Manage security architecture activities

Contribute to implementing secure systems
TECHIS60331
This standard covers the competencies required to assist secure operations management activities under
supervision. This includes reacting to new threats and vulnerabilities.
Establish processes for maintaining the security of information throughout its lifespan. Develop,
implement and maintain Security Operating Procedures in accordance with security policies and
standards. Manage the implementation of information security programmes, and co-ordinate information
security activities across the organisation.
Performance Criteria
1. carry out secure system operations in line with organisational standards
2. assist in developing architectural solutions for information systems which minimise risk exposure
3. contribute to the development of information systems architectures which include infrastructure
applications and cloud-based solutions
4. take account of relevant security policies and threat/risk profiles while contributing to the
development of secure architectural solutions in order to mitigate risks and conform to legislation
5. advise information system designers on how to incorporate the security architecture into the
overall system design
6. review security requirements and assist in the development of the enterprise security architecture
7. review information systems designs for compliance with the security architecture in line with
organisational standards
8. maintain own awareness of the security advantages and vulnerabilities of common products and
technologies
Knowledge and Understanding
1. what is meant by information security architecture and secure systems
2. the processes, procedures, methods, tools and techniques relating to identifying information
systems vulnerabilities
3. what are the main security architectures and frameworks and how to apply them
4. how to interpret organisational information security policies and standards that apply to
information systems operations and apply them
5. the advantages and disadvantages of a range of commonly used components and security products
with respect to their vulnerabilities and protection capabilities
6. the most appropriate information security product and protocols to use in meeting the
organisation's security requirements
7. range of processes, procedures, methods, tools and techniques applicable to secure architecture
development activities and their deliverables
8. commonly used architectural frameworks including TOGAF and Zachman
9. a range of core security technologies including access control models, public and private
encryption, authentication techniques, intrusion detection
Carry out security architecture activities
TECHIS60341
The protection of information, services and systems relies on a range of technical and procedural activities,
often grouped in a framework. The framework will contain technical and logical, physical and process
controls that can be implemented across an organisation to reduce information and systems risk, identify
and mitigate vulnerability, and satisfy compliance obligations.
This role involves determining appropriate types of security controls and access management and network
security devices, and how they work.
Performance Criteria
1. interpret organisational security policies and threat/risk profiles
2. incorporate organisational security policies and threat/risk profiles into secure architectural
solutions that mitigate the risks and conform to legislation in line with business needs.
3. present technical security architecture solutions for network security, infrastructure security, and
application security
4. select security products and technologies based upon their security characteristics
5. design robust and fault-tolerant security mechanisms and components appropriate to the
identified risks
6. propose security architecture solutions which contribute to overall information
systems architectures in line with organisational standards
7. develop and implement appropriate methodologies, templates, patterns and frameworks to
support security architecture development
8. apply security architecture principles to networks, information systems, control systems,
infrastructures and products in line with organisational requirements
9. maintain own awareness of the security advantages and vulnerabilities of common security
products and technologies
Knowledge and Understanding
1. that security controls can be categorised and selected on the basis of that categorisation
2. where technical controls cannot be used, other controls can be selected
3. how technical controls (examples include cryptography, access management, firewalls, anti-virus
software and intrusion prevention systems) work in detail/at an advanced level of understanding;
how the technical controls can be deployed in practice – and associated strengths and weaknesses
4. the need for security architecture and its relevance to systems, service continuity and reliability
5. the application of techniques such as defence in depth to demonstrate how controls can be
selected, deployed and tested to minimise risk and impact
6. how to differentiate between controls to protect systems availability and reliability; controls to
protect information; and controls to manage human behaviour
7. the trade-offs for functionality, usability and security
8. the role of operations in monitoring, maintaining and evolving controls
9. what is meant by information security architecture
10. how implementing a security architecture can mitigate risk for information system design
11. where to find information on the existing information systems architectures used within the
organisation
12. the relationship of information security architecture to IT and enterprise architectures
13. sources of recognised external security architectures and frameworks
14. the advantages and disadvantages of implementing a range of commonly used IT components and
security products; a range of core security technologies, e.g. access control
models, public and private encryption, authentication techniques, intrusion detection
15. the most appropriate information security product and protocols to use in meeting the
organisation's security requirements
16. the range of processes, procedures, methods, tools and techniques applicable to secure
architecture development activities and their deliverables
17. the role of architecture in information and network security
18. the fact that the organisation's network and information security architecture needs to align with
wider systems architecture development
19. the importance of using security standards, architectures and frameworks
20. how to represent security architecture designs and models
Manage security architecture activities
TECHIS60351
The protection of information, services and systems relies on a range of technical and procedural activities,
often grouped in a framework. The framework will contain technical and logical, physical and process
controls that can be implemented across an organisation to reduce information and systems risk, identify
and mitigate vulnerability, and satisfy compliance obligations.
This standard covers the competencies concerned with managing information security architecture
activities. This includes establishing a culture of designing and maintaining effective security architectures
that can be incorporated into information systems and networks through defining and implementing
organisational policies, standards and processes.
Performance Criteria
1. align security architectures to business needs in order that information systems conform to their
security profile
2. design and develop comprehensive information security architectures for complex network and
information systems in line with organisational requirements
3. design, implement and maintain the standards and techniques for information security
architectures in line with organisational procedures
4. ensure information systems are compliant with approved information security architectures and
recommend changes to them where they do not comply
5. ensure that existing information systems (including legacy systems) are migrated and/or integrated
to current secure architectures
6. justify to stakeholders the adoption of defined security architectures to reduce information risk
exposure for the organisation
7. advise others on all aspects of the development and implementation of information security
architectures
8. lead teams to implement standard security architecture models and roadmaps in line with
organisational requirements
9. modify security architectures to reflect new products and processes and align to changing business
needs
10. correctly identify the vulnerabilities and risks of existing and new information security architectures
and make recommendations to improve and update them
11. monitor the alignment of network and information systems with information security architecture
models and roadmaps
12. report the progress of information security architecture assignments to senior management and
other stakeholders
Knowledge and Understanding
1. what information is required to update and maintain information security architectures, models
and roadmaps
2. the sources of all current information that will be used during information security architecture
activities
3. the potential vulnerabilities and threats that may impact on the organisation's information assets
4. how to identify and select the most appropriate information security architecture models to
support the security requirements of a particular information system
5. the processes, tools and techniques for conducting information security architecture work
6. the range of issues associated with information security architecture activities
7. the impact of any legislation, regulation, internal and external standards relevant to the
organisation on information security architecture models and roadmaps
8. the implications of business change on information security architecture models and roadmaps
9. the relationship between security architecture and enterprise architecture
10. what are the issues associated with undertaking information security architecture work
11. the potential implications of information security architecture activities on the design and
development of information systems
12. the fact that information security architecture models and roadmaps are used to monitor the
effective alignment of information systems with the business security strategy and operating model
13. who are the sponsors of and stakeholders for information security architecture activities within the
organisation
14. who needs to authorize changes to information security architecture models and roadmaps
Direct secure development activities
TECHIS60361
The protection of information, services and systems relies on a range of technical and procedural activities,
often grouped in a framework. The framework will contain technical and logical, physical and process
controls that can be implemented across an organisation to reduce information and systems risk, identify
and mitigate vulnerability, and satisfy compliance obligations.
This standard covers the competencies concerned with directing security architecture activities. It includes
setting the strategy and policies for security architecture, and being fully accountable for successful
security architecture development activities and deliverables.
Performance Criteria
1. be fully accountable for information security architecture development in line with organisational
requirements
2. set the strategy, policies and standards relating to information security architecture
3. implement and update the procedures, tools and techniques relating to information security
architecture development activities as required
4. communicate with sponsors and stakeholders on the implications of information security
architecture activities for the wider business
5. set the resourcing strategy and correctly source appropriately skilled internal/external individuals
where necessary to undertake and/or manage information security architecture and roadmap
activities
6. effectively conduct security risk analysis as part of information systems scenario planning by
applying information security architecture models and roadmaps
7. advise others on all aspects of information security architectures including best practice and the
application of lessons learned
8. provide thought leadership on information security architecture, contributing to internal best
practice and to externally recognised publications, white papers
Knowledge and Understanding
1. how to source appropriately skilled individuals where necessary to undertake information security
architecture work
2. the most appropriate approaches and best practice to undertake architecture work
3. the processes, tools and techniques to monitor the alignment of information security architecture
activities with all relevant legislation, regulations and external standards
4. how to assess the skills of internal/external individuals necessary to undertake information security
architecture and roadmap work
5. the range of existing and new information security models and roadmaps that influence strategic
business decision making and security planning
6. how to audit the outcomes of the information security requirements to ensure the security
architecture is proportional to the risks associated with a particular system
7. how to implement information security design reviews to validate the designs and architectures for
new information systems projects
8. the fact that individuals involved in information security architecture and roadmap activities need
to remain aware of the 'real life' business and technology operational activities to ensure their
work remains relevant
9. who needs to lead information security architecture assignments
10. how threat modelling can be applied to preventive information security design and architecture
practices
11. the design principles required that support embedding security into information security
architectures that are used to inform secure development activities
12. how to apply the lessons learned from prior and/or others' experience in
13. how to establish information security architecture models and roadmaps as a means of proactively
identifying opportunities for improvement
Contribute to secure software development activities
TECHIS60332
Developing secure software is a key element in defending applications against security risks.
This standard covers the application of secure development standards and practices. It also includes embedding of
preventative security measures into software development to reduce the risk of threats and vulnerabilities on
information systems and ensuring that testing demonstrates that security requirements are met.
Performance Criteria
1. follow the organisation's secure software development lifecycle for embedding security controls
into software development
2. design software that avoids application coding security vulnerabilities
3. design and code strong authentication protections with secure software development in line with
organizational standards
4. utilise secure HTTP headers to prevent potential attacks in web applications in line with
organisational standards
5. review and incorporate security requirements into software development projects in line with
organisational standards
6. use and apply the approved tools and techniques for secure software development in line with
organisational standards
7. use appropriate security tools to test software applications and identify security defects in software
code, in line with organisational standards
8. resolve security related defects using secure coding techniques in line with organisational
standards
Knowledge and Understanding
1. what is meant by secure software development
2. why security needs to be built into software and information systems solutions
3. the secure development lifecycle and how to apply it
4. the types of application that can be susceptible to security weaknesses
5. the attack types and software vulnerabilities that a software developer may encounter and need to
protect against
6. what are the common security controls available in secure software development to prevent
security incidents and to mitigate risk
7. the role of security testing in verifying the integrity of information systems solutions during
development
8. the tools and techniques that are required during secure development activities and how to apply
them
9. how to source and review the information security requirements for an information system or
software solution in development
10. the policies, internal/external standards and external certifications relating to information
assurance that any particular solution needs to comply with
11. the security artefacts and documentation that are required to evidence conformance to standards
and by internal and external auditors and certifiers of secure systems
12. the importance of ensuring that information assurance needs are considered as part of any
information system or solution at the earliest stages of the development lifecycle
13. the fact that building security into information systems or software solutions after the design and
development phases is expensive and time consuming
Carry out secure software development activities
TECHIS60342
Developing secure software is a key element in defending applications against security risks.
This standard covers the competencies concerned with conducting secure software development. This
includes implementing secure development standards and practices, translating information security
requirements into secure software. Also to recommend and implement a range of standard technical
security controls to make software solutions more resilient. And reducing the through the use of
"standard" security architectures which support secure software development activities.
Performance Criteria
1. apply the organisation's secure software development architecture to any particular software
development projects in line with organisational requirements
2. apply secure software development tools and techniques in line with organisational procedures
3. select and implement appropriate secure software test strategies in line with organisational
requirements
4. accurately identify information security requirements for software solution development
5. clearly communicate how security requirements need to be built into software solutions to
relevant stakeholders
6. verify that a software product or system meets its security criteria (requirements, policy, standards
& procedures)
7. critically review software solutions to ensure that they comply with any necessary internal and
external information security standards
8. conduct rigorous testing of all aspects of new software solutions to identify information security
issues or risks
9. review secure software development techniques and implement any identified improvements
Knowledge and Understanding
1. the range of information security architectures that can be applied to secure information system
development
2. the internal and external security standards that need to be applied during secure software
development
3. how to implement secure software controls into secure software development using an
appropriate methodology
4. the appropriate information security testing that can be used to validate information system
security requirements are met
5. the approaches used to conduct a formal security assessment on a new software product or
information system
6. the benefits of 'designing in' security into software applications and information systems
7. the potential threats and vulnerabilities that may need to be considered within any software design
8. how to use and apply information security standards, architectures and frameworks
9. the importance of minimising the risk to information assets or systems through the use of standard
security architectures and models in secure software development
10. the potential issues and risks arising from a failure to comply with secure software development
requirements
11. the importance of ensuring that any secure software design and development work undertaken
aligns with the specified information security architecture
12. the importance of analysing potential threats associated with the software development approach
being taken prior to design work being undertaken
13. the internal and external factors that may impact on the effectiveness of secure software
development activities
14. the importance of educating system and solution developers, including third parties, in the need
for secure software development
Manage secure software development activities
TECHIS60352
Developing secure software is a key element in defending applications against security risks.
This standard covers the competencies concerned with managing secure development activities. This
includes establishing a culture of designing security aspects into software development through
implementing organisational policies, and defining and/or implementing secure development standards
and practices for embedding preventative security measures into software development practice.
This includes managing resources, activities and deliverables. Clear security standards will also contribute to an
organisational culture for secure software development and organisation-wide security awareness.
Performance Criteria
1. manage secure software development resources, activities and deliverables in line with
organisational requirements
2. define and maintain secure software development standards and practices to ensure the continued
protection of software against changing threats and risks
3. ensure that all software development activities are carried out as part of a secure software
development lifecycle
4. implement secure development practices to complex security requirements in line with
organisational requirements
5. ensure that software development teams understand the information security standards with
which they need to comply
6. develop and maintain secure software development tools and techniques in line with
organisational requirements
7. develop and maintain the organisation's secure software development architecture in line with
organizational requirements
8. review secure software designs to assess their security resilience in line with organisational
standards
9. perform formal security assessments on new software products to verify that they meet their
security requirements in line with organisational standards
10. review and improve secure design patterns for software development
11. define appropriate secure software change and error management processes in line with
organisational standards
12. clearly communicate to software developers how information security requirements need to be
built into particular software solutions or information systems being developed
13. select and implement appropriate software security test strategies to ensure compliance to
security requirements
14. develop and implement processes that maintain the required level of security of a software
product, or information system through its lifecycle
15. present information on secure software development processes and deliverables to a wide range
of sponsors, stakeholders and other individuals
16. advise others both internally and externally on all aspects of secure development activities
Knowledge and Understanding
1. how to manage secure software development activities
2. the range of appropriate security controls that can be incorporated into the development of
information systems
3. the policies and standards that relate to secure software development
4. how to develop standards and guidelines for secure software development
5. the need to communicate the importance of secure software development to ensure software
resilience to a wide range of sponsors and stakeholders
6. the need to review the standard software designs used in secure development
7. the range of tools and techniques available to support secure software development activities and
how to apply them
8. how to respond to new threats and vulnerabilities through improved secure software development
tools and techniques
9. what is meant by a formal security assessment and how to perform one
10. the benefits of building security into software solutions and information systems
11. the potential issues and risks arising from a failure to comply with security requirements in
software development
12. what the internal and external factors that may impact on the effectiveness of secure development
activities are
13. the importance of ensuring that any secure design and development work undertaken aligns with
the security software development and wider security architectures
14. the need to communicate the deliverables produced by secure development activities to others
15. who needs to be provided with the deliverables for software development activities and when this
needs to happen
16. the need for monitoring the alignment of secure software development work with security
architecture models and roadmaps