
School of Computing and Engineering

Park Campus, Cheltenham


www.glos.ac.uk

CT6033 Cyber Security Management
Module Guide 2021/2022

Module Leader | Jordan Allison | jallison1@glos.ac.uk

University of Gloucestershire 2021

All rights reserved. No part of this publication may be reproduced, stored or transmitted in any form or by any means, including – but not limited to – photocopy, recording, or any information storage and retrieval system, without the specific prior written permission of University of Gloucestershire.

The University of Gloucestershire is a company limited by guarantee registered in England & Wales. Registered office: The Park, Cheltenham, GL50 2RH.
Together we make an unstoppable team
TABLE OF CONTENTS

1) MODULE OVERVIEW
2) MODULE LEARNING OUTCOMES
3) MODULE EVALUATION
3.1) Evaluation for 2020/2021
3.2) Evaluation for Current Year
4) SCHEME OF WORK
5) ASSESSMENT 1

1) MODULE OVERVIEW
This module aims to critically evaluate and synthesise cyber security management. This is
a multi-faceted subject addressing the socio-technical elements of cyber security. Students
will learn the strategic components of cyber security: governance; aligning cyber security
strategy with business requirements, goals and objectives; protecting organisations; threat
identification; risk assessment and management; security context; breach management;
and cyber security roadmaps and frameworks. The module will allow students to understand how
to design a cyber-intelligence framework for organisations.
Location: Park Campus, Cheltenham
Scheduled learning and teaching activities: 24 hours

2) MODULE LEARNING OUTCOMES


A student passing this module should be able to:

1 Critically evaluate and synthesise cyber security management components to understand and develop a cyber-intelligence framework for organisations.

2 Critically analyse and evaluate the components of cyber security governance to sustain and improve the security posture of an organisation.

3 Analyse and evaluate the legal, ethical and privacy concerns and frameworks of cyber security management.

4 Critically evaluate cyber security policies, standards, processes, guidelines, and baselines.

5 Evaluate and synthesise the components of risk management, operational security, auditing, assurance, and review.

6 Effectively communicate the various areas and topics of cyber security management, present arguments, and analysis in a clear and concise manner to stakeholders and management.

3) MODULE EVALUATION
3.1) Evaluation for 2020/2021

There were some interesting evaluations from the students, given that this was the first time
this module was being delivered. Positive comments from the feedback indicated a successful
run of the module. Some interesting feedback was received in the areas of standards and policies,
as students were not aware of some of the standards that are currently being used. Most
students found the module interesting and challenging.

3.2) Evaluation for Current Year

In this current academic year 2021/22, you will be given the opportunity to undertake a mid-module
evaluation. This will contribute to the course board of studies meeting and will inform the module
design for the following year. In addition, there will be an independent end of year level evaluation
distributed by the University known as the Annual Course Evaluation (ACE).

Additionally, you will be given the opportunity to give continual feedback anonymously via Padlet:
https://padlet.com/jrallison1/az6py80n7mv3zkjj

4) SCHEME OF WORK
Detailed in the table below are the commencing dates, lecture sessions and discussion
sessions, with the associated lecturer. This is an indicative scheme of work and subject to
change.

Week | Commencing | Topic
25 | 17/01/2022 | Introduction to Cyber Security Management
26 | 24/01/2022 | Risk Analysis
27 | 31/01/2022 | Risk Assessment
28 | 07/02/2022 | Cyber and Technical Computing YFP Week
29 | 14/02/2022 | Misperception of Risk
30 | 21/02/2022 | Understanding your Organisation / Assignment Workshop 1
31 | 28/02/2022 | University YFP Week
32 | 07/03/2022 | Approaching Organisations / Interview Guidance
33 | 14/03/2022 | Policy
34 | 21/03/2022 | Managing Risks with Controls
35 | 28/03/2022 | Network Controls
36 | 04/04/2022 | Physical Security Controls
37 | 11/04/2022 | Easter Holidays
38 | 18/04/2022 | Easter Holidays
39 | 25/04/2022 | Easter Holidays
40 | 02/05/2022 | People and Culture / Assignment Workshop 2
41 | 09/05/2022 | Feedback Presentations / Module Review
Assignment due on 16th May 2022

5) ASSESSMENT 1
1. Module Code and Title: CT6033 Cyber Security Management.

2. Module Tutor: Jordan Allison

3. Tutor with Responsibility for this Assessment: Jordan Allison. This is your first point of contact.

4. Assignment: 001: 100% Coursework: Individual, standard written: 3000 words or equivalent: Individual based on the written assignment.

5. Submission Deadline: Monday 16th May 2022 - Report submission. Your attention is drawn to the penalties for late submission; see Academic Regulations for Taught Provision.

6. Arrangements for Submission: MOODLE

7. Date and Location for Return of Work: Written feedback and a provisional mark should be within 20 working days.

8. Students with Disabilities: Alternative assessment arrangements may be made, where appropriate, for disabled students. However, these will only be implemented upon the advice of the disability advisor. Disabled students wishing to be considered for alternative assessment arrangements must give notification of the disability (with evidence) to the Disability Advisor by the published deadlines.

9. University Regulations for Assessment: All assessments are subject to the Academic Regulations for Taught Provision. These include regulations relating to errors of attribution and assessment Offences. In exercising their judgement, examiners may penalise any work if the standard of English, numeracy or presentation adversely affects the quality of the work, or where the work submitted exceeds the published size or time limits, or where the work fails to follow normal academic conventions for acknowledging sources.

10. The Requirements for the Assessment:
Scenario: Based on a real mid-size SME in UK, provide a full Cyber
Security management report which analyses the current stage
of the company and provides policies and guidelines to
address and manage security risks in the company. You can
lay down assumptions if some information is not available
about the company. The report should be detailed rather than
a general discussion about cyber security management. I
encourage you to have some interviews with the company to
make your report as real as possible. However, this is not
compulsory for the assignment.
A template for the report could be (but is not limited to) the following:
1. Introduction
2. Organization: Introducing the company and current stage the company is in.
3. Cyber Security Management Plan: Describing your management plan in detail considering physical, cyber and social aspects of cyber security.
4. Conclusion
5. References
6. Appendices

11. Special Instructions: None

13. Associated Learning Outcomes:

1 Critically evaluate and synthesise cyber security management components to understand and develop a cyber-intelligence framework for organisations;

2 Critically analyse and evaluate the components of cyber security governance to sustain and improve the security posture of an organisation;

3 Analyse and evaluate the legal, ethical and privacy concerns and frameworks of cyber security management;

4 Critically evaluate cyber security policies, standards, processes, guidelines and baselines;

5 Evaluate and synthesise the components of risk management, operational security, auditing, assurance and review;

6 Effectively communicate the various areas and topics of cyber security management, present arguments and analysis in a clear and concise manner to stakeholders and management.

Please note, your overall grade will be determined in accordance with the School of
Computing and Engineering assessment criteria grid as detailed below.

Each mark band below lists: Mark %; Grade & Characteristics; Theory & Academic Approach; Practice & Deliverables.

Mark %: 0
Grade & Characteristics: Fail
Theory & Academic Approach: plagiarism, collusion, non-pres., name only
Practice & Deliverables: as theory

Mark %: 1-39
Grade & Characteristics: Reassess: inadequate but recoverable with effort
Theory & Academic Approach: no understanding, very short, inadequate, factual but little interpretation, lacks coherence, short, errors, misconceptions, coherent but mechanical notes, partial - rudimentary answer, limited interpretation, lack of knowledge of topic, no evidence of background reading, weak English but some appropriate use of language of topic.
Practice & Deliverables: poor effective deliverables, requirements not met, deliverables partially complete, limited response to brief.

Provides very limited information on this.

Mark %: 40-49
Grade & Characteristics: 3rd, D. Pass: Sufficient for award of credit. adequate mainly descriptive approach, fair, limited conceptual or theoretical ability
Theory & Academic Approach: adequate response, demonstration of basic knowledge, relevant content, clear intention communicated, evidence of reading, acceptable minimum level of English for business presentation but may lack precision, some limited analysis / application of knowledge / theory / weighting of evidence, inconsistent
Practice & Deliverables: deliverables meet basic requirement correctly but limited, just adequate but not innovative, interesting or exciting, for higher marks, 45+ just exceeds minimum specification, might be good in some areas but not consistent

Provides good summary into the following:
- The report
- Justifies why report has been written based on key findings, current security posture of SME and identification of stakeholders of the SME, assumptions about this SME and its current security posture. By security posture, it is important that you discuss why it is important that the SME has a good security posture.
For example, you can ideally look at the challenges this SME may face based on its current security posture.

Mark %: 50-59
Grade & Characteristics: 2ii, C. Satisfactory. Satisfactory with some conceptual ability but lacks good evaluation or synthesis of ideas
Theory & Academic Approach: good response to task, collates info, satisfactory analysis & judgement, constructs generalisations based on evidence & opinion, argues clearly, logically & constructs a case, some limited ability to state a personal position, correct English with few imprecise statements
Practice & Deliverables: good deliverables, some evidence of good design or execution, coherent and organised product, some limited evidence of self-criticism concerning deliverable, some independence, initiative, autonomy, appropriate techniques, integration of knowledge for task

Provides detailed information on:
- assets, security issues, cyber security management components and framework
- You are able to provide the relationship that exists between the organisation’s security posture and security risk.
- Provides relevant and well-laid out assumptions on staff, assets, policies,
For example, you can use examples/scenarios providing information about the assets that exist within this organisation. Avoid the use of generic discussion. This should be relevant to the SME and the assumptions that you have laid out.

Mark %: 60-69
Grade & Characteristics: 2i, B. Good. Good analysis, evaluation, synthesis, integration & argument.
Theory & Academic Approach: evaluates info. & synthesises generalisations, good ability to state & defend personal position, good analysis & judgement, applies knowledge to new situations, sound on theory, critical, understands limitations of methods, selective coherent & logical approach, well written with clear, correct and precise English
Practice & Deliverables: all criteria met to good standard, evidence of good design or execution, good integration of academic & practical issues, solid evidence of self-critique/evaluation of deliverables, products well organised - documented - coherent. Evidence of independence, initiative, autonomy, creativity, adaptability, resourcefulness. Integration of knowledge,

You are able to provide relevant and detailed discussion on a relevant solution and a Robust Cyber Security Management Plan suited to the SME by providing the following
- Cyber Intelligence framework or a variety of Cyber Intelligence Frameworks might help in solving the problems (risks, threats, vulnerabilities) that you have identified and improve the security of the SME. No generic discussion.
- Relevant discussion provided on different aspects of cyber security e.g. physical, social, cyber security management frameworks

Mark %: 70-79
Grade & Characteristics: First class, A, Excellent. as above but also stronger evidence of excellent, original, innovative, articulate work
Theory & Academic Approach: very strong ability to state & defend position, uses criteria & weighting in judgements, wide knowledge and theoretical ability, full understanding of possibilities and limitations of methods & theories, 75+ more original, innovative approach, command of critical positions, lively articulate writing, excellent grasp of material - synthesis of ideas
Practice & Deliverables: most criteria met to high standard, strong evidence of evaluation of deliverables, 75+: deliverables excellent - all criteria met in clear and definite manner, evidence of excellent design or execution, elegance, innovation, very good evaluation of deliverables,

You are able to critically explain and evaluate with good use of examples the following
- the evolving landscape of cybersecurity.
For example, addressing this from the point that threats and threat actors are likely to change and that your cyber management report plan makes use of frameworks that are reassessed regularly
- A robust explanation on the value the relevant solution provides and show how the proposed plan improves the security posture of the organisation

Mark %: 80-89
Grade & Characteristics: Outstanding. as above but also authoritative, superlative, creative
Theory & Academic Approach: as above but also: - seen all possibilities in task, gone beyond accepted conceptual/critical positions, evidence of creative, intelligent, innovative approach consistently & forcefully expressed.
Practice & Deliverables: as above but also: - all aspects of deliverables superlative. beyond 80% emphasis on theory rather than practice/deliverables

You are able to critically explain the following:
• The laws, standards, policies and guidelines that will be used to address the security risks you have identified and why.
For example, a medical research organisation will need to protect its data (asset). It is important that you identify why it is important this data is protected in the context of the medical research organisation. You can explore the different types of data processed by this organisation such as Sensitive information, Personal Information, Private information and provide a management plan in terms of security controls and what data protection laws may be used to improve the privacy of data e.g. GDPR

Mark %: 90-100
Grade & Characteristics: Faultless
Theory & Academic Approach: as for 80-89 but also: - all work superlative & without fault
Practice & Deliverables: as for 80-89
