PSPSEC304A - Undertake information technology security audits
Assessor Resource
PSPSEC304A Undertake information technology security audits
Assessment tool
Version 1.0 Issue Date: May 2024
Not applicable.
This unit covers security audits of information systems and architecture in accordance with the organisation's security plan and jurisdictional standards for government information security. It includes planning and conducting the information technology security audit and reporting on security findings.
In practice, undertaking information technology security audits may overlap with other generalist or specialist public sector work activities such as acting ethically, complying with legislation, working effectively, organising information.
No licensing, legislative, regulatory or certification requirements apply to this unit at the time of endorsement.
You may want to include more information here about the target group and the purpose of the assessments (eg formative, summative, recognition)
Prerequisites
Not applicable.
Employability Skills
This unit contains employability skills.
Evidence Required
List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.
The Evidence Guide specifies the evidence required to demonstrate achievement in the unit of competency as a whole. It must be read in conjunction with the Unit descriptor, Performance Criteria, the Range Statement and the Assessment Guidelines for the Public Sector Training Package.
Units to be assessed together
Pre-requisite units that must be achieved prior to this unit: Nil
Co-requisite units that must be assessed with this unit: Nil
Co-assessed units that may be assessed with this unit to increase the efficiency and realism of the assessment process include, but are not limited to:
PSPETHC301B Uphold the values and principles of public service
In addition to integrated demonstration of the elements and their related performance criteria, look for evidence that confirms:
the knowledge requirements of this unit
the skill requirements of this unit
application of the Employability Skills as they relate to this unit (see Employability Summaries in Qualifications Framework)
information technology security audits undertaken in a range of (3 or more) contexts (or occasions, over time)
Resources required to carry out assessment
These resources include:
legislation, policy, procedures and protocols relating to information technology security audits
Australian Government Information Security Manual (ISM)
Protective Security Policy Framework (PSPF)
case studies and workplace scenarios to capture the range of situations likely to be encountered when undertaking information technology security audits
Where and how to assess evidence
Valid assessment of this unit requires:
a workplace environment or one that closely resembles normal work practice and replicates the range of conditions likely to be encountered when undertaking information technology security audits, including coping with difficulties, irregularities and breakdowns in routine
information technology security audits undertaken in a range of (3 or more) contexts (or occasions, over time)
Assessment methods should reflect workplace demands, such as literacy, and the needs of particular groups, such as:
people with disabilities
people from culturally and linguistically diverse backgrounds
Aboriginal and Torres Strait Islander people
women
young people
older people
people in rural and remote locations
Assessment methods suitable for valid and reliable assessment of this competency may include, but are not limited to, a combination of 2 or more of:
case studies
demonstration
observation
portfolios
questioning
scenarios
simulation or role plays
authenticated evidence from the workplace and/or training courses
For consistency of assessment
Evidence must be gathered over time in a range of contexts to ensure the person can achieve the unit outcome and apply the competency in different situations or environments
Submission Requirements
List each assessment task's title, type (eg project, observation/demonstration, essay, assignment, checklist) and due date here
Assessment task 1: [title] Due date:
(add new lines for each of the assessment tasks)
Assessment Tasks
Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.
This section describes the essential skills and knowledge, and their level, required for this unit.
Skill requirements
Look for evidence that confirms skills in:
applying legislation, regulations and policies relating to information technology security audits and government security management
gathering, analysing and recording data
using computer technology to undertake security audits
managing risk in the context of government security management
engaging in discussion involving complex exchanges of oral information
responding to diversity, including gender and disability
using written communication, including ongoing and final reporting
reading complex and formal documents, such as legislation
using information technology for preparing written recommendations and reports requiring formality of language and style
applying procedures relating to occupational health and safety and environment in the context of information technology security audits
Knowledge requirements
Look for evidence that confirms knowledge and understanding of:
legislation, regulations, policies, procedures and guidelines relating to information technology security audits
operational knowledge of policies and procedures in regard to use of information technology systems
organisation's security plan
information technology systems and architecture
use and maintenance of hardware and software systems
solutions to problems/breakdowns
operation of equipment
Australian Audit Standards
aspects of criminal law and administrative law relating to the outcomes of compliance audits
protocols for reporting fraud, corruption, maladministration and security breaches
fundamental ethical principles in the handling of documents and information, natural justice, procedural fairness, respect for persons and responsible care
equal employment opportunity, equity and diversity principles
public sector legislation such as occupational health and safety and environment in the context of security audits
The Range Statement provides information about the context in which the unit of competency is carried out. The variables cater for differences between States and Territories and the Commonwealth, and between organisations and workplaces. They allow for different work requirements, work practices and knowledge. The Range Statement also provides a focus for assessment. It relates to the unit as a whole. Text in bold italics in the Performance Criteria is explained here.
Information systems may include:
architecture
audio-visual systems
communications equipment
hardware
Internet
intranet
laptops
pagers
personal computers
scanning equipment
software
systems
Information systems may be:
centrally based
location based
stand-alone
networked
Appropriate personnel may include:
supervisors
managers
employees
contractors
Security risk may include:
technical
actual events
political circumstances
human behaviour
environmental
conflict
terrorism
internal
external
local
national
international
Specialist input may include:
agency security adviser/s
specialist agencies such as:
Australian Security Intelligence Organisation
Department of Foreign Affairs and Trade
Australian Public Service Commission
Defence Signals Directorate
Australian Federal Police
Attorney-General's Department
Australian National Audit Office
Office of the Australian Information Commissioner (OAIC)
Other areas may include:
fraud investigation area
compliance area
other organisations such as police, other law enforcement or investigation agencies
senior management
Report may be:
written
oral
electronic
Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.
Observation Checklist
Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice
Yes
No
Comments/feedback
The scope and objectives of the audit are identified
An audit plan is prepared that meets organisational requirements and the objectives of the audit
The organisation's information systems to be included in the audit are identified in the audit plan
Appropriate personnel are advised of the audit plan and its requirements
Possible sources of security risk are identified and prioritised
Audit checklist is prepared in accordance with organisational policy and procedures
Systems, procedures, records and documents are identified and analysed
Audit is conducted in accordance with the audit plan
Audit activities are recorded in accordance with the checklist and organisational requirements
Situations requiring specialist input are identified and referred for action
Situations requiring referral to other areas are identified and referred in a timely manner
Audit records are maintained in accordance with legislation, policy and procedures
Audit report is prepared in accordance with organisational requirements and audit objectives
Background and scope of the audit, outcomes and recommendations are included in the report
Report is written in a language and style to suit the audience and meets organisational requirements for accuracy and timeliness
Recommendations are supported by evidence, and written as actions with responsible person/s identified for implementation
Forms
Assessment Cover Sheet
PSPSEC304A - Undertake information technology security audits
Assessment task 1: [title]
Student name:
Student ID:
I declare that the assessment tasks submitted for this unit are my own work.
Student signature:
Result: Competent / Not yet competent
Feedback to student
Assessor name:
Signature:
Date:
Assessment Record Sheet
PSPSEC304A - Undertake information technology security audits
Student name:
Student ID:
Assessment task 1: [title] Result: Competent / Not yet competent
(add lines for each task)
Feedback to student:
Overall assessment result: Competent / Not yet competent