IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
- Jeremy Cox
IT Professional Standards
Information Security Discipline
Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
December 2012
Draft Version 0.6

DOCUMENT REVIEW

Document Information
Document Title: Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
Document Reference:
Document Version: Draft Version 0.6
Document Date: /12/
Last updated: /01/2013

Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

| Sub discipline | 3 assist | 4 perform | 5 manage | 6 set strategy |
|---|---|---|---|---|
| Information Security Testing | Assist information security testing, under supervision | Conduct information security testing, under supervision | Manage information security testing | Direct information security testing |
| Information Assurance Methodologies | Assist information assurance, under supervision | Implement information assurance, under supervision | Manage Information assurance methodologies | Direct information assurance methodologies |

Information Security Testing

Level 3

Competence ( ): Assist information security testing, under supervision

This competence will be demonstrated by the following Performance Criteria ( C):
a) Able to assist in determining responses to a range of standard security scans and tests on network devices and information systems and components
b) Use a range of appropriate methods, tools and techniques, as directed by superiors, to conduct information security testing
c) Undertake a range of basic penetration tests, under controlled conditions, to assess vulnerabilities and compliance against information assurance criteria and standards
d) Assist with the development of accurate and clear security test scripts to ensure that information assurance requirements can be tested against relevant standards
e) Objectively assess the results of information security testing and vulnerability assessment against the acceptance criteria
f) Accurately collate and clearly document the outcomes from information security tests and vulnerability assessment providing prioritised rudimentary mitigation information and advice
g) Report potential issues and risks arising from information security testing to superiors

Competent performance requires Knowledge ( K) of:
a) The range of threats and vulnerabilities that need to be considered within information security testing design and development activities
b) When and how to schedule information security testing
c) The range of formal testing methods/standards that are available
d) What are acceptable results from information security testing
e) How to use and apply specified penetration testing techniques under supervision
f) How to develop information security test plans and schedules
g) How to design and apply a range of tests to ensure compliance with the information assurance standards used by the organisation
h) The need to ensure that information security tests are carried out under controlled conditions
i) How to assess the results from information security testing objectively
j) The need to accurately record and store relevant information and data relating to the results of information security tests

Competent performance requires Understanding ( U) of:
a) What is meant by information security testing
b) What are the different types of information security testing that can be conducted and their purpose
c) What is the role of penetration testing in information security testing
d) That the purpose of information security testing is about attaining levels of confidence in the resilience properties of information systems
e) How to apply a few conventional, accepted penetration testing techniques
f) That information security testing does not guarantee information security, simply that a device, information systems or component meets a minimum threshold of security robustness
g) That there are a range of different testing methods and standards that can be associated with and applied to each stage of software or hardware life cycle
h) How to apply an established testing method to assure information systems
i) The need to ensure that compliance with information security standards is tested prior to the launch of any developed information system or solution
j) The importance of conducting information security tests routinely on existing services within the organisation

Level 4

Competence ( ): Conduct information security testing under supervision

This competence will be demonstrated by the following Performance Criteria ( C):
a) Undertake information security tests, under controlled conditions, to assess vulnerabilities and compliance against relevant internal and/or external standards
b) Use a range of appropriate methods, tools and techniques to conduct penetration testing
c) Clearly and accurately scope and plan the information security test approach, prioritising testing activity to proactively target the most significant threats and vulnerabilities first
d) Interpret information assurance requirements to produce information security test acceptance criteria
e) Carefully plan a context driven test approach to systematically test a system in order to validate its information security status
f) Design and develop accurate and clear test scripts, plans and acceptance criteria to ensure that information assurance requirements can be tested against relevant internal and/or external standards
g) Critically review the results of penetration testing and accurately identify specific vulnerabilities within any information system
h) Prioritise outcomes and recommend specific and timely action to address vulnerabilities identified as a result of information security testing
i) Clearly report on and communicate the results of information security testing, recommending mitigation actions
j) Ensure information security testing reports are high quality and relevant to the audience

Competent performance requires Knowledge ( K) of:
a) The specific threats that may be of particular importance to any particular information system
b) How to organise an information security testing approach following standard procedures
c) How to use the range of tools and techniques that can be applied for penetration testing
d) Relevant UK legislation and its impact on penetration testing, including but not limited to:
   - Computer Misuse Act 1990
   - Human Rights Act 1998
   - Data Protection Act 1998
   - Police and Justice Act 2006
e) The latest information and data on a wide range of information security vulnerabilities

Competent performance requires Understanding ( U) of:
a) The importance of ensuring that security testing is designed to ensure testing of all aspects of information systems across the core principles:
   - confidentiality
   - integrity
   - availability
   - authorisation
   - authentication
   - non-repudiation
b) The potential impact of the vulnerabilities identified on any information system and on the organisation
c) What are the different types of information security testing that can be conducted and their purpose
d) What are the benefits of penetration testing
e) The detailed steps involved in undertaking a full penetration testing assessment
f) How to analyse detailed penetration testing results and assess vulnerabilities in order to provide advice on how to respond
g) The interests of relevant stakeholders for information security testing
h) The need to ensure that the design of tests incorporates the range of threats that may present themselves to the organisation
i) How to scope, plan and manage the security testing activities conducted on any particular information system or solution
j) The need to identify and prioritise specific vulnerabilities for an information system or solution
k) The need to communicate the business implications of the limitations of information security testing programmes effectively
l) How to develop and implement test programmes to assess information effectiveness through the life of a system

Level 5

Competence ( ): Manage information security testing

This competence will be demonstrated by the following Performance Criteria ( C):
a) Be responsible for penetration testing in own area of work
b) Design, implement and maintain the standards processes, procedures, methods, tools and techniques to conduct information security assessments
c) Design, simulate, and execute controlled attacks on networks and systems as part of a comprehensive penetration testing approach
d) Apply existing and emerging methods to test and identify vulnerabilities to network and information systems
e) Select and specify the most appropriate tools to be used during penetration testing
f) Clearly and accurately define the scope of any penetration testing assignment aligned to the context of the test scenario
g) Lead and manage a penetration testing team, prioritising resource allocation and capability management ensuring that appropriate ongoing training and development is in place
h) Source, gather and collate information and data about the vulnerabilities identified as a result of penetration testing and the potential impact on the organisation's information systems and assets
i) Critically review the results of penetration testing, identifying priorities for action where appropriate
j) Communicate the results of information security testing to a range of audiences justifying and evidencing any recommendations on security failures and non-compliance
k) Review and update information security testing processes and standards where appropriate to reflect the changing nature of security threats and risks
l) Make decisions to implement improvements to the organisation's information systems and assets to reduce the risks associated with identified vulnerabilities

Competent performance requires Understanding ( U) of:
a) What information security testing can test for and the limitations
b) How to use the range of tools and techniques that can be applied for information security testing
c) The role and importance of proactive activities, such as penetration testing to identify vulnerabilities within the organisation's network and information systems infrastructure and assets
d) How to translate the target vulnerabilities into test plans and scripts
e) The results and outcomes of information security testing activities in identifying security issues and informing and directing
f) The importance in ensuring that information security testing is conducted proactively and routinely/regularly through the lifecycle and lifetime of network and information systems

Competent performance requires Knowledge ( K) of:
a) The range of scanning and testing activities that can be used to identify vulnerabilities in an organisation's network and information system
b) The range of current, identified vulnerabilities that exist and need to be tested for
c) The external standards, best practice frameworks and codes of conduct that an organisation's information systems infrastructure assets should comply with
How to:
d) Ensure that processes and procedures are implemented and followed to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available
e) Distribute warning material relating to information security vulnerabilities in a timely manner and suitable for the target audience
f) Design, develop and implement metrics for monitoring the level of vulnerabilities through penetration testing
g) Identify the potential business impacts if vulnerabilities are exploited
h) Maintain lists of authorised or banned applications or devices for use on protective monitoring systems

Level 6

Competence ( ): Direct information security testing

This competence will be demonstrated by the following Performance Criteria ( C):
a) Be fully accountable for all penetration and information security testing activities, results and recommendations for mitigation
b) Design, develop, implement and maintain the policy and standards to provide a detailed information security testing framework for use within the organisation
c) Review, improve and update penetration testing methods and tools to continue to provide effective testing services
d) Ensure penetration testing activities and reports are clearly documented
e) Design, develop, implement and maintain resourcing and training strategy and plans to retain and develop appropriate penetration and information security testing expertise within the organisation
f) Continually monitor information security threat trends and keep aware of the latest information providing informed guidance to penetration testing activities
g) Monitor the quality and effectiveness of penetration testing activities, critically reviewing the approach and process and making recommendations for improvement where appropriate
h) Provide timely and objective advice and guidance to others on all aspects of information security testing activities including penetration testing best practice and the application of lessons learned
i) Maintain an authoritative position on proactive information security testing to identify and disseminate new threats to contribute to the body of knowledge
j) Develop communication processes for internal and external parties (e.g. customers) relating to penetration testing activities and results
k) Authorise the issue of formal reports to management on the effectiveness and efficiency of information security testing
l) Provide thought leadership on the discipline of information security testing, contributing to internal best practice and to externally recognised publications, white papers etc
m) Take timely and decisive action in the event of information security testing activities and their deliverables not complying with relevant legislation, regulations, and internal and external standards

Competent performance requires Understanding ( U) of:
a) The scope of information assurance governance within the organisation
b) The importance of establishing effective capabilities for the assurance of information assets with the organisation
c) The need to have effective and coordinated governance of a range of activities, including risk management, information security, vulnerability assessments, security education and awareness training
d) The need to ensure that timely and effective independent review of information security testing activities takes place
e) How to objectively analyse the findings from independent review of information security testing activities and report recommendations to sponsors and stakeholders
f) How to design and develop strategy, policies, plans and standards to ensure the alignment with all relevant legislation, regulations and external standards
g) The importance of using lessons learned in order to inform future information security testing

Competent performance requires Knowledge ( K) of:
a) Who are the executive sponsors and stakeholders of information security testing activities within the organisation
b) The need to advise and guide others on all aspects of information security testing activities
c) How to manage the implications and consequences:
   - of failure to identify and mitigate/control risks that arise
   - of information security testing activities failing to meet the expectations of the business
d) Sources of best practice in information security testing activities
e) The importance of analysing the results gained from monitoring the alignment of information security testing activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards

Information assurance methodologies

Level 3

Competence ( ): Assist information assurance, under supervision

This competence will be demonstrated by the following Performance Criteria ( C):
a) Correctly follow the strategy, policies, plans and standards relating to information assurance activities
b) Follow an appropriate information assurance methodology under supervision
c) Use a range of appropriate tools and techniques, as directed by superiors, to conduct information assurance activities
d) Operate with integrity and confidentiality during information assurance activities
e) Identify when and how to seek advice and guidance from other individuals during information assurance activities
f) Complete, to defined standards and timelines, own assigned tasks and activities during information assurance activities

Competent performance requires Knowledge ( K) of:
a) The processes, tools and techniques relating to information assurance and their deliverables
b) The legislation, regulations, strategy, policies and internal and external standards that are relevant to information assurance activities
c) The fact that information assurance includes the following core information security principles:
   - confidentiality
   - integrity
   - availability
   - authorisation
   - authentication
   - non-repudiation
d) The range of information assurance methodologies that are available
e) How to interpret policy and standards that apply to information assurance activities

Competent performance requires Understanding ( U) of:
a) What is meant by information assurance
b) Why the assurance and security of information assets is critical for the organisation
c) How an information assurance methodology can be applied to assure information systems
d) What are the roles and responsibilities of the information assurance and information security functions within the organisation
e) How information assurance activities fit within the development lifecycle
f) How information assurance activities fit within the service lifecycle
g) What are the processes, procedures, methods, tools and techniques used to conduct information assurance activities within the organisation
h) The need for information assurance activities to be carried out in accordance with any codes of conduct and organisational standards

Level 4

Competence ( ): Implement information assurance, under supervision

This competence will be demonstrated by the following Performance Criteria ( C):
a) Clearly identify and accurately document the organisation requirements with respect to information assurance methodology implementation
b) Clearly scope and plan the approach for introducing an information assurance methodology, including any impacts internally and on third parties
c) Accurately source, gather and collate information and data relating to the implementation of information assurance methodologies
d) Implement and apply an information assurance methodology to own and extended business enterprise assurance under direction
e) Critically assess the implementation of information assurance methodologies and/or approaches against the requirements of the organisation
f) Communicate effectively the outcomes and deliverables of information assurance methodologies
g) Ensure that all necessary processes, procedures, tools and techniques supporting the methodology are documented

Competent performance requires Understanding ( U) of:
a) The importance of having clear and understandable methodologies for information assurance
b) The importance of ensuring that methodologies for information assurance are aligned with the development lifecycle and service lifecycle
c) The internal and external factors that may impact on the effectiveness of any information assurance methodology

Competent performance requires Knowledge ( K) of:
a) The range of information assurance approaches and methodologies that may be available and their suitability to the needs of the organisation
b) What is contained within any information assurance methodology
c) What the advantages and limitations of adopting an information assurance methodology within an organisation are
d) How to identify and select the most appropriate information assurance methodology for any particular organisation to verify that information assurance risks are mitigated to acceptable levels

Level 5

Competence ( ): Manage information assurance methodologies

This competence will be demonstrated by the following Performance Criteria ( C):
a) Be responsible for information assurance on all types of information systems
b) Provide leadership on information assurance for the organisation, working effectively with strategic organisational functions to provide authoritative advice and guidance
c) Clearly align the scope of information assurance to the context of the business
d) Plan, schedule and manage information assurance of the organisation's information systems and assets
e) Select and apply the most appropriate methodology for information assurance
f) Accurately identify, document and communicate the selection of the most appropriate information assurance methodology to verify that information assurance risks are mitigated to acceptable levels
g) Clearly identify and accurately document roles and responsibilities for information assurance
h) Rigorously monitor the implementation and adoption of the information assurance methodology within the organisation
i) Monitor the quality and effectiveness of information assurance activities, making recommendations for improvement where appropriate
m) Identify, source and secure the most appropriate resources and skills from within the organisation to conduct information assurance activities

Competent performance requires Understanding ( U) of:
a) Why the quality and effectiveness of information assurance activities need to be managed and monitored
b) What are the limitations of information assurance and the capabilities of an information assurance methodology
c) What the results and outcomes of information assurance mean to the organisation in terms of the confidence in information security
d) The latest external standards, best practice frameworks and codes of conduct for information assurance that an organisation's IT/Technology infrastructure assets should comply with

Competent performance requires Knowledge ( K) of:
a) The range of information assurance methodologies and their strengths and weaknesses
b) The latest information on and developments in information assurance methodologies
c) How to analyse and assess internal problem reports for signs of anomalous information security issues that impact information assurance
d) The need to monitor and assess information in external reports for relevance to the organisation, ensuring that information assurance activities are updated through formal change processes
e) How to conduct reviews of information assurance policies and procedures

Level 6

Competence ( ): Direct information assurance methodologies

This competence will be demonstrated by the following Performance Criteria ( C):
a) Be fully accountable for the information assurance methodology
b) Design, implement and maintain the information assurance governance mechanisms for the organisation
c) Design and develop improved information assurance methodologies to reflect changing requirements
d) Design, develop, implement and maintain the policy and standards for information assurance within the organisation
e) Monitor the alignment of information assurance activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards
f) Take timely and decisive action in the event of information assurance activities and their deliverables not complying with relevant legislation, regulations, and internal and external standards
g) Create and maintain an information risk awareness culture within the organisation, ensuring everyone understands their role and responsibilities in maintaining information assurance throughout the organisation
h) Advise and support others on all aspects of information assurance methodology including best practice and the application of lessons learned
i) Provide thought leadership on the discipline of information assurance, contributing to internal best practice and to externally recognised publications, white papers etc

Competent performance requires Understanding ( U) of:
a) The scope of information assurance governance within the organisation
b) The importance of establishing effective governance bodies for the assurance of information assets with the organisation

Competent performance requires Knowledge ( K) of:
a) The role and responsibilities of information assurance governance bodies
b) The executive sponsors and stakeholders of information assurance activities within the organisation
c) How to analyse the results gained from monitoring the alignment of information assurance activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards
Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies
INFORMATION SECURITY POLICY
Information Security Policy INFORMATION SECURITY POLICY Introduction Norwood UK recognises that information and information systems are valuable assets which play a major role in supporting the companies
Head of Information & Communications Technology Responsible work team: ICT Security. Key point summary... 2
Policy Procedure Information security policy Policy number: 442 Old instruction number: MAN:F005:a1 Issue date: 24 August 2006 Reviewed as current: 11 July 2014 Owner: Head of Information & Communications
Gateway review guidebook. for project owners and review teams
Gateway review guidebook for project owners and review teams The State of Queensland (Queensland Treasury and Trade) 2013. First published by the Queensland Government, Department of Infrastructure and
Security Testing for Web Applications and Network Resources. (Banking).
2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess
Job Description. Supply Chain Development Manager
Job Description Job Title: Commercial Analyst Post Number(s) Grade: PO5 Department: Section: Reports to: Supply Chain Management Supply Chain Development Hub Supply Chain Development Manager PURPOSE OF
Department of Health & Human Services
Department of Health & Human Services Position Description Senior Project Officer Data, Quality and Funding (Clinical Supervision / Simulation portfolio) The Senior Project Officer, Data, Quality and Funding
Please see the full job description at the end of this document for full details on the Qualifications and Experience required for this role.
Title of Post Research Manager Location Christchurch Square, Dublin 8. Employment Type Fulltime (37 hrs) and Permanent Salary 50,209-65,505 Contact Person Helena Nolan 01 4530355 To apply, email application
GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1
GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY CONTENTS PAGE 1. Occupational Health and Safety Policy Statement 1 2. Occupational Health and Safety Management System 2 3. Organisational Management
Business Analyst Position Description
Analyst Position Description September 4, 2015 Analysis Position Description September 4, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level Definitions...
IT Governance Charter
Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za [email protected] 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms
STAGE 1 COMPETENCY STANDARD FOR ENGINEERING ASSOCIATE
STAGE 1 STANDARD FOR ENGINEERING ASSOCIATE ROLE DESCRIPTION THE MATURE ENGINEERING ASSOCIATE The following characterises the senior practice role that the mature, Engineering Associate may be expected
National Cybersecurity Assessment and Technical Services: Capability Brief. Presented by: Sean McAfee Updated: May 5, 2014
National Cybersecurity Assessment and Technical Services: Capability Brief Presented by: Sean McAfee Updated: May 5, 2014 Program Overview Offer Full-Scope Red Team/Penetration Testing Capabilities Services
Job Description. Industry business analyst. Salary Band: Purpose of Job
Job Description Job Title: Industry business analyst Division/Company: Industry Policy/Payments UK Reporting To: Director of Industry Policy Salary Band: C Purpose of Job To provide thought leadership and
Procuring Penetration Testing Services
Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat
Blending Corporate Governance with. Information Security
Blending Corporate Governance with Information Security WHAT IS CORPORATE GOVERNANCE? Governance has proved an issue since people began to organise themselves for a common purpose. How to ensure the power
Cisco Security Optimization Service
Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless
Security and Vulnerability Testing How critical it is?
Security and Vulnerability Testing How critical it is? It begins and ends with your willingness and drive to change the way you perform testing today Security and Vulnerability Testing - Challenges and
2 Gabi Siboni, 1 Senior Research Fellow and Director,
Cyber Security Build-up of India's National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,
Securities and Exchange Board of India
CIRCULAR CIR/MRD/DP/13/2015 July 06, 2015 To, All Stock Exchanges, Clearing Corporation and Depositories. Dear Sir / Madam, Subject: Cyber Security and Cyber Resilience framework of Stock Exchanges, Clearing
Achieve. Performance objectives
Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.
Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions
Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology
Guideline. Records Management Strategy. Public Record Office Victoria PROS 10/10 Strategic Management. Version Number: 1.0. Issue Date: 19/07/2010
Public Record Office Victoria PROS 10/10 Strategic Management Guideline 5 Records Management Strategy Version Number: 1.0 Issue Date: 19/07/2010 Expiry Date: 19/07/2015 State of Victoria 2010 Version 1.0
SFJCCAD2 Promote business continuity management
Overview This unit is about providing advice and assistance on business continuity management, including general advice for the business and voluntary sectors, and specific advice and assistance to individual
GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012
GUIDANCE NOTE FOR DEPOSIT-TAKERS Operational Risk Management March 2012 Version 1.0 Contents Page No 1 Introduction 2 2 Overview 3 Operational risk - fundamental principles and governance 3 Fundamental
Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager
Middlesbrough Manager Competency Framework + = Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework Background Middlesbrough Council is going through significant
SecSDM: A Model for Integrating Security into the Software Development Life Cycle
SecSDM: A Model for Integrating Security into the Software Development Life Cycle Lynn Futcher, Rossouw von Solms Centre for Information Security Studies, Nelson Mandela Metropolitan University, Port Elizabeth,
PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)
PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3) 1st February 2006 Version 1.0 1 P3M3 Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce This is a Value
CYBER SECURITY TRAINING SAFE AND SECURE
CYBER SECURITY TRAINING KEEPING YOU SAFE AND SECURE Experts in Cyber Security training. Hardly a day goes by without a cyber attack being reported. With this ever-increasing threat there is a growing need
ISO 27001 Information Security Management Services (Lot 4)
ISO 27001 Information Security Management Services (Lot 4) CONTENTS 1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE?... 3 2. LHIS TECHNICAL ASSURANCE SERVICES... 3 3. SERVICE OVERVIEW... 4 4. EXPERIENCE...
Security Controls What Works. Southside Virginia Community College: Security Awareness
Security Controls What Works Southside Virginia Community College: Security Awareness Session Overview Identification of Information Security Drivers Identification of Regulations and Acts Introduction
Job description - Business Improvement Manager
Job description - Business Improvement Manager Main Purpose of job The post has lead responsibility for optimising operational performance within the Operations directorate, and across the Society for
Software Application Control and SDLC
Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to
National Approach to Information Assurance 2014-2017
Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version
Enterprise Security Architecture
Enterprise Architecture -driven security April 2012 Agenda Facilities and safety information Introduction Overview of the problem Introducing security architecture The SABSA approach A worked example architecture
JOB DESCRIPTION. Contract Management and Business Intelligence
JOB DESCRIPTION DIRECTORATE: DEPARTMENT: JOB TITLE: Contract Management and Business Intelligence Business Intelligence Business Insight Manager BAND: 7 BASE: REPORTS TO: Various Business Intelligence
Change Management Office Benefits and Structure
Change Management Office Benefits and Structure Author Melanie Franklin Director Agile Change Management Limited Contents Introduction 3 The Purpose of a Change Management Office 3 The Authority of a Change
Career proposition for software developers and web operations engineers
Career proposition for software developers and web operations engineers Introduction The Government Digital Service is at the centre of the digital transformation of government, making information and
INFORMATION SECURITY TESTING
INFORMATION SECURITY TESTING SERVICE DESCRIPTION Penetration testing identifies potential weaknesses in a technical infrastructure and provides a level of assurance in the security of that infrastructure.
Scotland's Commissioner for Children and Young People Records Management Policy
Scotland's Commissioner for Children and Young People Records Management Policy 1 RECORDS MANAGEMENT POLICY OVERVIEW 2 Policy Statement 2 Scope 2 Relevant Legislation and Regulations 2 Policy Objectives
External Supplier Control Requirements
External Supplier Control s Cyber Security For Suppliers Categorised as Low Cyber Risk 1. Asset Protection and System Configuration Barclays Data and the assets or systems storing or processing it must
OE PROJECT CHARTER TEMPLATE
PROJECT : PREPARED BY: DATE (MM/DD/YYYY): Project Name Typically the Project Manager Project Charter Last Modified Date PROJECT CHARTER VERSION HISTORY VERSION DATE (MM/DD/YYYY) COMMENTS (DRAFT, SIGNED,
