CQUniversity Unit Profile
COIT20263 Information Security Management
All details in this unit profile for COIT20263 have been officially approved by CQUniversity and represent a learning partnership between the University and you (our student).
The information will not be changed unless absolutely necessary and any change will be clearly indicated by an approved correction included in the profile.
General Information

Overview

This unit provides you with a thorough understanding of the managerial aspects of information security in a business organisation. You will complement your existing knowledge of information and communication technologies by studying the organisational and management issues relevant to information security. You will learn about the importance of information security plans, security risk management and compliance monitoring, and develop and apply security policies and best practices. Through case studies, you will consider information security strategies that support business objectives while being aware of legal and ethical obligations. As a result, you will have the knowledge and skills to contribute to information security governance in accordance with standards set by governments, professional bodies and industry.

Details

Career Level: Postgraduate
Unit Level: Level 9
Credit Points: 6
Student Contribution Band: 8
Fraction of Full-Time Student Load: 0.125

Pre-requisites or Co-requisites

Prerequisite: COIT20261 Network Routing and Switching

Important note: Students enrolled in a subsequent unit who failed their pre-requisite unit should drop the subsequent unit before the census date or within 10 working days of Fail grade notification. Students who do not drop the unit in this timeframe cannot later drop the unit without academic and financial liability. See details in the Assessment Policy and Procedure (Higher Education Coursework).

Offerings For Term 3 - 2025

Online

Attendance Requirements

All on-campus students are expected to attend scheduled classes. In some units, these classes are identified as a mandatory (pass/fail) component and attendance is compulsory. International students on a student visa must maintain a full-time study load and meet both attendance and academic progress requirements in each study period (satisfactory attendance for International students is defined as maintaining at least an 80% attendance record).

Class and Assessment Overview

Recommended Student Time Commitment

Each 6-credit Postgraduate unit at CQUniversity requires an overall time commitment of an average of 12.5 hours of study per week, making a total of 150 hours for the unit.

Class Timetable

Bundaberg, Cairns, Emerald, Gladstone, Mackay, Rockhampton, Townsville
Adelaide, Brisbane, Melbourne, Perth, Sydney

Assessment Overview

1. In-class Test(s)
Weighting: 30%
2. Presentation
Weighting: 30%
3. Written Assessment
Weighting: 40%

Assessment Grading

This is a graded unit: your overall grade will be calculated from the marks or grades for each assessment task, based on the relative weightings shown in the table above. You must obtain an overall mark for the unit of at least 50%, or an overall grade of 'pass' in order to pass the unit. If any 'pass/fail' tasks are shown in the table above they must also be completed successfully ('pass' grade). You must also meet any minimum mark requirements specified for a particular assessment task, as detailed in the 'assessment task' section (note that in some instances, the minimum mark for a task may be greater than 50%). Consult the University's Grades and Results Policy for more details of interim results and final grades.

Previous Student Feedback

Feedback, Recommendations and Responses

Every unit is reviewed for enhancement each year. At the most recent review, the following staff and student feedback items were identified and recommendations were made.

Feedback from Unit coordinator's reflection

Feedback

The introduction of in-class tests, spread throughout the term, encouraged students to review and understand their unit topics consistently.

Recommendation

Continue administering in-class tests and refine them as needed.

Feedback from Unit coordinator's reflection

Feedback

Students may resort to GenAI to develop content for their presentation and report.

Recommendation

Develop and implement strategies to mitigate the impacts of GenAI on the assessments.

Unit Learning Outcomes
On successful completion of this unit, you will be able to:
  1. Develop security policies and programs for an organisation based on national and international standards and industry's best practice
  2. Apply appropriate security control mechanisms to protect critical infrastructure
  3. Assess security risks and develop risk management strategies for an organisation
  4. Justify appropriate risk treatment options
  5. Integrate laws and ethics of information security management into the organisation's security framework.

The Australian Computer Society (ACS), the professional association for Australia's ICT sector, recognises the Skills Framework for the Information Age (SFIA). SFIA is adopted by organisations, governments, and individuals in many countries and provides a widely used and consistent definition of ICT skills. SFIA is increasingly being used when developing job descriptions and role profiles. ACS members can use the tool MySFIA to build a skills profile.
 
This unit contributes to the following workplace skills as defined by SFIA8. The SFIA code is included:
  • Information Management (IRMG)
  • Information Security (SCTY)
  • Risk Management (BURM)
  • Continuity Management (COPL)
  • Methods and Tools (METL)

The National Initiative for Cybersecurity Education (NICE) Framework defines the knowledge, skills and tasks needed to perform various cyber security roles. Developed by the National Institute of Standards and Technology (NIST), the NICE Framework is used by organisations to plan their workforce, including recruiting into cyber security positions.

This unit helps prepare you for roles such as Systems Security Analyst, Network Operations Specialist and Systems Administrator, contributing to the following knowledge and skills:

  • K0002 Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
  • K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • K0004 Knowledge of cybersecurity and privacy principles.
  • K0038 Knowledge of cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • K0040 Knowledge of vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
  • K0263 Knowledge of information technology (IT) risk management policies, requirements, and procedures.
  • K0267 Knowledge of laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
  • K0276 Knowledge of security management.

Alignment of Learning Outcomes, Assessment and Graduate Attributes

Alignment of Assessment Tasks to Learning Outcomes

Assessment Tasks Learning Outcomes
1 2 3 4 5
1 - In-class Test(s) - 30%
2 - Presentation - 30%
3 - Written Assessment - 40%

Alignment of Graduate Attributes to Learning Outcomes

Graduate Attributes Learning Outcomes
1 2 3 4 5
1 - Knowledge
2 - Communication
3 - Cognitive, technical and creative skills
4 - Research
5 - Self-management
6 - Ethical and Professional Responsibility
7 - Leadership
8 - Aboriginal and Torres Strait Islander Cultures
Textbooks and Resources

Textbooks

Supplementary

Management of Cybersecurity

Edition: 7 (2025)
Authors: Michael E. Whitman/Herbert J. Mattord
Cengage Learning

IT Resources

You will need access to the following IT resources:
  • CQUniversity Student Email
  • Internet
  • Unit Website (Moodle)
Referencing Style

All submissions for this unit must use the referencing style: Harvard (author-date)

For further information, see the Assessment Tasks.

Teaching Contacts
Mahmoud El Khodr Unit Coordinator
m.elkhodr@cqu.edu.au
Schedule
Week 1 Begin Date: 10 Nov 2025
  • Module/Topic: Introduction to the Management of Cybersecurity
  • Chapter: Chapter 1 (Book: Management of Cybersecurity 7th Edition)

Week 2 Begin Date: 17 Nov 2025
  • Module/Topic: Governance and Strategic Planning for Cybersecurity
  • Chapter: Chapter 2

Week 3 Begin Date: 24 Nov 2025
  • Module/Topic: Risk Management: Assessing Risk
  • Chapter: Chapter 3

Week 4 Begin Date: 01 Dec 2025
  • Module/Topic: Risk Management: Treating Risk
  • Chapter: Chapter 4
  • Events and Submissions/Topic: Start preparing for your quiz

Week 5 Begin Date: 08 Dec 2025
  • Module/Topic: Compliance: Law and Ethics
  • Chapter: Chapter 5
  • Events and Submissions/Topic: Start preparing for your quiz and check your quiz progress and due dates

Week 6 Begin Date: 15 Dec 2025
  • Module/Topic: Cybersecurity Policy
  • Chapter: Chapter 6
  • Events and Submissions/Topic: Quiz Due: Week 6 Monday (15 Dec 2025) 11:45 pm AEST

Vacation Week Begin Date: 22 Dec 2025

Vacation Week Begin Date: 29 Dec 2025

Week 7 Begin Date: 05 Jan 2026
  • Module/Topic: Developing the Cybersecurity Program
  • Chapter: Chapter 7
  • Events and Submissions/Topic: Start preparing for your presentation

Week 8 Begin Date: 12 Jan 2026
  • Module/Topic: Cybersecurity Management Models
  • Chapter: Chapter 8
  • Events and Submissions/Topic: Group Due: Week 8 Monday (12 Jan 2026) 11:45 pm AEST

Week 9 Begin Date: 19 Jan 2026
  • Module/Topic: Cybersecurity Management Practices
  • Chapter: Chapter 9

Week 10 Begin Date: 26 Jan 2026
  • Module/Topic: Planning for Contingencies
  • Chapter: Chapter 10

Week 11 Begin Date: 02 Feb 2026
  • Module/Topic: Cybersecurity Protection Mechanisms
  • Chapter: Chapter 12

Week 12 Begin Date: 09 Feb 2026
  • Module/Topic: Cybersecurity Maintenance
  • Chapter: Chapter 11
  • Events and Submissions/Topic: Group report happening this week. Group Due: Week 12 Friday (13 Feb 2026) 12:00 pm AEST

Exam Week Begin Date: 16 Feb 2026

Review/Exam Week Begin Date: 16 Feb 2026

Term Specific Information

Textbook use and standards alignment.

Weekly lectures and tutorials draw on Management of Cybersecurity (7th ed., 2025) by Michael E. Whitman and Herbert J. Mattord to scaffold governance, risk, policy, contingency planning, and protection mechanisms.

Unit coordination and contact.

Unit Coordinator: Dr Mahmoud Elkhodr. Email: m.elkhodr@cqu.edu.au

Check Moodle 'Unit Contact' Tab for contact details of your campus-based lecturer and tutors.

Expected response time is within two working days during teaching weeks.

Assessment Tasks

1 In-class Test(s)

Assessment Title
Quiz

Task Description

Due: In your tutorial class or as advised by the Unit Coordinator.
Format: Invigilated online quiz in Moodle.
Coverage: Weeks 1–5 (introduction; governance and strategic planning; risk assessment; risk treatment; compliance).


What you do:

You will complete a time-limited quiz consisting of auto-marked items (for example, multiple choice, matching, short interpretation/calculation). The quiz checks your grasp of core concepts and their practical application so that you are ready for the later assessments.


Conditions: Individual work, invigilated, closed book, no collaboration or external aids unless specified in an approved Accessibility plan.


Assessment Due Date

Week 6 Monday (15 Dec 2025) 11:45 pm AEST

In your tutorial class or as advised by the Unit Coordinator


Return Date to Students

Week 7 Friday (9 Jan 2026)

Within two weeks of submissions


Weighting
30%

Assessment Criteria

Marking guide:

  • Accuracy of responses to knowledge and application items.
  • Correct interpretation of short scenarios (risk/policy/treatment).
  • Completion within the time limit and adherence to instructions.


Referencing Style

Submission

No submission method provided.


Submission Instructions
In your tutorial class or as advised by the Unit Coordinator

Learning Outcomes Assessed
  • Develop security policies and programs for an organisation based on national and international standards and industry's best practice
  • Assess security risks and develop risk management strategies for an organisation
  • Justify appropriate risk treatment options
  • Integrate laws and ethics of information security management into the organisation's security framework.

2 Presentation

Assessment Title
Group

Task Description

Due: Week 8 (in your tutorial class or as advised by the Unit Coordinator).
Format: Team presentation (8–10 minutes plus 2 minutes for questions).


Task details:

In groups of up to 4 students, you will present an Information Systems Security Policy (ISSP) based on Chapter 6 and informed by governance objectives (Chapter 2) and risk analysis (Chapters 3–4). Your presentation should explain the policy’s purpose and audience, justify key clauses with reference to standards, and show how the policy supports risk treatment decisions.

The ISSP must include elements such as:

  • Title, purpose, and rationale: A short statement of the policy’s aim, business need, and alignment to organisational governance and risk priorities.
  • Scope: Systems, data types, business units, locations, and roles to which the policy applies, including any third parties.
  • Acceptable use policy: Permitted behaviours and explicitly prohibited actions for organisational IT assets and data.
  • Protection requirements for common services: Baseline technical and administrative controls for devices.

Note. The complete ISSP template, exemplar, marking rubric, and submission instructions will be provided on the unit’s Moodle site.

Conditions: All team members must contribute. Citations must be shown on slides where external sources or textbook content is referenced.
Submission: PPT slides uploaded to Moodle before your tutorial; delivery in class unless an online session is advised.
Feedback: Verbal summary in class plus rubric with brief comments in Moodle.


Assessment Due Date

Week 8 Monday (12 Jan 2026) 11:45 pm AEST

During your scheduled tutorial in week 8 or online as advised by the UC


Return Date to Students

Within 2 weeks of submission


Weighting
30%

Assessment Criteria

Marking guide:

  1. Policy quality and alignment (clear scope, roles, and enforceable clauses).
  2. Standards-informed justification (e.g., NIST/ISO mapping) and correct citation.
  3. Coherence and professionalism of delivery (structure, time management, slide clarity).
  4. Team contribution and ability to respond to questions.

The complete marking rubric and submission instructions will be provided on the unit’s Moodle site.


Referencing Style

Submission

No submission method provided.


Submission Instructions
During your scheduled tutorial in week 8 or online as advised by the UC

Learning Outcomes Assessed
  • Develop security policies and programs for an organisation based on national and international standards and industry's best practice
  • Apply appropriate security control mechanisms to protect critical infrastructure
  • Integrate laws and ethics of information security management into the organisation's security framework.

3 Written Assessment

Assessment Title
Group

Task Description

Due: Week 12 (submit via Moodle by the published deadline).
Length/format: 2,500–3,000 words (excluding references and appendices), professional report style with headings.
Coverage: Weeks 1–11.


Task details:

Working in the same group, you will produce an integrated risk-management report for a given scenario. The report must include:

  1. Risk assessment (methods, risk statements, likelihood/impact)
  2. Risk treatment plan (options and rationale)
  3. Contingency/response planning
  4. A protection plan that maps selected controls to the identified risks

Briefly indicate how the policy elements from Assessment 2 provide authority and governance for your proposed controls and processes.

Note. The complete Risk management template, marking rubric, and submission instructions will be provided on the unit’s Moodle site.


Conditions: Original group work; use proper citation where needed; submit to Turnitin via Moodle.
Feedback: Rubric with one comment per criterion level, and an overall summary, may be provided if deemed necessary by the marker.


Assessment Due Date

Week 12 Friday (13 Feb 2026) 12:00 pm AEST

Online via Moodle


Return Date to Students

On grade certification date


Weighting
40%

Assessment Criteria

Marking guide:

  1. Problem definition and risk assessment quality (clear risk statements; appropriate method; correct prioritisation).
  2. Risk treatment and planning (defensible choices; traceability from risks to treatments; feasibility and resourcing).
  3. Protection mechanisms and assurance (controls mapped to risks; basic metrics/monitoring; linkage to policy/governance).
  4. Professional communication (structure, clarity, correct citation and referencing).

The complete marking rubric and submission instructions will be provided on the unit’s Moodle site.


Referencing Style

Submission

No submission method provided.


Learning Outcomes Assessed
  • Apply appropriate security control mechanisms to protect critical infrastructure
  • Assess security risks and develop risk management strategies for an organisation
  • Justify appropriate risk treatment options

Academic Integrity Statement

As a CQUniversity student you are expected to act honestly in all aspects of your academic work.

Any assessable work undertaken or submitted for review or assessment must be your own work. Assessable work is any type of work you do to meet the assessment requirements in the unit, including draft work submitted for review and feedback and final work to be assessed.

When you use the ideas, words or data of others in your assessment, you must thoroughly and clearly acknowledge the source of this information by using the correct referencing style for your unit. Using others’ work without proper acknowledgement may be considered a form of intellectual dishonesty.

Participating honestly, respectfully, responsibly, and fairly in your university study ensures the CQUniversity qualification you earn will be valued as a true indication of your individual academic achievement and will continue to receive the respect and recognition it deserves.

As a student, you are responsible for reading and following CQUniversity’s policies, including the Student Academic Integrity Policy and Procedure. This policy sets out CQUniversity’s expectations of you to act with integrity, examples of academic integrity breaches to avoid, the processes used to address alleged breaches of academic integrity, and potential penalties.

What is a breach of academic integrity?

A breach of academic integrity includes but is not limited to plagiarism, self-plagiarism, collusion, cheating, contract cheating, and academic misconduct. The Student Academic Integrity Policy and Procedure defines what these terms mean and gives examples.

Why is academic integrity important?

A breach of academic integrity may result in one or more penalties, including suspension or even expulsion from the University. It can also have negative implications for student visas and future enrolment at CQUniversity or elsewhere. Students who engage in contract cheating also risk being blackmailed by contract cheating services.

Where can I get assistance?

For academic advice and guidance, the Academic Learning Centre (ALC) can support you in becoming confident in completing assessments with integrity and to a high standard.

What can you do to act with integrity?