Assessor Resource

ICTWEB423
Ensure dynamic website security

Assessment tool

Version 1.0
Issue Date: May 2024


This unit describes the skills and knowledge required to ensure, and maintain, the security of a dynamic commercial website.

It applies to individuals working as website developers responsible for security of dynamic websites, who are proficient communicators and can analyse technical data capably and with efficiency.

No licensing, legislative or certification requirements apply to this unit at the time of publication.

You may want to include more information here about the target group and the purpose of the assessments (eg formative, summative, recognition)



Evidence Required

List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.

ELEMENT: Elements describe the essential outcomes.

PERFORMANCE CRITERIA: Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Undertake the risk assessment

1.1 Identify the functionality and features of the website, and confirm these with the client

1.2 Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards

1.3 Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities

1.4 Identify resource and budget constraints, and validate with the client as required

1.5 Source the appropriate products, security services and equipment, according to enterprise purchasing policies

2. Secure the operating systems

2.1 Identify operating system (OS) and cross-platform vulnerabilities

2.2 Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy

2.3 Identify and rectify weaknesses specific to the OS

3. Secure the site server

3.1 Configure the web server securely, with reference to the required functionality and the security policy

3.2 Review and analyse server-side scripting, with reference to the required functionality and the security policy

3.3 Install firewalls as required

3.4 Establish access control permissions to the server and database

4. Secure data transactions

4.1 Identify data transactions, with reference to the functionality and features of the website

4.2 Identify and apply the channel protocols related to the requirements

4.3 Install and configure the payment systems

5. Monitor and document the security framework

5.1 Develop a program of selective independent audits and penetration tests

5.2 Determine the performance benchmarks

5.3 Implement audit and test programs, and record, analyse and report the results

5.4 Make security framework changes based on the test results

5.5 Develop the site-security plan, with reference to the security policy and requirements

5.6 Develop and distribute related policy and procedures to the client

Evidence of the ability to:

determine the client security framework, and its requirements

identify any potential security threats to a website, and document the risk and performance benchmarks

develop and implement strategies to secure a dynamic website.

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

To complete the unit requirements safely and effectively, the individual must:

summarise the Australian Computer Society Code of Ethics

explain a client business domain, its structure, function and organisation, including the organisational issues surrounding security

identify and outline the legislation, regulations, and codes of practice pertinent to website information, including:

copyright

intellectual property

privacy

ethics

outline current industry-accepted hardware and software products

describe desktop applications and operating systems (OS), as they relate to website security

explain the functions and features of:

automated intrusion detection software

authentication and access control

common stored account payment systems

cryptography

common gateway interface (CGI) scripts

generic secure protocols

stored-value payment systems

explain the implications of network address translation (NAT), related to:

securing internal internet protocol (IP) addresses

buffer overruns and stack smashing

operating system deficiencies

the protocol stack for internet communications

physical web server security, particularly remote

describe the advantages and disadvantages of using a range of security features

identify and describe host security threats.

Gather evidence to demonstrate consistent performance in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the website technologies field of work, and include access to:

a dynamic website

a security plan

the user requirements

all relevant legislation, standards and organisational requirements.

Assessors must satisfy NVR/AQTF assessor requirements.


Submission Requirements

List each assessment task's title, type (eg project, observation/demonstration, essay, assignment, checklist) and due date here

Assessment task 1: [title]      Due date:

(add new lines for each of the assessment tasks)


Assessment Tasks

Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.

ELEMENT: Elements describe the essential outcomes.

PERFORMANCE CRITERIA: Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Undertake the risk assessment

1.1 Identify the functionality and features of the website, and confirm these with the client

1.2 Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards

1.3 Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities

1.4 Identify resource and budget constraints, and validate with the client as required

1.5 Source the appropriate products, security services and equipment, according to enterprise purchasing policies

2. Secure the operating systems

2.1 Identify operating system (OS) and cross-platform vulnerabilities

2.2 Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy

2.3 Identify and rectify weaknesses specific to the OS

3. Secure the site server

3.1 Configure the web server securely, with reference to the required functionality and the security policy

3.2 Review and analyse server-side scripting, with reference to the required functionality and the security policy

3.3 Install firewalls as required

3.4 Establish access control permissions to the server and database

4. Secure data transactions

4.1 Identify data transactions, with reference to the functionality and features of the website

4.2 Identify and apply the channel protocols related to the requirements

4.3 Install and configure the payment systems

5. Monitor and document the security framework

5.1 Develop a program of selective independent audits and penetration tests

5.2 Determine the performance benchmarks

5.3 Implement audit and test programs, and record, analyse and report the results

5.4 Make security framework changes based on the test results

5.5 Develop the site-security plan, with reference to the security policy and requirements

5.6 Develop and distribute related policy and procedures to the client

Evidence of the ability to:

determine the client security framework, and its requirements

identify any potential security threats to a website, and document the risk and performance benchmarks

develop and implement strategies to secure a dynamic website.

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

To complete the unit requirements safely and effectively, the individual must:

summarise the Australian Computer Society Code of Ethics

explain a client business domain, its structure, function and organisation, including the organisational issues surrounding security

identify and outline the legislation, regulations, and codes of practice pertinent to website information, including:

copyright

intellectual property

privacy

ethics

outline current industry-accepted hardware and software products

describe desktop applications and operating systems (OS), as they relate to website security

explain the functions and features of:

automated intrusion detection software

authentication and access control

common stored account payment systems

cryptography

common gateway interface (CGI) scripts

generic secure protocols

stored-value payment systems

explain the implications of network address translation (NAT), related to:

securing internal internet protocol (IP) addresses

buffer overruns and stack smashing

operating system deficiencies

the protocol stack for internet communications

physical web server security, particularly remote

describe the advantages and disadvantages of using a range of security features

identify and describe host security threats.

Gather evidence to demonstrate consistent performance in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the website technologies field of work, and include access to:

a dynamic website

a security plan

the user requirements

all relevant legislation, standards and organisational requirements.

Assessors must satisfy NVR/AQTF assessor requirements.

Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.

Observation Checklist

Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice | Yes | No | Comments/feedback
Identify the functionality and features of the website, and confirm these with the client | | |
Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards | | |
Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities | | |
Identify resource and budget constraints, and validate with the client as required | | |
Source the appropriate products, security services and equipment, according to enterprise purchasing policies | | |
Identify operating system (OS) and cross-platform vulnerabilities | | |
Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy | | |
Identify and rectify weaknesses specific to the OS | | |
Configure the web server securely, with reference to the required functionality and the security policy | | |
Review and analyse server-side scripting, with reference to the required functionality and the security policy | | |
Install firewalls as required | | |
Establish access control permissions to the server and database | | |
Identify data transactions, with reference to the functionality and features of the website | | |
Identify and apply the channel protocols related to the requirements | | |
Install and configure the payment systems | | |
Develop a program of selective independent audits and penetration tests | | |
Determine the performance benchmarks | | |
Implement audit and test programs, and record, analyse and report the results | | |
Make security framework changes based on the test results | | |
Develop the site-security plan, with reference to the security policy and requirements | | |
Develop and distribute related policy and procedures to the client | | |

Forms

Assessment Cover Sheet

ICTWEB423 - Ensure dynamic website security
Assessment task 1: [title]

Student name:

Student ID:

I declare that the assessment tasks submitted for this unit are my own work.

Student signature:

Result: Competent / Not yet competent

Feedback to student


Assessor name:

Signature:

Date:


Assessment Record Sheet

ICTWEB423 - Ensure dynamic website security

Student name:

Student ID:

Assessment task 1: [title] Result: Competent / Not yet competent

(add lines for each task)

Feedback to student:


Overall assessment result: Competent / Not yet competent

Assessor name:

Signature:

Date:

Student signature:

Date: