Site Navigation

COMP9079 - Security Risk & Compliance

Title:Security Risk & Compliance
Long Title:Security Risk & Compliance
Module Code:COMP9079
Duration:1 Semester
Credits: 10
NFQ Level:Expert
Field of Study: Computer Science
Valid From: Semester 1 - 2020/21 ( September 2020 )
Module Delivered in 4 programme(s)
Module Coordinator: Sean McSweeney
Module Author: Sean McSweeney
Module Description: Cybersecurity governance and compliance ensures that companies achieve their security objectives by providing oversight and accountability with the aim of ensuring risks are adequately mitigated and that the organisation is compliant with laws and regulations. This module examines governance, risk and compliance and how these elements work together enabling the alignment of security architecture, engineering and operations to meet business goals.
Learning Outcomes
On successful completion of this module the learner will be able to:
LO1 Appraise cybersecurity governance procedures and mechanisms for different operational contexts.
LO2 Discriminate between different cybersecurity threats and their impact on business operational elements.
LO3 Review and adapt policy and standards with the aim of developing a security program.
LO4 Develop a cybersecurity risk management plan with the aim of ensuring an organisation is adequately protected against a range of security vulnerabilities and threats.
LO5 Evaluate various risk scenarios with the aim of preparing an organisation against likely attacks.
LO6 Analyse cybersecurity compliance standards and frameworks with the aim of providing recommendations on implementing and managing various aspects of a security program.
LO7 Analyse the main Irish and EU Data Protection Laws in relation to protecting EU citizens data and their respective security.
Pre-requisite learning
Module Recommendations
This is prior learning (or a practical skill) that is strongly recommended before enrolment in this module. You may enrol in this module if you have not acquired the recommended learning but you will have considerable difficulty in passing (i.e. achieving the learning outcomes of) the module. While the prior learning is expressed as named CIT module(s) it also allows for learning (in another module or modules) which is equivalent to the learning specified in the named module(s).
Incompatible Modules
These are modules which have learning outcomes that are too similar to the learning outcomes of this module. You may not earn additional credit for the same learning and therefore you may not enrol in this module if you have successfully completed any modules in the incompatible list.
No incompatible modules listed
Co-requisite Modules
No Co-requisite modules listed

This is prior learning (or a practical skill) that is mandatory before enrolment in this module is allowed. You may not enrol on this module if you have not acquired the learning specified in this section.

No requirements listed

Module Content & Assessment

Indicative Content
Cybersecurity governance & Strategic Planning
Role and responsibilities in governance i.e. executive management, steering committee, Chief Information Security Officer. ISO/IEC 38500:2015. Calder-Moir IT Governance Framework. ISO/IEC 27014. Relationship between different governance models. Establishing information security governance – strategy development. Information Security Governance versus information security management. Outcomes and best practices to information security governance. Monitoring and managing governance. ISACA standards, guidelines, tools and techniques. Financial considerations in governance and strategic planning.
Threat landscape
ENISA threat landscape i.e. malware, insider threats, web based attacks, botnets, information leakage, cyber espionage, identity theft, ransomware, data breaches, denial of service, spam, phishing, crypto jacking. Structure of threat landscape. Threat actors, agents and trends – attack vectors, misinformation, disinformation, fileless and memory attacks, multi staged and modular threats etc. Threat intelligence and sharing. CIA Triad.
Security Policy & Programs
Policy, standards and practices. Developing and implementing a security policy. Elements to a policy. Security programs in small, medium and large organisations. Components of a security program.
Cybersecurity Risk Management
NIST Risk Management Framework. Risk assessment and risk cost. NIST Risk Management Process. Conducting a risk assessment. Communicating and sharing risk assessment information. Cybersecurity Risk Management plan – identify company assets, cyber threats, impact and ranking of threats. Risk mitigation. The human element. Risk Management Process. Treating risk. Third party risk assessments. Understanding the differences in terms of who owns what. Appreciating the importance of NDAs and Contracts. The impact of auditing on risk evaluation.
Risk metric scenarios
Risk management metrics for cybersecurity. Capturing risk and measuring risk correctly. Reducing, avoiding and transferring risk. Baselines, benchmarks, return on investment and cost-benefit analysis. Review of existing security. Risk mitigation strategies. Risk scenarios and responses.
Cybersecurity Compliance
Access privileges, application security, multi factor authentication, penalties for non-compliance. PCI DSS. NIST. SSAE-16. AT-101. FedRAMP. ISO. HIPAA. Regulatory Compliance. Reputational damage. Code of Connection G-Cloud, PSN, IG Toolkit, Gambling Commission, Auditing.
Cyber Laws and Regulations
Ireland and EU : EU Cybersecurity Act, GDPR, NIS. Criminal Justice (Offences Relating to Information Systems) Act 2017. USA : CFA Act, CSA Act, ECPA, HIPAA, GLB Act, SOX, DMCA, CCPA
Assessment Breakdown%
Course Work100.00%
Course Work
Assessment Type Assessment Description Outcome addressed % of total Assessment Date
Written Report This report will assess the student's theoretical knowledge of cybersecurity governance frameworks and the application of these frameworks in mitigating various threats. 1,2 30.0 Week 6
Project This project will evaluate the student's capacity to develop and apply a cybersecurity risk management plan to a range of risk scenarios and evaluate the efficacy of the developed plan. 3,4,5 40.0 Week 10
Project In this project the student will be assessed on their ability to decide on the appropriate compliance, legal and governance mechanisms to implement and adhere to in a defined scenario. 3,6,7 30.0 Sem End
No End of Module Formal Examination
Reassessment Requirement
Coursework Only
This module is reassessed solely on the basis of re-submitted coursework. There is no repeat written examination.

The institute reserves the right to alter the nature and timings of assessment


Module Workload

Workload: Full Time
Workload Type Workload Description Hours Frequency Average Weekly Learner Workload
Lecture Lecture delivering theory underpinning learning outcomes. 4.0 Every Week 4.00
Lab Lab to support learning outcomes. 2.0 Every Week 2.00
Independent & Directed Learning (Non-contact) Independent study. 8.0 Every Week 8.00
Total Hours 14.00
Total Weekly Learner Workload 14.00
Total Weekly Contact Hours 6.00
Workload: Part Time
Workload Type Workload Description Hours Frequency Average Weekly Learner Workload
Lecture Lecture delivering theory underpinning learning outcomes. 4.0 Every Week 4.00
Lab Lab to support learning outcomes. 2.0 Every Week 2.00
Independent & Directed Learning (Non-contact) Independent study. 8.0 Every Week 8.00
Total Hours 14.00
Total Weekly Learner Workload 14.00
Total Weekly Contact Hours 6.00

Module Resources

Recommended Book Resources
  • Paul Hopkin 2018, Fundamentals of Risk Management: Understanding, Evaluating and Implementing Effective Risk Management, 5th Edition Ed., IRM Press [ISBN: 0749483075]
  • Richard M. Steinberg 2011, Governance, Risk Management, and Compliance: It Can't Happen to Us--Avoiding Corporate Disaster While Driving Success, Wiley Corporate F&A [ISBN: 1118024303]
  • Peter Trim 2014, Cyber Security Management: A Governance, Risk and Compliance Framework, 1st Edition Ed., Routledge [ISBN: 1472432096]
Supplementary Book Resources
  • Christopher J Hodson 2019, Cyber Risk Management: Prioritize Threats, Identify Vulnerabilities and Apply Controls, 1st Edition Ed., Kogan Page [ISBN: 0749484128]
  • Mike Chapple 2018, CISSP Certified Information Systems Security Professional Official Study Guide, 2nd Edition Ed., Sybex [ISBN: 1119523265]
Recommended Article/Paper Resources
  • McBride, Maranda, Lemuria Carter, and Merrill Warkentin 2012, Exploring the role of individual employee characteristics and personality on employee compliance with cybersecurity policies, RTI International-Institute for Homeland Security Solutions, 5(1)
Supplementary Article/Paper Resources
  • Nicole M. Radziwill, Morgan C. Benton 2017, Cybersecurity Cost of Quality: Managing the Costs of Cybersecurity Risk Management., Software Quality Professional, Vol. 19 No. 3
  • von Solms, Basie, and Rossouw von Solms 2018, Cybersecurity and information security–what goes where?, Information & Computer Security [ISSN: 2056-4961]
Other Resources

Module Delivered in

Programme Code Programme Semester Delivery
CR_KINSE_9 Master of Science in Cybersecurity 2 Mandatory
CR_KCYMN_9 Master of Science in Cybersecurity Management 1 Mandatory
CR_KINSY_9 Postgraduate Diploma in Science in Cybersecurity 2 Mandatory
CR_KCYMT_9 Postgraduate Diploma in Science in Cybersecurity Management 1 Mandatory

Cork Institute of Technology
Rossa Avenue, Bishopstown, Cork

Tel: 021-4326100     Fax: 021-4545343
Email: help@cit.edu.ie