Certification of Master s Degrees in Digital Forensics

Transcription

1 Certified Master s in Cyber Security Certification of Master s Degrees in Digital Forensics Call for Applications Closing Date: 27 February 2015, 16:00 Briefing Meeting: 14 January 2015, 13:00 Portions of this work are copyright The Institute of Information Security Professionals. All rights reserved. The copyright of this document is reserved and vested in the Crown. Document History Issue Date Comment Issue December 2014 First issue Page 1 of 44

2 1 Introduction Reflecting the aims of the National Cyber Security Programme, UK Government and its delivery partners are working to increase the UK s academic capability in all fields of Cyber Security. Together BIS, EPSRC, GCHQ, CPNI and OCSIA have developed a joint approach and strategy for reaching this goal. As part of that strategy, GCHQ has initiated a programme to certify Master s degrees in cyber security subjects taught at UK Higher Education Institutions (HEIs). This Call for Applications is for the certification of Master's degrees in Digital Forensics that are addressing Digital Forensics in law enforcement and intrusion analysis, with an emphasis on law enforcement please see section 3 for more details. Master s degrees in cyber security subjects can provide a number of benefits, providing for example: a deeper understanding of cyber security concepts, principles, technologies and practices a bridge between undergraduate degrees and careers in cyber security a platform for further research at Doctoral level an effective way for people in mid-career to enhance their knowledge of the subject or to move into cyber security as a change of career path There are now a significant number of Master s degrees run by UK HEIs with cyber security content. However, it can be difficult for students and employers alike to navigate the variety of Master s that is available in order to: understand the extent to which such degrees really have cyber security as their main or sole focus assess the quality of the degrees on offer identify which degrees best suit someone s career path. This Call (and any subsequent calls) will enable HEIs, should they wish, to apply to have their cyber security Master s degrees considered for certification. There are two types of certification (please see section 3 for further details): Full Certification and Provisional Certification. Certifications of individual Master s degrees by GCHQ will be subject to a set of terms and conditions (T&Cs). A copy of the T&Cs for Full and Provisional certification can be obtained by ing ACE-CSE_project@gchq.gsi.gov.uk. Although applications for certification in response to this Call will be made directly to GCHQ, it is envisaged that future Calls may require applications to be made to a third party appointed by GCHQ to certify individual degrees against the GCHQ criteria for Master s certification. HEIs should note that Master s certification (Full or Provisional) is anticipated to be one of the requirements for future recognition as an Academic Centre of Excellence in Cyber Security Education please see section 2.3. Page 2 of 44

3 1.1 Organisation of this document The remainder of this document is organised as follows: Section 2: General background information Section 3: Guidance on the scope of the Call Section 4: Eligibility of applicants Section 5: How to apply Section 6: Assessment process Section 7: Key dates Appendix A: Cyber terminology the National Technical Authority view Appendix B: Subject Areas and Topics to be covered in Master s degrees in Digital Forensics Appendix C: Required structure of application for Full certification Appendix D: Required structure of application for Provisional certification Appendix E: Guidance on writing and submitting applications 2 Background 2.1 UK Cyber Security Strategy Objective 4 The vision of the UK Cyber Security Strategy is 1 : for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness and transparency and the rule of law, enhance prosperity, national security and a strong society Objective 4 of the UK Cyber Security Strategy requires: the UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives Working in partnership over the past few years, BIS, EPSRC, GCHQ, CPNI and OCSIA have initiated a number of programmes across academia designed to address the knowledge, skills and capability requirements for cyber security research in Objective 4, including: Academic Centres of Excellence in Cyber Security Research Academic Research Institutes in Cyber Security Centres for Doctoral Training in Cyber Security Research In the next two steps of the academic programme under Objective 4, GCHQ has initiated a programme to certify Master s degrees in Cyber Security and intends to identify Academic Centres of Excellence in Cyber Security Education. 1 Page 3 of 44

4 2.2 Aims, benefits and vision of Certified Master s in Cyber Security The overall aim is to identify and recognise Master s degrees run by UK HEIs that provide well defined and appropriate content and that are delivered to an appropriate standard. This Call for Digital Forensics is complementary to other calls for the certification of Master s degrees in general cyber security and other specialised topics. The anticipated key benefits include: providing guidance to prospective students and employers on the content and quality of such degrees providing Master s students who have completed their certified degree with an additional form of recognition i.e., that they have successfully completed a GCHQ certified degree helping to further enhance the quality, focus and relevance of Master s degrees helping universities with certified Master s degrees to attract additional numbers / higher quality students both from the UK and abroad helping employers (in industry, government and academia) during the recruitment process to better understand, and distinguish between, the Master s qualifications of job applicants 2.3 Academic Centres of Excellence in Cyber Security Education (ACE-CSEs) GCHQ and its government partners intend to set up a separate application process to recognise ACE- CSEs. It is anticipated that invitations for ACE-CSE applications will be issued to the academic community in summer It is likely that one of the assessment criteria that will have to be met for an HEI to become a recognised ACE-CSE is that it has, and continues to have, at least one GCHQ certified (Full or Provisional) Master s degree in cyber security. Further details will be issued in due course. 3 Scope of this Call for applications This Call for Applications is for the certification of Master's degrees in Digital Forensics that are addressing Digital Forensics in law enforcement and intrusion analysis, with an emphasis on law enforcement see Appendices A, B, C and D. This Call is for post-graduate Digital Forensics Master s degrees (including distance learning degrees) delivered, examined and awarded in the UK by UK HEIs and which typically take one year of full-time study (or equivalent for part-time students). 3.1 Digital Forensics For the purposes of this Call, Digital Forensics 2 should be taken to mean: The use of scientifically derived and proven methods 3 toward the preservation, collection, validation, identification, analysis, interpretation, documentation and presentation of digital 2 Taken from DFRWS 2001 available at: Archive 2001 Page 4 of 44

5 evidence derived from digital sources for the purpose of facilitating or furthering the reconstruction of events found to be criminal, or helping to anticipate unauthorized actions shown to be disruptive to planned operations. In line with the above, Digital Forensics as a field can generally be broken down into a number of distinct elements: identification identify the type of incident that has taken place acquisition the methodology, technology and governance around the capture of data stored on digital media analysis broad term reflecting the application of the technical theory behind the working of an exhibit to extract pertinent information evaluation determining whether the components identified are relevant to the case being investigated and can be considered as legitimate evidence reporting translation of highly specialised material to relevant, understood facts and communicated in a compliant fashion 3.2 In scope For a Master s degree to be in scope for this Call, each of the requirements i, ii and iii below must be met: i. at least one of options a and b must be met: a. at least 70% of the taught modules in the Master s must be able to be mapped to Digital Forensics Subject Areas 1 to 7 shown in Appendix B b. for Master s degrees that comprise a broad set of optional modules from which students can choose, it must be the case that students can select a set of taught modules in which at least 70% of the modules in the set can be mapped to Digital Forensics Subject Areas 1 to 7 shown in Appendix B 4 ii. for a Master s in Digital Forensics, the taught modules must cover all of the Core Topics shown in Appendix B iii. there must be a substantial original research component and associated dissertation (corresponding to Security Discipline I, Appendix B) expected to account for 25% to 45% of the available credits. If the percentage of credits associated with the original research dissertation is higher than 45%, then an HEI will need to clarify how the taught modules of the degree adequately cover all of the Digital Forensics Core Topics. If the percentage is less than 25% then an HEI will need to clarify how students are able to gain sufficient understanding and experience of undertaking original research. 3 It should be noted that rapidly changing technology will frequently require the development of scientific proofs rather than the use of proven methods. 4 If option b is chosen, then the T&Cs associated with certification will require that the set of modules for which certification applies is identified. It will be the responsibility of the HEI to inform students that this is the set of modules for which the Master s degree is certified and that other combinations of modules are not certified. Page 5 of 44

6 3.2.1 Full certification To be in scope, applications for Full certification require: a cohort of students to have successfully completed the Master s degree in academic year the external examiner s report to be available 5 for academic year the Master s degree to be running in academic year Provisional certification To be in scope, applications for Provisional certification require one of the following to be met: the Master s degree to be running in academic year , though a cohort of students did not complete the degree in academic year the new/revised Master s degree has not yet started but will start by (up to and including) October Out of scope The following Master s degrees are out of scope for this Call: Integrated Master s degrees which typically take 4 years of study starting at undergraduate level Master s degrees which are predominantly carried out by research leading to MRes degrees Master s degrees focusing on, for example, computer science or software engineering where Digital Forensics is covered in only a small percentage of modules Master s degrees that are planned to start later than October Eligibility This Call is open to all UK Higher Education Institutions. Applicants should note that there will be no funding associated with successful certification of Master s degrees. 5 How to apply 5.1 Submitting applications Applications should be ed to ACE-CSE_Project@gchq.gsi.gov.uk by 16:00 on 27 February Applicants are solely responsible for ensuring that any application that they submit reaches GCHQ and for all costs of preparation of their applications. To help with the administration of submissions, please put Master s Digital Forensics Certification application - <Name of your HEI>< n of m> 5 Where the external examiner s report for is not available by the submission deadline please provide the most recent report and the HEI s response. Please state when the report and response will be available and submit them as soon as they are available. Page 6 of 44

7 on the subject line. Please also ensure that each file that is sent as part of the submission is named in the order that it is to be printed: <Name of HEI><Digital Forensics><File n of m>. 5.2 Guidance on writing applications Although applicants will be solely responsible for the content and accuracy of their applications, applicants are strongly encouraged to refer to the overall guidance on writing and submitting applications provided in Appendix E Applications for Full certification Applicants should note that their applications should be structured to follow the guidance in Appendix C. Applicants should also refer to Appendices A, B and E. If successful, Full applications will be awarded Certified status for a period of five years, subject to the HEI agreeing the T&Cs which will document the ongoing requirements for the HEI and GCHQ Applications for Provisional certification Applicants should note that their applications should be structured to follow the guidance in Appendix D. Applicants should also refer to Appendices A, B and E. If successful, Provisional applications will be awarded a Certification Pending status. This will be conditional on the applicant agreeing the T&Cs associated with Provisional applications, which will include a limit on the length of time a Certification Pending status can be held without obtaining Full Certification. 5.3 Briefing meeting and points of clarification A briefing meeting is planned for potential applicants on the afternoon of 14 January 2015 at The Defence Academy of the United Kingdom 6, Shrivenham, Swindon, SN6 8LA. Please ACE- CSE_Project@gchq.gsi.gov.uk by 16:00 on 08 January 2015 to register attendance. To help with administration, please put Master s in Digital Forensics Certification briefing day - <Name of your HEI> on the subject line. Please include the names and contact details of those wishing to attend the briefing meeting maximum of 3 per HEI. GCHQ will acknowledge s within two working days. Please contact Graeme Dykes on xtn if an acknowledgement has not been received. Call documents and a list of points of clarification regarding the application process will be maintained at: Applicants are advised to check this Web page regularly for any updates to the application process or changes to the version of the Call document. 6 Defence Academy web page: Page 7 of 44

8 6 Assessment Applications within scope will be assessed by an Assessment Panel that will include representatives from GCHQ, wider government, industry, professional bodies and academia. Each application will be read and scored independently by a minimum of three members of the Assessment Panel. At the Assessment Panel meeting, Panel members will present their scores and the rationale for their scores. The Assessment Panel will agree a consensus score for each application. The Panel s decision is final. There is no maximum number of successful applications for certification. 6.1 Full certification Each application will be assessed within the six areas shown below, and further described in Appendix C, against the set of assessment criteria also shown in Appendix C. i. HEI s letter of support for the application ii. Description of the applicant iii. Description of the Master s degree in Digital Forensics iv. Assessment materials and external examiner s report v. Original research dissertations vi. Student numbers and grades achieved 6.2 Provisional certification Each application will be assessed within the five areas shown below, and further described in Appendix D, against the set of assessment criteria also shown in Appendix D. i. HEI s letter of support for the application ii. Description of the applicant iii. Description of the Master s degree in Digital Forensics iv. Assessment materials v. Original research dissertations Page 8 of 44

9 7 Moving forwards 7.1 Key dates Activity Proposed Date Call issued 08 December 2014 Briefing meeting 14 January 2015 Proposals due to be submitted 27 February2015 Assessment of proposals March April 2015 Announcement of results by 30 April After the assessment process All applicants will be notified individually whether their applications have been successful. 7.3 Successful applications The certification (whether Full or Provisional) of each individual Master s degree is conditional upon the HEI agreeing to the T&Cs of certification provided by GCHQ. The T&Cs describe the terms of use of the branding associated with certification such as in advertising/promotional material and the award documents given to students who have successfully completed the degree. The T&Cs also describe the ongoing requirements that the HEI must satisfy in order for the certification to remain valid. 7.4 Unsuccessful applications Applications that are not successful in this Call will be given feedback and, where appropriate, such applicants will be encouraged to submit in future calls. 8 Contact details Graeme Dykes GCHQ Hubble Road Cheltenham GL51 0AX Tel: xtn ACE-CSE_Project@gchq.gsi.gov.uk Page 9 of 44

10 Appendix A: Cyber terminology the National Technical Authority view 1 Introduction Today the term Cyber is used by everyone, and everyone has a different understanding as to what it means. This is causing confusion, inefficiency and misunderstanding. Whilst you can never control how others use this term, in this Appendix GCHQ as the National Technical Authority (NTA) for Information Assurance 7 clarifies the use of cyber terminology and the scope of cyber security both for the UK and this Call. In particular, the terms Information Assurance, Cyber Space, Cyber Security are described and a working definition of Cyber Security is presented. 2 Information Assurance Information Assurance (IA) is a discipline that seeks to manage (e.g. reduce as necessary) the risks and impacts to information and information-based systems. It is also known as Information Security. IA is carried out by the owner of the information or information system supported by organisations such as GCHQ and CPNI that provide many of the tools they need. The term Information Assurance was coined to emphasise the need for confidence (or assurance) that risks are being effectively managed. IA considers the full set of risks to information and information-based systems and includes the following activities: Protect reduces information risk through the reduction of vulnerabilities (whether physical, personnel, process or technical) Prepare enables the harm to be reduced when a risk is realised, i.e. contingency planning Detect identifies when a risk changes (new vulnerability discovered, change in threat level, etc.) or is realised, i.e. situation awareness Respond reduces the impact when a risk is realised, e.g. incident management GCHQ provides the overall framework for managing risks to information and information systems, as well as guidance on how technical risks can be mitigated. CPNI is responsible for providing guidance on mitigating physical and personnel vulnerabilities. All three aspects have to be addressed if an organisation is to effectively manage its information risks, even in cyber space. 3 Cyber Space The Cyber Security Strategy of the United Kingdom 8, dated June 2009, describes cyber space as encompassing all forms of networked, digital activities; this includes the content of and actions conducted through digital networks. It also states that the physical building blocks of cyber space 7 Technical areas within the scope of the NTA include: cryptography, key management and security protocols; information risk management; IA Science; hardware engineering and security analysis; information assurance methodologies; operational assurance techniques; strategic technologies and products; control systems; electromagnetic physics and security. 8 Page 10 of 44

11 are individual computers and communication systems [which] fundamentally support much of our national infrastructure and information. Cyber space is a key enabler for the UK and therefore a critical asset. In The UK Cyber Security Strategy 9, dated November 2011, this is picked up as a Tier 1 risk: namely, hostile attacks upon UK cyberspace by other states and large scale crime. These strategies effectively say that we need to put in place measures to reduce the risk and impact of such attacks, i.e. we need to defend ourselves in cyber space. 4 Cyber Security 4.1 General description The Cyber Security Strategy of the United Kingdom 10, dated June 2009, states that Cyber security embraces both the protection of UK interests in Cyber Space and also the pursuit of wider UK security policy through exploitation of the many opportunities that cyber space offers. Cyber security should be considered as an activity covering all aspects of UK well-being as they relate to cyber space. The complexity of cyber space and its relationship to the well-being of the UK means that cyber security includes a number of inter-related activities. At a general level, for the purposes of this Call, cyber security refers to those activities that relate to the defence of UK cyber space and are largely carried out by information and system owners in order to defend (reduce risk and impact) UK cyber space. Organisations operating in cyber space are responsible for managing their risks and impacts by undertaking Protect, Prepare, Detect and Respond through applying the discipline of Information Assurance. Part of GCHQ s role as the National Technical Authority for Information Assurance is to provide definitive, authoritative and expert-based guidance on all aspects of IA. However, it is absolutely clear that raising cyber security levels in the UK has to be a joint effort between government, industry and academia. Establishing Certified Master s degrees in cyber security is an example of this joint effort aimed at supporting the goals of the UK s Cyber Security Strategy. It should be noted that the Cyber Security Strategy considers national level risks that largely stem from malicious action or environmental hazard. Information risks also stem from accidental actions such as the loss of a laptop, inappropriate or loss of storage devices (as in recent well publicised security breaches). This is the broader scope of Information Assurance Page 11 of 44

12 4.2 Specific working definition of cyber security to be used for this Call The International Telecommunication Union has produced a definition of cyber security 11 which is consistent with the general descriptions above. For the purposes of this Call document, cyber security should be taken to mean: The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the assets of organisations and users. The assets of organisations and users include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cyber security strives to ensure the attainment and maintenance of the security properties of the assets of organisations and users against relevant security risks in the cyber environment Page 12 of 44

13 Appendix B: Subject Areas and Topics to be covered in Master s degrees in Digital Forensics The Security Discipline Principles and Skills Groups that form part of the tables in this Appendix A are derived from the IISP Information Security Skills Framework and are copyright The Institute of Information Security Professionals. All rights reserved. The tables in this Appendix show the Subject Areas to be covered in Master s degrees in Digital Forensics. Lists of Core and Other Indicative Topics are shown for each Subject Area. Reference is made to Security Disciplines (A, B, C,.., F1, F2, etc.) and Principles from the IISP Skills Framework 12. Applicants may also find it useful to refer to CESG s documentation on the Certification for IA Professionals which includes further discussion of the IISP Skills Framework. The Information Systems Research and Professional Skills Security Disciplines are presented in more detail since they are referred to explicitly in Appendices C and D. 12 IISP Skills Framework: 77a6f e-aa7b ec4 13 CESG is the Information Security arm of GCHQ: 14 CESG Certification for IA Professionals: Page 13 of 44

14 Subject Area Core Topics coverage (required) Other Indicative Topics coverage 1. Foundations of Digital Forensics (F3) the scope of digital forensics a forensic perspective on device architectures principles of data storage media foundations of data structures and algorithms principles of operating systems (OSs) and OS forensics principles of networks and network forensics mobile device forensics file system analysis OS-specific forensics, for example: o Windows forensics o Linux forensics o Mac OS forensics o mobile OS forensics o cloud-based forensics o embedded systems forensics Subject Area Core Topics coverage (required) Other Indicative Topics coverage 2. Digital Forensic analysis (F3) methodologies for the acquisition of digital media understanding information, file and data formats on data storage and network devices, for example: o on-disk data structures o memory analysis o file metadata o network traffic analysis understanding the effect of OS, application and hardware interactions upon digital evidence investigative techniques, for example: o time lining o data reduction anti-forensic techniques malicious code reverse engineering intrusion investigation heuristics-based analysis under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 14 of 44

15 Subject Area Core Topics coverage (required) Other Indicative Topics coverage 3. Digital Forensic practice (B2, F2, F3) the investigation process evidence collection using digital forensic tools ethics and good practice evidence reporting forensic readiness managing forensic capabilities forensics case studies investigation methods risk management testing and verification e.g. tools, processes, ISO Subject Area Core Topics coverage (required) Other Indicative Topics coverage 4. An application of Digital Forensics (F) One or more of: investigations, for example: o evidence gathering o intrusion analysis data discovery data recovery information assurance e-discovery incident response under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 15 of 44

16 Subject Area Core Topics coverage (required) Other Indicative Topics coverage 5. Legal process (A6, F2) understanding relevant law and appropriate use of powers (e.g., RIPA, CPIA) rules of evidence giving evidence evidential integrity trial process presenting evidence courtroom role play expert witness role understanding legal frameworks Subject Area Core Topics coverage (required) Other Indicative Topics coverage 6. Information security (A1, A2, B2, C) principles and practice of securing sensitive information including risk management standards rules and procedures under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 16 of 44

17 Subject Area Core Topics coverage (required) Other Indicative Topics coverage 7. Evidence handling and management (E1, F) ACPO good practice guide for digital evidence Police and Criminal Evidence Act 1984 crime scene management chain of evidence evidence archiving under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 17 of 44

18 Security Discipline Skills Group Indicative Topics Coverage I. Information Systems Research Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes. Research (I2) This aspect is likely to be reflected via the inclusion of a substantial research dissertation component within the Masters degree. Students would be expected to conduct research that is clearly focused upon one or more of the Subject Areas (1 to 7) listed above. Security Discipline Skills Group Indicative Topics Coverage J. Professional Skills These aspects are likely to be crosscutting within a programme and/or represented by a dedicated skills module. Overall, there should be evidence of the programme giving attention towards: teamworking, leadership, communication skills, decision making. under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 18 of 44

19 Appendix C: Required structure of application for Full certification This appendix provides details of the information that applicants should provide with their application along with the criteria that will be applied. Applicants should refer to section (page 6) which describes the requirements for an application for Full certification to be in scope. Applicants should also refer to Appendix E which provides advice and guidance on writing and submitting applications. Please note that an HEI should submit one application per Master s degree against this Call. An HEI can submit more than one Master s degree for certification against this Call if the HEI believes that more than one of its Master s degrees meets the criteria below. Each application for Full certification should comprise the following six sections: 1. Institution s letter of support for the application (up to one side of A4). 2. Description of the applicant (up to five sides of A4, excluding CVs) 3. Description of the Master s degree in Digital Forensics (up to ten sides of A4, excluding the module descriptions) 4. Assessment materials and external examiner s report (up to five sides of A4, excluding copies of examination papers, copies of information provided for coursework and copy of external examiner s report) 5. Original research dissertations (up to five sides of A4, excluding list of dissertation titles and copies of dissertations) 6. Student numbers and grades achieved (up to five sides of A4) Documents should be in Word or pdf format with the font size no smaller than 10pt. Unless specifically asked for, additional pages and other material in addition to that outlined above will not be read and will not therefore form part of the assessment for certification. All information provided will be treated confidentially and used only for the purposes of assessing applications. 1 HEI s letter of support for the application Please provide a signed letter from the Vice Chancellor (or equivalent) showing support for the HEI s application to have a Master s degree in Digital Forensics considered for certification by GCHQ. 2 Description of the applicant Please ensure that you cover the following points: a. The names and structure of the department(s)/group(s)/school(s) responsible for the Master s degree together with the names, seniority and roles of the members of staff Page 19 of 44

20 responsible for delivering the degree content, setting and marking examinations, supervising dissertations, etc. b. Please describe any recent investments from the HEI, government, industry etc. in the groups running the Master s degree programme. c. Please describe any external linkages that add value to the Master s degree: e.g., visiting lecturers with specialist knowledge from other academic departments, government or industry; projects suggested, and monitored, by industry; etc. d. Please describe the process used to review and re-new the course content in order to keep it up to date, for example: how often is the course content reviewed, by whom, and what external advice is taken (e.g., industrial advisory boards). e. Please describe the facilities available to Master s students in general and those dedicated to students undertaking the Master s degree specifically, for example: computer laboratories, dedicated equipment, library (access to text-books), on-line journal subscription (for research dissertations), etc. f. For each member of staff named above please provide a CV (up to 2 pages in length) which provides details of: academic background knowledge and expertise in Digital Forensics and cyber security e.g., references to recent publications, working with industry and/or government esteem indicators e.g., editorships, invited talks, membership of national and international advisory groups relevant professional certifications etc. CVs should go in an appendix to section Criteria to be applied i. There should be a coherent team responsible for delivering the Master s, with clear roles and responsibilities. ii. The team members delivering the modules, setting the examinations and marking papers should have the appropriate technical knowledge and skills in Digital Forensics and cyber security. iii. The team should be well supported by the HEI. It would be desirable to see that the Master s degree programme has valuable external linkages. iv. There should be a well-defined process for keeping the Master s degree up to date that takes account of appropriate internal and external advice. v. Students undertaking the Master s should have access to well-equipped modern computer laboratories with easy access to information on the latest developments in Digital Forensics and cyber security. Page 20 of 44

21 3 Description of the Master s degree in Digital Forensics Please ensure that you cover the following points: a. Please provide a high-level description of the Master s degree. This should include: the name of the degree and the specific degree awarded (e.g., MSc etc.) the objectives and expected learning outcomes of the degree as a grounding for a Master s qualification how the degree satisfies the QAA qualification framework for Master s level the number of academic years the degree has been running and whether it is being delivered in academic year the overall structure of the degree e.g., the set of taught modules, which modules are core and which are optional, the number of credits awarded for each module, the number of credits awarded for the original research dissertation any professional certifications attained as part of the degree, if applicable a description of how the degree is structured to accommodate part-time students, if applicable b. Please provide a table (Table 3.1) that shows for each taught module 15 : the member(s) of staff delivering the module which Subject Area(s) (Appendix B) the module covers if it does not cover a Subject Area please state NONE the number of credits in the module the percentage of the module addressing the Subject Areas the number of credits in the module that can be considered to be addressing the Subject Areas obtained from the product of the answers to the 3 rd and 4 th bullet points c. In Table 3.1, please also clarify the estimated total number of credits addressing the Subject Areas and the total number of credits in the taught component of the degree. Please express the ratio of these figures as your estimate of the percentage of the taught component of the Master s degree that can be mapped to the Subject Areas. 15 Applicants may find it helpful to refer to the document Certification General Masters QandAs 01 May 2014 available at The document describes the process to be used for determining the percentage of the taught modules addressing the Subject Areas. Page 21 of 44

22 Module Member(s) of staff Subject Area(s) covered Number of credits in module Estimated percentage of module addressing Subject Areas Estimated number of credits in module addressing Subject Areas Module 1.. Module n Total Table 3.1 d. For each module that addresses a Subject Area, please provide a module description to include the syllabus/topics covered and the expected learning outcomes. Please include in each module description a list of the Core Topics and Other Indicative Topics (Appendix B) that the module covers. The module descriptions should be placed in an appendix to section 3. e. With reference to Appendix B, please provide an overview of how the topic coverage required for a Master s degree in Digital Forensics is achieved by completing Table 3.2 of the following form covering Subject Areas 1 to 7: Page 22 of 44

23 Other Indicative Topics Modules covering Subject Area Core Topics 16 Modules covering Core Topics 17 Other Indicative Topics 1. Foundations of Digital Forensics scope of digital forensics forensic perspective device architectures principles of data storage media foundations data structures and algorithms principles of OSs and OS forensics principles of networks and NW forensics m2 m3 m4 m5 m6 OS-specific forensics, e.g.: o Windows o Linux o Mac OS o mobile OS o cloud based o embedded systems mobile device forensics m7 file system analysis m8 methodologies acquisition digital media anti-forensic techniques 2. Digital Forensic analysis understanding file and data formats understanding effect of OS, applications and hardware m2 m3 malicious code reverse engineering intrusion investigation m2 m3 m4 investigative techniques m4 heuristics-based analysis m5 16 For brevity some of the descriptions of Topics have been shortened. In case of doubt, please refer to Appendix B for the full description. 17 For this column and the final column, please replace, m2, etc. with the appropriate module names/identifiers from the Master s degree. If none, please state NONE. under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 23 of 44

24 Subject Area Core Topics Modules covering Core Topics Other Indicative Topics Modules covering Other Indicative Topics 3. Digital Forensic practice investigation process evidence collection m2 forensics case studies investigation methods m2 using digital forensic tools m3 risk management m3 ethics and good practice m4 testing and verification m4 evidence reporting m5 forensic readiness m6 managing forensic capabilities m7 4. An application of Digital Forensics one or more of: o investigations o data discovery o data recovery o information assurance o e-discovery o incident response under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 24 of 44

25 Subject Area Core Topics Modules covering Core Topics Other Indicative Topics Modules covering Other Indicative Topics understanding relevant law trial process rules of evidence m2 presenting evidence m2 5. Legal process giving evidence evidential integrity m3 m4 courtroom role play expert witness role m3 m4 understanding legal frameworks m5 6. Information security principles and practice of securing sensitive information standards rules and procedures m2 7. Evidence handling and management ACPO good practice guide Police and Criminal Evidence Act crime scene management m2 m3 evidence archiving chain of evidence m4 Table 3.2 under other UK information legislation. Refer disclosure requests to GCHQ on x30306, Page 25 of 44

26 f. For Master s degrees with core and optional modules please identify the permitted combinations of core and optional taught modules that DO cover all of the Core Topics in Table 3.2. g. For Master s degrees in which the original research dissertation accounts for more than 45% of the credits available, please clarify how the remainder of the degree adequately covers all of the Core Topics. h. Please describe how Security Discipline J, Professional Skills (Appendix B), is addressed in the Master s degree. By way of example, describe how team-working, communication skills etc. are covered within the degree programme as a whole it is not a requirement to have a separate dedicated module covering Professional Skills. 3.1 Criteria to be applied i. The objectives and anticipated learning outcomes for students undertaking the Master s should be clearly articulated. ii. The degree must have had a cohort of students successfully complete the degree in academic year and it must be currently active in academic year iii. The degree satisfies the QAA qualification framework for Master s level. iv. Part-time students should cover the same breadth and depth of content as one-year, full time students. v. The completed Table 3.1 must show that at least one of the following options is met: vi. vii. viii. ix. at least 70% of the taught modules in the Master s must be able to be mapped to Subject Areas 1 to 7 for Master s degrees that comprise a broad set of optional modules from which students can choose, it must be the case that students can select a set of taught modules in which at least 70% of the modules in the set can be mapped to Subject Areas 1 to 7 The completed Table 3.2 must show that the taught modules provide coverage of all the Core Topics. Permitted combinations of core and optional modules that DO cover all the Core Topics in Table 3.2 must be clearly identified. There must be at least one combination of core and optional modules that covers all the Core Topics listed in Table 3.2. For the case of Master s degrees where the original research dissertation accounts for more than 45% of the credits available, it must be clear that the remainder of the degree is able to adequately cover the all of the Core Topics. Under the Professional Skills Security Discipline (Discipline J, Appendix B), the Master s degree should address the following topics: team-working, communication skills, leadership and decision making. Page 26 of 44

27 4 Assessment materials and external examiner s report Please ensure you cover the following: a. Please describe the overall approach to assessment of the taught modules on the Master s degree. This should include: assessment methodology marking scheme the pass mark for individual modules and the taught part of the degree overall b. Please describe how the overall mark for the degree as a whole is worked out from the taught component and research dissertation component. Please describe the mark required to achieve pass, merit and distinction (or equivalent) of the overall degree. c. For academic year , for each of the modules identified in section 3 that addresses Subject Areas 1 to 7 please describe the process used for assessment (e.g., examination, coursework, practical exercises, etc.). Please provide a copy of the examination paper(s) that students sat. For assessed coursework, please provide copies of the information provided to students and the assessment criteria used by the HEI. This information should be placed in an appendix to section 4. d. For academic year , please provide a copy of the external examiner s report 18. Please describe the process for engagement with the external examiner. Please describe the technical background and experience of the external examiner. e. For academic year , please provide a copy of the HEI s response to the external examiner s report and any follow up actions that have been undertaken in response to the report. 4.1 Criteria to be applied i. The overall approach to the assessment of the taught component to the Master s should be clear and coherent. The marking scheme should make it clear what students have to demonstrate in their work in order to be awarded the relevant marks/grades. ii. The examination and assessment process must rigorously test students understanding of the Subject Areas and Core Topics shown in Appendix B. iii. The external examiner should have the appropriate technical background and his/her report must provide a positive picture of the Master s Degree under assessment. iv. The progress to any follow-on actions suggested by the external examiner should be made clear. 18 Where the external examiner s report for is not available by the submission deadline please provide the most recent report and the HEI s response. Please state when the report and response will be available and submit them as soon as they are available. Page 27 of 44

28 5 Original research dissertations Please ensure that you cover the following points: a. Please describe the guidance the HEI provides to Master s students before they embark on their dissertations, for example: research methods, undertaking literature reviews, etc. b. Please describe the process for allocation of dissertation topics to students, for example: is it up to students to come up with topic ideas? do members of staff identify possible topics? does the HEI have links with industry partners who suggest topics? c. Please describe the process for monitoring the progress of students on their dissertations. d. Please describe the process for assessing dissertations. Please indicate whether the HEI provides students with guidance on what is expected in a dissertation to achieve distinction, merit or pass 19. e. For Master s degrees in which the original research dissertation accounts for less than 25% of the available credits, please describe how students are able to gain sufficient understanding and experience of undertaking original research. f. For each of academic years and (if any), please provide a list of Master s dissertations undertaken by students. This should include the dissertation title, a short (one paragraph) abstract, an identification of the Subject Area(s) in Appendix B to which the dissertation applies, and if appropriate whether there was any external involvement in the dissertation (e.g., from industry). Where there were more than 20 students undertaking dissertations in an academic year, please provide information for a representative sample of 20 dissertations only. g. For academic year , please provide one anonymised and representative copy 20 of a dissertation for each of 21 : a dissertation that achieved a distinction (if none in , try ; else state none) a dissertation that achieved a merit (if none in , try ; else state none) a dissertation that achieved a pass (if none in , try ; else state none) h. For each of the dissertations in point g above, please provide: the overall mark awarded the components of the overall mark, for example: o mark awarded to viva (including any demonstration) o mark awarded to dissertation plan 19 Where the classifications of distinction / merit / pass are not used, please refer to the grades that are used by the HEI. 20 Please include electronic versions of the dissertations as part of the submission. It is not possible to download dissertations from external web sites. 21 Where the classifications of distinction / merit / pass are not used, please provide representative dissertations for each of the classifications that are used by the HEI. Page 28 of 44

29 o mark awarded to dissertation key comments from the internal examiners any additional information that you feel would be helpful for the Assessment Panel to be made aware of as part of its job to determine whether the grade awarded to each dissertation is appropriate 5.1 Criteria to be applied i. There needs to be a well-defined process for the allocation of dissertation topics to students and for monitoring the progress of students. ii. There needs to be a well-defined and rigorous process for the assessment of dissertations. iii. For Master s degrees in which the original research dissertation accounts for less than 25% of the available credits, it should be clear that students are still able to gain sufficient understanding and experience of undertaking original research. iv. It should be clear that the dissertation topics are within the scope of Subject Areas 1 to 7 listed in Appendix B. v. The award of distinction, merit or pass for the representative dissertations should be appropriate. 6 Student numbers and grades achieved Where the data are available, for each of academic years and please provide the following information: a. for students with UK nationality the required entry qualifications the number of UK students please indicate the number of full-time and part-time students the number with an upper-second class (or higher) degree in a STEM subject the number without the degree qualification above but who have relevant experience e.g., people from industry/government undertaking the course the number without a STEM background or relevant experience b. for students with EU nationality (excluding UK nationals) the required entry qualifications the number of EU students please indicate the number of full-time and part-time students the number with an upper-second class (or higher) degree in a STEM subject from a UK HEI the number with the equivalent of an upper-second class (or higher) degree in a STEM subject from a non-uk HEI Page 29 of 44