ESKISP Assist security testing, under supervision

Transcription

1 Overview This standard covers the competencies required to assist security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to information security threats and vulnerabilities. Assisting applying testing methods, including penetration testing, assessing the robustness of an information system, against a coordinated attack. ESKISP

2 Performance criteria You must be able to: P1 P2 P3 P4 P5 P6 P7 able to assist in determining responses to a range of standard security scans and tests on network devices and information systems and components use a range of appropriate methods, tools and techniques, as directed by supervisors/senior staff, to conduct information security testing undertake a range of basic penetration tests, under controlled conditions, to assess vulnerabilities and compliance against information assurance criteria and standards under supervision assist with the development of accurate and clear security test scripts to ensure that information assurance requirements can be tested against relevant standards objectively assess the results of information security testing and vulnerability assessment against the acceptance criteria accurately collate and clearly document the outcomes from information security tests and vulnerability assessment providing prioritised rudimentary mitigation information and advice report potential issues and risks arising from security testing to supervisors ESKISP

3 Knowledge and understanding You need to know and understand: K1 K2 K3 K4 the range of threats and vulnerabilities that need to be considered within information security testing design and development activities when and how to schedule information security testing the range of formal testing methods/standards that are available what are acceptable results from information security testing K5 K6 K7 K8 K9 how to: K5.1 use and apply specified penetration testing techniques under supervision K5.2 develop information security test plans and schedules K5.3 design and apply a range of tests to ensure compliance with the information assurance standards used by the organisation K5.4 ensure that information security tests are carried out under controlled conditions K5.5 assess the results from information security testing objectively K5.6 accurately record and store relevant information and data relating to the results of information security tests what is meant by information security testing what are the different types of information security testing that can be conducted and their purpose what is the role of penetration testing in information security testing what are the legal requirements for penetration testing K10 that the purpose of information security testing is about attaining levels of confidence in the resilience properties of information systems ESKISP

4 K11 how to apply a few conventional, accepted penetration testing techniques K12 that information security testing does not guarantee security, simply that a device, information systems or component meets a minimum threshold of security robustness K13 that there are a range of different testing methods and standards that can be associated with and applied to each stage of software or hardware life cycle K14 how to apply an established testing method to assure information systems K15 the need to ensure that compliance with information security standards is tested prior to the launch of any developed information system or solution K16 the importance of conducting information security tests routinely on existing services within the organisation ESKISP

5 Developed by e-skills UK Version number 1 Date approved February 2013 Indicative review date Validity Status Originating organisation Original URN Relevant occupations Suite Key words December 2015 Current Original e-skills UK ESKISP Information and Communication Technology; Information and Communication Technology Professionals; Information and Communication Technology Officer; IT Service Delivery Occupations; Software Development Information Security Cyber Security; Information Security ESKISP