
Managing Cyber Risk, Audit and Compliance

Introduction

Cyber security consultants are often tasked with:

  • Providing advice regarding establishing and maintaining an information risk assessment and management framework.
  • Aiding clients in determining which risk assessment approach is the most appropriate for the business outcomes they wish to achieve.
  • Providing guidance on how identified risks can be strategically managed.

This module exposes participants to a range of approaches to information risk assessment and management. The emphasis is on the practical nature of the process, the issues managers face in the real world, and the importance of assessing information risk within the corporate context, so that information security and assurance strategies are aligned with business objectives and consistent with legal and regulatory obligations.
The module equips participants with detailed applied knowledge of how to establish and maintain a risk management framework, with a strong focus on cost effectiveness and value to the objectives of the business or enterprise. It also covers business continuity and resilience.
Participants will gain a detailed understanding of relevant cyber law, ethics, and the principles and rules of cyber security, data protection, consent and privacy. There is an emphasis on domestic legislation, cross-boundary issues and international efforts, as well as an examination of the legal issues surrounding the authorised conduct of cyber operations such as ethical (as opposed to unethical) hacking.

Objectives

  • Demonstrate a critical awareness of the key attributes of an information governance and compliance framework, and of the legal, regulatory and good-practice guidelines that govern information/data compliance across a range of organisational settings.
  • Apply an appropriate risk management approach to a given scenario to identify risk, determine risk probability, and identify mitigation strategies.
  • Provide original and creative critical responses to the task of developing an appropriate business continuity and disaster recovery plan for an organisation.
  • Demonstrate a critical awareness of the process of auditing information systems.

Syllabus

  • Risk assessment and management approaches and frameworks. International standards (ISO 27001 and ISO 31000); certification; the risk assessment and accreditation process; organisational life-cycle methodologies and processes; interpreting and implementing a security policy as an organisational Information Security Management System (ISMS) programme.
  • Information Governance. Strategic planning and best practices; policy development; business consideration and legal functions; E-discovery; standardisation and accepted practices; auditing and enforcement; monitoring; records management and inventorying; information governance in the Cloud; social media and mobile devices; maintaining an Information governance programme; capability maturity models.
  • Business continuity planning. Relating risks to mitigating safeguards and procedures; developing, reviewing and enacting business continuity plans.
  • Compliance and auditing. Regulation and compliance, including GDPR, the Data Protection Act and PCI DSS; understanding auditing standards such as the International Standards on Auditing (UK) (ISAs (UK)) and the International Standard on Quality Control (UK) (ISQC (UK)); security certifications; understanding auditability; the internal audit process.
  • Culture and Communication. Techniques and controls; culture and awareness; communicating risk and developing uptake.

Assessment

  • Risk Management Report (3,500 words, 100% weighting)

Duration

2 weeks, including 23 hours of lectures and 17 hours of tutorials.