92779 - CYBERSECURITY AZIENDALE E PROTEZIONE DEI DATI

Academic Year 2022/2023

  • Modules: Raffaella Brighi (Module 1), Annalisa Atti (Module 2), Patrizia Tullini (Module 3), Francesco Di Tano (Module 4), Silvia Tordini Cagli (Module 5), Chiara Bologna (Module 6), Silvia Zullo (Module 7), Anna Maria Toni (Module 8)
  • Teaching Mode: Traditional lectures (all eight modules)
  • Campus: Bologna
  • Degree programme: First cycle degree programme (L) in Employment and Business Relations Consultant (cod. 9230)

Learning outcomes

The objective of the "Corporate Cybersecurity and Data Protection" course is to guide the student in integrating the knowledge acquired during the degree programme through shared teaching methods, in order to provide skills in applying that knowledge to specific contexts of the legal-corporate reality. To pursue this objective, the course develops a strongly multidisciplinary path on the topic of information security and data protection in the company, which is addressed in the eight modules from different angles: management and protection of company documentation and information, technological control, protection of the worker's digital life, criminal protection, whistleblowing and data ethics, training in the conscious use of technology in the workplace, and the analysis and testing of methods and tools for information security. At the end of the Laboratory, students will both know the fundamental institutes of security and data protection and be able to work through the solution of concrete cases. The didactic objectives are pursued through the analysis of application scenarios, practical questions and case law material drawn from the current legal reality of the company, leaving appropriate space for the resolution of doubts and the analysis of issues raised directly by students, in order to encourage their active participation and critical reflection. All this ensures that students can orient themselves knowledgeably among legal and IT issues, also developing operational skills in identifying the specific rules applicable to the resolution of the concrete cases examined, and can relate competently to the IT systems of companies and public bodies.

Course contents

The didactic activity is organised in eight teaching modules and takes place in the Computer Science Laboratory or online. Each teaching module has specific objectives within the general framework of cybersecurity and data protection.
Each module devotes two hours to the main issues and two hours to practical exercises (see the Teaching methods section).

Module 1 - Cybersecurity: information security and data protection.
The module introduces the principles and methodologies to protect the company's information assets (infrastructure, strategic information, personal data) with organisational and technical measures and to react correctly to data breaches.
Main issues
Attackers, attack methodologies, vulnerability scenarios
Analysis and statistics of computer incidents in the corporate environment
Organisational and technical measures for the prevention and detection of incidents and the recovery of computer systems
Cyber risk assessment and management
Proper handling of data breaches and of ransomware (e.g. CryptoLocker) attacks.

Practical exercises

Experimenting with security tools: encryption, secure deletion, antivirus, firewall, backup, data recovery. Approach to a concrete case of data breach reporting.

Module 2 - Digital life: rights and protections of the person concerned.

The module provides students with a general overview of privacy regulations, from the point of view both of the person to whom the personal data belong and of the person processing the data. The module opens by reviewing and deepening the basic notions, already covered in the Legal Informatics course, and then examines their application to privacy obligations in companies.

Main issues

What personal data are and why they are protected; what data processing is
The rights of the subjects to whom the data belong: access, information, 'control' of the data; the legal bases of processing; the conditions under which processing is lawful
Tasks, duties and responsibilities of those who process personal data; the figures involved
Sanctions and consequences: the "different measures" and the impact on business activity; compensation for damages
Privacy obligations in the company

Practical exercises

Case study identification, comment and analysis
Examples of checklists, policies, disclosures

Module 3 - Technology control in the company and data protection
The module analyses the legal and applicative framework governing the exercise of the power of technological control in the company and the processing of workers' personal data, and examines the problems raised by the different technological devices used in the company for work purposes.
Main issues
The employer's power of remote control and its limits. The prohibition of covert control;
Technological control by means of work tools and of access and attendance registration systems. Geolocation systems, wearable devices and biometric data collection;
The company monitoring of the use of digital resources: internet and e-mail at work;
Employer control over the use of social networks by the worker;
The processing of the worker's personal data collected through technological control.
Practical exercises

Case study identification, comment and analysis
Examples of checklists, policies, disclosures

Module 4 - Fundamentals of technological management of company documentation.
The module provides an introduction to archival documentation and its computer processing, through the examination of methods and tools for the creation, management and preservation of documents in the light of the GDPR requirements on data management and data protection.
Main issues
Models and tools for the management and maintenance of the digital archive; functional requirements for the creation and maintenance of the document management system in an IT environment; methods for the storage of and access to electronic documents.
Practical exercises
Consultation of a digital archive of a company;
Creating a basic archive for a company.

Module 5 - Data security and criminal protection.
The module surveys the tools provided by criminal law for the protection of the fundamental interests potentially harmed by the distorted use or abuse of information technology: from offences relating to the remote control of workers, to offences protecting the economic interests of the company (embezzlement), to computer crimes protecting confidential information.
Main issues
The employer's power of remote control and its limits. Criminal profiles
Personal use of digital resources: the internet at work;
Unauthorised access to computer systems.
Practical exercises
Selection of case studies and student's approach to solving a concrete case.
Examination of the main application issues

Module 6 - Whistleblowing and employee protection.
The module illustrates the essential points of the current whistleblowing regulations, the protection guaranteed by law to the employee who reports offences or irregularities of which they have become aware for work reasons (protection against retaliatory acts, nullity of discriminatory dismissal, etc.) and the disciplinary system.
Main issues
Concept of whistleblowing and main protections guaranteed to the employee reporting the irregularity (Law 179/2017)
Application problems: e.g. right of defence of the accused, guarantee of anonymity of the complainant, etc.
Practical exercises
Selection of cases related to the application of the discipline of whistleblowing and the guided resolution of a concrete case by the students.

Module 7 - Data Ethics
The module provides the essential tools to manage the most relevant profiles and critical issues of big data ethics and strengthen the ability to analyze and evaluate ethical issues in the professional field.
Main issues
Big data and business ethics
Responsibilities and moral obligations
Moral conflicts between public and private interests
Management of decision-making processes between stakeholders, society and the current regulatory framework
Analysis and discussion of ethical cases
Practical exercises
Analysis of case studies and discussion of the resolution strategies to be applied.
Examination of the criticality of the solutions adopted using the main moral constructs.

Module 8 - Protection of business information and digital technologies

The module provides an overview of the notions of confidential business information, trade secret and know-how and of the protection requirements in the light of the recent Legislative Decree 63/2018 (implementing EU Directive 2016/943), which requires the entrepreneur who wishes to invoke the legal protection of confidentiality to take "appropriate security measures".
Main issues
The legal concept of secret information and know-how
The concept of "adequate protection"
The main forms of technological and organisational protection in business practice
Practical exercises
Selection of case studies taken from Italian case law on the subject and the student's approach to solving a concrete case.



***
At the end of the Laboratory, students will both know the fundamental institutes of information security and data protection and be able to work through the solution of concrete cases, having acquired the fundamental knowledge and skills to:

  • approach IT security in the company correctly and prepare to respond to data breaches as legal practitioners
  • properly manage the protection of personal data processed by and for the company
  • correctly manage the remote control of the work organisation and the problems related to the different technological devices used in the company for work purposes
  • properly manage company documentation in the digital environment
  • address issues with criminal implications related to the different technological devices used in the company for work purposes
  • understand the impact of the whistleblowing regime, including in terms of sanctions, and put in place the necessary protections for the employee
  • identify and manage ethical issues related to the use of data in the exercise of the profession
  • address technological issues related to the protection of trade secrets.

Readings/Bibliography

Teaching materials uploaded on the Virtuale platform.


Teaching methods

The course takes part in the a.y. 2022/23 trial for teaching innovation.
The teaching objectives are pursued through the analysis of application scenarios, practical questions and case law material drawn from the current legal reality, leaving appropriate space for the resolution of doubts and the analysis of issues raised directly by students, in order to encourage their active participation and critical reflection. All this ensures that students can orient themselves knowledgeably among legal and IT issues, also developing operational skills in identifying the specific rules applicable to the resolution of the concrete cases examined, and can relate competently to the IT systems of companies and public bodies.
Each teaching module includes not only the framing of the main issues but also practical exercises, which concern in particular: the analysis of case studies and the discussion of resolution strategies; the drafting of guidance on how to use technological tools and how to carry out controls in the company; the drafting of company privacy notices and data breach notifications; and individual IT security measures (encryption, secure deletion, phishing awareness, etc.). (See the section Programmes/Contents.)

Assessment methods

The final examination takes place in written form and consists of a multiple-choice test comprising four questions for each module.
Registration for the test must be carried out via the Almaesami application (https://almaesami.unibo.it/almaesami/welcome.htm).
Prior registration on Almaesami is required and, in the event of withdrawal, cancellation in due time to allow for proper organisation of the exam.
Attending students
Attending students will be involved in group and individual exercises and in the analysis and discussion of cases, for which attendance at lectures is strongly recommended.
Those who have taken part in the exercises and obtained a pass in at least five of the eight modules, successfully carrying out the activities proposed by the lecturer, may take a simplified final examination with a reduced number of questions.

Teaching tools

Slides to support the lessons, articles, general-purpose software, links to public web resources and diagrams will be available online.


Office hours

See the website of Raffaella Brighi

See the website of Annalisa Atti

See the website of Patrizia Tullini

See the website of Francesco Di Tano

See the website of Silvia Tordini Cagli

See the website of Chiara Bologna

See the website of Silvia Zullo

See the website of Anna Maria Toni

SDGs

Quality education; Industry, innovation and infrastructure; Sustainable cities

This teaching activity contributes to the achievement of the Sustainable Development Goals of the UN 2030 Agenda.