Information Security and Risk

Study mode: On campus Study type: Full-time Languages: English
Local: $6.35 k / Year(s) Foreign: $8.57 k / Year(s)
StudyQA ranking: 2298 Duration: 24 months


Concerns about cyber security and information risk have led to a growing market for technical specialists, but there is also a need for more senior professionals with an awareness of both the technical and the business issues who can bridge the gap between IT security and business risk. Such professionals would be responsible for drawing up organisation strategies for managing risk, identifying trade-offs between multiple risks and the cost of protection, and advising higher management on these issues. Typical roles might include Security Architect, Chief Information Risk Manager, or Chief Security Officer.

This Masters course is aimed at IT professionals with about 5 years' experience and is intended to provide them with the skills that they need to progress to a management role in information security and risk. It covers technical issues such as information security, quantitative risk assessment, and assurance, as well as more business-oriented issues such as information leadership and executive development. It will be led by academics from the School of Informatics, with input from Cass Business School and experts from industry.

Why you should study for the MSc in Information Security and Risk (MISR) at City University London:

* Learn about both the technical and the business issues that can bridge the gap between IT security and business risk.
* Understand how to communicate these risks to both the technical staff and the executive business team (CEO, CIO, CFO and COO) in a language they share.
* Focus on human-machine interaction and decision making within today's increasingly complex Political-Economical-Socio-Technical (PEST) systems.
* Find out about the latest industry and government standards, legislation and best practice from leading technical experts.
* Network with your peers to compare and contrast best practices from different industries.

The course supports the extra breadth of knowledge required by people with professional experience to progress towards target roles in management or consulting on security, assurance and risk. This extra breadth is in the directions of:

* principles of security and resilience
* understanding of risk as a socio-technical rather than technical issue
* a common framework for considering risks with technical and human, accidental and malicious causes
* analysis of assurance (systems and policies) beyond mere compliance with standards and rules
* as well as professional development and leadership

Course Structure
Modules providing Professional Skills:

Information Leadership
* The role of the CIO/information leader past, present and future
* Relationships with key executive posts such as CEO, COO, CFO
* Talent management: the information leader's team, key IT functional roles and technology specific issues
* Financial context: budgeting, corporate/public sector financial reporting, balance sheets, cash flow, income/expenditure, etc. Management accounting issues
* Purchasing, third-party and customer/supplier management
* Introduction to IT governance, legal/regulatory issues and the role of policy and standards
* Information as a source of competitive advantage: when IT does and doesn't matter.

Executive Development
* Competency frameworks, qualifications and CPD, including IISP, SFIA, ITIL, BCS and industry certifications
* Personal SWOT analyses and action planning
* Developing behavioural competencies in an organisational context: leadership, team working, communication, negotiation, and influencing
* Reflection, performance appraisal, mentoring and coaching
* Project, programme and change management in uncertain environments
* Communities of practice and professional identity.

Socio-technical Systems
* The concept of socio-technical system; examples of errors caused by technical-only analysis of IT based systems
* Introduction to Human Factors, cognitive processes, assessment of human performance and human error
* Unexpected effects of automation on work organisation, behaviour and performance
* The psychology of risk perception and communication
* Models and empirical studies of responsibility, trust and trustworthiness
* Psychology of security and social engineering attacks
* Organisational factors: roles of culture and incentives
* Approaches to the study of risk and risk management in socio-technical systems: "Normal accidents", "High reliability organisations", "Resilience engineering".

IT Risk Management for effective performance and the prevention of fraud, error and disaster
* The assurance gap - how to identify the black hole between the Board's understanding of the governance of the organisation and the operational reality
* IT Risk Management - how to ensure that IT risks are part of the enterprise risk management process
* IT Audit - the multi-layered approach to identifying the effectiveness of controls over the systems life cycle, the operational efficacy and the security of the IT resource
* IT Governance - demonstrating the need for transparency and integration of the IT resource
* Continuous Monitoring and Continuous Audit - the new dynamic - providing assurance that events - specifically IT related events - are controlled in real time - or close to real time
* Best Practice IT workshop including case studies showing the causes of major IT failures
* Prevention of Fraud, denial of service.

Specialized Security and Risk Modules:

Information Security Management
* Information Security in the 21st century, evolving threats and defences
* Security policies and governance; Role of standards, guidelines and legislation
* Communicating security and risk issues to general and executive audiences
* Selecting and evaluating strategies and technologies for organization wide security.

IT Risk and Resilience
* Basic concepts, definitions and types of requirements in dependability, security, resilience including reference to the relevant international standards and adopted good practices
* Systematic methods for identifying vulnerabilities and threats; basic concepts and examples about means for achieving resilience and security: avoidance, prevention, removal, mitigation and recovery at the technical and at the organisational levels
* Fundamental design trade-offs in formulating information security/resilience strategies; introduction to the means for assessing dependability and resilience and information assurance methodologies
* Basic concept of the risks due to the interdependencies between critical infrastructures (e.g. power grid reliance on telecommunication and vice versa) and methods for their quantification and management (interdependency analysis).

Quantitative Risk Analysis
* Quantifying risk. Probabilistic models. Statistical inference
* Subjective probabilities and Bayesian inference
* Dependent events. Dependent random values
* Worst / best case estimates of probabilities and random values
* Models of defence / protection
* Presenting results of risk analysis

Assurance Cases
* The nature of the assurance and evaluation problem for computer based systems
* Deriving and structuring of claims in an assurance case; claim expansion from architecture; from dependability attributes.
* The role of standards, policies and regulations in deriving claims and argument strategies
* Evidence and arguments for different attributes
* Reviewing and assessing cases; improving communication. Developing cases for a range of stakeholders - from "boardroom to back office"
* Cases for specific classes of systems. Issues of scalability
* The use of tools for assurance cases (e.g. ASCE).

Students also take an independent individual project, which applies the technical contents of the course to a concrete problem. The project may be executed during an internship in an outside organisation, within a successful internship scheme.

2013/14, Semester 1 (October-December)
* IT Risk and Resilience
* IT Risk Management for effective performance and the prevention of fraud, error and disaster

2013/14, Semester 2 (January-April)
* Quantitative Risk Analysis
* Executive Development

2014/15, Semester 1 (October-December)
* Information Security Management
* Information Leadership

2014/15, Semester 2 (January-April)
* Socio-Technical Systems
* Assurance Cases

You should have a first or second class BSc Honours Degree (or equivalent non-UK qualification). You should also have approximately 5 years of relevant professional experience (absolute minimum of 2 years in exceptional circumstances). You should also have basic competence and familiarity with mathematics and good professional English.

For students whose first language is not English, one of the following qualifications is also required:

* IELTS: 7
* TOEFL (internet-based): 107

IMPORTANT NOTE: Since April 2014 the ETS tests (including TOEFL and TOEIC) are no longer accepted for Tier 4 visa applications to the United Kingdom. The university might still accept these tests to admit you to the university, but if you require a Tier 4 visa to enter the UK and begin your degree programme, these tests will not be sufficient to obtain your visa. The IELTS test is most widely accepted by universities and is also accepted for Tier 4 visas to the UK.

Scholarships and Bursaries

* UK/EU applicants - up to £2,000
* International (Non-EU) applicants - up to £2,000
* Loyalty Bursary Scheme for City University London graduates - up to £2,500
