93241 - LABORATORIO INTEGRATO IN CYBERSECURITY AZIENDALE E PROTEZIONE DEI DATI

Academic Year 2020/2021

  • Moduli: Raffaella Brighi (Modulo 1) Annalisa Atti (Modulo 2) Patrizia Tullini (Modulo 3) Simona Tarozzi (Modulo 4) Silvia Tordini Cagli (Modulo 5) Chiara Bologna (Modulo 6) Silvia Zullo (Modulo 7) Anna Maria Toni (Modulo 8) Raffaella Brighi (Modulo 9)
  • Teaching Mode: Traditional lectures (Modulo 1) Traditional lectures (Modulo 2) Traditional lectures (Modulo 3) Traditional lectures (Modulo 4) Traditional lectures (Modulo 5) Traditional lectures (Modulo 6) Traditional lectures (Modulo 7) Traditional lectures (Modulo 8) Traditional lectures (Modulo 9)
  • Campus: Bologna
  • Corso: First cycle degree programme (L) in Employment and Business Relations Consultant (cod. 9230)

Learning outcomes

The objective of the Integrated Laboratory "Corporate Cybersecurity and Data Protection" is to guide the student to the integration of the knowledge acquired during the course of studies through shared teaching methods, in order to provide skills in the application of the knowledge acquired to specific contexts of the legal-corporate reality. In order to pursue this objective, the Laboratory develops a strongly multidisciplinary path on the topic of information security and data protection in the company, which is addressed in the seven modules from different angles: documentation management and protection of company information, technological control, protection of the worker's digital life, criminal protection, whistleblowing and data ethics, training in the conscious use of technology in the workplace and the analysis and testing of methods and tools for information security. At the end of the Laboratory students will be able both to know the fundamental institutes of security and data protection and to understand the solution of concrete cases. The didactic objectives are pursued through the analysis of application scenarios, practical questions, case law material offered by the current legal reality of the company and leaving appropriate space for the resolution of doubts and the analysis of issues directly raised by the students, in order to encourage their active participation and critical reflection. All this ensures that students can orient themselves with knowledge of legal and IT issues, also developing operational skills in identifying the specific rules applicable to the resolution of the concrete cases exemplified, and to relate competently to the IT systems of companies and public bodies.

Course contents

The didactic activity is organized in nine didactic modules and takes place in the Computer Science Laboratory or online. Each teaching module has specific objectives within the general framework of Cybersecurity and data protection.
Each module devotes two hours to the main issues and two hours to practical exercises (see Teaching methods section).

Module 1 - Cybersecurity: information security and data protection.
The module introduces the principles and methodologies to protect the company's information assets (infrastructure, strategic information, personal data) with organisational and technical measures and to react correctly to data breaches.
Main issues
Attackers, attack methodologies, vulnerability scenarios
Organisational and technical measures
Database notification
Practical exercises
Experimenting with security tools: encryption, secure deletion, antivirus, firwall, backup, data recovery

Module 2 - Digital life: rights and protections of the person concerned.
The module offers the student a general overview of the privacy discipline, from the point of view of the person to whom the personal data belong and the person who processes the data.
Main issues
Data protection and protected personal data
The rights of data subjects: access, information, "control" of data
Tasks, limits and responsibilities in the processing of personal data; the figures involved
Sanctions and consequences: the "different measures" and the impact on the business activity, compensation for damages
Practical exercises
Drafting of a corporate privacy policy for the processing of third party data
Drafting of a professional privacy policy for the processing of data as an external consultant
Privacy & cookie policy

Module 3 - Technology control in the company and data protection
The module deals with the analysis of the legal-applicative framework regarding the exercise of the power of technological control in the company and the processing of workers' personal data and analyzes the problems related to the different technological devices used in the company for work purposes.
Main issues
The employer's power of remote control and its limits. The prohibition of covert control;
The technological control by means of work tools and instruments of access and presence registration. Geolocation systems, wearable devices and biometric surveys;
The company monitoring of the use of digital resources: internet and e-mail at work;
Employer control over the use of social networks by the worker;
The processing of the worker's personal data collected through technological control.
Practical exercises
Selection of case studies and student's approach to solving a concrete case;
Drafting of individual information on how to use technological tools and how to carry out controls in the company.

Module 4 - Fundamentals of technological management of company documentation.
The module provides an introduction to archive documentation and its computer processing, through the examination of methods and tools for the training, management and preservation of documents in the light of the GDPR data management for data protection.
Main issues
Models and tools for the management and maintenance of the digital archive;
Functional requirements for the training and maintenance of the document management system in an IT environment;
Methods for storage and access to computer documents.
Practical exercises
Consultation of a digital archive of a company;
Creating a basic archive for a company.

Module 5 - Data security and criminal protection.
The module carries out a reconnaissance of the tools provided by the criminal law for the protection of the fundamental interests potentially offended by the distorted use or abuse of information technology means: from crimes relating to the remote control of the worker, to crimes to protect the economic interests of the company (embezzlement) to computer crimes to protect confidential information.
Main issues
The employer's power of remote control and its limits. Criminal profiles
personal use of digital resources: the internet at work;
abusive access to computer systems.
Practical exercises
Selection of case studies and student's approach to solving a concrete case.
Examination of the main application issues

Module 6 - Whistleblowing and employee protection.
The module illustrates the essential points of the current whistleblowing regulations, the protection guaranteed by the law to the employee who reports offences or irregularities of which he has become aware for work reasons (protection against any retaliatory acts, nullity of discriminatory dismissal, etc.) and the disciplinary system.
Main issues
Concept of whistleblowing and main protections guaranteed to the employee reporting the irregularity (Law 179/2017)
Application problems: e.g. right of defence of the accused, guarantee of anonymity of the complainant, etc.
Practical exercises
Selection of cases related to the application of the discipline of whistleblowing and the guided resolution of a concrete case by the students.

Module 7 - Data Ethics
The module provides the essential tools to manage the most relevant profiles and critical issues of big data ethics and strengthen the ability to analyze and evaluate ethical issues in the professional field.
Main issues
Big data and business ethics
Responsibilities and moral obligations
Moral conflicts between public and private interests
Management of decision-making processes between stakeholders, society and the current regulatory framework
Analysis and discussion of ethical cases
Practical exercises
Analysis of case studies and discussion of the resolution strategies to be applied.
Examination of the criticality of the solutions adopted using the main moral constructs.

Module 8 - Protection of business information and digital technologies
The module provides an overview of the notions of confidential business information, business secret and know-how and protection requirements in the light of the recent Legislative Decree 63/2018 (implementation of EU Directive 2016/943) which requires the entrepreneur who wants to invoke the legal protection of confidentiality to take "appropriate security measures.
Main issues
The legal concept of secret information and know-how
the concept of "adequate protection"
the main forms of technological and organizational protection in business practice
Practical exercises
Selection of case studies taken from Italian case law on the subject and a student's approach to solving a concrete case.

Module 9 - Laboratory and self-evaluation.
The final module allows students to verify the skills acquired through simulation and the solution of a concrete problem concerning the company.

***
At the end of the Laboratory students will be able both to know the fundamental institutes of information security and data protection and to understand the solution of concrete cases, acquiring the fundamental knowledge and skills for:


  • Approach IT security in the company in a correct way and prepare to respond to databreach as legal practitioners
    properly manage the protection of personal data processed by and for the company
  • to manage in a correct way the remote control of the work organization and the problems related to the different technological devices used in the company for work purposes
  • properly manage company documentation in the digital environment
  • address issues with criminal implications related to the different technological devices used in the company for work purposes
  • understand the impact of whistleblowing discipline, including in terms of sanctions, and put in place the necessary protections for the dependant
  • identify and manage ethical issues related to the use of data in the exercise of the profession
  • address technological issues related to the protection of business secrets.

Readings/Bibliography

Teaching materials uploaded on the IOL platform.

Teaching methods

The teaching objectives are pursued through the analysis of application scenarios, practical questions, case law material offered by the current legal reality of the company and leaving appropriate space for the resolution of doubts and the analysis of issues directly raised by students, in order to encourage their active participation and critical reflection. All this ensures that students can orient themselves with knowledge of legal and IT issues, also developing operational skills in identifying the specific rules applicable to the resolution of the concrete cases exemplified, and to relate competently to the IT systems of companies and public bodies.
Each teaching module includes, in addition to the framework of the main issues, laboratory activities and practical exercises, which concern in particular: the analysis of case studies and the discussion of resolution strategies, the drafting of information on the use of technological tools and the implementation of controls in the company, the drafting of corporate privacy policy and databreach notifications, individual computer security measures (encryption, secure deletion, attention to phishing, etc.), the creation of an archive of corporate documentation (See the section Programs/Contents).

Assessment methods

As for all seminar activities (https://corsi.unibo.it/laurea/ConsulenteLavoroRelazioniAziendali/attivita-seminariali ), attendance at the Laboratory is compulsory: during lessons, signatures will be collected from teachers.
Students will be involved in group and individual exercises, analysis and discussion of legal cases during lessons and, in order to obtain credits, they will have to pass a test at the end of the course.
The CFU of the laboratory will be assigned only after registration to one of the appeals provided for the seminar through the Almaesami application. (https://almaesami.unibo.it/almaesami/welcome.htm )
In order to access the above mentioned enrolment, the student must have previously entered the laboratory in the study plan. The insertion is possible only in certain periods, indicated in the following page http://www.giurisprudenza.unibo.it/it/piani-di-studio

Teaching tools

Slides to support the lessons, articles, general utility software, links to public web resources and diagrams will be available online (https://iol.unibo.it/).

Office hours

See the website of Raffaella Brighi

See the website of Annalisa Atti

See the website of Patrizia Tullini

See the website of Simona Tarozzi

See the website of Silvia Tordini Cagli

See the website of Chiara Bologna

See the website of Silvia Zullo

See the website of Anna Maria Toni

SDGs

Quality education Industry, innovation and infrastructure Reduced inequalities

This teaching activity contributes to the achievement of the Sustainable Development Goals of the UN 2030 Agenda.