Monday, August 18, 2008

Information Asset Management: Draft Learning Objectives

I am starting on the journey of module development... lecturing on Information Asset Management to third year computing students at a UK University.

I have the passion for the subject, I know that they really need to know this stuff, especially in the collaborative "cloud" world we have racing at us fast! My challenge is that there are apparently few courses out there for me to build upon, and even less reading material written on the subject. I am excited at the opportunity to help prepare information professionals in this way. So given the nudge I had this morning on Twitter from @gblnetwkr, I decided to start to call upon the wisdom of the crowds!!!

Draft Module Aims
This module will focus on the importance of managing information assets to maximise value and mange risk to an appropriate level. It will explore the various agencies, roles, policies, processes and technologies involved, while highlighting the importance of the role Information Professionals, and others, need to play in managing information assets.

I am using the e-skills PROCOM work as a guide, though that is still in draft, and is not too strong in the area of Information Security. I will also be using PROCOM, COBIT and ITIL more formally when I figure out the appropriate approvals and copyright implications.

My first ever "initial" draft set of Learning Outcomes !!!

By the end of the module the student will be expected to be able to:
• Understand the different types of information threats and vulnerabilities that an information system may experience, and how they may impact businesses.
• Evaluate the information risks an information system may bring to a business and communicate the potential business impact of those risks.
• Develop appropriate controls and/or mitigations to maximise the business value of an information asset, while ensuring the risk is kept to an appropriate level.
• Ensure the security of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity, and availability of data and information.
• Show their understanding of the various aspects of information asset governance, including policy development and related regulations, compliance practises and issues.
• Demonstrate their understanding of the techniques used to manage data and information within an organisation and as it crosses into and out of an organisation. This includes the IT and information management processes involved in the acquisition, creation, categorisation, storage, transfer and disposal of data and information.

All that draft language should give you the clue, feedback welcome.

...on three counts
1) If you were a student would you want to come to the lectures?
2) Is the content right?
3) Any other perspective you might have....?

2 comments:

  1. @mortman and @alexhutton pointed me to your post. I am currently developing a 'computer security' class myself, so I have some interest in this topic. Here are some comments that came to mind after a cursory glance of the post:

    Computing students tend to be fairly technically oriented. Using phrases such as "managing information assets" might not be the best verbiage to choose.

    When defining goals, make sure you can measure them. Statements like "Understand the different types of information threats..." are very hard to measure objectively.

    "Ensure the security of information technology services, systems and assets within an organisation. This also covers the competencies required to manage the confidentiality, integrity, and availability of data and information." The way it is phrased (use of the word 'also') makes me thing that "security of IT services" and "C-I-A" are different things.

    Minor things as:
    "By the end of the module the student will be expected to be able to:
    [...]
    Show their understanding of"

    If I were a technology student, I would stay away from this class as much as I could. However, if I were more business-oriented, I might take an interest in it. The content seems a little advanced.

    Do students understand what information security is, and why it is done? What kind of background knowledge do they have when they initially take this class? How long does the class run for?

    ReplyDelete
  2. This is a pretty challenging topic, in a number of ways, but one that I would love to see popularized in the school system.

    You really can't protect systems unless you know they exist and this is still a challenge in today's organizations.

    I once taught a course along these same lines on Threat Modeling - one of the big challenges, of course, was keeping the class engaged and interested in a topic that is not inherently exciting. Something that helped (and this may be obvious) is using real-world examples to engage the students and get their brains moving as opposed to static content they might have difficulty relating to.

    I would advertise this as a challenging and widespread problem with a field of possibilities for those that are able to master the topic. :)

    ReplyDelete

Thanks in advance for sharing your thoughts...