University of Surrey - Guildford
Registry
2010/1 Module Catalogue
Module Code: COM3010
Module Title: INFORMATION ASSET MANAGEMENT
Module Provider: Computing
Short Name: CS390
Level: HE3
Module Co-ordinator: SECCOMBE A Mr (Computing)
Number of credits: 15
Number of ECTS credits: 7.5

Module Availability
Semester 2

Assessment Pattern

Unit(s) of Assessment, with Weighting Towards Module Mark (%)

2 hour unseen examination
Weighting: 50%

Phase 1   Deadline: Week 2   Form Groups

Phase 2   Deadline: Week 4   Individual Report

Key Elements of Risk Management Frameworks

Identify and document the key aspects of 2 different formal high-level risk management frameworks, selected from the list provided. For the two frameworks you have selected, in addition to identifying and documenting the scope of normal use, key attributes and elements, you are expected to conduct a literature review in order to establish the current usage trends of the two frameworks, paying particular attention to finding and discussing recent publications on the frameworks concerned.

Addresses the following learning outcomes:

· Understand the different types of information threats and vulnerabilities that an information system may experience, and how they may impact businesses.
· Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.

Weighting: 10%

Phase 3   Deadline: Week 6   Individual Report

Major Information Asset Incident Research

Identify and research 2 major incidents directly impacting information assets.

In this case, an incident refers to an activity or activities that resulted in significant business impact to the organisation concerned and that was caused by the failure to properly manage one or more of the COBIT Information Criteria. You should each research and document the critical aspects of the incidents, paying particular attention to: the actors involved; the impact of the incident on the organisation concerned; and the threats, vulnerabilities, and control or process failures involved in the incident. Where possible, it will also be valuable to document the corrective actions taken by the organisation subsequent to the incident. While it is acceptable for individuals within the group to select the same incident to research, great care should be taken in such situations to avoid copying / plagiarism. Hint: Selection of well-publicised incidents will make this an easier task.

Addresses the following learning outcomes:

· Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.

Weighting: 10%

Phase 4   Deadline: Week 11   Group Report

Evaluate risk management elements (30%)

Critically evaluate the relative merits of elements of the risk management frameworks previously identified, as they relate to a specific incident.

Create an Information Risk Glossary and Concept Map, and then critically evaluate the relative merits of different elements of the risk management frameworks previously identified, as they relate to a specific incident. Identify the different elements involved in the risk management frameworks that you individually documented in Phase 2. (Choice of the depth of decomposition will be key to how well you are able to accomplish this phase: at too high a level (limited detail) the resultant evaluation will be hard to accomplish, while with too much detail you will not have time to complete the assignment.) Each group will be expected to determine how the work is divided for this phase; you are expected to demonstrate the contribution of each group member to the work.

Select one of the incidents documented by the members of your group, and then critically compare the implications of the various elements for this incident. This aspect of critical evaluation can be shared across the group. Identify the 3 primary elements that would have been most critical to managing the information assets involved. Additionally, recommend the appropriate controls that would be most critical to avoiding or mitigating the incident. State the reasons for your conclusions.

To address the following learning outcomes:

· Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
· Select appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.

Weighting: 30%

Qualifying Condition(s)

A weighted aggregate mark of 40% is required to pass the module.

Module Overview

In a world where collaboration is increasingly the norm, Information Assets are increasingly critical to the creation and protection of business value. Information Systems are used to store and disseminate these information assets within and between organisations. This module will explore the role of information professionals within organisations in Information Asset Management (IAM), opening with the framing and history of IAM. The module will use key industry resources, including but not limited to ISO 27005, ITIL, COBIT, VALIT, NIST 800 and FAIR. In particular, the module will use knowledge of business information systems to approach the analysis of business risk and the planning of information risk management, realised through a real-life case study. The results will be developed and presented in groups, and will detail a proposed solution, including policy development, benefit and risk analysis, and comparison of control and mitigation options.

Prerequisites/Co-requisites
None
Module Aims

This module will focus on the importance of managing information assets to maximise value and manage risk to an appropriate level in the real world. It will explore the various agencies, roles, policies, processes and technologies involved, while highlighting the importance of the role that Information Professionals, and others, need to play in managing information assets. To assist in this, external guest speakers from different areas of government and industry will be used.

Learning Outcomes

By the end of the module the student will be expected to be able to:

· Understand the different types of information threats and vulnerabilities that an information system may experience, and how they may impact businesses.
· Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
· Select appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.
· Ensure the security of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity, and availability of data and information.
· Show their understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practices and issues.
· Demonstrate their understanding of the techniques used to manage data and information within an organisation and as it crosses into and out of an organisation. This includes the IT and information management processes involved in the acquisition, creation, categorisation, storage, transfer and disposal of data and information.

Module Content

The module is divided into the following areas:

· Introduction: Framing and History
· Information Risk Management
    o Awareness
    o Assessment
    o Control/Mitigation
· Information Security
· Governance, Compliance & Regulations
· Data and Information Management Processes

Methods of Teaching/Learning

30 contact hours in weeks 1-10, consisting of:

· 21 hours of lectures, including at least 3 hours of guest lectures from industrial representatives.
· 9 hours of case study classes.

Selected Texts/Journals

Required Reading:

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/247-BSI.html

Recommended Reading:

http://www.isaca.org/Template.cfm?Section=COBIT6 (download the Executive Guide)
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk.html
https://buildsecurityin.us-cert.gov/daisy/bsi/articles/best-practices/risk/248-BSI.html

Other Relevant Sources:

http://delicious.com/adrius42/iamrisk
http://delicious.com/adrius42/iamcourse

Last Updated

Revised version uploaded 11 Feb 2011 jg