List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.
| ELEMENT | PERFORMANCE CRITERIA |
|---|---|
| Elements describe the essential outcomes. | Performance criteria describe the performance needed to demonstrate achievement of the element. |
| 1. Undertake the risk assessment | 1.1 Identify the functionality and features of the website, and confirm these with the client<br>1.2 Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards<br>1.3 Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities<br>1.4 Identify resource and budget constraints, and validate with the client as required<br>1.5 Source the appropriate products, security services and equipment, according to enterprise purchasing policies |
| 2. Secure the operating systems | 2.1 Identify operating system (OS) and cross-platform vulnerabilities<br>2.2 Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy<br>2.3 Identify and rectify weaknesses specific to the OS |
| 3. Secure the site server | 3.1 Configure the web server securely, with reference to the required functionality and the security policy<br>3.2 Review and analyse server-side scripting, with reference to the required functionality and the security policy<br>3.3 Install firewalls as required<br>3.4 Establish access control permissions to the server and database |
| 4. Secure data transactions | 4.1 Identify data transactions, with reference to the functionality and features of the website<br>4.2 Identify and apply the channel protocols related to the requirements<br>4.3 Install and configure the payment systems |
| 5. Monitor and document the security framework | 5.1 Develop a program of selective independent audits and penetration tests<br>5.2 Determine the performance benchmarks<br>5.3 Implement audit and test programs, and record, analyse and report the results<br>5.4 Make security framework changes based on the test results<br>5.5 Develop the site-security plan, with reference to the security policy and requirements<br>5.6 Develop and distribute related policy and procedures to the client |
Evidence of the ability to:
- determine the client security framework and its requirements
- identify any potential security threats to a website, and document the risk and performance benchmarks
- develop and implement strategies to secure a dynamic website.
Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.
To complete the unit requirements safely and effectively, the individual must:
- summarise the Australian Computer Society Code of Ethics
- explain a client business domain, its structure, function and organisation, including the organisational issues surrounding security
- identify and outline the legislation, regulations and codes of practice pertinent to website information, including:
  - copyright
  - intellectual property
  - privacy
  - ethics
- outline current industry-accepted hardware and software products
- describe desktop applications and operating systems (OS) as they relate to website security
- explain the functions and features of:
  - automated intrusion detection software
  - authentication and access control
  - common stored account payment systems
  - cryptography
  - common gateway interface (CGI) scripts
  - generic secure protocols
  - stored-value payment systems
- explain the implications of network address translation (NAT), related to:
  - securing internal internet protocol (IP) addresses
  - buffer overruns and stack smashing
  - operating system deficiencies
  - the protocol stack for internet communications
  - physical web server security, particularly remote
- describe the advantages and disadvantages of using a range of security features
- identify and describe host security threats.
Gather evidence to demonstrate consistent performance in conditions that are safe and replicate the workplace. Noise levels, production flow, interruptions and time variances must be typical of those experienced in the website technologies field of work, and include access to:
- a dynamic website
- a security plan
- the user requirements
- all relevant legislation, standards and organisational requirements.
Assessors must satisfy NVR/AQTF assessor requirements.