ESKISP Conduct security testing, under supervision

Transcription

1 Overview This standard covers the competencies required to conduct security testing under supervision. In order to contribute to the determination of the level of resilience of an information system to information security threats and vulnerabilities. Assisting applying testing methods, including penetration testing, assessing the robustness of an information system, against a coordinated attack. ESKISP

2 Performance criteria You must be able to: P1 undertake information security tests, under controlled conditions, to assess vulnerabilities and compliance against relevant internal and/or external standards P2 P3 P4 P5 P6 P7 P8 P9 use a range of appropriate methods, tools and techniques to conduct penetration testing clearly and accurately scope and plan the information security test approach, prioritising testing activity to proactively target the most significant threats and vulnerabilities first interpret information assurance requirements to produce information security test acceptance criteria carefully plan a context driven test approach to systematically test a system in order to validate its information security status design and develop accurate and clear test scripts, plans and acceptance criteria to ensure that information assurance requirements can be tested against relevant internal and/or external standards critically review the results of penetration testing and accurately identify specific vulnerabilities within any specified information system prioritise outcomes and recommend specific and timely action to address vulnerabilities identified as a result of information security testing clearly report on and communicate the results of information security testing, recommending mitigation actions P10 ensure information security testing reports are high quality and relevant to the audience ESKISP

3 Knowledge and understanding You need to know and understand: K1 K2 K3 K4 K5 K6 K7 the specific threats that may be of particular importance to any particular information system how to organise a information security testing approach following standard procedures how to use the range of tools and techniques that can be applied for penetration testing relevant UK legislation and its impact on penetration testing: K4.1 computer misuse act 1990 K4.2 human rights act 1998 K4.3 data protection act 1998 K4.4 police and justice act 2006 the latest information and data on a wide range of information security vulnerabilities the importance of ensuring that information security testing is designed to ensure testing of all aspects of information systems across the core principles: K6.1 confidentiality K6.2 integrity K6.3 availability K6.4 authorisation K6.5 authentication K6.6 non repudiation the potential impact of the vulnerabilities identified on any information system and on the organisation ESKISP

4 K8 K9 what are the different types of information security testing that can be conducted and their purpose what are the benefits of penetration testing K10 the detailed steps involved in undertaking a full penetration testing assessment K11 the legal requirements relating to penetration testing K12 how to analyse detailed penetration testing results and assess vulnerabilities in order to provide advice on how to respond K13 the interests of relevant stakeholders for information security testing K14 how to: K14.1 ensure that the design of tests incorporates the range of threats that may present themselves to the organisation K14.2 scope, plan and manage the information security testing activities conducted on any particular information system or solution K14.3 identify and prioritise specific vulnerabilities for any information system or solution K14.4 communicate the business implications of the limitations of information security testing programmes K14.5 develop and implement test programmes to assess information effectiveness through the life of a system ESKISP

5 Developed by e-skills UK Version number 1 Date approved February 2013 Indicative review date Validity Status Originating organisation Original URN Relevant occupations Suite Key words December 2015 Current Original e-skills UK ESKISP Information and Communication Technology; Information and Communication Technology Professionals; Information and Communication Technology Officer; IT Service Delivery Occupations; Software Development Information Security Cyber Security; Information Security ESKISP