Security Audit & Compliance
Requirements
This is a formal piece of work covering all LOs in the Module Descriptor. This is a two-part assessment, consisting of a preliminary assessment and a final report. Together they are worth 90% of your mark for the module. The other 10% is made up of your responses to the ten end-of-unit tests.
These courseworks address all of the module Learning Outcomes (LOs):
LO1: Demonstrate an understanding of the roles and responsibilities of the professionals involved, including practical application of codes of practice/ethics.
LO2: Review and critically appraise relevant laws and relevant standards, their interrelationships and international trends in their development.
LO3: Critically appraise the principles of information security management systems and the roles of risk management, controls and audit in supporting IS governance.
LO4: Demonstrate an understanding of the role of human and organisational factors in delivering information security.
LO5: Research, examine and evaluate relevant academic literature and real-world situations, identify issues and solutions and make recommendations to management.
Context
You are a newly recruited information security expert at Napier Partners LLC, an international firm of consultants with offices across the world. Existing and prospective clients include commercial companies, public sector organisations and the third sector.
In the light of many recent high-profile, poorly-handled information security incidents, you have been asked to demonstrate your knowledge of industry and current academic research by writing a 3000-word white-paper style report. This should be aimed at senior management of clients and potential clients. The report should research and evaluate the business challenges presented by one of the topics listed below, identifying the information security risks involved and possible responses.
You should base your report on academic and credible professional sources. Illustrate and analyse the issues using examples from current news stories (from 2018 onwards). It should be clear how you decided the sources used can be considered credible.
Topics
Choose ONE of these topics:
1. Control over information in a serverless computing context, digital supply chains and the move to hosting core information on externally supplied services. A review of cloud services is not expected.
2. The management of digital identities and access for employees and/or customers in a distributed environment.
3. The interaction of culture and technology in together managing insider threats and social engineering.
4. Issues with incident response models in the context of the evolving threat of ransomware.
5. Managing the security risks in rapid/agile system development processes.
Part A: Preliminary assessment
This coursework will be used to give you feedback on your progress and writing skills. You are required to submit this before you can complete and submit the coursework described in Part B below. This is worth 10% of the module marks.
NB: You are allowed to adapt, reuse or amend the material from Part A to help you complete Part B.
Requirement
You are required to write a brief 500-700-word pitch to your manager which explains which topic you wish to write about, giving an overview of the aim and scope of the white paper you will write, and its intended purpose. It can be sector and country specific if you wish.
It should make use of enough academic and professional sources to demonstrate that you are able to find and explain relevant material. You should therefore base your article around at least 5 (and no more than 10) relevant and good quality sources. You may use any of the module materials, resources or any other relevant materials that you find.
The pitch should be supported by correctly formatted references. It can include one or two diagrams or tables, and include appendices with supplementary information.
Part B: Final report
This is worth 80% of the module marks. You are allowed to adapt, use or amend the material from Part A to help you complete Part B.
In this part, you are required to submit the completed white paper.
Required structure
In more detail, the report should be structured as follows:
• Cover sheet (as described below)
• Executive summary (this does not count towards the 3000-word limit)
• Introduction: An overview of the aim and scope of the white paper and its intended purpose, and the context (e.g. the sector and region being addressed, if relevant).
• Context: An overview of the area under discussion, making use of relevant academic and professional sources, explaining key terms and concepts. Relevant frameworks and laws should be identified and evaluated.
• Current issues: An evaluation of current issues in the selected area, illustrated using examples from relevant and current news stories. It should explain how they relate to the topic that you have selected and identify the challenges they create for management.
• Implications for management: Should identify and evaluate:
o Any ethical, governance and compliance challenges raised
o The professional roles involved
o The relationship with other information security processes (for example risk management, incident response)
• Conclusion: Should wrap up the discussion, identify key points and recommendations to management, and consider the impact of any likely developments in the next few years.
• References: All sources, formatted as described in the next section
• Optionally: Appendices.
Information Security issues are now regularly in the news and well reported, so you should have no problems finding examples to illustrate your report.
Remember, professional presentation and use of diagrams are a key part of getting your message across in this type of report.