Information Security & Data Governance Practicum

Organizations of every size, industry, sophistication, and footprint traffic in data. Whether that data includes personally identifiable information, protected health information, trade secrets, intellectual property, or otherwise regulated data, legal and market demands require that all organizations develop and maintain governance over data. This course takes an interdisciplinary, interactive, global, and practical approach to introduce students to the practice of privacy and security within organizations. Rather than merely lecture on the importance of data mapping, policy development, and incident response planning, this course aims to teach you how to strategically approach these challenges while balancing both legal and business considerations.

Although it includes nascent legal issues in these fields including United States and international cybersecurity law and policy, the course is primarily concerned with the challenges of addressing those issues strategically within public- and private-sector institutions. Such challenges include managing regulatory governance across multi-national and multi-industrial organizations; best practices for mitigating security risks through administrative, technical, and physical safeguards; communicating effectively with executive leadership; motivating employees while managing insider threats; identifying and responding to security incidents and government investigations; navigating due diligence concerns relating to cybersecurity in a given transaction or venture.

This class will explore these issues through hands-on experiential learning. Over the course of the semester, students will participate in interviewing client representatives relating to issues surrounding policy development, data mapping and classification, insurance negotiations, and incident response. In other situations, students will be assigned roles (such as Chief Financial Officer, Director of IT, Chief Operational Officer, in-house counsel, etc) in a fictional organization, to navigate the trials and tribulations of the decision-making process through those roles.

One prior course in Information Privacy Law I or II, or Cybersecurity Law I or II, is desirable, but not required.

Grading

Substantive grades will be based on performance through practical exercises as well as successful completion of a take-home exam comprised of essay prompts to be presented to the class by November 23, 2022.

The grade distribution for each assignment will be as follow:

Privacy Policy: 50 points

Mapping and Classification: 125 points

Information Security Policy/Incident Response Plan: 125 points

Incident Response Exercises: 100 points

Take Home Exam: 400 points