Practitioner Certificate in Information Assurance Architecture (PCiIAA)
15th August 2015, v2.1
Course Introduction

1.1. Overview

A Security Architect (SA) is a senior-level enterprise architect role, either within a dedicated security team or as part of a more general Enterprise Architecture (EA) team. This course prepares the student to challenge either the British Computer Society's Practitioner Certificate in Information Assurance Architecture (PCiIAA) exam or the CREST Registered Technical Security Architect (CRTSA) exam for Senior or Lead Practitioners. It has been designed to cover all the learning objectives of all the domains covered in both certifications.

PCiIAA explains what the role of a Security Architect is, covering its responsibilities as well as the business, technical, procedural and administrative requirements of the role. The role of the SA originates from a modern approach to IT in business, known as Enterprise Architecture, as explained by a variety of frameworks in use today, such as TOGAF, MODAF, DODAF and Zachman, all of which have their own views pertaining to security architecture.

Definition: The term architecture is defined as "the fundamental organization of a system, embodied in its components, their relationships to each other and the environment, and the principles governing its design and evolution" (ISO/IEC 42010:2007).

When attempting to build an architecture that is considered secure, the architect must first understand the business environment the systems need to provide for, as well as the technical controls available to the architect that can be called upon to address the threats against confidentiality, integrity and availability. These three main tenets of security (confidentiality, integrity and availability) sit at the heart of all IT security work; however, the job of the architect is as much aligned to the needs of the business as it is to the technical aspects of architecture.

This is not to suggest that the SA should not be technical, as a technical person can often discharge the responsibilities of an SA; however, that person must first be aware of the bigger business picture prior to developing a technical solution. This is exactly what the PCiIAA course is about: explaining to the student what it takes to be an SA and how that differs from being a technical or administrative (non-technical, such as policy writing, risk assessments, etc.) security subject matter expert.

Security architecture is not just about preventing specific attacks. Instead it is about providing a multi-layered set of defences against different kinds of attack by implementing the most appropriate and cost-effective security controls.

This course is aimed at the following staff:

- Students who wish to gain the BCS PCiIAA or CREST's CRTSA certificate and qualify as a Practitioner, Senior Practitioner or Lead Practitioner in Security Architecture under the CESG Certified Professional (CCP) scheme.
- System administrators who wish to become security architects.
- Technical architects looking to move into the field of security architecture.
- Security professionals wanting to gain an appreciation of the technical and business aspects of their profession, or to move into a more senior architecture role.

The award of the PCiIAA or CRTSA Certificate provides part of the demonstration of competence at Practitioner, Senior or Lead Practitioner level of the CESG Certified Professional Scheme as outlined in the Certification Framework for Information Assurance specialists developed by CESG, the UK National Technical Authority for Information Assurance. Certification as a CESG recognised IA Practitioner or Senior Practitioner against this framework requires demonstration of core skills equivalent to those covered by this syllabus, together with some specialist knowledge of UK Government security policies and procedures. To be certified as a CESG Certified Professional you will also need to complete a Written Submission and attend an Expert Interview with one of the accrediting bodies, the British Computer Society (BCS) or the Institute of Information Security Professionals (IISP).

InfoSec Skills Limited 2015. All rights reserved. Page 2 of 8

1.2. The Security Architect Role

Based on a set of skills defined by the Institute of Information Security Professionals (IISP), the UK Government's GCHQ department, CESG, has defined a number of Information Assurance (IA) roles most commonly used across the UK public sector. One such job role is the IA Architect, which is also referred to in industry as the Security Architect (SA). CESG has developed a framework for certifying IA professionals who meet the competency and skill requirements for these specified IA roles (http://certifications.bcs.org/upload/pdf/cesg-certification-for-ia-specialists.pdf). The British Computer Society (BCS) and CREST have worked closely with CESG to produce syllabi that reflect the learning objectives in support of training and certification of IA Architects.

Achievement of this certificate demonstrates the candidate's competence to fulfil the role of a Practitioner, Senior Practitioner or Lead Practitioner Information Assurance Architect ("IA Architect") under the CESG Certified Professional Scheme (CCP). An IA Architect must be able to drive beneficial security change into an organisation through the development or review of security architectures so that they:

- Fit business requirements for security.
- Mitigate identified risks and conform to relevant corporate security policies.
- Balance information risk against the cost of countermeasures.

The Senior Security Architect role corresponds broadly to SFIA Responsibility Level 4 (enable) and Knowledge Level K4 (analyse). This course aligns to Level 3 (Skilful Application) competence as defined in the Skills Framework developed by the IISP.

Note: This Practitioner Level Certificate is one of a series of certificates available from BCS or CREST in the area of Information Security and Information Assurance. A Foundation Level certificate, the Certificate in Information Security Management Principles (CISMP), is also available. Details of these other certifications are available from the BCS or CREST web sites: www.bcs.org/infosecurity and www.crest-approved.org.

1.3. Certification in Security Architecture

Students who have successfully completed the PCiIAA course will be able to:

- Describe the business environment and the information risks that apply to systems.
- Describe and apply security design principles.
- Identify information risks that arise from potential solution architectures.
- Design alternative architectures or countermeasures to mitigate identified information risks.
- Ensure that proposed architectures and countermeasures adequately mitigate identified information risks.
- Apply standard security techniques and architectures to mitigate security risks.
- Develop new architectures that mitigate the risks posed by new technologies and business practices.
- Provide consultancy and advice to explain Information Assurance and architectural problems.
- Securely configure ICT systems in compliance with their approved security architectures.

1.4. Prerequisites

There are no formal entry requirements for candidates taking the examination for the Practitioner Certificate in Information Assurance Architecture. However, candidates will require a broad understanding of all aspects of Information Security and Information Assurance equivalent to the BCS Certificate in Information Security Management Principles (CISMP). Candidates will also need practical experience of the areas of expertise covered within the syllabus.

Table 1 - Course Summary

Module                                                                    Number of Topics   Time in Hours
Module 1  The Basics of Security Architecture                                    4                6
Module 2  Advanced Security Architecture Concepts                                3               14
Module 3  Information Assurance Methodologies                                    4                8
Module 4  Innovation and Business Improvement                                    4                6
Module 5  Security Across the Lifecycle                                          1                4
Module 6  Preparation for the PCiIAA and CRTSA Exams and Mock Exam               2                2
Totals                                                                          18               40

1.5. Assessment

At the end of each module the student is encouraged to undertake an assessment of their knowledge of the material provided in that module, and to see whether the objectives of the module have been met. Throughout the course, quizzes enable the student to test their knowledge of the information covered in each topic.

Both the BCS and CREST exams are based on the syllabus in this document. Both are closed-book examinations (no materials can be taken into the examination room) and consist of:

- A number of multiple-choice, single-answer questions based on technical aspects of the syllabus.
- Scenario-based questions. Each scenario will be based around describing the threats, vulnerabilities and mitigations for that scenario. Candidates will need to read all scenarios carefully, and read and consider all questions and their implications before selecting answers.

All aspects of the syllabus may be questioned.
Module 1: The Basics of Security Architecture

This module takes 6 hours.

1.6. Introduction: What is Security Architecture?

This module lays down the foundation of understanding of what it means to be a security architect and what the basic principles of architecture are. It describes the relationship to Enterprise Architecture Frameworks and how some of these frameworks address security.

Security architecture is at the heart of what it is to be a security architect. However, unlike technical architecture work, where components are added together to create an end solution based on technical know-how, security architecture adopts a framework approach for deploying patterns of risk-reducing technology that provide varying levels of assurance depending on the underlying security requirements. Being an SA is a technical job, without doubt, but the key to success in these areas comes from detailed knowledge of what comprises security technology in terms of product assurance, network and technical design/development work (using secure development principles) and the trade-off between physical, logical and procedural controls.

1.7. Module Learning Outcomes

- Describe the role of the security architect and the concept of security architectures in the context of enterprise architectures.
- Explain the skills, especially soft skills, an SA must possess.
- Explain the concepts and design principles used by security architects when designing systems. Design principles such as least privilege and segregation of duties are described.
- Describe security architectures at a high level using appropriate contextual terms, and have enough knowledge to describe architectural concepts related to security concerns.
- Explain the importance of design patterns and conceptual architectures.
- Recognise separation of systems as a way to reduce risk.

1.8. Topics

- What is Security Architecture?
- The Role of a Security Architect.
- Security Design Principles.
- Conceptual Architectures.
Module 2: Advanced Security Architecture Concepts

This module takes 14 hours.

2.1. Introduction

This module builds on Module 1, laying down the next level of detail for a variety of architectural concepts. It starts by describing security mechanisms, such as cryptographic mechanisms. It then goes on to describe a wide range of security services. Finally, the module describes how the security services can be applied within a system and how design patterns are an important tool for an SA.

2.2. Module Learning Outcomes

- Describe common methods for identification and authentication.
- Describe common methods for access control.
- Describe requirements and methods for auditing and alerting.
- Describe common methods for content control, such as anti-virus and data loss prevention.
- Describe common cryptography-based services, such as a public key infrastructure.
- Describe intruder detection and prevention services and their placement in systems.
- Describe the role of directories in a system.
- Describe the functions of security management within a system.
- Describe a wide range of network security controls and the threats they counter. This includes layer 2 controls and the use of packet filtering and firewalls.
- Identify common methods for resilience and recognise different recovery capabilities and techniques, including back-up and audit trails.
- Identify security aspects of virtualisation.
- Describe the threats to Industrial Control Systems and appropriate countermeasures.
- Appreciate practicality as an issue in the selection of security mechanisms.
- Appreciate the need for correctness of input and on-going correctness of all stored data, including parameters for all generalised software.
- Distinguish between different cryptographic mechanisms and techniques.
- Appreciate the use of threat modelling techniques to establish where security services should be positioned within a system.
- Describe a number of design patterns, and explain the threats and the security controls used to counter them.

2.3. Topics

- Core Security Mechanisms.
- Security Services, Part 1, Part 2 and Part 3.
- Security Design.

Module 3: Information Assurance Methodologies

This module takes 8 hours.

3.1. Introduction

This module goes into the various methodologies and techniques that can be used to assure the implementation of a system or a product. This includes the purpose of vulnerability and penetration testing.

3.2. Module Learning Outcomes

- Explain a wide range of Information Assurance methodologies.
- Compare the benefits of using different methodologies.
- Describe how Information Assurance methodologies can reduce risk.
- Employ methods, tools and techniques for identifying potential vulnerabilities.
- Apply different testing strategies depending on the risk profile of a system.
- Recognise that business processes need to be tested and not just the ICT elements.
- Explain the role of vulnerability and penetration testing.
- Plan and manage a penetration test.
- Explain the typical structure of a penetration test report.
- Describe the typical findings of a penetration test report.

3.3. Topics

- Information Assurance Frameworks.
- Product and Service Assurance.
- Cryptographic Assurance.
- Vulnerability and Penetration Testing.
Module 4: Innovation and Business Improvement

This module takes 6 hours.

3.4. Introduction

This module explains how security can drive change and improve business functions when done properly. Different business scenarios and sectors can drive a wide variety of security architecture innovations and changes, and it's important that the accomplished security architect has a good understanding of business practices, such as mergers, outsourcing and SaaS solutions.

3.5. Module Learning Outcomes

- Discuss the security implications of business transition (mergers, de-mergers, in-sourcing and out-sourcing, etc.).
- Describe the nature of organisational risk culture and exposure.
- Recognise security as a business enabler.
- Describe continuous improvement as a philosophy.
- Propose security metrics.
- Describe a number of different IA maturity models.

3.6. Topics

- Business Change, Security Metrics and ROI.
- Risk, Security Postures and Security Culture.
- Security as a Business Enabler.
- IA Maturity Models.

Module 5: Security Across the Lifecycle

This module takes 4 hours.

4.1. Introduction

This module introduces the Security Architect to the various security concerns and considerations when embarking on a new development project, all the way through to in-service support. It pulls together many of the previous points in the course. The module looks at auditing and traceability of solutions, building systems using COTS or bespoke code (and the complications of each choice), some of the business matters needing consideration when embarking on a secure development programme, and how systems are accepted as fit for purpose and put into an operational capacity.

4.2. Module Learning Outcomes

- Describe the typical Terms of Reference of an SA.
- Explain why it is important to brief engineering teams at the start of a development process.
- Describe the concepts of audit and traceability.
- Describe the different types of design artefacts at the conceptual, logical and physical layers.
- Recognise the security issues associated with commercial off-the-shelf / outsourced / offshore systems / applications / products.
- Describe the role of hardening and coding standards in the development of a system, and sources of guidance.
- Discuss the importance of links with the whole business process.
- Identify the benefits of separation of development, test and support from operational systems.
- Describe the processes for authorising business systems for use.
- Recognise the benefits of independent certification that new or modified systems meet their security policy.
- Recognise the need for change control for systems under development to maintain software integrity.
- Describe procedures for the handling of security patches.
- Identify the reasons for escrow of source code.
- Identify common programming vulnerabilities.
- Describe the OWASP top ten risks.
- Discuss the need for development environment integrity.

4.3. Topics

- Security across the lifecycle.

Module 6: Preparation for the PCiIAA and CRTSA Exams and Mock Exam

This module takes 2 hours.

4.4. Introduction

This final module will prepare the student for the PCiIAA or the CRTSA examination, to be undertaken during one of the public examinations conducted by the BCS or CREST.

4.5. Module Learning Outcomes

At the end of this module the student will:

- Understand the format and scoring of the examination.
- Be prepared to take the PCiIAA examination and pass!
- Be prepared to take the CRTSA examination and pass!

4.6. Topics

- Format, structure and scoring of the PCiIAA examination.
- Format, structure and scoring of the CRTSA examination.
- Mock Examination, using the BCS sample paper.