607 - Word doc - The Tech Partnership

Contribute to audit, compliance and assurance activities
TECHIS60731
This standard covers the competencies required for assisting with auditing information systems security
robustness. This includes checking for and verifying compliance with security policies and standards as well
as external legal and regulatory requirements.
Verifying that information systems meet the security criteria, including policy, standards and procedures.
Undertaking security compliance audits in accordance with an appropriate methodology.
Performance Criteria
1. record assets in an asset management and tracking system in line with organisational standards
2. conduct a range of information security audit activities accurately and in a timely manner, under
the direction of others
3. assist verification of on-going conformance to security policies and requirements in line with
organisational standards
4. verify compliance with security policies in line with organisational standards
5. accurately gather and collate the findings from security audit activities, assisting seniors with the
identification and prioritisation of issues and risks arising
6. clearly and objectively report the results and findings from audit activities to supervisors; work with
senior auditors to perform audits in line with organisational standards
7. assist with the review and communication of the audit results and findings with accountable
owners and other stakeholders
8. assist others with the action planning resulting from any particular information security audit
Knowledge and Understanding
1. what is meant by information security audit
2. the benefits and requirements of conducting information security audits
3. the approach to be taken during any particular information security audit and/or review, including
the importance of operating with integrity, objectivity, confidentiality and competency
4. the common audit methodologies in use and how to apply these
5. the organisational policies, processes, and standards together with legislation and regulatory
requirements that exist for information security audit
6. who are the individuals who need to be communicated with as part of any particular information
security audit and/or review
7. which processes and documents need to be assessed as part of an information security review for
any particular IT/technology system or solution
8. the fact that information security audits may be required as part of the regulatory and legal
governance framework of the organisation
9. how to correctly use the most appropriate processes, procedures, methods, tools and techniques
to conduct information security audit and review activities
10. how to accurately identify and prioritise issues and risks arising from information security audits
11. the importance of information security audits in maintaining appropriate levels of compliance to
internal and/or external standards
12. the importance of information security reviews in ensuring that compliance to internal and/or
external standards is built into information systems and solutions
13. the fact that external conditions and threats to information security are changing constantly
14. the importance of ensuring that audit processes, procedures and approaches are maintained in line
with emerging information security threats
15. the role of information security audits within the wider framework of information risk management
16. the value of information security audits in the detection of threats to information systems and
information assets and the prevention of their impact on the organisation
17. the fact that information security audits may be required as part of the regulatory and legal
governance framework of the organisation
Carry out audit, compliance and assurance activities
TECHIS60741
This standard covers the competencies required for conducting information security audits and assurance
activities.
This includes verifying that information systems and processes meet the security criteria (requirements or
policy, standards and procedures). It also includes conducting compliance monitoring and security controls testing.
Performance Criteria
1. define and implement processes to verify on-going conformance to security and/or regulatory
requirements in line with organisational requirements
2. perform security compliance checks using a specified methodology and in line with organisational
standards
3. plan and schedule information security audits and reviews in line with organisational standards
4. conduct information security audits to assess security compliance within the organisation's
networked information system environment under supervision
5. implement and follow organisational policies, processes, and standards that exist for information
security audit
6. objectively review the findings from information security audit activities, identifying and prioritising
issues and risks arising
7. clearly and objectively report the results and findings from information security audit activities to
seniors
8. clearly record, report and communicate the results and findings from information security audits
with accountable owners
9. develop clear and accurate action plans resulting from any particular information security audit
Knowledge and Understanding
1. how the internal and/or external information security controls should be built into any information
system or solution
2. the internal and/or external standards against which an information security audit is assessing
compliance
3. the range of vulnerabilities that are being audited within any particular information security audit
4. the range of risks that have been identified for a particular information system or solution
5. the professional certifications that can or must be achieved in the security audit discipline for the
business
6. the importance of scheduling regular information security audits
7. the importance of ensuring that information security audits and reviews are clearly scoped
8. the internal and external factors that may impact upon the effectiveness of information security
audits and reviews
9. the fact that information security audits need to consider not only the effectiveness of controls
against identified risks but also other threats that may not have been assessed
10. the fact that information security reviews consider the effectiveness of the current security status
and make recommendations to allow for evolving internal and external drivers, to ensure they remain 'fit-for-purpose'
Manage audit, compliance and assurance activities
TECHIS60751
This standard covers the competencies concerned with managing information security audit activities,
including managing resources, activities and deliverables.
This includes checking for and verifying compliance with security policies and standards as well as external
legal and regulatory requirements. Planning, conducting and reporting on comprehensive security audit
approaches, as well as designing and implementing organisational policies, standards and processes.
Performance Criteria
1. be fully accountable for undertaking complex, accurate information security audits on all types of
information systems
2. develop, implement and maintain audit plans, processes, procedures, methods, tools and
techniques for information security activities and their deliverables
3. lead and manage an audit team to execute technical audit projects in line with organisational
requirements
4. evaluate the effectiveness of information security governance, tools and operations
5. evaluate the design, effectiveness and efficiency of information technology and security processes,
procedures, and technical controls in line with organisational standards
6. use the results from risk and vulnerability assessments to inform audit activities
7. implement organisational logging and documentation standards to comply with audit requirements
8. clearly and accurately define the scope of information security audit activities
9. advise and guide others on all aspects of information security audit activities and their deliverables
10. clearly and effectively communicate information security audit results to a wide range of sponsors,
stakeholders and other individuals
Knowledge and Understanding
1. what are the available methods, tools and techniques used to conduct information security audit
activities
2. how to use and apply information and data from risk, threat and vulnerability assessments, into
information security audit activities
3. how to set the levels of resources allocated to information security audit activities and prioritise
their work
4. how to conduct peer reviews of information security audit policies and procedures
5. the range of information security audit methodologies that may be used, and how they compare in terms of usability, flexibility,
and the outputs they produce
6. how to analyse, document and present security audit outcomes
7. the importance of monitoring the quality and effectiveness of information security audit activities
8. how to identify and implement improvements to information security audit processes and
procedures
9. the need to ensure that information security audits are undertaken professionally
10. the relevance of existing and new methods, tools and techniques used to support information
security audit activities