ESKISP Manage security testing

Transcription

1 Overview This standard covers the competencies concerning with managing security testing activities. Including managing resources activities and deliverables. This includes planning, conducting and reporting on comprehensive penetration testing approaches, as well as designing and implementing organisational policies, standards and processes. ESKISP

2 Performance criteria You must be able to: P1 be responsible for penetration testing in own area of work P2 P3 P4 P5 P6 P7 P8 P9 design, implement and maintain the standards processes, procedures, methods, tools and techniques to conduct information security assessments design, simulate, and execute controlled attacks on networks and systems as part of a comprehensive penetration testing approach apply existing and emerging methods to test and identify vulnerabilities to network and information systems select and specify the most appropriate tools to be used during penetration testing clearly and accurately define the scope of any penetration testing assignment aligned to the context of the test scenario lead and manage a penetration testing team, prioritising resource allocation and capability management ensuring that appropriate ongoing training and development is in place source, gather and collate information and data about the vulnerabilities identified as a result of penetration testing and the potential impact on the organisation s information systems and assets critically review the results of penetration testing, identifying priorities for action where appropriate P10 communicate the results of information security testing to a range of audiences justifying and evidencing any recommendations on security failures and non compliance P11 review and update information security testing processes and standards where appropriate to reflect the changing nature of security threats and risks P12 make decisions to implement improvements to the organisation s information systems and assets to reduce the risks associated with ESKISP

3 identified vulnerabilities, documenting such changes ESKISP

4 Knowledge and understanding You need to know and understand: K1 K2 K3 K4 K5 K6 K7 K8 K9 what information security testing can test for and the limitations how to use the range of tools and techniques that can be applied for information security testing the role and importance of proactive activities, such as penetration testing to identify vulnerabilities within the organisation s network and information systems infrastructure and assets how to translate the target systems into test plans and scripts the results and outcomes of information security testing activities in identifying security issues and iinforming and directing the importance in ensuring that information security testing is conducted proactively and routinely/regularly through the lifecycle and lifetime of network and information systems the range of scanning and testing activities that can be used to identify vulnerabilities in an organisation s network and information system the range of current, identified vulnerabilities that exist and need to be tested for the external standards, best practice frameworks and codes of conduct that an organisation s information systems infrastructure assets should comply with K10 how to: K10.1 ensure that processes and procedures are implemented and followed to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available K10.2 distribute warning material relating to information security vulnerabilities in a timely manner and suitable for the target ESKISP

5 audience K10.3 design, develop and implement metrics for monitoring the level of vulnerabilities through penetration testing K10.4 identify the potential business impacts if vulnerabilities are exploited K10.5 maintain lists of authorised or banned applications or devices for use on protective monitoring systems ESKISP

6 Developed by e-skills UK Version number 1 Date approved February 2013 Indicative review date Validity Status Originating organisation Original URN Relevant occupations Suite Key words December 2015 Current Original e-skills UK ESKISP Information and Communication Technology; Information and Communication Technology Professionals; Information and Communication Technology Officer; IT Service Delivery Occupations; Software Development Information Security Cyber Security; Information Security ESKISP