Being Mentored
    §  Team Process Documentation

    Teams start work:
    §  Developing team protocols
    §  Researching clients

    Week 2
    The role of policy in organisations.
    §  The role of drafting policy in organisations.
    §  The challenges of drafting policy in organisations.
    Hierarchy of data uses – hierarchy or policy criticality
    Data Governance & Policy (& Culture)
    §  Modernising Data Governance
    §  Changing Data Culture & Policy
    Policy Framework
    Guest speaker:
    Special Guest speaker: tbc
    Ensuring all organisational policies are privacy- & security-centric
    Contact Clients – First Visit
    Research national and international policies for organisational cyber security
    Discuss: adopt, adapt, write from scratch
    https://www.nist.gov/itl/applied-cybersecurity/nice/nice-cybersecurity-workforce-framework-resource-center

    Week 3
    Needs Analysis
    Prioritization
    The 4 steps of Policy Development:
    1.     Plan
    2.     Analyse
    3.     Research
    4.     Pre-Write

    Consultation throughout 4 stages
    §  Consultation vs collaboration
    Workshop – Needs Analysis

    Workshop - The 4 steps of Policy Development:
    §  Step 1 – Plan.
    Creating & Working with Templates
    Wording, phrasing & formatting for:
    §  clarity and communication
    §  being read
    §  being followed
    Consultation & Collaboration Processes for Semester

    Week 4
    Strategic Policy Setting (primary)
    §  Set a strategic direction
    §  Maximise positive impacts
    §  Engage stakeholders
    §  Establish clear levels of accountability

    Workshop – writing, wording, formatting.

    Workshop - The 4 steps of Development:
    §  Step 1 – Plan.
    §  Step 2 – Analyse.

    https://www.business.gov.au/Risk-management/Cyber-security/How-to-create-a-cyber-security-policy

    Week 5
    Operational Policy Setting (secondary)
    §  Clearly outline processes to be followed
    §  Meet legislative requirements
    §  Address audit findings
    §  Address stakeholder concerns
    Special Guest speaker: tbc
    Workshop - The 4 steps of Development:
    §  Step 3 - Research
    §  Step 4 – Pre-writing

    Week 6
    Open Mic Share Session – Challenges to Date
    Processes, Procedures and Standards
    §  Designing
    §  Writing
    Workshop
    Algorithms & Algorithmic thinking & planning

    Workshop
    Common Cyber Security Policies

    Ongoing communication and work with clients, as required by client/team arrangements.

    Week 7
    Policy Frameworks & Roadmaps

    Core Policies required
    §  Prevention
    §  Control
    §  Damage mitigation
    Core Cyber Security Policies required
    ·         Hygiene
    ·         Mitigation
    ·         Incident Reporting
    ·         Hiring, Firing, & Retirement
    ·         Access
    ·         BYOD & Mobile
    ·         Retention, Storage & Disposal
    ·         etc
    Workshop
    Common Cyber Security Policies (continued)

    Understanding categories, priorities, criticality.

    Week 8
    Standards:
    §  Prescriptive Standards
    §  Performance Standards
    §  Researching Standards
    §  Making standards intelligible
    §  Compliance & Non-compliance

    Special Guest speaker: tbc
    Explore PCI standards, docs, compliance…
    https://www.pcisecuritystandards.org/pci_security/

    Week 9
    Scope & Future Work Declarations

    Creating standard forms.

    Workshop templates & standard forms eg:
    §  Account Setup Request
    §  Guest Access Request
    §  Notice of Policy Noncompliance
    §  Policy Acknowledgement Form
    §  Request for Policy Exemption
    §  Security Incident Report
    §  etc

    Week 10
    Guidelines and Handbooks
    §  Designing
    §  Writing
    Workshop
    Special Guest speaker: tbc

    Week 11
    Verification and Validation

    Maintaining & Updating Policies

    Retiring Policies

    Workshop: verification & validation
    Workshop: Layout, Proofing & Editing
    Writing policies on policy management

    Week 12
    Publishing Policies:
    §  Online
    §  On paper

    Notifying, Training and Updating Users
    Open Mic Share Session – Challenges to Date
    Workshop: Publishing Policies

    Workshop: Training & Notifying

    Anonymous Feedback for Cate Survey (found in Quiz)

     

     


  • Assessment

    The University's policy on Assessment for Coursework Programs is based on the following four principles:

    1. Assessment must encourage and reinforce learning.
    2. Assessment must enable robust and fair judgements about student performance.
    3. Assessment practices must be fair and equitable to students and give them the opportunity to demonstrate what they have learned.
    4. Assessment must maintain academic standards.

    Assessment Summary
    Due to the current COVID-19 situation modified arrangements have been made to assessments to facilitate remote learning and teaching. Assessment details provided here reflect recent updates.


    Assessment Task | Weighting | Word Count / Time | Due | Learning Outcome
    Client Project Phase 1 | 10% | n/a | Class *Week 4 | 1 - 4
    Phase 2 (temporary) | (10%) | n/a | Class Week 7 | 5
    Phase 2A (overwrites) | 10%
    Phase 3: Process & Procedures Needs Analysis & Prioritization | 15% | n/a | Class Week 6 & 12 | 1 - 4
    Phase 4: Policy, Procedures & Documentation | 30% | n/a | Week 13 | 1 - 4
    Report Log & Reflective Journal (temporary) | (20%) | 13 entries, 500-1000 words each | Class Week 3 | 5
    Report Log & Reflective Journal (overwrites) | 20% | | Week 13+ | 5
    Online Engagement | 15%
    Total | 100%

    Assessment Detail
    Please note that the Assessment Details below incorporate both Undergraduate and Postgraduate Assessments - there are some slight differences.

    Note: Assessments are linked to Course Learning Outcomes.

     

    Client Project
    Student teams comprised of Postgraduate & Undergraduate students will be allocated clients (real clients with real businesses) for whom they will conduct the following...
    Weighting: 80%

    Note: Individual Contribution to Team Reports (& client & teacher observations) will modify all team grades for individuals.

    Step 1: Policy Situation Analysis, Needs Analysis, & Prioritization
    The student team will: meet with the client; sign NDAs; review all relevant cybersecurity situations, documents, and existing Cyber Security Frameworks & Policies (if any); then determine which Cybersec policies that client most urgently needs; then prioritize those needs.
    Weighting: 15% | Word Count / Time: n/a | Due: Class *Week 4 | Learning Outcome: 1 - 4

    Step 2: Research & Client Consultation Report – A (mark redeemable/overwritten by 2B mark).
    Each student in the team, and the client, will write up a report about consultation to date.
    Weighting: 15% | Word Count / Time: n/a | Due: Class Week 7 | Learning Outcome: 5

    Step 3: Process & Procedures Needs Analysis & Prioritization
    In the context of the Policy needs analysis conducted (and feedback from the client about this), the team will then analyse what processes and procedures will need to be analysed and documented to support the prioritized policies.
    Weighting: 15% | Word Count / Time: n/a | Due: Class Week 6 & 12 | Learning Outcome: 1 - 4

    Step 4: Policy, Procedures & Documentation
    The team will provide the negotiated policy/policies and supporting procedures and documentation to the course coordinator for approval for submission to the client.

    UG: Draft
    Undergraduate Students are responsible for all these documents up until the Final Draft Stage.

    PG: Finalised with Recommendations
    Postgraduate team members are then responsible for polishing and finalising all the submissions, first for submission to the course coordinator and then for any changes prior to submission to the client.
    Weighting: 35% | Word Count / Time: n/a | Due: Class Week 12; Week 13 | Learning Outcome: 1 - 4

    Step 2B: Research & Client Consultation Report – Again, each team member and the client will file a report about the consultation and feedback process for this project. The grade received for this second report over-writes the grade received for the earlier report.
    Weighting: 15% | Word Count / Time: n/a | Due: Week 13+ | Learning Outcome: 3 - 5

    Report Log & Reflective Journal
    Students are expected to write up a learning log and reflective journal each week in their allocated MyUni site pages. Templates, expectations and exemplars are available in MyUni.

    Draft week 3 journal – Provisional Grade
    The first 3 entries will be marked with a provisional/redeemable grade that is indicative of quality-to-date, and feedback to enable improvement for ongoing weekly entries.

    Final – after final submission to client
    Journals will be marked in entirety after students have made their final entries after completion of their final project. This mark will over-write the week 3 mark.
    Weighting: 20%; 20% | Word Count / Time: 13 entries, 500-1000 words each | Due: Class Week 3; Week 13+ | Learning Outcome: 5

    Total
    100%

     

     

     

    Assessment Detail

    Client Project

     

    Step 1: Cyber Security Situation Analysis, Policy Needs Analysis & Prioritization

    In teams, students will research the needs of the client, and present a Situation Analysis (broad brush) that outlines the organisation’s cyber security status compared to existing appropriate national or international policies and known current threats.

    Building on the Situation Analysis, teams will then conduct a Needs Analysis (focused and specific) of the most critical cyber security policy needs of the organisation, and prioritize them in terms of urgency of need and value to the organisation. Rubrics available in MyUni.

     
    Step 2: Research & Client Consultation Report

    Students will (in consultation with the client) select two of the most critical policy needs, and research how best to address them (in terms of adapting a known policy or developing a new policy) – to be specific to that organisation’s situation and needs. The report will summarise the research conducted and the client consultation process, and final decisions made collaboratively between client and student. Rubrics available in MyUni.

     

     Step 3: Process & Procedures Needs Analysis & Prioritization

    Teams will research the best procedures to address the policies created for the client, prioritize them in consultation with the client, and then develop the procedures and documentation to support them.

    Rubrics available in MyUni.

     

    Step 4: Client Policies, Procedures & Documentation (UG: Draft/ PG: Final)

    Teams will draft the Policies and core Procedures selected in consultation with the client, writing them so that they are implementable. Teams are responsible for ensuring (& documenting) that their Policies & Procedures enable their client to meet the requisite industry and government Standards. They will accompany their Policies & Procedures with supporting documentation for client implementation (e.g. posters, employee handouts or handbooks…).

     

    Teams will, after marking and feedback, be able to submit their finalised Policies & Procedures, with support documentation, to their client. Rubrics available in MyUni.

     

    Report Log & Reflective Journal

    Each week students will be expected to log their interaction with clients and write 500 – 1000 words of analysis and reflection on that week’s learning. This includes reflection on the work involved in polishing and submitting the final Policies, Procedures and Documentation for and to their client.

     

    Logs & Journals are to be entered and updated weekly on assigned Journal Pages in MyUni, and completed each week before the following week’s class. Students may be called upon to show their up-to-date log & journal at any class throughout the semester.

     

    Week 3 due date & grade

    Students do not need to submit their journal entries as they will be read on site in the Canvas Journal entry pages. The first three entries to each journal will be marked and graded with feedback before Census Date. The final grading of the completed journal at the end of semester will over-write the week 3 grading.

     

    Rubric available in MyUni.

      

     

    Submission


    Critical: all work for clients must be cleared with the Course Coordinator (during class) before being submitted to the client.

    Course Grading

    Grades for your performance in this course will be awarded in accordance with the following scheme:

    M10 (Coursework Mark Scheme)
    Grade Mark Description
    FNS   Fail No Submission
    F 1-49 Fail
    P 50-64 Pass
    C 65-74 Credit
    D 75-84 Distinction
    HD 85-100 High Distinction
    CN   Continuing
    NFE   No Formal Examination
    RP   Result Pending

    Further details of the grades/results can be obtained from Examinations.

    Grade Descriptors are available which provide a general guide to the standard of work that is expected at each grade level. More information at Assessment for Coursework Programs.

    Final results for this course will be made available through Access Adelaide.

  • Student Feedback

    The University places a high priority on approaches to learning and teaching that enhance the student experience. Feedback is sought from students in a variety of ways including on-going engagement with staff, the use of online discussion boards and the use of Student Experience of Learning and Teaching (SELT) surveys as well as GOS surveys and Program reviews.

    SELTs are an important source of information to inform individual teaching practice, decisions about teaching duties, and course and program curriculum design. They enable the University to assess how effectively its learning environments and teaching practices facilitate student engagement and learning outcomes. Under the current SELT Policy (http://www.adelaide.edu.au/policies/101/) course SELTs are mandated and must be conducted at the conclusion of each term/semester/trimester for every course offering. Feedback on issues raised through course SELT surveys is made available to enrolled students through various resources (e.g. MyUni). In addition aggregated course SELT data is available.

  • Fraud Awareness

    Students are reminded that in order to maintain the academic integrity of all programs and courses, the university has a zero-tolerance approach to students offering money or significant value goods or services to any staff member who is involved in their teaching or assessment. Students offering lecturers or tutors or professional staff anything more than a small token of appreciation is totally unacceptable, in any circumstances. Staff members are obliged to report all such incidents to their supervisor/manager, who will refer them for action under the university's student disciplinary procedures.

The University of Adelaide is committed to regular reviews of the courses and programs it offers to students. The University of Adelaide therefore reserves the right to discontinue or vary programs and courses without notice. Please read the important information contained in the disclaimer.