Overview

The protection of information, services and systems relies on a range of technical and procedural activities, often grouped in a framework. The framework will contain technical and logical, physical and process controls that can be implemented across an organisation to reduce information and systems risk, identify and mitigate vulnerability, and satisfy compliance obligations. This role involves determining appropriate types of security controls and access management and network security devices, and how they work.

TECHIS60341
Performance criteria

You must be able to:

1. interpret organisational security policies and threat/risk profiles
2. incorporate organisational security policies and threat/risk profiles into secure architectural solutions that mitigate the risks and conform to legislation in line with business needs
3. present technical security architecture solutions for the three different types of architecture including: network security architecture, infrastructure security architecture, and application security architecture
4. select security products and technologies based upon their security characteristics
5. design robust and fault-tolerant security mechanisms and components appropriate to the identified risks
6. propose security architecture solutions as a view within broader IT architectures in line with organisational standards
7. develop and implement appropriate methodologies, templates, patterns and frameworks to support security architecture development
8. apply security architecture principles to networks, information systems, control systems, infrastructures and products in line with organisational requirements
9. devise standard solutions that address requirements delivering specific security functionality whether for a business solution or for a product
10. maintain awareness of the security advantages and vulnerabilities of common products and technologies
11. design robust and fault-tolerant security mechanisms and components appropriate to the perceived risks in line with organisational standards
Knowledge and understanding

You need to know and understand:

1. that security controls can be categorised and selected on the basis of that categorisation
2. where technical controls cannot be used, other controls can be selected
3. how technical controls (examples include cryptography, access management, firewalls, anti-virus software and intrusion prevention systems) work in detail, at an advanced level of understanding, and how the technical controls can be deployed in practice, with their associated strengths and weaknesses
4. the need for security architecture and its relevance to systems, service continuity and reliability
5. the application of techniques such as defence in depth to demonstrate how controls can be selected, deployed and tested to minimise risk and impact
6. how to differentiate between controls to protect systems availability and reliability; controls to protect information; and controls to manage human behaviour
7. the trade-offs for functionality, usability and security
8. the role of operations in monitoring, maintaining and evolving controls
9. what is meant by information security architecture
10. how implementing a security architecture can mitigate risk for information system design
11. where to find information on the existing information systems architectures used within the organisation
12. the relationship of information security architecture to IT and enterprise architectures
13. sources of recognised external security architectures and frameworks
14. the advantages and disadvantages of implementing a range of commonly used IT components and security products; has knowledge of a range of core security technologies, e.g. access control models, public and private encryption, authentication techniques, intrusion detection
15. the most appropriate information security products and protocols to use in meeting the organisation's security requirements
16. the range of processes, procedures, methods, tools and techniques applicable to secure architecture development activities and their deliverables
17. the role of architecture in information and network security
18. the fact that the organisation's network and information security architecture needs to align with wider systems architecture development
19. the importance of using security standards, architectures and frameworks
20. how to represent security architecture designs and models
21. industry standard architectural frameworks commonly used e.g. TOGAF and Zachman
Developed by: e-skills
Version Number: 1
Date Approved: January 2016
Indicative Review Date: April 2019
Validity: Current
Status: Original
Originating Organisation: The Tech Partnership
Original URN: TECHIS60341
Relevant Occupations: Information and Communication Technology; Information and Communication Technology Officer; Information and Communication Technology Professionals
Suite: Information Security
Keywords: Information security, cyber security; security architecture, secure systems