Developing an Information Governance Policy for UEH - Assignment

Learning Outcomes tested in this assessment

Learning Outcomes tested in this assessment

This assignment will assess the following learning outcomes:   

1.Critically evaluate the key information governance principles, practices and security frameworks to demonstrate your understanding in the design, development, implementation and monitoring of information security management system of an organisation.

2.Ability to critically evaluate the risk assessment methodology to determine appropriate control objectives for a given organisational scenario

3.Demonstrate ability to work as a member of a team and make contributions to team success and effectiveness

4.Critically appraise, social, ethical and legal responsibilities of an Information security auditor to comply with.

This assignment consists of two parts;

·Part A – Individual (70%) – 2500 words submitted individually

·Part B – Group work (30%) – 2500 words submitted as a group

Any queries relating to this assignment should be directed to module tutor:

Blackbaud is the world’s largest provider of education administration, fundraising and financial management software. In July 2020, it was reported in the media that Blackbaud was held to ransom by hackers, this resulted in more than 20 universities and charities in the UK, US and Canada have confirmed they are victims of this Cyber-attack. The news further mentioned that Blackbaud paid the ransom, although this is not illegal however it was against the advice of law enforcement agencies. The correct scale of breach is not confirmed yet, however affected UK Universities have reported this incident to UK’s Information Commissioner’s Office (ICO).

After this news, University of Higher Education (UHE), which is a private University located in the suburb of London borough of Sutton decided to review its Information Security Management System. The University management acknowledge the significance of reliable information security to its assets and responsibility to ensure students and staff personal data and research data, maintain Confidentiality, Integrity and Availability against cyber security attacks. The UHE wants to adopt robust Information Security policy to adhere with legal and regulatory compliance and understand that Information Governance can play a vital role in its day to day operations as it establishes policies, procedures and accountability, which is imperative for an effective management lifecycle of student/staff personal data and can maximise data privacy and confidentiality. The aim of Information governance is to provide data confidentiality and protection assurance to UHE management, individual students and help staff to understand the importance of data handling procedures to adhere with information assurance, corporate information assurance, information security assurance and perform their duties ethically to demonstrate duty of care as well as respecting data subjects rights while processing their personal data.

Your task is to develop an information governance policy for UEH and write an accompanying report, which provides justification of policy contents, chosen framework, risk assessment methodologies and strategy to implement strong information governance for the given organisation.

The work will be marked out of 100 in line with the University’s marking grades and according to the following assessment criteria:

Part A: Individual Task

Task 1: Information Governance Need & Cyber Security Threats

Critically appraise understanding of latest cyber security threats to information assets and demonstrate requirements of Information Governance need in the context of given scenario. The role of Information Security auditors to comply with social, ethical and legal requirements to assess the effectiveness of Information Security Management System. Report should include appropriate language, referencing, clarity of expression style, format and length.

Task 2: Framework  

Justification of the approach taken and rationale for the scope and content of the Information Security Management Systems (ISMS) based on a critical evaluation and understanding of the organisation, and reference to principles and best practice. This could include critical evaluation of Information governance frameworks and rationale of the choice considered for a given context. Presentation should include appropriate language, referencing, clarity of expression style, format and length.

Task 3: Risk Assessment

Justification of the importance of information governance to the organisation based on a critical evaluation of the organisational context. This should include risk assessment methodologies either qualitative or quantitative. Identify information assets, identify threats, vulnerabilities and risks associated with assets. Presentation should include appropriate language, referencing, clarity of expression style, format and length.

Task 4: Policy -

The information security policies should include Introduction, purpose, scope, roles and responsibilities, Information Governance Policy Framework, implementation plan and monitoring mechanisms to address security threats and mitigate security vulnerabilities in the context of given scenario. Presentation should include appropriate language, referencing, clarity of expression style, format and length.