Field | Details |
---|---|
Unit convenor and teaching staff | Milton Baar (Unit Convenor), contact via milton.baar@mq.edu.au |
Credit points | 4 |
Prerequisites | Admission to MInfoTech or MEng or MSc |
Corequisites | none listed |
Co-badged status | none listed |
Unit description | The intent of this unit is to provide students with a working knowledge of commercial information security governance requirements, tools and techniques. The unit has a practical focus, with tutorial and laboratory work that will include aspects of physical security and hacking, information security architectures, and the creation of a dummy company on which the tools and techniques will be developed and tested. Topics include an introduction to information security, standards and governance, risk management concepts, security threats, controls, practical hacking, server hardening, evidence collection, business continuity planning and DRP, creating an enterprise information security framework, and EISF/ISMS certification. |
Information about important academic dates including deadlines for withdrawing from units are available at https://www.mq.edu.au/study/calendar-of-dates
On successful completion of this unit, you will be able to:
Name | Weighting | Hurdle | Due |
---|---|---|---|
Quiz 1 | 10% | No | 22/8/2017 |
Lab work review | 20% | No | 3/10/2017 |
Quiz 2 | 10% | No | 3/10/2017 |
Assignment | 20% | No | 7/11/2017 |
Quiz 3 | 10% | No | 31/10/2017 |
Industry presentation | 30% | No | 7/11/2017 |
Quiz 1 (Due: 22/8/2017, Weighting: 10%)
The multiple choice quiz has a time limit of 30 minutes and is conducted online using iLearn. It will cover the material in lectures from weeks 1-4 inclusive.
Lab work review (Due: 3/10/2017, Weighting: 20%)
This is due to be handed in at the end of the last week of the mid-semester break. It is an assessment of your group work in the labs, and every group member will receive an individual mark combined with a group mark.
Quiz 2 (Due: 3/10/2017, Weighting: 10%)
The short answer quiz has a time limit of 45 minutes and is conducted online using iLearn. It will cover the material in lectures from weeks 5-8 inclusive.
Assignment (Due: 7/11/2017, Weighting: 20%)
This is an individual assignment, the details of which will be posted on iLearn in week 1.
Quiz 3 (Due: 31/10/2017, Weighting: 10%)
The short essay quiz has a time limit of 30 minutes and is conducted online using iLearn. It will cover the material in lectures from weeks 1-11 inclusive.
Industry presentation (Due: 7/11/2017, Weighting: 30%)
Presentation to industry experts!
This unit does not rely on any particular technology. However, there is a lot of reading and lab work to be undertaken, and this may be done on-campus or off-campus.
Students may find that using their own devices, capable of accessing the internet and reading PDFs, assists with their group activities whilst off-campus.
Week | Lecture Topic | Reading material |
---|---|---|
Week 1 | Introduction and Course Outline | Senior Executives Commitment to Information Security - from Motivation to Responsibility |
Week 2 | Standards & Governance | ISO/IEC27001, ISO/IEC27002, PCIDSS, Sarbanes Oxley Act, COBIT |
Week 3 | Information Risk Management Concepts | ISO/IEC27005 and ISO/IEC31000, A Novel Security Risk Evaluation for Information Systems, Measuring the risk based value of IT Security solutions, Quantitative assessment of enterprise security system |
Week 4 | Threat Workshop | ISO/IEC27005 and ISO/IEC31000, A Novel Security Risk Evaluation for Information Systems, BSI Handbook, Security Usability Principles for Vulnerability Analysis and Risk Assessment |
Week 5 | Controls Workshop | ISO/IEC27005 and ISO/IEC31000, A Novel Security Risk Evaluation for Information Systems, BSI Handbook |
Week 6 | Business Continuity Planning and DRP | ISO/IEC27001, ISO/IEC27005 and ISO/IEC31000, BSI Handbook |
Week 7 | Creating an Enterprise Information Security Framework | |
Week 8 | Information Classification and Exposures | ISO/IEC27001, Senior Executives Commitment to Information Security - from Motivation to Responsibility |
Week 9 | Practical Hacking | Open Source Security Testing Methodology Manual |
Week 10 | Incident Response & Server Hardening | ISO/IEC27001, Combining ITIL, COBIT and ISO/IEC27002 in Order to Design a Comprehensive IT Framework in Organisations |
Week 11 | Evidence Collection | HB171 Guidelines for the management of evidence, Computer Forensics for Lawyers |
Week 12 | Physical Security Reviews | |
Week 13 | Industry presentation | |
Macquarie University policies and procedures are accessible from Policy Central. Students should be aware of the following policies in particular with regard to Learning and Teaching:
Academic Honesty Policy http://mq.edu.au/policy/docs/academic_honesty/policy.html
Assessment Policy http://mq.edu.au/policy/docs/assessment/policy_2016.html
Grade Appeal Policy http://mq.edu.au/policy/docs/gradeappeal/policy.html
Complaint Management Procedure for Students and Members of the Public http://www.mq.edu.au/policy/docs/complaint_management/procedure.html
Disruption to Studies Policy (in effect until Dec 4th, 2017): http://www.mq.edu.au/policy/docs/disruption_studies/policy.html
Special Consideration Policy (in effect from Dec 4th, 2017): https://staff.mq.edu.au/work/strategy-planning-and-governance/university-policies-and-procedures/policies/special-consideration
In addition, a number of other policies can be found in the Learning and Teaching Category of Policy Central.
Macquarie University students have a responsibility to be familiar with the Student Code of Conduct: https://students.mq.edu.au/support/student_conduct/
Results shown in iLearn, or released directly by your Unit Convenor, are not confirmed as they are subject to final approval by the University. Once approved, final results will be sent to your student email address and will be made available in eStudent. For more information visit ask.mq.edu.au.
If you cannot complete a piece of work please see the convenor before the due date. Check also the special consideration policy. A more detailed description of each task is given below.
As the table under assessment tasks indicates, there will be 6 assessment tasks.
Your final grade will depend on your performance in each part separately. In particular, to pass this unit you must achieve an overall score of 50%, and achieve at least 40% in the quizzes.
Failure to appear at the industry presentation (without a very good reason) will count as a score of 0 for that component.
All assignments should be handed in via the online system at http://learn.mq.edu.au/ by the time specified in the assignment description.
All work submitted should be readable and well presented.
Late work will be accepted with a penalty of 10% of the marks for the assignment per day submitted late. Hence, an assignment submitted five days late will get at most half the marks. If you cannot submit on time because of illness or other circumstances, please contact the lecturer before the due date.
Macquarie University provides a range of support services for students. For details, visit http://students.mq.edu.au/support/
Learning Skills (mq.edu.au/learningskills) provides academic writing resources and study strategies to improve your marks and take control of your study.
Students with a disability are encouraged to contact the Disability Service who can provide appropriate help with any issues that arise during their studies.
For all student enquiries, visit Student Connect at ask.mq.edu.au
For help with University computer systems and technology, visit http://www.mq.edu.au/about_us/offices_and_units/information_technology/help/.
When using the University's IT, you must adhere to the Acceptable Use of IT Resources Policy. The policy applies to all who connect to the MQ network including students.
Our postgraduates will demonstrate a high standard of discernment and common sense in their professional and personal judgment. They will have the ability to make informed choices and decisions that reflect both the nature of their professional work and their personal perspectives.
This graduate capability is supported by:
Our postgraduates will be able to demonstrate a significantly enhanced depth and breadth of knowledge, scholarly understanding, and specific subject content knowledge in their chosen fields.
This graduate capability is supported by:
Our postgraduates will be capable of utilising and reflecting on prior knowledge and experience, of applying higher level critical thinking skills, and of integrating and synthesising learning and knowledge from a range of sources and environments. A characteristic of this form of thinking is the generation of new, professionally oriented knowledge through personal or group-based critique of practice and theory.
This graduate capability is supported by:
Our postgraduates will be capable of systematic enquiry; able to use research skills to create new knowledge that can be applied to real world issues, or contribute to a field of study or practice to enhance society. They will be capable of creative questioning, problem finding and problem solving.
This graduate capability is supported by:
Our postgraduates will be able to communicate effectively and convey their views to different social, cultural, and professional audiences. They will be able to use a variety of technologically supported media to communicate with empathy using a range of written, spoken or visual formats.
This graduate capability is supported by:
Our postgraduates will be ethically aware and capable of confident transformative action in relation to their professional responsibilities and the wider community. They will have a sense of connectedness with others and country and have a sense of mutual obligation. They will be able to appreciate the impact of their professional roles for social justice and inclusion related to national and global issues
This graduate capability is supported by:
Four standards (HD, D, CR and P) summarise the corresponding levels of achievement. Each standard is precisely defined to help students know what kind of performance is expected to deserve a certain mark.
Grade | LO 1: Architectures | LO 2: Risks | LO 3: Threats | LO 4: Controls |
---|---|---|---|---|
HD | Detailed understanding of the differences between architectures, standards, legislation and industry regulations. Can apply the correct architecture to meet different requirements. Can manage the design and implementation process of a project to use one of the architectures. | Detailed understanding of information security risks and risk management. Can demonstrate the correct approach to risk identification and information gathering. Can produce a correct Risk Register and Risk Treatment Plan. Can demonstrate a sound understanding of personnel related information security risk processes. Can produce a detailed BIA and understand management response to risk. | Detailed understanding of threats, threat vectors, likelihood and impact. Can manage complex scenario-based information gathering to produce a business-oriented threat matrix. Can demonstrate the selection process for metrics and identify novel approaches to selection in complex scenarios. | Can demonstrate and manage a process to identify and select appropriate controls. Can demonstrate an understanding of the different classes of controls, their limitations and how to choose and implement the most appropriate controls. |
D | Some understanding of the differences between architectures, standards, legislation and industry regulations. Can identify the correct architecture to meet different requirements. Can create the design and implementation process of a project to use one of the architectures. | Some understanding of information security risks and risk management. Can demonstrate the correct approach to risk identification and information gathering with assistance. Can produce either a correct Risk Register or a correct Risk Treatment Plan. Can demonstrate a sound understanding of personnel related information security risk processes. Can produce a partial BIA and understand management response to risk. | Some understanding of threats, threat vectors, likelihood and impact. Can manage simple scenario-based information gathering to produce a business-oriented threat matrix. Can demonstrate the selection process for metrics. | Can demonstrate and manage a process to identify and select appropriate controls. Can demonstrate an understanding of most of the different classes of controls, their limitations and how to choose and implement the most appropriate controls. |
CR | Some understanding of the differences between architectures, standards, legislation and industry regulations. Can identify the correct architecture to meet different requirements. Can manage the design and implementation process of a project to use one of the architectures. | Some understanding of information security risks and risk management. Can demonstrate the correct approach to risk identification and information gathering with assistance. Can produce a partial Risk Register and a partial Risk Treatment Plan. Can demonstrate some understanding of personnel related information security risk processes. Can produce a partial BIA or demonstrate the principles behind management response to risk. | Some understanding of threats, threat vectors, likelihood and impact. With assistance, can manage simple scenario-based information gathering to produce a business-oriented threat matrix. With assistance, can demonstrate the selection process for metrics. | Can explain processes to identify and select appropriate controls. Can demonstrate an understanding of the different classes of controls, their limitations and how to choose and implement the most appropriate controls. |
P | Some understanding of the differences between architectures, standards, legislation and industry regulations. May not always apply the correct architecture to meet different requirements. Cannot identify the design and implementation process of a project to use one of the architectures without assistance. | Some understanding of information security risks and risk management. Can demonstrate the correct approach to risk identification and information gathering with assistance. Can produce a partial Risk Register and a partial Risk Treatment Plan with assistance. Can demonstrate some understanding of personnel related information security risk processes. With assistance, can produce a partial BIA or demonstrate the principles behind management response to risk. | Some understanding of threats, threat vectors, likelihood and impact. With assistance, can explain simple scenario-based information gathering to produce a business-oriented threat matrix. With assistance, can explain the selection process for metrics. | With assistance, can explain processes to identify and select appropriate controls. With assistance, can explain some of the different classes of controls and their limitations. |
Grading
At the end of the semester, you will receive a grade that reflects your achievement in the unit.
In this unit, your final grade depends on your performance in each part of the assessment. For each task, you receive a mark that combines your standard of performance regarding each learning outcome assessed by this task. Then the different component marks are added up to determine your total mark out of 100. Your grade then depends on this total mark and your overall standards of performance.
Your final grade will depend on your performance in each part separately. In particular, to pass this unit you must achieve an overall score of 50%, and achieve at least 40% in the quizzes.
Failure to appear at the industry presentation (without a very good reason) will count as a score of 0 for that component.
Obtaining a grade higher than a Pass (P) in this unit will require a student to obtain (in addition to the above):