Overview

Information, services and systems can be attacked in various ways. Understanding the technical and social perspectives, how attacks work, and the technologies and approaches used is key to being able to protect against attacks.

This standard covers the competencies required to conduct security testing under supervision, in order to contribute to determining the level of resilience of an information system to information security threats and vulnerabilities. This includes assisting in applying testing methods, including penetration testing, to assess the robustness of an information system against a coordinated attack.

TECHIS60441
Performance criteria

You must be able to:

1. be responsible for penetration testing in own area of work
2. develop and maintain security testing standards and procedures in line with organisational standards
3. tailor the scope of testing to meet business requirements
4. undertake information security tests, under controlled conditions, to assess vulnerabilities and compliance against relevant internal and/or external standards
5. use a range of appropriate methods, tools and techniques to conduct penetration testing for the systematic identification of vulnerabilities across multiple information systems
6. select and specify the most appropriate tools to be used during penetration testing
7. design and implement test plans for networks and information systems in line with organisational standards
8. develop through-life test programmes to assess whether security is maintained
9. lead and manage a penetration testing team, prioritising resource allocation and capability management, ensuring that appropriate ongoing training and development is in place
10. scan information systems and networks for public domain vulnerabilities and assess the potential for exploitation, where appropriate by conducting exploits; report potential issues and mitigation options
11. scan web applications and services for public domain vulnerabilities and assess the potential for exploitation, where appropriate by conducting exploits; report potential issues and mitigation options
12. scan Wi-Fi networks for public domain vulnerabilities and assess the potential for exploitation, where appropriate by conducting exploits
13. scan control systems and networks for public domain vulnerabilities and assess the potential for exploitation, where appropriate by conducting exploits; report potential issues and mitigation options
14. report potential issues and mitigation options for security scanning operations
15. plan and execute social engineering attack exercises within an organisation or part thereof to assess the security awareness and culture
16. clearly and accurately scope and plan the information security test approach, prioritising testing activity to proactively target the most significant threats and vulnerabilities first
17. interpret information assurance requirements to produce information security test acceptance criteria
18. carefully plan a context-driven test approach to systematically test a system in order to validate its information security status
19. design and develop accurate and clear test scripts, plans and acceptance criteria to ensure that information assurance requirements can be tested against relevant internal and/or external standards
20. critically review the results of penetration testing and accurately identify specific vulnerabilities within any specified information system
21. prioritise outcomes and recommend specific and timely action to address vulnerabilities identified as a result of information security testing
22. clearly report on and communicate the results of information security testing, recommending mitigation actions
23. ensure information security testing reports are high quality and relevant to the audience
24. communicate the results of information security testing to a range of audiences, justifying and evidencing any recommendations on security failures and non-compliance
Knowledge and understanding

You need to know and understand:

1. the specific threats that may be of particular importance to any particular information system
2. how to organise an information security testing approach following standard procedures
3. how to use the range of tools and techniques that can be applied for penetration testing
4. relevant UK legislation and its impact on penetration testing (including the Computer Misuse Act 1990; Human Rights Act 1998; Data Protection Act 1998; Police and Justice Act 2006)
5. the latest information and data on a wide range of information security vulnerabilities
6. the importance of ensuring that information security testing is designed to ensure testing of all aspects of information systems across the core principles (including confidentiality, integrity, availability, authorisation, authentication, non-repudiation)
7. the potential impact of the vulnerabilities identified on any information system and on the organisation
8. where to find the latest information on vulnerabilities or exploits and how to design tests to identify them
Developed by: e-skills
Version Number: 1
Date Approved: January 2016
Indicative Review Date: April 2019
Validity: Current
Status: Original
Originating Organisation: The Tech Partnership
Original URN: TECHIS60441
Relevant Occupations: Information and Communication Technology; Information and Communication Technology Officer; Information and Communication Technology Professionals
Suite: Information Security
Keywords: Information security, cyber security, penetration testing