Advanced Information Security Risk ManagementLaajuus (5 cr)
Code: TE00CP91
Credits
5 op
Enrollment
02.12.2023 - 11.01.2024
Timing
11.01.2024 - 30.04.2024
Number of ECTS credits allocated
5 op
Mode of delivery
Contact teaching
Unit
Engineering and Business
Campus
Kupittaa Campus
Teaching languages
- English
Seats
30 - 70
Degree programmes
- Degree Programme in Information and Communication Technology
- Degree Programme in Business Information Technology
- Degree Programme in Information and Communications Technology
Teachers
- Mika Koivunen
Teacher in charge
Pia Satopää
Groups
-
PTIVIS21TData Networks and Cybersecurity
-
PTIETS21dncsPTIETS21 Data Networks and Cybersecurity
Materials
Materials used in the course:
1. ISO27005 standardi
2. Sutton, David (2021): Information security risk management : a practitioner's guide: https://ebookcentral.proquest.com/lib/turkuamk-ebooks/detail.action?docID=6733537
3. Ilmonen, I. & al. (2022): Johda riskejä: käytännön opas yrityksen riskienhallintaan: https://turkuamk.finna.fi/Record/turkuamk.995697291505970?sid=3091696371
4. https://www.enisa.europa.eu/publications/interoperable-eu-risk-management-framework
5. Enisa Threat Landscape 2023 https://www.enisa.europa.eu/publications/enisa-threat-landscape-2023
And potentially other relevant materials
Teaching methods
Theoretical part through lectures and independent study. Guidance through remote meetings as needed. Practical risk assessment work requires acquiring the target company and maintaining communication with the responsible party. On site meetings for guidance, peer support, sharing experiences, project presentations, and evaluations in the upcoming days
International connections
Active project-based learning and problem-solving
Completion alternatives
-
Student workload
Review of the theory section of the information security risk management course and an extensive risk management project
Content scheduling
Information and Cybersecurity are critical areas in modern organizations, and the importance of risk management has been further emphasized. This practical project-based course in risk management provides students with an opportunity to apply the principles and methods of information and cybersecurity risk management in practice. The course aims to develop students' skills in risk identification, assessment, and management, preparing them for future careers in the field of information and cybersecurity.
Course Content:
Prerequisite for this course is a course in information security risk management, covering the ISO 27005 standard risk management process. Students should have a good understanding of the stages of the information and cybersecurity risk management process, including risk identification, assessment, management, and monitoring. The process and stages are reviewed at the beginning of this course.
The student acquires a small or medium-sized organization for which they will conduct a risk assessment. The student is responsible for contacting the organization's representatives. The work can be done individually or in pairs
Students will apply the ISO 27005 standard, along with other risk management frameworks and best practices, to their selected target organization. They will perform the risk assessment and document the results. At the end of the course, students will compile a final report, including the risk assessment findings and recommendations for the target organization. They will present their findings to the class and possibly to representatives from the chosen organization.
Requirements:
Participation in this course requires prior knowledge of information and cybersecurity risk management. Students must also select a target organization for the risk assessment.
This course offers students a unique opportunity to apply their knowledge of risk management to a real-world project and prepares them for careers in the field of information and cybersecurity.
Timeframe:
Spring 2024. Bi-weekly in-person meetings and bi-weekly online meetings based on separate reservations
Evaluation scale
H-5
Assessment methods and criteria
Review task for the theory section 10%
Implementation, documentation, and feedback from the organization for the risk assessment 90%
Assessment criteria, fail (0)
No risk assessment has been conducted
Assessment criteria, satisfactory (1-2)
A brief risk assessment and satisfactory feedback from the organization.
Assessment criteria, good (3-4)
A fairly comprehensive risk assessment and positive feedback from the organization
Assessment criteria, excellent (5)
A comprehensive risk assessment and excellent feedback from the organization