Certification of Integrated Master s Degrees in Computer Science and Cyber Security

Certified Master s in Cyber Security Certification of Integrated Master s Degrees in Computer Science and Cyber Security Call for Applications Closing Date: 15 January 2016, 16:00 Briefing Meeting: 05 November 2015, 13:00 Portions of this work are copyright The Institute of Information Security Professionals. All rights reserved. Portions of this work are copyright The Association of Computing Machinery and The Institute of Electrical and Electronics Engineers. All rights reserved. The copyright of this document is reserved and vested in the Crown. The information contained within Appendix B of this Call Document about GCHQ s recommended content of degrees involving cyber security is aimed at all Higher Education Institutions (HEIs) who receive funding from HEFCE (England), HEFCW (Wales), SFC (Scotland) or Department for Employment and Learning (Northern Ireland) who may wish to seek GCHQ s certification of the relevant degrees taught in the UK. The information has been made available on GCHQ s web site for the sole purpose of making it easily accessible to this intended audience. Page 1 of 63

Document History Issue Date Comment Issue 1.0 18 August 2015 First issue Page 2 of 63

1 Introduction Reflecting the aims of the National Cyber Security Programme, UK Government and its delivery partners are working to increase the UK s academic capability in all fields of Cyber Security. Together BIS, EPSRC, GCHQ, CPNI and OCSIA have developed a joint approach and strategy for reaching this goal. As part of that strategy, GCHQ has initiated a programme to certify Master s degrees in cyber security subjects taught at UK Higher Education Institutions (HEIs). This Call for Applications is for the certification of Integrated Master s degrees in computer science which provide a general, broad foundation in cyber security please see section 3 for more details. Master s degrees in cyber security subjects can provide a number of benefits, providing for example: a deeper understanding of cyber security concepts, principles, technologies and practices a bridge between undergraduate STEM degrees and careers in cyber security a platform for further research at Doctoral level an effective way for people in mid-career to enhance their knowledge of the subject or to move into cyber security as a change of career path There are now a significant number of Master s degrees run by UK HEIs with cyber security content. However, it can be difficult for students and employers alike to navigate the variety of Master s that is available in order to: understand the extent to which such degrees really have cyber security as their main or sole focus assess the quality of the degrees on offer identify which degrees best suit someone s career path. This Call (and any subsequent calls) will enable HEIs, should they wish, to apply to have their cyber security Integrated Master s degrees considered for certification. There are two types of certification (please see section 3 for further details): Full Certification and Provisional Certification. Certifications of individual Integrated Master s degrees by GCHQ will be subject to a set of terms and conditions (T&Cs). A copy of the T&Cs for Full and Provisional certification can be obtained by emailing MastersCertification@gchq.gsi.gov.uk. Although applications for certification in response to this Call will be made directly to GCHQ, it is envisaged that future calls may require applications to be made to a third party appointed by GCHQ to certify individual degrees against the GCHQ criteria for Integrated Master s certification. HEIs should note that Master s certification (Full or Provisional) is anticipated to be one of the requirements for future recognition as an Academic Centre of Excellence in Cyber Security Education please see section 2.3. Page 3 of 63

1.1 Organisation of this document The remainder of this document is organised as follows: Section 2: General background information Section 3: Guidance on the scope of the Call Section 4: Eligibility of applicants Section 5: How to apply Section 6: Assessment process Section 7: Key dates Appendix A: Cyber terminology the National Technical Authority view Appendix B: Topics to be covered in Integrated Master s degrees in Computer Science and Cyber Security Appendix C: Required structure of application for Full certification Appendix D: Required structure of application for Provisional certification Appendix E: Guidance on writing and submitting applications 2 Background 2.1 UK Cyber Security Strategy Objective 4 The vision of the UK Cyber Security Strategy is 1 : for the UK in 2015 to derive huge economic and social value from a vibrant, resilient and secure cyberspace, where our actions, guided by our core values of liberty, fairness and transparency and the rule of law, enhance prosperity, national security and a strong society Objective 4 of the UK Cyber Security Strategy requires: the UK to have the cross-cutting knowledge, skills and capability it needs to underpin all our cyber security objectives Working in partnership over the past few years, BIS, EPSRC, GCHQ, CPNI and OCSIA have initiated a number of programmes across academia designed to address the knowledge, skills and capability requirements for cyber security research in Objective 4, including: Academic Centres of Excellence in Cyber Security Research Academic Research Institutes in Cyber Security Centres for Doctoral Training in Cyber Security Research 1 https://www.gov.uk/government/publications/cyber-security-strategy Page 4 of 63

In the next two steps of the academic programme under Objective 4, GCHQ has initiated a programme to certify Master s degrees in Cyber Security and intends to identify Academic Centres of Excellence in Cyber Security Education. 2.2 Aims, benefits and vision of Certified Master s in Cyber Security The overall aim is to identify and recognise Master s degrees run by UK HEIs that provide well defined and appropriate content and that are delivered to an appropriate standard. This Call for Integrated Master s in Computer Science and Cyber Security is complementary to other calls for the certification of one-year postgraduate Master s degrees in general cyber security and other specialised topics. The anticipated key benefits of the Certified Master s programme include: providing guidance to prospective students and employers on the content and quality of Master s degrees providing Master s students who have completed their certified degree with an additional form of recognition i.e., that they have successfully completed a GCHQ certified degree helping to further enhance the quality, focus and relevance of Master s degrees helping universities with certified Master s degrees to attract additional numbers / higher quality students both from the UK and abroad helping employers (in industry, government and academia) during the recruitment process to better understand, and distinguish between, the Master s qualifications of job applicants 2.3 Academic Centres of Excellence in Cyber Security Education (ACEs-CSE) GCHQ and its government partners intend to set up a separate application process to recognise ACEs-CSE. It is anticipated that invitations for ACE-CSE applications will be issued to the academic community in summer 2016. It is likely that one of the assessment criteria that will have to be met for an HEI to become a recognised ACE-CSE is that it has, and continues to have, at least one GCHQ certified (Full or Provisional) Master s degree. Further details will be issued in due course. 3 Scope of this Call for applications This Call for Applications is for the certification of Integrated Master s degrees in computer science which provide a general, broad foundation in cyber security see Appendices A, B, C and D. This Call is for Integrated Master s degrees that are delivered, examined and awarded in the UK by UK HEIs. Page 5 of 63

3.1 Integrated Master s terminology used in this Call Throughout this document, the terms level and credit are taken from the Higher Education Credit Framework for England 2. If an HEI uses a different framework, it should describe what it uses and map its framework to the QAA framework. The QAA describes Integrated Master s degrees as follows 3 : Integrated Master's degrees are delivered through a programme that combines study at the level of a Bachelor's degree with honours with study at Master's level. As such, a student usually graduates with a Master's degree after a single four-year, or five-year in Scotland, programme of study. If a work placement is included, the time taken to complete the programme may be extended. The QAA subject benchmark statement for computer science further states 4 : Integrated master s degrees (MComp, MEng and MSci) include the outcomes of Bachelor's degrees with honours and go beyond them to provide a greater range and depth of specialist knowledge, often within a research and industrial environment, as well as a broader and more general academic base. Such programmes provide a foundation for leadership. Integrated Master s programmes of study are designed as an integrated whole from entry to completion, although earlier parts may be delivered in common with a parallel Bachelor's degree with honours. For the purposes of this Call document, Integrated Master s degrees are assumed to typically take four years of study (or equivalent for part-time students) leading to the award of Master s degrees such as MComp, MEng, MSci, etc. Intermediate Bachelor s degrees are not awarded. Typically, Integrated Master s degrees comprise 480 credits with a minimum of 120 credits at level 7. Typically for a 4-year Integrated Master s: year 1 would be at level 4; year 2 at level 5; year 3 at level 6; and year 4 at level 7. 3.2 Integrated Master s different structures The structure of Integrated Master s degrees does vary from university to university. By way of example only, during the first three years students might undertake a Bachelor s level programme with the fourth year being at Master s level. Students would only be able to enter the fourth year if they have achieved a good overall mark during their first three years. In other Integrated Master s degrees, students might undertake a common programme during the first two years before undertaking Integrated Master s modules during years 3 and 4. In Scotland, Integrated Master s 2 http://www.qaa.ac.uk/publications/information-and-guidance/publication?pubid=2730 3 QAA Master s Degrees Characteristics draft for consultation (December 2014): http://www.qaa.ac.uk/publications/information-and-guidance/publication?pubid=2869 4 http://www.qaa.ac.uk/en/publications/documents/sbs-computing-consultation-15.pdf Page 6 of 63

degrees typically take 5 years. Some universities might offer 5-year Integrated Master s with one year spent working in industry. Thus, in its application it is important that an HEI clearly describes the structure of its Integrated Master s degree. This Call is open to any variants of Integrated Master s degrees that meet the scope requirements below. 3.3 Indicative Integrated Master s structure Table 1 below shows an indicative Integrated Master s structure across the four years of the degree. Page 7 of 63

Year Level Taught computer science credits Individual computer science project and dissertation credits Group computer science project credits Taught cyber security credits Individual cyber security project and dissertation credits Group cyber security project credits Total credits 1 4 105 15 120 2 5 90 15 15 120 3 6 50 40 30 120 4 7 15 60 30 15 120 Total credits 260 40 15 120 30 15 480 Table 1: by way of example only, this table provides an indication of credit allocation across the 4 years of an Integrated Master s degree in computer science and cyber security under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 8 of 63

It is not expected that the credit allocation shown in Table 1 should be rigidly adhered to. Rather the credit allocation should broadly follow the trends below: the number of taught computer science credits would be expected to steadily decrease as the Integrated Master s progresses the number of taught cyber security credits would be expected to steadily increase as students move through the levels it would be expected that students should undertake a fairly substantial individual cyber security project and dissertation at level 6 or 7 3.4 In scope For an Integrated Master s degree to be in scope for this Call, the requirements shown in Tables 2 and 3 below for the computer science and cyber security elements must be met. Computer Science Requirements Description ComSci 1 there must be a minimum of 240 taught computer science credits across levels 4 to 7 ComSci 2 either: at least 180 of the taught computer science credits can be mapped to computer science Subject Areas 1 to 10 shown in Appendix B or: for degrees that comprise a broad set of computer science optional modules from which students can choose, it must be the case that students can select a set of taught modules in which at least 180 of the computer science credits can be mapped to computer science Subject Areas 1 to 10 shown in Appendix B ComSci 3 the computer science taught credits provide coverage of all of the computer science Subject Areas 1 to 10 at the levels indicated in Appendix B Table 2: computer science requirements for an Integrated Master s degree to be in scope Page 9 of 63

Cyber Security Requirements Description CySec 1 there must be a minimum of 105 taught cyber security credits across levels 4 to 7 CySec 2 there must be a minimum of 75 taught cyber security credits across levels 6 and 7 CySec 3 the taught cyber security credits must cover at least 8 of the Skills Groups i to xiii shown in Appendix B at the following levels: level 4 or higher: minimum of 8 Skills Groups covered level 6 or higher: minimum of 5 Skills Groups covered CySec 4 there must be an individual cyber security project and dissertation at level 6 or 7 accounting for between 20 and 50 credits Table 3: cyber security requirements for an Integrated Master s degree to be in scope If the number of credits associated with the individual cyber security project and dissertation at level 6 or 7 is less than 20 then an HEI will need to clarify how students are able to gain sufficient understanding and experience of undertaking individual project work in cyber security. If the number of credits associated with the individual cyber security project and dissertation at level 6 or 7 is greater than 50 then an HEI will need to justify the value of having such a large individual project and dissertation. 3.4.1 Full certification To be in scope, applications for Full certification require: a cohort of students to have successfully completed the Integrated Master s degree in academic year 2014 2015 the external examiner s report 5 to be available for academic year 2014 2015 the Integrated Master s degree to be running in academic year 2015 2016 3.4.2 Provisional certification GCHQ recognises that an HEI may prefer to apply for Provisional certification of its Integrated Master s degree even though a Full application would be within scope. To be in scope, applications for Provisional certification require either Option p1 or Option p2 to be met: 5 Where the external examiner s report for 2014 2015 is not available by the submission deadline please provide the most recent report and the HEI s response. Please state when the 2014 2015 report and response will be available and submit them as soon as they are available. Page 10 of 63

Option p1: the Master s degree to be running in academic year 2015 2016, though a cohort of students did not complete the degree in academic year 2014 2015 or the new/revised Master s degree has not yet started but will start by (up to and including) October 2017 Option p2: although the Master s degree meets the requirements for a Full certification to be applied for, an HEI may if it so wishes apply for Provisional certification 3.5 Out of scope The following Master s degrees are out of scope for this Call: post-graduate Master s degrees which typically take one year of study (or equivalent for part-time students) these are addressed in other calls Integrated Master s degrees with very little computer science or cyber security content Integrated Master s degrees with a narrow focus on a particular area of cyber security such as, by way of example only, digital forensics Integrated Master s degrees that are planned to start later than October 2017 4 Eligibility This Call is open to all UK Higher Education Institutions. Applicants should note that there will be no funding associated with successful certification of Integrated Master s degrees. 5 How to apply 5.1 Submitting applications Applications should be emailed to MastersCertification@gchq.gsi.gov.uk by 16:00 on 15 January 2016. Applicants are solely responsible for ensuring that any application that they submit reaches GCHQ and for all costs of preparation of their applications. To help with the administration of submissions, please put Integrated Master s Certification application - <Name of your HEI><Email n of m> on the subject line. Please also ensure that each file that is sent as part of the application is named in the order it is to be printed: <Name of your HEI><Integrated Master s><file n of m>. Page 11 of 63

5.2 Guidance on writing applications Although applicants will be solely responsible for the content and accuracy of their applications, applicants are strongly encouraged to refer to the overall guidance on writing and submitting applications provided in Appendix E. 5.2.1 Applications for Full certification Applicants should note that their applications should be structured to follow the guidance in Appendix C. Applicants should also refer to Appendices A, B and E. If successful, Full applications will be awarded Certified status for a period of five years, subject to the HEI agreeing the T&Cs which will document the ongoing requirements for the HEI and GCHQ. 5.2.2 Applications for Provisional certification Applicants should note that their applications should be structured to follow the guidance in Appendix D. Applicants should also refer to Appendices A, B and E. If successful, Provisional applications will be awarded a Certification Pending status. This will be conditional on the applicant agreeing the T&Cs associated with Provisional applications, which will include a limit on the length of time a Certification Pending status can be held without obtaining Full Certification. 5.3 Briefing meeting and points of clarification A briefing meeting is planned for potential applicants on the afternoon of 05 November 2015 in Cheltenham 6. Please email MastersCertification@gchq.gsi.gov.uk by 16:00 on 30 October 2015 to register attendance. To help with administration, please put Integrated Master s Certification briefing day - <Name of your HEI> on the subject line. Please include the names and contact details of those wishing to attend the briefing meeting maximum of 3 per HEI. GCHQ will acknowledge emails within two working days. Please contact Catherine Harkness on 01242 221491 xtn 35921 if an acknowledgement has not been received. Call documents and a list of points of clarification regarding the application process will be maintained at: http://www.cesg.gov.uk/awarenesstraining/academia/pages/masters-degrees.aspx Applicants are advised to check this Web page regularly for any updates to the application process or changes to the version of the Call document. 6 Briefing meeting to be held at Cheltenham Civil Service Club, Tewkesbury Road, Uckington, Cheltenham, Gloucestershire, GL51 9SL. http://www.cacssa.co.uk/ Page 12 of 63

6 Assessment Applications within scope will be assessed by an Assessment Panel that will include representatives from GCHQ, wider government, industry, professional bodies and academia. Each application will be read and scored independently by a minimum of three members of the Assessment Panel. At the Assessment Panel meeting, Panel members will present their scores and the rationale for their scores. The Assessment Panel will agree a consensus score for each application. The Panel s decision is final. There is no maximum number of successful applications for certification. 6.1 Full certification Each application will be assessed within the six areas shown below, and further described in Appendix C, against the set of assessment criteria also shown in Appendix C. i. HEI s letter of support for the application ii. Description of the applicant iii. Description of the Integrated Master s degree in Computer Science and Cyber Security iv. Assessment materials and external examiner s report v. Individual cyber security projects and dissertations vi. Student numbers and grades achieved 6.2 Provisional certification Each application will be assessed within the five areas shown below, and further described in Appendix D, against the set of assessment criteria also shown in Appendix D. i. HEI s letter of support for the application ii. Description of the applicant iii. Description of the Integrated Master s degree in Computer Science and Cyber Security iv. Assessment materials v. Individual cyber security projects and dissertations: process description 6.3 Applications with a borderline fail on only one criterion If an application (Provisional or Full) is a borderline fail on only one criterion namely, a score of 2.9 is achieved on one criterion with all other criteria scoring 3.0 or higher then at the discretion of the Assessment Panel the HEI will be contacted by GCHQ after the Panel meeting and given 20 working days to re-submit a revised version of the relevant section. The Panel will then consider the new information provided by the HEI with the aim of responding to the HEI with the Panel s decision within a further 30 working days. It must be stressed that the Panel s decision is final and there will be no further opportunity to consider the application until the next Call for applications is issued. Page 13 of 63

7 Moving forwards 7.1 Key dates Activity Proposed Date Call issued 20 August 2015 Briefing meeting 05 November 2015 Proposals due to be submitted 15 January 2016 Assessment of proposals January March 2016 Announcement of results by 31 March 2016 7.2 After the assessment process All applicants will be notified individually whether their applications have been successful. 7.3 Successful applications The certification (whether Full or Provisional) of each individual Integrated Master s degree is conditional upon the HEI agreeing to the T&Cs of certification provided by GCHQ. The T&Cs describe the terms of use of the branding associated with certification such as in advertising/promotional material and the award documents given to students who have successfully completed the degree. The T&Cs also describe the ongoing requirements that the HEI must satisfy in order for the certification to remain valid. 7.4 Unsuccessful applications Applications that are not successful in this Call will be given feedback and, where appropriate, such applicants will be encouraged to submit in future calls. 8 Contact details Catherine Harkness GCHQ Hubble Road Cheltenham GL51 0AX Tel: 01242 221491 xtn 35921 Email: MastersCertification@gchq.gsi.gov.uk Page 14 of 63

Appendix A: Cyber terminology the National Technical Authority view 1 Introduction Today the term Cyber is used by everyone, and everyone has a different understanding as to what it means. This is causing confusion, inefficiency and misunderstanding. Whilst you can never control how others use this term, in this Appendix GCHQ as the National Technical Authority (NTA) for Information Assurance 7 clarifies the use of cyber terminology and the scope of cyber security both for the UK and this Call. In particular, the terms Information Assurance, Cyber Space, Cyber Security are described and a working definition of Cyber Security is presented that sets the scene for the Cyber Security Indicative Topic Coverage of Integrated Master s degrees described in Appendix B. 2 Information Assurance Information Assurance (IA) is a discipline that seeks to manage (e.g. reduce as necessary) the risks and impacts to information and information-based systems. It is also known as Information Security. IA is carried out by the owner of the information or information system supported by organisations such as GCHQ and CPNI that provide many of the tools they need. The term Information Assurance was coined to emphasise the need for confidence (or assurance) that risks are being effectively managed. IA considers the full set of risks to information and information-based systems and includes the following activities: Protect reduces information risk through the reduction of vulnerabilities (whether physical, personnel, process or technical) Prepare enables the harm to be reduced when a risk is realised, i.e. contingency planning Detect identifies when a risk changes (new vulnerability discovered, change in threat level, etc.) or is realised, i.e. situation awareness Respond reduces the impact when a risk is realised, e.g. incident management GCHQ provides the overall framework for managing risks to information and information systems, as well as guidance on how technical risks can be mitigated. CPNI is responsible for providing guidance on mitigating physical and personnel vulnerabilities. All three aspects have to be addressed if an organisation is to effectively manage its information risks, even in cyber space. 7 Technical areas within the scope of the NTA include: cryptography, key management and security protocols; information risk management; IA Science; hardware engineering and security analysis; information assurance methodologies; operational assurance techniques; strategic technologies and products; control systems; electromagnetic physics and security. Page 15 of 63

3 Cyber Space The Cyber Security Strategy of the United Kingdom 8, dated June 2009, describes cyber space as encompassing all forms of networked, digital activities; this includes the content of and actions conducted through digital networks. It also states that the physical building blocks of cyber space are individual computers and communication systems [which] fundamentally support much of our national infrastructure and information. Cyber space is a key enabler for the UK and therefore a critical asset. In The UK Cyber Security Strategy 9, dated November 2011, this is picked up as a Tier 1 threat: namely, hostile attacks upon UK cyberspace by other states and large scale crime. These strategies effectively say that we need to put in place measures to reduce the risk and impact of such attacks, i.e. we need to defend ourselves in cyber space. 4 Cyber Security 4.1 General description The Cyber Security Strategy of the United Kingdom 10, dated June 2009, states that Cyber security embraces both the protection of UK interests in Cyber Space and also the pursuit of wider UK security policy through exploitation of the many opportunities that cyber space offers. Cyber security should be considered as an activity covering all aspects of UK well-being as they relate to cyber space. The complexity of cyber space and its relationship to the well-being of the UK means that cyber security includes a number of inter-related activities. At a general level, for the purposes of this Call, cyber security refers to those activities that relate to the defence of UK cyber space and are largely carried out by information and system owners in order to defend (reduce risk and impact) UK cyber space. Organisations operating in cyber space are responsible for managing their risks and impacts by undertaking Protect, Prepare, Detect and Respond through applying the discipline of Information Assurance. Part of GCHQ s role as the National Technical Authority for Information Assurance is to provide definitive, authoritative and expert-based guidance on all aspects of IA. However, it is absolutely clear that raising cyber security levels in the UK has to be a joint effort between government, industry and academia. Establishing Certified Master s degrees in cyber security is an example of this joint effort aimed at supporting the goals of the UK s Cyber Security Strategy. 8 https://www.gov.uk/government/publications/cyber-security-strategy-of-the-united-kingdom 9 https://www.gov.uk/government/publications/cyber-security-strategy 10 https://www.gov.uk/government/publications/cyber-security-strategy-of-the-united-kingdom Page 16 of 63

It should be noted that the Cyber Security Strategy considers national level risks that largely stem from malicious action or environmental hazard. Information risks also stem from accidental actions such as the loss of a laptop, inappropriate email or loss of storage devices (as in recent well publicised security breaches). This is the broader scope of Information Assurance. 4.2 Specific working definition of cyber security to be used for this Call The International Telecommunication Union has produced a definition of cyber security 11 which is consistent with the general descriptions above and which provides specific and itemised detail that links into the Security Disciplines, Skills Groups and Indicative Topic Coverage in Appendix B. Thus more specifically, for the purposes of this Call document, cyber security should be taken to mean: The collection of tools, policies, security concepts, security safeguards, guidelines, risk management approaches, actions, training, best practices, assurance and technologies that can be used to protect the cyber environment and the assets of organisations and users. The assets of organisations and users include connected computing devices, personnel, infrastructure, applications, services, telecommunications systems, and the totality of transmitted and/or stored information in the cyber environment. Cyber security strives to ensure the attainment and maintenance of the security properties of the assets of organisations and users against relevant security risks in the cyber environment. 11 http://www.itu.int/en/itu-t/studygroups/com17/pages/cybersecurity.aspx Page 17 of 63

Appendix B: Topics to be covered in Integrated Master s degrees in Computer Science and Cyber Security The Computer Science Subject Areas that form part of the tables in this Appendix are derived from the Computer Science Curricula 12 2013 and are copyright ACM and IEEE. All rights reserved. The Security Discipline Principles and Skills Groups that form part of the tables in this Appendix are derived from the IISP Information Security Skills Framework and are copyright The Institute of Information Security Professionals. All rights reserved. 1 Introduction This Appendix presents a number of tables showing the Computer Science Subject Areas and Cyber Security Disciplines to be covered in Integrated Master s degrees in Computer Science and Cyber Security. Throughout this document, the terms level and credit are taken from the Higher Education Credit Framework for England 13. If an HEI uses a different framework, it should describe what it uses and map its framework to the QAA framework. Typically for a 4-year Integrated Master s: year 1 would be at level 4; year 2 at level 5; year 3 at level 6; and year 4 at level 7. 2 Computer Science The set of tables in section 4 of this Appendix shows the Computer Science Subject Areas (numbered 1 to 11) and associated Indicative Topics that would be expected to be covered in Integrated Master s degrees in Computer Science and Cyber Security. Given that they are Indicative Topics, programmes would not be required to cover all of them explicitly (and indeed other topics may additionally be relevant), but there would be expected to be sufficient weight of coverage at the level indicated within each area for the Computer Science Subject Area to be satisfactorily addressed. In the computer science tables, levels should be interpreted as follows: indicative level m/n it would be expected that some coverage of the topics would take place at level m or level n indicative level m to n it would be expected that some (more introductory) topics are covered at a lower level, m, as well as coverage of more advanced topics at a higher level, n 12 http://www.acm.org/education/curricula-recommendations 13 http://www.qaa.ac.uk/publications/information-and-guidance/publication?pubid=2730 Page 18 of 63

3 Cyber Security The information within the set of tables in section 5 of this Appendix is intended to provide an indicative mapping of Cyber Security topic coverage in Integrated Master s to the IISP Skills Framework 14. The tables are structured on the basis of Security Disciplines that lead to a series of Indicative Topics: a. The set of Security Disciplines and Principles has been taken from the IISP Skills Framework, along with summary versions of the associated Knowledge Requirements expressed in CESG s document on Certification for IA Professionals 15 16. b. The Skills Groups are based upon those expressed in the IISP framework, but with some of the groups having been merged together where appropriate (e.g., where Integrated Master s programmes would be unlikely to be focusing their coverage or where the treatment of the Skills Groups would essentially encompass the same topics). A new Skills Group on Control Systems has been added to reflect the growing importance of this subject area. c. To help with later referral, the Skills Groups have been numbered i to xiv. The IISP Skills Groups to which they refer are also shown (e.g., A2, A5, etc.). d. The Indicative Topic Coverage highlights examples of the specific topics that one would expect to see represented within the syllabi of Integrated Master s modules in order for broad coverage of the related Skills Group to be achieved. Given that they are Indicative Topics, programmes would not be required to cover all of them explicitly (and indeed other topics may additionally be relevant), but there would be expected to be sufficient weight of coverage within each area for the Skills Group to be satisfactorily addressed. 14 IISP Skills Framework: https://www.iisp.org/imis15/iisp/accreditation/our_skills_framework/iisp/about_us/our_skills_framework.aspx?hkey=e 77a6f03-9498-423e-aa7b-585381290ec4 15 CESG is the Information Security arm of GCHQ: http://www.cesg.gov.uk 16 CESG Certification for IA Professionals: http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/pages/index.aspx Page 19 of 63

4 Computer Science Subject Areas and Indicative Topics Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 1. Algorithms and Complexity defines the central concepts and skills required to design, implement and analyse algorithms for solving problems indicative level: 4/5 basic analysis algorithmic strategies fundamental data structures and algorithms basic automata, computability and complexity Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 2. Architecture and organisation develops an understanding of the hardware environment upon which all computing is based and the interface it provides to higher software layers indicative level: 4/5 digital logic and digital systems machine level representation of data assembly level machine organisation memory system organisation and architecture interfacing and communication under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 20 of 63

Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 3. Discrete structures provide a foundation for many areas of computing indicative level: 4/5 sets, relations and functions basic logic proof techniques basics of counting graphs and trees discrete probability Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 4. Information management concerned with concepts ranging from the capture and representation of information through to effective access and data modelling indicative level: 4/5 information management concepts database systems data modelling under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 21 of 63

Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 5. Networking and communication the Internet and computer networks are now ubiquitous and fundamental to computer systems indicative level: 4 to 6 networked applications reliable data delivery routing and forwarding local area networks resource allocation mobility Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 6. Operating systems (OSs) an OS defines an abstraction of hardware and manages resource sharing among a computer s users indicative level: 4 to 6 overview of OSs OS principles concurrency and synchronisation scheduling and dispatch memory management security and protection file systems I/O system kernel security and reliability network file system network layer and transport layer protocols under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 22 of 63

Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 7. Programming languages are the medium through which programmers precisely describe concepts, formulate algorithms, and reason about solutions indicative level: 4 to 6 object-oriented programming functional programming event-driven and reactive programming type systems program representation language translation and execution syntax analysis compiler semantic analysis code generation Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 8. Software development fundamentals provides a foundation for other softwareoriented knowledge areas programming languages, algorithms and complexity, and software engineering indicative level: 4/5 algorithms and design fundamental programming concepts fundamental data structures secure software development development methods under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 23 of 63

Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 9. Software engineering the application of theory, knowledge and practice to effectively build reliable software systems that meet the requirements of customers and users indicative level: 5/6 software processes software project management tools and environments requirements engineering software design software construction software verification and validation software evolution software reliability secure software development Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 10. Systems fundamentals the underlying hardware and software infrastructure upon which applications are constructed is collectively described as computer systems indicative level: 4/5 computational paradigms cross-layer communications state and state machines parallelism evaluation resource allocation and scheduling proximity virtualisation and isolation reliability through redundancy under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 24 of 63

Computer Science Subject Area Description and Indicative Level Indicative Topic Coverage 11. Social issues and professional practice students need to develop an understanding of the relevant social, ethical, legal and professional issues indicative level: not specified social context analytical tools professional ethics intellectual property privacy professional communication sustainability under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 25 of 63

5 Cyber Security Disciplines, Skills Groups and Indicative Topics Security Discipline Skills Group Indicative Topic Coverage A. Information Security Management Principle: Capable of determining, establishing and maintaining appropriate governance of (including processes, roles, awareness strategies, legal environment and responsibilities), delivery of (including polices, standards and guidelines), and cost-effective solutions (including impact of third parties) for information security within a given organisation). CESG Knowledge Requirements include: i. Policy, Strategy, Awareness and Audit (A1, A2, A3, A5, G1) The role and function of security policy Types of security policy Security standards (e.g. ISO/IEC 27000) Security concepts and fundamentals Security roles and responsibilities Security professionalism Governance and compliance requirements in law Third party management Security culture Awareness raising methods Acceptable use policies Security certifications Understanding auditability The internal audit process Management frameworks such as ISO 27000 series Legislation such as Data Protection Act Common management Frameworks such as ISO 9000 ii. Legal & Regulatory Environment (A6) Computer Misuse legislation Data Protection law Intellectual property and copyright Employment issues Regulation of security technologies under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 26 of 63

Security Discipline Skills Group Indicative Topic Coverage B. Information Risk Management Principle: Capable of articulating the different forms of threat to, and vulnerabilities of, information systems and assets. Comprehending and managing the risks relating to information systems and assets. CESG Knowledge Requirements include: Information risk management methodologies such as ISO 27005 - Information Security Risk Management Generic risk management methodologies such as ISO 31000 Risk Management; Principles & Guidelines Key concepts such as threats, vulnerabilities, business impacts, and risk tolerance iii. Risk Assessment and Management (B1, B2) Threat, vulnerability and risk concepts Threat landscape, adversarial thinking Asset valuation and management Risk analysis methodologies Handling risk and selecting countermeasures/controls to mitigate risk Understanding impacts and consequences Security economics under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 27 of 63

Security Discipline Skills Group Indicative Topic Coverage C. Implementing Secure Systems Principle: Comprehends the common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. Capable of articulating security architectures relating to business needs and commercial product development that can be realised using available tools, products, standards and protocols, delivering systems assured to have met their security profile using accepted methods CESG Knowledge Requirements include: Security Architectures and Patterns Secure Development processes Business requirements Skills frameworks (e.g. SFIA) Architectural frameworks (e.g. The Open Group Architecture Framework TOGAF) Range of core security technologies (e.g. Access control models, encryption, Authentication techniques) and how to apply them iv. Security Architecture (C1) v. Secure Development (C2) vi. Control Systems Design and development considerations: trusted computing base, security architecture and patterns, security models and design principles (e.g., principle of least privilege, fail-safe defaults), software (program) security, emission security Selecting and applying core technologies: authentication, access control, privacy controls, security protocols Recognising security needs across platforms: operating system security, Web security, embedded security, cloud and virtualisation security, security as a service Cryptography: cipher and algorithm types, applications to confidentiality, integrity and authentication, PKI Network security: Internet security protocols, tunnelling, VPNs, network attack and defence, TLS Human factors: usable security, psychology of security, insider threat Security systems development: managing secure systems development, principles of secure programming, formal approaches, understanding implementation errors and exploits. SCADA and SMART Systems, cyber system of systems (from abstract to physical effect), non-ip protocols and standards (e.g., WiFi, Bluetooth, GSM, CAN, MODBUS), cyber-physical systems analysis, embedded systems, assurance of control systems hardware and software, design/implementation methodologies to minimise the risk of vulnerabilities, risk modelling and risk-based decision making under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 28 of 63

Security Discipline Skills Group Indicative Topic Coverage D. Information Assurance Methodologies and Testing Principle: Develops and applies standards and strategies for verifying that measures taken mitigate identified risks. CESG Knowledge Requirements include: Assessment Methodologies (e.g. Common Criteria) Information Risk Management Frameworks Assessment services or standards (e.g. CHECK) Governance aspects and Management responsibilities Testing strategies and methodologies (e.g., TEMPEST testing) vii. Information Assurance Methodologies (D1) viii. Security Testing (D2) Assessment methodologies (e.g. 27000 series and Common Criteria) Understanding security vulnerabilities and related mitigation measures System and software testing Penetration testing Security metrics Static and dynamic analysis of products and systems under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 29 of 63

Security Discipline Skills Group Indicative Topic Coverage E. Operational Security Management Principle: Capable of managing all aspects of a security programme, including reacting to new threats and vulnerabilities, secure operational and service delivery consistent with security polices, standards and procedures, and handling security incidents of all types according to common principles and practices, consistent with legal constraints and obligations. CESG Knowledge Requirements include: Governance and Management responsibilities IT Service Management processes (e.g. ITIL) Existing and Emerging Vulnerabilities Use of penetration testing and vulnerability testing Risk Assessment and Monitoring Operating Procedures and accountability Continuous improvement ix. Secure Operations Management and Service Delivery (E1, E2) x. Vulnerability Assessment (E3) Internet threats: common attacks (human and technical), malicious code, situational awareness, threat trends, threat landscape, CERTs, adversarial thinking Cryptography: AES and RSA, key management, digital signatures Network security: networking fundamentals, firewalls and traffic filtering, intrusion detection and prevention systems, intrusion analysis, network monitoring, mobile and wireless network security System security: authentication (secrets, tokens, biometrics), access control (MAC, DAC, RBAC) and privilege management, mobile device security and BYOD, anti-virus technologies Application security: email, Web, social networks, DRM, database security, big data security, identity management Physical security: physical and environmental controls, physical protection of IT assets Malware analysis: static and dynamic analysis, detection techniques, host-based intrusion detection, kernel rootkits System and network-level vulnerabilities and their exploitation Vulnerability analysis and management Penetration testing Social Engineering Dependable/resilient/survivable systems under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 30 of 63

Security Discipline Skills Group Indicative Topic Coverage F. Incident Management Principle: Capable of managing or investigating an information security incident at all levels. CESG Knowledge Requirements include: xi. Incident Management (F1) Intrusion detection methods Intrusion response Intrusion management Incident handling Intrusion analysis, monitoring and logging Secure Information Management (stakeholder management within organisational context) Incident detection techniques Incident response management (internal and external) Audit log management Forensics (e.g. Evidential standards, Tools, Impact assessment) xii. Forensics (F3) Collecting, processing and preserving digital evidence Device forensics Memory forensics Network forensics Anti-forensic techniques Forensic report writing and expert testimony under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 31 of 63

Security Discipline Skills Group Indicative Topic Coverage G. Audit, Assurance & Review Principle: Capable of defining and implementing the processes and techniques used in verifying compliance against security policies, standards, legal and regulatory requirements. CESG Knowledge Requirements include: Audit methodologies (e.g., Certified Information Systems Auditor - CISA) Vertical/horizontal auditing techniques Audit processes and techniques (e.g. HMG IA Maturity Model) The Audit and Review Skills Group (G1) has been incorporated into Skills Group i above The indicative topic coverage has been included in Skills Group i above under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 32 of 63

Security Discipline Skills Group Indicative Topic Coverage H. Business Continuity Management Principle: Capable of defining the need for, and of implementing processes for, establishing business continuity. CESG Knowledge Requirements include: Business continuity management lifecycle Business Impact Analysis process Related standards (e.g. ISO 22301, ISO 27001, BS 25999, BS 27031) xiii. Business Continuity Planning and Management (H1, H2) Continuity planning Backup Disaster recovery under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 33 of 63

Security Discipline Skills Group Indicative Topic Coverage I. Information Systems Research Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes. xiv. Research (I2) This aspect is likely to be reflected via the inclusion of a substantial individual project and dissertation component within the Integrated Master s degree. Students would be expected to conduct research that is clearly focused upon one or more of the Security Disciplines (A to H) listed above. under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 34 of 63

Security Discipline Skills Group Indicative Topic Coverage J. Professional Skills These aspects are likely to be crosscutting within a programme and/or represented by a dedicated skills module. Overall, there should be evidence of the programme giving attention towards: teamworking, leadership, communication skills, decision making. under other UK information legislation. Refer disclosure requests to GCHQ on 01242 221491 x30306, email Page 35 of 63

Appendix C: Required structure of application for Full certification This appendix provides details of the information that applicants should provide with their application for Full certification along with the criteria that will be applied. Applicants should refer to sections 3.4 (page 9) and 3.4.1 (page10) which describe the requirements for an application for Full certification to be in scope. Applicants should also refer to Appendix E which provides advice and guidance on writing and submitting applications. Please note that an HEI should submit one application per Integrated Master s degree against this Call. An HEI can submit more than one Integrated Master s degree for certification against this Call if the HEI believes that more than one of its Integrated Master s degrees meets the criteria below. Each application for Full certification should comprise the following six sections: 1. Institution s letter of support for the application (up to one side of A4). 2. Description of the applicant (up to seven sides of A4, excluding CVs). 3. Description of the Integrated Master s degree in Computer Science and Cyber Security (up to fifteen sides of A4, excluding the module descriptions). 4. Assessment materials and external examiner s report (up to ten sides of A4, excluding copies of examination papers, copies of information provided for coursework and copy of external examiner s report). 5. Individual cyber security projects and dissertations (up to five sides of A4, excluding list of dissertation titles and copies of dissertations). 6. Student numbers and grades achieved (up to five sides of A4). Documents should be in Word or pdf format with the font size no smaller than 10pt. Unless specifically asked for, additional pages and other material in addition to that outlined above will not be read and will not therefore form part of the assessment for certification. All information provided will be treated confidentially and used only for the purposes of assessing applications. 1 HEI s letter of support for the application Please provide a signed letter from the Vice Chancellor (or equivalent) showing support for the HEI s application to have an Integrated Master s degree in Computer Science and Cyber Security considered for certification by GCHQ. Page 36 of 63

2 Description of the applicant Please ensure that you cover the following points: a. The names and structure of the department(s)/group(s)/school(s) responsible for the Integrated Master s degree together with the names, seniority and roles of the members of staff responsible for delivering the degree content, setting and marking examinations, supervising dissertations, etc. It would be helpful to identify those members of staff responsible for delivering the computer science part of the Integrated Master s, those staff responsible for the cyber security part, and those staff who straddle both areas. b. Please describe any recent investments from the HEI, government, industry etc. in the groups running the Integrated Master s degree programme. c. Please describe any external linkages that add value to the Integrated Master s degree: e.g., visiting lecturers with specialist knowledge from other academic departments, government or industry; projects suggested, and monitored, by industry; etc. d. Please describe the process used to review and re-new the course content in order to keep it up to date, for example: how often is the course content reviewed, by whom, and what external advice is taken (e.g., industrial advisory boards). e. Please describe the facilities available to Integrated Master s students in general and those dedicated to students undertaking the Integrated Master s degree specifically, for example: computer laboratories, dedicated equipment, library (access to text-books), on-line journal subscription (for research dissertations), etc. f. For each member of staff named above please provide a CV (up to 2 pages in length) which provides details of: academic background knowledge and expertise in computer science and/or cyber security e.g., references to recent publications, working with industry and/or government esteem indicators e.g., editorships, invited talks, membership of national and international advisory groups etc. CVs should go in an appendix to section 2. 2.1 Criteria to be applied i. There should be a coherent team responsible for delivering the Integrated Master s, with clear roles and responsibilities. ii. The team members delivering the modules, setting the examinations and marking papers should have the appropriate technical knowledge and skills. iii. The team should be well supported by the HEI. It would be desirable to see that the Integrated Master s degree programme has valuable external linkages. Page 37 of 63

iv. There should be a well-defined process for keeping the Integrated Master s degree up to date that takes account of appropriate internal and external advice. v. Students undertaking the Integrated Master s should have access to well-equipped modern computer laboratories with easy access to information on the latest developments in computer science and cyber security. 3 Description of the Integrated Master s degree in Computer Science and Cyber Security Please ensure that you cover all of the points in sections 3.1 to 3.3. 3.1 Overall structure of the Integrated Master s a. Please provide a high-level description of the Integrated Master s degree. This should include, for example: the name of the degree and the specific degree awarded (e.g., MComp, MEng, MSc etc.) the objectives and expected learning outcomes of the degree as a grounding for an Integrated Master s qualification how the degree satisfies the QAA qualification framework for Master s level how the degree satisfies the QAA credit framework for Integrated Master s for example, minimum 480 credits overall with a minimum of 120 credits at level 7 the number of academic years the degree has been running and whether it is being delivered in academic year 2015 2016 the overall structure of the degree e.g., the set of taught modules, which modules are core and which are optional, the number of credits awarded for each module, the number of credits awarded for individual project(s) and dissertation(s) a table similar to Table 1 on page 8 that shows the credit allocation to computer science and cyber security across the years of the degree a description of how the degree is structured to accommodate part-time students, if applicable 3.2 Structure of the computer science component a. For the computer science part of the Integrated Master s, please provide a table (Table 3.1) that shows for each taught module: whether the module is core or optional the member(s) of staff delivering the module Page 38 of 63

which Computer Science Subject Areas (1 to 10, Appendix B) the module covers if it does not cover a Subject Area please state NONE the number of credits in the module and its level the percentage of the module addressing the Subject Areas 1 to 10 the number of credits in the module that can be considered to be addressing the Subject Areas 1 to 10 obtained from the product of the 3 rd and 4 th bullet points Module (core/optional) Member(s) of staff Computer Science Subject Area(s) covered (1 to 10) Number of credits in module and level Estimated percentage of module addressing Subject Area(s) Estimated number of credits in module addressing Subject Area(s) Module 1.. Module n Table 3.1 b. Based on the above information, please provide: the total number of computer science taught credits in the degree the total number of computer science taught credits addressing Subject Areas 1 to 10 Where students have a choice of optional modules (e.g., any 2 modules from a set of 5), please do not sum the credits from all of the optional modules but only the number that students would actually choose. It may help to refer to point 3.2e below regarding pathways. c. For each module that addresses a Computer Science Subject Area, please provide a module description to include the syllabus/topics covered and the expected learning outcomes. Please include in each module description a list of the Subject Areas and Indicative Topics (Appendix B) that the module covers and the level(s) at which they are covered. The module descriptions should be placed in an appendix to section 3. d. With reference to Subject Areas 1 to 10 in Appendix B, please provide an overview of how the topic coverage required for the Computer Science part of the Integrated Master s is achieved by completing a table (Table 3.2) of the following form: Page 39 of 63

Computer Science Subject Area Indicative Level Module(s) in which topics in Subject Area are covered Level at which Subject Area is covered 1. Algorithms and Complexity 4/5 2. Architecture and organisation 4/5 3. Discrete structures 4/5 4. Information management 4/5 5. Networking and communication 4 to 6 6. Operating systems 4 to 6 7. Programming languages 4 to 6 8. Software development fundamentals 4/5 9. Software engineering 5/6 10. Systems fundamentals 4/5 Table 3.2 e. For the Computer Science component of Integrated Master s degrees with core and optional modules please identify the permitted combinations of core and optional taught modules that DO cover all of the Subject Areas at the required level. 3.3 Structure of the cyber security component a. For the Cyber Security part of the Integrated Master s, please provide a table (Table 3.3) that shows for each taught module: whether the module is core or optional the member(s) of staff delivering the module Page 40 of 63

which Security Discipline(s) (Appendix B) the module covers if it does not cover a Security Discipline please state NONE the number of credits in the module and its level the percentage of the module addressing the Security Disciplines the number of credits in the module that can be considered to be addressing the Security Disciplines obtained from the product of the 3 rd and 4 th bullet points Module (core/optional) Member(s) of staff Security Discipline(s) covered (A to H) Number of credits in module and level Estimated percentage of module addressing Security Disciplines Estimated number of credits in module addressing Security Disciplines Module 1.. Module n Table 3.3 b. Based on the above information, please provide: the total number of cyber security taught credits in the degree the total number of cyber security taught credits addressing the Security Disciplines A to H Where students have a choice of optional modules (e.g., any 2 modules from a set of 5), please do not sum the credits from all of the optional modules but only the number that students would actually choose. It may help to refer to point 3k below regarding pathways. c. For each module that addresses a Security Discipline, please provide a module description to include the syllabus/topics covered and the expected learning outcomes. Please include in each module description a list of the Skills Groups (Appendix B) that the module covers and the level(s) at which they are covered. The module descriptions should be placed in an appendix to section 3. d. With reference to Appendix B, please provide an overview of how the Cyber Security topic coverage for the Integrated Master s degree is achieved by completing a table (Table 3.4) of the following form covering Security Disciplines A to H and Skills Groups i to xiii: Page 41 of 63

Security Discipline Skills Group Module(s) in which topics in Skills Group are covered Level at which Skills Group is covered A. Information Security Management i. Policy, Strategy, Awareness and Audit ii. Legal and Regulatory Environment B. Information Risk Management iii. Risk Assessment and Management iv. Security Architecture C. Implementing Secure Systems v. Secure Development vi. Control Systems D. Information Assurance Methodologies and Testing vii. Information Assurance Methodologies viii. Secure Testing E. Operational Security Management ix. Secure Operations Management and Service Delivery x. Vulnerability Assessment F. Incident Management xi. Incident Management xii. Forensics G. Audit, Assurance and Review Audit and Review Included in Skills Group i above Please provide information under Skills Group i above H. Business Continuity Management xiii. Business Continuity Planning and Management Table 3.4 Page 42 of 63

e. For the Cyber Security component of Integrated Master s degrees with core and optional modules please identify the permitted combinations of core and optional taught modules that DO cover at least 8 of the Skills Groups in Table 3.2 at the required level. 3.4 Social issues, professional practice and professional skills a. Please describe how computer science Subject Area 11 (social issues and professional practice) is covered in the Integrated Master s degree. By way of example, this may be through lectures, individual/group projects, coursework, etc. b. Please describe how Security Discipline J, Professional Skills (Appendix B), is addressed in the Integrated Master s degree. By way of example, describe how team-working, communication skills etc. are covered within the degree programme as a whole it is not a requirement to have a separate dedicated module covering Professional Skills. 3.5 Criteria to be applied 3.5.1 General criteria i. The objectives and anticipated learning outcomes for students undertaking the Integrated Master s should be clearly articulated. ii. The degree must have had a cohort of students successfully complete the degree in academic year 2014 2015 and it must be currently active in academic year 2015 2016. iii. The degree satisfies the QAA qualification framework for Master s level. iv. The degree satisfies the QAA credit framework for Integrated Master s. v. Part-time students should cover the same breadth and depth of content as full time students. 3.5.2 Computer science criteria i. ComSci 1: there must be a minimum of 240 taught computer science credits across levels 4 to 7. ii. ComSci 2: there must be at least 180 taught credits that can be mapped to computer science Subject Areas 1 to 10. iii. ComSci 3: all of the computer science Subject Areas listed in Table3.2 are covered at the appropriate levels. iv. Permitted combinations of core and optional modules that DO cover all of computer science Subject Areas listed in Table 3.2 must be clearly identified; there must be at least one combination of core and optional modules that covers all of the Subject Areas listed in Table 3.2 at the appropriate level. 3.5.3 Cyber security criteria i. CySec 1: there must be a minimum of 105 taught cyber security credits across levels 4 to 7 ii. CySec 2: there must be a minimum of 75 taught cyber security credits cross levels 6 and 7. Page 43 of 63

iii. iv. CySec 3: the taught cyber security credits must cover at least 8 of the Skills Groups i to xiii shown in Table 3.4 at the following levels: level 4 or higher: minimum of 8 Skills Groups covered level 6 or higher: minimum of 5 Skills Groups covered Permitted combinations of core and optional modules that DO cover at least 8 Skills Groups at the required levels must be clearly identified; there must be at least one combination of core and optional modules that covers at least 8 Skills Groups at the required levels. 3.5.4 Social issues, professional practice and professional skills criteria i. The Integrated Master s degree should cover relevant social, ethical, legal and professional issues. ii. The Integrated Master s degree should address topics such as team-working, communication skills, leadership and decision making. 4 Assessment materials and external examiner s report Please ensure you cover the following: a. Please describe the overall approach to assessment of the taught modules on the Integrated Master s degree. This should include: assessment methodology marking scheme the pass mark for individual modules and the taught part of the degree overall b. Please describe how the overall mark for the degree as a whole is worked out from the taught component and the individual project and dissertation. Please describe the mark required to achieve first, 2/1, 2/2, 3 rd (or equivalent) of the overall degree. c. For academic year 2014 2015, for each of the modules identified in section 3 that addresses Computer Science Subject Areas 1 to 10 and Cyber Security Disciplines A to H please describe the process used for assessment (e.g., examination, coursework, practical exercises, etc.). Please provide a copy of the examination paper(s) that students sat. For assessed coursework, please provide copies of the information provided to students and the assessment criteria used by the HEI. This information should be placed in an appendix to section 4. d. For academic year 2014 2015, please provide a copy of the external examiner s report. Please describe the process for engagement with the external examiner. Please describe the technical background and experience of the external examiner. e. For academic year 2014 2015, please provide a copy of the HEI s response to the external examiner s report and any follow up actions that have been undertaken in response to the report. Page 44 of 63

4.1 Criteria to be applied i. The overall approach to the assessment of the taught component to the Integrated Master s should be clear and coherent. The marking scheme should make it clear what students have to demonstrate in their work in order to be awarded the relevant marks/grades. ii. The examination and assessment process must rigorously test students understanding of the topics shown in Appendix B. iii. The external examiner should have the appropriate technical background and his/her report must provide a positive picture of the Integrated Master s Degree under assessment. iv. The progress to any follow-on actions suggested by the external examiner should be made clear. 5 Individual cyber security projects and dissertations This section applies to the individual cyber security project and dissertation undertaken by students at level 6 or level 7. Please ensure that you cover the following points: a. Please confirm the level and credit value of the individual cyber security project and dissertation. If the credit value is less than 20 credits, please describe how students are able to gain sufficient understanding and experience of undertaking individual project work in cyber security. If the credit value is more than 50 credits, please clarify the value of having such a large individual project and dissertation in cyber security. b. Please describe the guidance the HEI provides to Integrated Master s students before they embark on their projects, for example: research methods, undertaking literature reviews, etc. c. Please describe the process for allocation of project topics to students, for example: is it up to students to come up with topic ideas? do members of staff identify possible topics? does the HEI have links with industry partners who suggest topics? d. Please describe the process for monitoring the progress of students on their projects. e. Please describe the process for assessing projects and dissertations. Please indicate whether the HEI provides students with guidance on what is expected in a project and dissertation to achieve first, 2/1, 2/2 etc. 17 f. For each of academic years 2014 2015 and 2013 2014 (if any), please provide a list of Master s dissertations undertaken by students. This should include the dissertation title, a short (one paragraph) abstract, an identification of the Security Disciplines in Appendix B to which the dissertation applies, and if appropriate whether there was any external involvement in the dissertation (e.g., from industry). 17 Where these classifications of dissertations are not used please refer to the grades that are used by the HEI. Page 45 of 63

Where there were more than 20 students undertaking individual projects and dissertations in an academic year, please provide information for a representative sample of 20 dissertations only. g. For academic year 2013 2014, please provide one anonymised and representative copy 18 of a dissertation for each of: a dissertation that achieved a first (if none in 2014 2015, try 2013 2014; else state none) a dissertation that achieved a 2/1 (if none in 2014 2015, try 2013 2014; else state none) a dissertation that achieved a 2/2 (if none in 2014 2015, try 2013 2014; else state none) a dissertation that achieved a 3 rd (if none in 2014 2015, try 2013 2014; else state none) Because of their length, the dissertations themselves should be placed in an appendix at the end of the application. h. For each of the dissertations in point g above, please provide: the overall mark awarded the components of the overall mark, for example: o mark awarded to viva (including any demonstration) o mark awarded to dissertation plan o mark awarded to dissertation key comments from the internal examiners any additional information that you feel would be helpful for the Assessment Panel to be made aware of as part of its job to determine whether the grade awarded to each dissertation is appropriate 5.1 Criteria to be applied i. The individual project and dissertation should be undertaken at level 6 or level 7. If the number of credits is less than 20, it should be clear that students are still able to gain sufficient understanding and experience of undertaking individual project work in cyber security. If the number of credits is more than 50, then the value of having such a large individual project in cyber security should be clear. ii. There needs to be a well-defined process for the allocation of individual project and dissertation topics to students and for monitoring the progress of students. iii. There needs to be a well-defined and rigorous process for the assessment of projects and dissertations. 18 Please include electronic versions of the dissertations as part of the email submission. It is not possible to download dissertations from external web sites. Page 46 of 63

iv. It should be clear that the individual project and dissertation topics are within the scope of Security Disciplines A to H listed in Appendix B. v. The grade awarded to the representative dissertations should be appropriate. 6 Student numbers and grades achieved Where the data are available, for academic year 2014 2015 please provide the following information: a. for students with UK nationality the qualifications required to enter the Integrated Master s by way of example, ABB at A level (or the equivalent number of tariff points) the number of UK students in all four years of the degree please indicate the number of full-time and part-time students for UK students in year 4 (final year), the distribution of their qualifications at A level and, where applicable, at the end of the year before they entered the Integrated Master s (usually at the end of year 2 or year 3) for UK students in year 4, the distribution of their final Integrated Master s degree classification b. for students with EU nationality (excluding UK nationals) the qualifications required to enter the Integrated Master s the number of EU students in all four years of the degree please indicate the number of full-time and part-time students for EU students in year 4, the distribution of their qualifications at A level (or equivalent) and, where applicable, at the end of the year before they entered the Integrated Master s (usually at the end of year 2 or year 3) for EU students in year 4, the distribution of their final Integrated Master s degree classification c. for students without EU nationality the qualifications required to enter the Integrated Master s the number of non-eu students please indicate the number of full-time and parttime students for non-eu students in year 4, the distribution of their qualifications at A level (or equivalent) and, where appropriate, at the end of the year before they entered the Integrated Master s (usually at the end of year 2 or year 3) Page 47 of 63

for non-eu students in year 4, the distribution of their final Integrated Master s degree classification d. the results of the National Student Survey and any actions that have been taken by the HEI as a result 6.1 Criteria to be applied i. It would be expected that the majority of UK students should have the equivalent of a tariff points score of 300 points or above at A Level in 3 STEM subjects. ii. It would be expected that the majority of EU (excluding UK) and non-eu students should have the equivalent of a tariff points score of 300 points or above at A Level in 3 STEM subjects. iii. It would be expected that the majority of students formally entering the Integrated Master s degree would have achieved a minimum of the equivalent of a 2/1 at level 5 or level 6. iv. It would be expected that the distribution of first, 2/1, 2/2 etc. achieved at Integrated Master s level should to some extent reflect the entry qualifications of the student intake at A Level and the grades achieved at level 5 or level 6. In this regard, the external examiner s report will be referred to in case she/he has raised any concerns. v. The HEI should encourage its students to participate in the National Student Survey. The results of the survey should paint a largely positive picture of students learning experience on the Integrated Master s and the HEI should be able to demonstrate progress on any key issues raised. 7 Assessment of Applications 7.1 Assessment Panel process Each application will be read and scored independently by a minimum of three members of the Assessment Panel using the criteria above; as far as possible, there will be one representative from each of GCHQ, academia, industry/government/professional bodies. At the Assessment Panel meeting, the relevant Panel members will present their scores and the rationale for their scores. The Assessment Panel will agree a consensus score for each application. Each application must include document 1) (Institution s Letter of Support) without it, the application will be rejected as non-compliant. In terms of providing evidence to meet the criteria, each of sections 2) to 6) of each application will be scored using the following scale: Page 48 of 63

0: no evidence 1: very little evidence 2: some evidence 3: good evidence 4: excellent evidence Each of the sections 2) to 6) must achieve a threshold score of 3. If the application includes a letter of support and the consensus score is at threshold or above in each of sections 2) to 6) then the application will be deemed to be successful overall. 7.2 Applications with a borderline fail on only one criterion If an application is a borderline fail on only one criterion namely, a score of 2.9 is achieved on one criterion with all other criteria scoring 3.0 or higher then at the discretion of the Assessment Panel the HEI will be contacted by GCHQ after the Panel meeting and given 20 working days to re-submit a revised version of the relevant section. The Panel will then consider the new information provided by the HEI with the aim of responding to the HEI with the Panel s decision within a further 30 working days. It must be stressed that the Panel s decision is final and there will be no further opportunity to consider the application until the next Call for applications is issued. Page 49 of 63

Appendix D: Required structure of application for Provisional certification This appendix provides details of the information that applicants should provide with their application for Provisional certification along with the criteria that will be applied. Applicants should refer to sections 3.4 (page 9) and 3.4.2 (page10) which describe the requirements for an application for Provisional certification to be in scope. Applicants should also refer to Appendix E which provides advice and guidance on writing and submitting applications. Please note that an HEI should submit one application per Integrated Master s degree against this Call. An HEI can submit more than one Integrated Master s degree for certification against this Call if the HEI believes that more than one of its Integrated Master s degrees meets the criteria below. Each application for Provisional certification should comprise the following five sections: 1. Institution s letter of support for the application (up to one side of A4). 2. Description of the applicant (up to seven sides of A4, excluding CVs) 3. Description of the Integrated Master s degree in Cyber Security (up to fifteen sides of A4, excluding the module descriptions) 4. Assessment materials (up to ten sides of A4, excluding copies of examination papers and copies of information provided for coursework) 5. Individual cyber security projects and dissertations: process description (up to five sides of A4) Documents should be in Word or pdf format with the font size no smaller than 10pt. Unless specifically asked for, additional pages and other material in addition to that outlined above will not be read and will not therefore form part of the assessment for certification. All information provided will be treated confidentially and used only for the purposes of assessing applications. 1 HEI s letter of support for the application Please provide a signed letter from the Vice Chancellor (or equivalent) showing support for the HEI s application to have an Integrated Master s degree in Computer Science and Cyber Security considered for certification by GCHQ. For those Integrated Master s degrees that have not yet started, it is important that the HEI confirms the start date for the Integrated Master s degree and that the degree will start by (up to and including) October 2017. Page 50 of 63

For those Integrated Master s degrees that meet the requirements for Full certification to be applied for, it is important that the HEI confirms that it has chosen to submit an application for Provisional certification and also provides its reasons for making a Provisional application. 2 Description of the applicant Please ensure that you cover the following points: a. The names and structure of the department(s)/group(s)/school(s) responsible for the Integrated Master s degree together with the names, seniority and roles of the members of staff responsible for delivering the degree content, setting and marking examinations, supervising projects, etc. It would be helpful to identify those members of staff responsible for delivering the computer science part of the Integrated Master s, those staff responsible for the cyber security part, and those staff who straddle both areas. b. Please describe any recent investments from the HEI, government, industry etc. in the groups running the Integrated Master s degree programme. c. Please describe any external linkages that add value to the Integrated Master s degree: e.g., visiting lecturers with specialist knowledge from other academic departments, government or industry; projects suggested, and monitored, by industry; etc. d. Please describe the process used to review and re-new the course content in order to keep it up to date, for example: how often is the course content reviewed, by whom, and what external advice is taken (e.g., industrial advisory boards). e. Please describe the facilities available to Integrated Master s students in general and those dedicated to students undertaking the Integrated Master s degree specifically, for example: computer laboratories, dedicated equipment, library (access to text-books), on-line journal subscription (for research dissertations), etc. e. For each member of staff named above please provide a CV (up to 2 pages in length) which provides details of: academic background knowledge and expertise in computer science and/or cyber security e.g., references to recent publications, working with industry and/or government esteem indicators e.g., editorships, invited talks, membership of national and international advisory groups etc. CVs should go in an appendix to section 2. 2.1 Criteria to be applied i. There should be a coherent team responsible for delivering the Integrated Master s, with clear roles and responsibilities. Page 51 of 63

ii. The team members delivering the modules, setting the examinations and marking papers should have the appropriate technical knowledge and skills. iii. The team should be well supported by the HEI. It would be desirable to see that the Integrated Master s has valuable external linkages. iv. There should be a well-defined process for keeping the Integrated Master s degree up to date which takes account of appropriate internal and external advice. v. Students undertaking the Integrated Master s should have access to well-equipped modern computer laboratories with easy access to information on the latest developments in computer science and cyber security. 3 Description of the Integrated Master s degree in Cyber Security Please ensure that you cover all of the points in sections 3.1 to 3.3. 3.1 Overall structure of the Integrated Master s Please provide a high-level description of the Integrated Master s degree. This should include, for example: the name of the degree and the specific degree awarded (e.g., MComp, MEng, MSc etc.) the objectives and expected learning outcomes of the degree as a grounding for an Integrated Master s qualification how the degree satisfies the QAA qualification framework for Master s level how the degree satisfies the QAA credit framework for Integrated Master s for example, minimum 480 credits overall with a minimum of 120 credits at level 7 the number of academic years the degree has been running and whether it is being delivered in academic year 2015 2016 the overall structure of the degree e.g., the set of taught modules, which modules are core and which are optional, the number of credits awarded for each module, the number of credits awarded for individual project(s) and dissertation(s) a table similar to Table 1 on page 8 that shows the credit allocation to computer science and cyber security across the years of the degree a description of how the degree is structured to accommodate part-time students, if applicable 3.2 Structure of the computer science component a. For the computer science part of the Integrated Master s, please provide a table (Table 3.1) that shows for each taught module: whether the module is core or optional Page 52 of 63

the member(s) of staff delivering the module which Computer Science Subject Areas (1 to 10, Appendix B) the module covers if it does not cover a Subject Area please state NONE the number of credits in the module and its level the percentage of the module addressing the Subject Areas the number of credits in the module that can be considered to be addressing the Subject Areas obtained from the product of the 3 rd and 4 th bullet points Module (core/optional) Member(s) of staff Computer Science Subject Area(s) covered (1 to 10) Number of credits in module and level Estimated percentage of module addressing Subject Area(s) Estimated number of credits in module addressing Subject Area(s) Module 1.. Module n Table 3.1 b. Based on the above information, please provide: the total number of computer science taught credits in the degree the total number of computer science taught credits addressing Subject Areas 1 to 10 Where students have a choice of optional modules (e.g., any 2 modules from a set of 5), please do not sum the credits from all of the optional modules but only the number that students would actually choose. It may help to refer to point 3.2e below regarding pathways. c. For each module that addresses a Computer Science Subject Area, please provide a module description to include the syllabus/topics covered and the expected learning outcomes. Please include in each module description a list of the Subject Areas and Indicative Topics (Appendix B) that the module covers and the level(s) at which they are covered. The module descriptions should be placed in an appendix to section 3. d. With reference to Subject Areas 1 to 10 in Appendix B, please provide an overview of how the topic coverage required for the Computer Science part of the Integrated Master s is achieved by completing a table (Table 3.2) of the following form covering Subject Areas 1 to 10. Page 53 of 63

Computer Science Subject Area Indicative Level Module(s) in which topics in Subject Area are covered Level at which Subject Area is covered 1. Algorithms and Complexity 4/5 2. Architecture and organisation 4/5 3. Discrete structures 4/5 4. Information management 4/5 5. Networking and communication 4 to 6 6. Operating systems 4 to 6 7. Programming languages 4 to 6 8. Software development fundamentals 4/5 9. Software engineering 5/6 10. Systems fundamentals 4/5 Table 3.2 e. For the Computer Science component of Integrated Master s degrees with core and optional modules please identify the permitted combinations of core and optional taught modules that DO cover all of the Subject Areas at the required level. 3.3 Structure of the cyber security component a. For the Cyber Security part of the Integrated Master s, please provide a table (Table 3.3) that shows for each taught module: whether the module is core or optional the member(s) of staff delivering the module Page 54 of 63

which Security Discipline(s) (Appendix B) the module covers if it does not cover a Security Discipline please state NONE the number of credits in the module and its level the percentage of the module addressing the Security Disciplines the number of credits in the module that can be considered to be addressing the Security Disciplines obtained from the product of the 3 rd and 4 th bullet points Module (core/optional) Member(s) of staff Security Discipline(s) covered (A to H) Number of credits in module and level Estimated percentage of module addressing Security Disciplines Estimated number of credits in module addressing Security Disciplines Module 1.. Module n Table 3.3 b. Based on the above information, please provide: the total number of cyber security taught credits in the degree the total number of cyber security taught credits addressing the Security Disciplines A to H Where students have a choice of optional modules (e.g., any 2 modules from a set of 5), please do not sum the credits from all of the optional modules but only the number that students would actually choose. It may help to refer to point 3k below regarding pathways. c. For each module that addresses a Security Discipline, please provide a module description to include the syllabus/topics covered and the expected learning outcomes. Please include in each module description a list of the Skills Groups (Appendix B) that the module covers and the level(s) at which they are covered. The module descriptions should be placed in an appendix to section 3. d. With reference to Appendix B, please provide an overview of how the Cyber Security topic coverage for the Integrated Master s degree is achieved by completing a table (Table 3.4) of the following form covering Security Disciplines A to H and Skills Groups i to xiii: Page 55 of 63

Security Discipline Skills Group Module(s) in which topics in Skills Group are covered Level at which Skills Group is covered A. Information Security Management i. Policy, Strategy, Awareness and Audit ii. Legal and Regulatory Environment B. Information Risk Management iii. Risk Assessment and Management iv. Security Architecture C. Implementing Secure Systems v. Secure Development vi. Control Systems D. Information Assurance Methodologies and Testing vii. Information Assurance Methodologies viii. Secure Testing E. Operational Security Management ix. Secure Operations Management and Service Delivery x. Vulnerability Assessment F. Incident Management xi. Incident Management xii. Forensics G. Audit, Assurance and Review Audit and Review Included in Skills Group i above Please provide information under Skills Group i above H. Business Continuity Management xiii. Business Continuity Planning and Management Table 3.4 Page 56 of 63

e. For the Cyber Security component of Integrated Master s degrees with core and optional modules please identify the permitted combinations of core and optional taught modules that DO cover at least 8 of the Skills Groups in Table 3.2 at the required level. 3.4 Social issues, professional practice and professional skills a. Please describe how computer science Subject Area 11 (social issues and professional practice) is covered in the Integrated Master s degree. By way of example, this may be through lectures, individual/group projects, coursework, etc. b. Please describe how Security Discipline J, Professional Skills (Appendix B), is addressed in the Integrated Master s degree. By way of example, describe how team-working, communication skills etc. are covered within the degree programme as a whole it is not a requirement to have a separate dedicated module covering Professional Skills. 3.5 Criteria to be applied 3.5.1 General criteria i. The objectives and anticipated learning outcomes for students undertaking the Integrated Master s should be clearly articulated. ii. The degree satisfies the QAA qualification framework for Master s level. iii. The degree satisfies the QAA credit framework for Integrated Master s. iv. Part-time students should cover the same breadth and depth of content as full time students. 3.5.2 Computer science criteria i. ComSci 1: there must be a minimum of 240 taught computer science credits across levels 4 to 7. ii. ComSci 2: there must be at least 180 taught credits that can be mapped to computer science Subject Areas 1 to 10. iii. ComSci 3: all of the computer science Subject Areas listed in Table3.2 are covered at the appropriate levels. iv. Permitted combinations of core and optional modules that DO cover all of computer science Subject Areas listed in Table 3.2 must be clearly identified; there must be at least one combination of core and optional modules that covers all of the Subject Areas listed in Table 3.2 at the required level. 3.5.3 Cyber security criteria i. CySec 1: there must be a minimum of 105 taught cyber security credits across levels 4 to 7 ii. CySec 2: there must be a minimum of 75 taught cyber security credits across levels 6 and 7. iii. CySec 3: the taught cyber security credits must cover at least 8 of the Skills Groups i to xiii shown in Table 3.4 at the following levels: level 4 or higher: minimum of 8 Skills Groups covered Page 57 of 63

iv. level 6 or higher: minimum of 5 Skills Groups covered Permitted combinations of core and optional modules that DO cover at least 8 Skills Groups at the required levels must be clearly identified; there must be at least one combination of core and optional modules that covers at least 8 Skills Groups at the required levels. 3.5.4 Social issues, professional practice and professional skills criteria i. The Integrated Master s degree should cover relevant social, ethical, legal and professional issues. ii. The Integrated Master s degree should address topics such as team-working, communication skills, leadership and decision making. 4 Assessment materials Please ensure you cover the following: a. Please describe the overall approach to assessment of the taught modules on the Integrated Master s degree. This should include: assessment methodology marking scheme the pass mark for individual modules and the taught part of the degree overall b. Please describe how the overall mark for the degree as a whole is worked out from the taught component and the individual project and dissertation. Please describe the mark required to achieve first, 2/1, 2/2, 3 rd (or equivalent) of the overall degree. c. For each of the modules identified in section 3 that addresses Computer Science Subject Areas 1 to 10 and Cyber Security Disciplines A to H, please describe the process (to be) used for assessment (e.g., examination, coursework, practical exercises, etc.). Please provide a copy of examination paper(s) that students have sat or specimen paper(s) of the examinations they will sit. For assessed coursework, please provide copies of the information (to be) provided to students and the assessment criteria used by the HEI. This information should be placed in an appendix to section 4. 4.1 Criteria to be applied i. The overall approach to the assessment of the taught component to the Integrated Master s should be clear and coherent. The marking scheme should make it clear what students have to demonstrate in their work in order to be awarded the relevant marks/grades. ii. The examination and assessment process must rigorously test students understanding of the topics shown in Appendix B. Page 58 of 63

5 Individual cyber security projects and dissertations: process description This section applies to the individual cyber security project and dissertation undertaken by students at level 6 or 7. Please ensure that you cover the following points: a. Please confirm the level and credit value of the individual cyber security project and dissertation. If the credit value is less than 20 credits, please describe how students are able to gain sufficient understanding and experience of undertaking individual project work in cyber security. If the credit value is more than 50 credits, please clarify the value of having such a large individual project in cyber security. b. Please describe the guidance the HEI provides, or will provide, to Integrated Master s students before they embark on their projects, for example: research methods, undertaking literature reviews, etc. c. Please describe the process for allocation of project topics to students, for example: is it up to students to come up with topic ideas? do members of staff identify possible topics? does the HEI have links with industry partners who suggest topics? d. Please describe the process for monitoring the progress of students on their projects. e. Please describe the process for assessing dissertations. Please indicate whether the HEI provides students with guidance on what is expected in a dissertation to achieve first, 2/1, 2/2 etc. 19 5.1 Criteria to be applied i. The individual project and dissertation should be undertaken at level 6 or level 7. If the number of credits is less than 20, it should be clear that students are still able to gain sufficient understanding and experience of undertaking individual project work in cyber security. If the number of credits is more than 50, then the value of having such a large project in cyber security should be clear. ii. There needs to be a well-defined process for the allocation of individual project and dissertation topics to students and for monitoring the progress of students. iii. It should be clear that project and dissertation topics will be within the scope of Security Disciplines A to H listed in Appendix B iv. There needs to be a well-defined and rigorous process for the assessment of projects and dissertations. 19 Where these classifications of dissertations are not used please refer to the grades that are used by the HEI. Page 59 of 63

6 Assessment of Applications 6.1 Assessment Panel process Each application will be read and scored independently by a minimum of three members of the Assessment Panel using the criteria above; as far as possible, there will be one representative from each of GCHQ, academia, industry/government/professional bodies. At the Assessment Panel meeting, the relevant Panel members will present their scores and the rationale for their scores. The Assessment Panel will agree a consensus score for each application. Each application must include document 1) (Institution s Letter of Support) without it, the application will be rejected as non-compliant. In terms of providing evidence to meet the criteria, each of sections 2) to 5) of each application will be scored using the following scale: 0: no evidence 1: very little evidence 2: some evidence 3: good evidence 4: excellent evidence Each of the sections 2) to 5) must achieve a threshold score of 3. If the application includes a letter of support and the consensus score is at threshold or above in each of sections 2) to 5) then the application will be deemed to be successful overall. 6.2 Applications with a borderline fail on only one criterion If an application is a borderline fail on only one criterion namely, a score of 2.9 is achieved on one criterion with all the others being 3.0 or higher then at the discretion of the Assessment Panel the HEI will be contacted by GCHQ after the Panel meeting and given 20 working days to re-submit a revised version of the relevant section. The Panel will then consider the new information provided by the HEI with the aim of responding to the HEI with the Panel s decision within a further 30 working days. It must be stressed that the Panel s decision is final and there will be no further opportunity to consider the application until the next Call for applications is issued. Page 60 of 63

Appendix E: Guidance on writing and submitting applications 1 Introduction Based on the experience of assessing applications submitted to previous calls for the certification of Master s degrees, it is hoped that the information in this Appendix will be of benefit to those considering submitting applications to this Call and future calls. 2 General guidance Applicants should note that their electronic submissions will be printed and bound by GCHQ prior to being sent to members of the Assessment Panel. Thus, if electronic submissions comprise a number of files spread across several emails please label each email and file as follows: Email please put Integrated Master s Certification application - <Name of your HEI><Email n of m> on the subject line File please ensure that each file that is sent as part of the submission is named in the order that it is to be printed: <Name of HEI><Integrated Master s><file n of m> Experience from previous calls shows that it is possible for a submission to comprise 3 or so emails and 6 or so files. GCHQ strongly discourages more than 10 emails and 10 files per submission since this makes the process of printing and binding increasingly complex and time consuming. For Full applications, please include electronic versions of the dissertations as part of the email submission. It is not possible to download dissertations from external web sites. Where it is possible to do so, dissertations should be anonymised. It is recommended that applicants begin the writing of their application early. Amongst other things, it is likely that existing material (CVs, module descriptions, etc.) will require significant tailoring in order to meet the requirements of the Call. Applicants should also note that once printed full applications are likely to be about 300 pages (including dissertations) and provisional applications up to 80 pages. Thus, applicants should structure their application to make it easy for assessors to find the information they require. In a nutshell, applicants should signpost the information requested in the Call. In this respect, please find below some suggestions: provide a contents list number pages sequentially this does not need to apply to dissertations which will already have their own numbers use headers and footers to signpost the section of an application to which a page belongs CVs should be placed in an appendix to section 2 module descriptions should be placed in an appendix to section 3 Page 61 of 63

examination papers should be placed in an appendix to section 4 because of their length, original research dissertations are best placed in an appendix at the end of the application 3 Specific guidance 3.1 Layout It is advised to structure applications with sub-headings such that text clearly follows the structure of the Call document, for example: Section 2: Description of the applicant o 2a: Structure of team delivering the Integrated Master s o 2b: Recent investments o 2c: External linkages o 2d: Review and update process o 2e: Facilities o 2f: CVs 3.2 Page limits and additional information Applicants should bear the following points in mind: do not exceed the page limits set for the individual sections of applications and information such as CVs do not include information that has not been asked for e.g., examples of coursework submitted by Integrated Master s students 3.3 HEI s letter of support The letter of support is not scored and as long as it is present that is sufficient. However, applicants may want to consider using it as an opportunity for the HEI s senior management to: demonstrate commitment to the Integrated Master s programme specifically and cyber security more generally highlight recent HEI investment in the area and any future planned investment describe the importance of the area in the HEI s future strategy etc. 3.4 Section 3 of application A key aspect of section 3 is for applicants to demonstrate to the Assessment Panel that their Master s degree meets the requirements for coverage. This requires tables 3.1 and 3.2 to identify which Computer Science Subject Areas modules cover and tables 3.3 and 3.4 to identify which Security Disciplines modules cover and which modules cover which Skills Groups. Amongst other Page 62 of 63

things, Assessment Panel members have to determine whether the module descriptions are consistent with the information provided in the Tables. It is advised that applicants make it as easy as possible for Assessment Panel members to get at the information they require by, for example, providing very clear descriptions of what is covered in modules. In this respect, it may be advisable to tailor the text in the module descriptions so it meets the needs of the Call rather than re-using existing material. In each of the module descriptions, applicants should list the Computer Science Subject Areas or Cyber Security Skills Groups that a module covers. However, it is inadvisable to make claims for coverage that are not backed up by evidence in the module descriptions. 3.5 CVs CVs must not exceed 2 pages. Use the space available wisely to signpost the experience and expertise of an individual in computer science and/or cyber security. For example, using a significant proportion of the 2 pages to list publications that are not relevant to computer science or cyber security is not advised. Applicants may want to consider having a standard template for all the CVs in their application to ensure that experience and expertise are highlighted clearly and consistently across the team. Page 63 of 63