Overview

This unit is about carrying out specific audit tasks as part of information security audits.

Applicable NOS Unit

Unit Code: SSC/N0904
Unit Title (Task): Contribute to information security audits
Description: This unit is about carrying out specific audit tasks as part of information security audits.

Scope

This unit/task covers the following:

Appropriate people:
- line manager
- members of the security team
- subject matter experts

Information security audits may cover:
- Identity and Access Management (IdAM)
- networks (wired and wireless)
- devices
- endpoints/edge devices
- storage devices
- servers
- software
- application hosting
- application security
- application support
- application penetration
- application testing
- content management
- messaging
- web security
- security of infrastructure
- infrastructure devices (e.g. routers, firewall services)
- computer assets, servers and storage
- networks
- messaging
- intrusion detection/prevention
- security incident management
- third party security management
- personnel security requirements
- physical security
- risk assessment
- business continuity
- disaster recovery planning

Performance Criteria (PC) w.r.t. the Scope

To be competent, you must be able to:
PC1. establish the nature and scope of information security audits and your role and responsibilities within them
PC2. identify the procedures/guidelines/checklists for the audit tasks you are required to carry out
PC3. identify any issues with procedures/guidelines/checklists for carrying out audit tasks and clarify these with appropriate people
PC4. collate information, evidence and artifacts when carrying out audits
PC5. carry out required audit tasks using standard tools and following established procedures/guidelines/checklists
PC6. refer to appropriate people where audit tasks are beyond your levels of knowledge, skills and competence
PC7. record and document audit tasks and audit results using standard tools and templates
PC8. review results of audit tasks with appropriate people and incorporate their inputs
PC9. comply with your organization's policies, standards, procedures, guidelines and checklists when contributing to information security audits

Knowledge and Understanding (K)

A. Organizational Context (Knowledge of the company/organization and its processes)

You need to know and understand:
KA1. your organization's policies, standards, procedures, guidelines, systems and checklists for information security testing and auditing and your role in applying these
KA2. scope of work to be carried out and the importance of keeping within these boundaries
KA3. limits of your knowledge, skills and competence and who to seek guidance from
KA4. different types of information/security audits
KA5. who to involve when carrying out information security audits
KA6. how to record and report audit tasks
KA7. the importance of recording the results of audit tasks
KA8. how to obtain and use input from others when carrying out information security audit tasks
KA9. the purpose of information security audits and the importance of taking part in these
KA10. how to improve the process and outcomes of future audits
KA11. the range of standard tools, templates and checklists available and how to use these
KA12. the role of teams in information security audits
KA13. methods and techniques used when working with others

B. Technical Knowledge

You need to know and understand:
KB1. common issues that may affect carrying out audit tasks and how to deal with these
KB2. different systems and structures that may need information security audits and how they operate, including:
- servers and storage devices
- infrastructure and networks
- application hosting and content management
- communication routes such as messaging
KB3. features, configuration and specifications of information security systems and devices and associated processes and architecture
KB4. the importance of auditing and the key principles and rules of conduct that apply when auditing
KB5. common audit techniques and how to record and report audit tasks
KB6. methods and techniques for testing compliance against your organization's security criteria, legal and regulatory requirements

Skills (S)

A. Core Skills/Generic Skills

Writing Skills
You need to know and understand how to:
SA1. complete accurate, well-written work with attention to detail
SA2. communicate with others in writing

Reading Skills
You need to know and understand how to:
SA3. follow guidelines, procedures, rules and service level agreements

Oral Communication (Listening and Speaking Skills)
You need to know and understand how to:
SA4. listen effectively and orally communicate information accurately
SA5. ask for clarification and advice from others

B. Professional Skills

Decision Making
You need to know and understand how to:
SB1. make decisions on suitable courses of action

Plan and Organize
You need to know and understand how to:
SB2. plan and organize your work to achieve targets and deadlines
Customer Centricity
You need to know and understand how to:
SB3. check your own work meets customer requirements

Problem Solving
You need to know and understand how to:
SB4. apply problem-solving approaches in different situations
SB5. seek clarification on problems from others

Analytical Thinking
You need to know and understand how to:
SB6. analyze data and activities
SB7. pass on relevant information to others

Critical Thinking
You need to know and understand how to:
SB8. apply balanced judgments to different situations

Attention to Detail
You need to know and understand how to:
SB9. check your work is complete and free from errors
SB10. get your work checked by others

Team Working
You need to know and understand how to:
SB11. work effectively in a team environment

C. Technical Skills

You need to know and understand how to:
SC1. agree objectives and work requirements
SC2. use information technology effectively to input and/or extract data accurately
SC3. store and retrieve information
SC4. keep up to date with changes, procedures and practices in your role
NOS Version Control

NOS Code: SSC/N0904
Credits (NVEQF/NVQF/NSQF) [OPTIONAL]:
Industry: IT-ITeS
Industry Sub-sector: IT Services