ESKISP Direct security testing

Transcription

1 Direct security testing Overview This standard covers the competencies concerning with directing security testing activities. It includes setting the strategy and policies for security testing, and being fully accountable for successful security testing activities and deliverables. This includes developing and implementing methodologies for assessing the level of assurance of information systems and the correct implementation of mitigation measures. ESKISP Direct security testing 1

2 Performance criteria You must be able to: P1 be fully accountable for all penetration and information security testing activities, results and recommendations for mitigation P2 P3 P4 P5 P6 P7 P8 P9 design, develop, implement and maintain the policy and standards to provide a detailed information security testing framework for use within the organisation review, improve and update penetration testing methods and tools to continue to provide effective testing services ensure penetration testing activities and reports are clearly documented design, develop, implement and maintain resourcing and training strategy and plans to retain and develop appropriate penetration and information security testing expertise within the organisation continually monitor information security threat trends and keep aware of the latest information providing informed guidance to penetration testing activities monitor the quality and effectiveness of penetration testing activities, critically reviewing the approach and process and making recommendations for improvement where appropriate provide timely and objective advice and guidance to others on all aspects of information security testing activities including penetration testing best practice and the application of lessons learned maintain an authoritative position on proactive information security testing to identify and disseminate new threats to contribute to the body of knowledge P10 develop communication processes for internal and external parties (e.g. customers) relating to penetration testing activities and results P11 authorise the issue of formal reports to management on the effectiveness and efficiency of security testing, in appropriate ESKISP

3 language for the audience P12 provide thought leadership on the discipline of information security testing, contributing to internal best practice and to externally recognised publications, white papers etc P13 take timely and decisive action in the event of information security testing activities and their deliverables not complying with relevant legislation, regulations, and internal and external standards ESKISP

4 Knowledge and understanding You need to know and understand: K1 K2 K3 K4 K5 K6 K7 K8 K9 who are the executive sponsors and stakeholders of information security testing activities within the organisation the need to advise and guide others on all aspects of information security testing activities how to manage the implications and consequences: K3.1 of failure to identify and mitigate/control risks that arise K3.2 of information security testing activities failing to meet the expectations of the business sources of best practice in information security testing activities the importance of analysing the results gained from monitoring the alignment of information security testing activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards the scope of information assurance governance within the organisation the importance of establishing effective capabilities for the assurance of information assets with the organisation the need to have effective and coordinated governance of a range of activities, including risk management, information security, vulnerability assessments, security education and awareness training the need to ensure that timely and effective independent review of information security testing activities takes place K10 how to objectively analyse the findings from independent review of information security testing activities and report recommendations to sponsors and stakeholders ESKISP

5 K11 how to design and develop strategy, policies plans and standards to ensure the alignment with all relevant legislation, regulations and external standards K12 the importance of using lessons learned in order to inform future information security testing ESKISP

6 Direct security testing Developed by e-skills UK Version number 1 Date approved February 2013 Indicative review date Validity Status Originating organisation Original URN Relevant occupations Suite Key words December 2015 Current Original e-skills UK ESKISP Information and Communication Technology; Information and Communication Technology Professionals; Information and Communication Technology Officer; IT Service Delivery Occupations; Software Development Information Security Cyber Security; Information Security ESKISP Direct security testing 6