Master of Business Administration, Cyber Security
Enrollment
02.12.2024 - 27.01.2025
Timing
09.01.2025 - 31.05.2025
Number of ECTS credits allocated
5 credits
Mode of delivery
Contact teaching
Campus
Kupittaa Campus
Teaching languages
- Finnish
Seats
10 - 36
Degree programmes
- Master of Business Administration, Cyber Security
Teachers
- Jani Ekqvist
Groups
- YKYBTK25
- YKYBIK25
Objective
After completing the course, the student can take an adversarial view of the organization’s own information systems and identify the attack surface. The student is able to find and exploit vulnerabilities in the system using common offensive tools. The student understands the effect the vulnerabilities have on the security of the organization’s information systems and is able to communicate it effectively to all stakeholders.
Content
- Penetration testing methods and processes
- Ethical and legal considerations
- Testing tools and techniques
- Reporting
Materials
We are using the TryHackMe.com training platform in addition to ItsLearning. Licenses for the duration of the course will be provided for the first attempt of the course.
Exam schedules
There is a compulsory exam about the legal aspects.
Completion alternatives
-
Student workload
Lectures 8h
Laboratory assignments 80h
Testing project 45h
Exam 2h
Content scheduling
The course begins with an introductory lecture. In the laboratory exercises, the student learns to use the tools of the trade. Finally, students perform a penetration testing engagement and report the results.
Further information
All communication will be through ItsLearning.
Evaluation scale
H-5
Assessment methods and criteria
The grade will be determined by the laboratory assignments and the report.
Laboratory assignments 50%, scale:
90% – 5
80% – 4
70% – 3
60% – 2
50% – 1
Report 50%
The report covers penetration testing of two target machines. The report is graded on a scale of 0-5.
To pass the course, the student must obtain a passing grade from the laboratory assignments, the exam and the report.
Assessment criteria, fail (0)
The student is unable to perform and report a penetration testing engagement independently.
Assessment criteria, satisfactory (1-2)
The student understands the basics of penetration testing and is able to perform a penetration test against a web application independently. The student can write an understandable and actionable report about the test results.
Assessment criteria, good (3-4)
The student has a good grasp of information security testing methodologies and tools. The student can independently test various types of internet-connected applications. The student can write an understandable and actionable report about the test results that contains guidance for both the management and the developers responsible for the application.
Assessment criteria, excellent (5)
The student has knowledge and is able to select the best-suited tool and methodology for the engagement. The student can independently test most types of internet-connected applications. The student can write a clear, concise and actionable report about the test results that effectively guides management decisions and provides the software developers with detailed guidance on both fixing the found issues and methods for avoiding similar issues in the future.
Enrollment
02.12.2024 - 26.01.2025
Timing
01.01.2025 - 31.07.2025
Number of ECTS credits allocated
5 credits
Mode of delivery
Contact teaching
Campus
Kupittaa Campus
Teaching languages
- Finnish
Seats
10 - 36
Degree programmes
- Master of Engineering, Cyber Security
- Master of Business Administration, Cyber Security
Teachers
- Pia Satopää
Groups
- YKYBTK25
- YKYBIK25
Objective
The student will
• Understand the administrative and technical basics of information and cybersecurity
• Recognize the operational environment and threats, and be able to assess the impact of information and cybersecurity on organizational operations
• Understand the significance of a security culture for information and cybersecurity
• Be capable of planning, drafting, and implementing an information security policy for the organization
• Recognize the importance of information classification for safeguarding organizational information and be able to classify information and information systems
• Grasp the importance of competence and awareness in achieving information and cybersecurity
• Be able to assess the organization's level of cybersecurity competence (maturity) and plan and implement an organizational cybersecurity awareness program/training (awareness)
• Identify the importance of risk management in achieving information and cybersecurity
• Understand the significance of assessments and audits for continuous improvement
Content
• Operational environment and threats
• Impact and influence
• Competence and awareness
• Information security culture
• Information security policy, guidelines, models, frameworks
• Information classification
• Risk management and controls
• Auditing
SUMMARY
Upon completing the course, the student will possess a comprehensive understanding of information and cybersecurity concepts, as well as practical skills to assess and enhance the level of information and cybersecurity competence within an organization. The student will be capable of contributing to the planning and implementation of effective administrative controls, trainings, and policies related to information and cybersecurity. They will have the capability to assess the security situation and plan development measures.
Materials
The learning environment used is the It’s Learning platform provided by Turku University of Applied Sciences. All course materials and remote assignments are distributed through the platform. Any peer assessments will also be conducted within the system.
International connections
The pedagogical models and practices include applied problem-based learning, collaborative learning, and collaboration with work life. Peer learning during on-site days, through experience sharing and discussions, is an essential part of the content of these sessions.
Student workload
The course includes both group and individual assignments. As a rule, all assignments must be submitted.
Failure to submit an assignment will lower the grade.
Further information
The It’s Learning platform used by Turku University of Applied Sciences serves as the communication channel for the course.
Evaluation scale
H-5
Assessment methods and criteria
The course performance is assessed through individual and group assignments completed between on-site sessions. The assignments are essay-based and may include peer assessment. The key focus of the assignments is to critically reflect on the organization's current state and evaluate potential areas for improvement.
Assessment criteria, fail (0)
The student has not participated in on-site teaching or group work. The required written assignments are incomplete, and/or the student's skills are seriously lacking.
Assessment criteria, satisfactory (1-2)
The student has participated poorly in on-site teaching and group assignments. Based on the assessed written outputs, the student has difficulty understanding the fundamentals of information and cybersecurity.
Assessment criteria, good (3-4)
The student has actively participated in on-site teaching, group assignments, and discussions. The student is able to apply their learning to their own job role or work environment. They are capable of comprehensively and critically evaluating what they have learned through the assignments from the perspective of business and their own organization.
Assessment criteria, excellent (5)
The student's thinking is independent and comprehensive. They demonstrate a broad understanding of information and cybersecurity as part of business operations. The student has produced excellent written outputs, showcasing their ability to apply their learning to the needs of different organizations. They exhibit versatile and creative thinking as well as a holistic understanding of the importance of information and cybersecurity for organizational operations.
Enrollment
02.12.2024 - 23.03.2025
Timing
01.01.2025 - 31.07.2025
Number of ECTS credits allocated
5 credits
Mode of delivery
Contact teaching
Campus
Kupittaa Campus
Teaching languages
- Finnish
Seats
10 - 36
Degree programmes
- Master of Engineering, Cyber Security
- Master of Business Administration, Cyber Security
Teachers
- Pia Satopää
Groups
- YKYBTK25
- YKYBIK25
Objective
Students will be able to:
• Comprehend the basics of information and cyber security management
• Recognize management's responsibility for information and cyber security
• Identify the significance of information and cyber security for organizational business operations
• Evaluate the organization's competency level in information and cyber security and design and implement training programs
• Understand processes, management tools, and personnel and supply chain-related aspects of information and cyber security management
• Effectively assess risks in the cyber operational environment
• Appreciate the importance of situational awareness in crisis management
• Comprehend the content and significance of an Information and Cyber Security Management and Governance System (ISMS) for the organization
• Design and implement an ISMS and tailor it to the organization's specific needs
• Understand the importance of supply chain and contract management for the organization's information and cyber security
• Plan business preparedness and understand its alignment with the organization's strategy and business processes
• Recognize the importance of crisis management plans, crisis communication, and leadership training
SUMMARY
This course provides students with a comprehensive understanding of information and cyber security management and leadership, covering topics such as risk management, preparedness, continuity management, recovery, supply chain and contract management, and the implementation of an Information and Cyber Security Management and Governance System (ISMS). Students will also understand the importance of situational awareness in crisis management and will be equipped to plan and implement effective strategies. By the end of the course, students will have the skills to design and implement an ISMS, evaluate risks, develop preparedness plans, and comprehend the significance of these practices in maintaining a secure organizational environment.
Content
• Fundamentals of Information and Cyber Security Management
• Risk Management as a Part of Leadership
• Preparedness, Continuity Management, and Recovery
• Supply Chain and Contract Management
• Information and Cyber Security Management and Governance System (ISMS)
• Leadership Situational Awareness
• Training as a Component of Management and Governance
Materials
The learning environment used is the It’s Learning platform provided by Turku University of Applied Sciences. All course materials and remote assignments are distributed through the platform. Any peer assessments will also be conducted within the system.
International connections
The pedagogical model and practices are based on problem-based learning, collaborative learning, and cooperation with the working life. Assigning remote tasks to the students' own employer organization benefits both the employer and the student. Peer learning during in-person sessions, through sharing experiences and discussions, is an essential part of the content of the on-site days. The course may also feature guest lecturers, providing students with the opportunity to ask questions to industry experts and deepen their own learning.
Further information
The It’s Learning platform used by Turku University of Applied Sciences serves as the communication channel for the course.
Evaluation scale
H-5
Assessment methods and criteria
The course performance is assessed through individual and group tasks completed between in-person sessions. These tasks are in the form of essays or other types of peer-reviewed deliverables, related to the methods and maturity level of the student's own organization, where possible. The tasks focus on information and cybersecurity management, risk management, and information security management systems. A key aspect of the tasks is critically analyzing the organization's current state and evaluating potential areas for development.
The goal of peer assessments is to provide students with an understanding of how information and cybersecurity are addressed at different levels in organizations and to offer ideas for improving their own organization. Peer reviews focus on constructive and analytical feedback. Participation in in-person sessions is recommended, but there is no mandatory attendance. However, attending the in-person session provides better preparation for succeeding in the remote tasks. If a student is absent from an in-person session, an alternative assignment can be given.
Assessment criteria, fail (0)
The student has not participated in on-site teaching or group work. The required written assignments are incomplete, and/or the student's skills are seriously lacking.
Assessment criteria, satisfactory (1-2)
The student has participated poorly in on-site teaching and group assignments. Based on the assessed written outputs, the student has difficulty understanding the management and leadership of information security and cybersecurity.
Assessment criteria, good (3-4)
The student has actively participated in on-site teaching, group assignments, and discussions. The student is able to apply their learning to their own job role or work environment. They are capable of comprehensively and critically evaluating what they have learned through the assignments from the perspective of business and their own organization.
Assessment criteria, excellent (5)
The student's thinking is independent and broad. The student is able to understand information and cybersecurity management as part of business and strategy. The student has produced commendable written work, demonstrating the ability to apply what they have learned to the needs of different organizations. The student shows diverse and creative thinking, as well as a comprehensive understanding of the significance of information and cybersecurity management for the organization's operations.