The amount of personal data processed and stored by today's data scientists seems to be forever increasing. An example of this would be the data produced by customers engaging with digital marketing channels. This provides data scientists with very large data sets, which in turn afford opportunities for application of analytics leading to improved business opportunities.
However, recent changes in European data privacy law, i.e. the GDPR, include the possibility of heavy fines if the data you have collected, processed or stored is not held securely, leading to accidental or deliberate access by unauthorised parties. GDPR has widened the scope of personal data, e.g. an Internet Protocol (IP) address and a Media Access Control (MAC) address are now both considered personal data.
The course starts with demonstrating how to conduct a cyber risk assessment, walking you through each stage of the process and emphasising the types of controls and why they are recommended.
Moving on, as much of the data we use is accessed through web applications, we examine common web vulnerabilities. Locating these vulnerabilities is initially demonstrated using free, commonly available tools before more complex, industry-standard tools are introduced.
You will gain a better understanding of the risk associated with an IT system used for data collection and processing. We will take a technical approach, learning the different aspects of the security risk assessment, such as:
Management issues in security
Technical aspects of security
Humans in the loop, social engineering and attack cycles
Conducting a risk assessment
Development of mitigation strategies
Common vulnerabilities found in web applications
Using tools to find web application vulnerabilities
You will be assessing the vulnerabilities of and threats to components (laptops, servers, databases, etc.) in your information systems, to understand the role these play in exposing your confidential data, standard operating procedures and other intellectual property. You will learn how to provide appropriate controls, in terms of the risk to the information asset and the cost of the control, and how to combine these two activities to conduct a risk assessment of a system.
Throughout the course, you will also be asked to consider how you would use the risk assessment approach in your own organisations and reflect on the use of risk assessments to apply appropriate cost-effective controls.
To assess course progress, you will be asked to complete activities each week and submit three pieces of graded coursework. For the first graded coursework, you will identify possible security risks within a fictional ‘University Fees Office’. The second coursework consists of applying skills developed in ‘attacking’ a commercial website to identify security risks and then suggest mitigation strategies for a supposedly secure ‘Bank’ website. For the final graded assignment, you will employ the skills and knowledge you have developed to conduct and report a risk assessment based within your own organisation.
Whilst you will complete all of these assignments individually, you will also work in small groups with the dedicated supervision of a course tutor who will be available to provide in-depth assistance if you have any problems.