Unit of Competency Mapping – Information for Teachers/Assessors – Information for Learners

ICAT4195B Mapping and Delivery Guide
Ensure dynamic website security

Version 1.0
Issue Date: April 2024


Qualification -
Unit of Competency ICAT4195B - Ensure dynamic website security
Description This unit defines the competency required to ensure and maintain the security of a dynamic, commercial website. The following unit is linked and forms an appropriate cluster: ICAB5165B Create dynamic pages. No licensing, legislative, regulatory or certification requirements apply to this unit at the time of publication.
Employability Skills This unit contains employability skills.
Learning Outcomes and Application
Duration and Setting X weeks, nominally xx hours, delivered in a classroom/online/blended learning setting.
Prerequisites/co-requisites ICAI3020B Install and optimise operating system software; ICAT4194B Ensure basic website security
Competency Field
Development and validation strategy and guide for assessors and learners Student Learning Resources Handouts
Activities
Slides
PPT
Assessment 1 Assessment 2 Assessment 3 Assessment 4
Elements of Competency / Performance Criteria
Element: Undertake risk assessment
  • Identify functionality and features of the website and confirm with client
  • Identify security threats with reference to functionality of the site and organisational security policy, relevant legislation and standards
  • Complete a risk analysis to prioritise security threats and identify system vulnerabilities
  • Identify resource and budget constraints and validate with client as required
  • Source appropriate products, security services and equipment according to enterprise purchasing policies
       
Element: Secure operating systems
  • Identify operating system and cross-platform vulnerabilities
  • Make appropriate scripting/configuration adjustments with reference to functionality of the site and the security policy
  • Identify and rectify weaknesses specific to the operating system
       
Element: Secure site server
  • Configure the web server securely with reference to required functionality and the security policy
  • Review and analyse relevant server-side scripting with reference to required functionality and the security policy
  • Install firewalls as required
  • Establish access control permissions to server and database
       
Element: Secure data transactions
  • Identify data transactions with reference to functionality and features of website
  • Identify and apply channel protocols where relevant to requirements
  • Install and configure payment systems
       
Element: Monitor and document security framework
  • Develop a program of selective independent audits and penetration tests
  • Determine performance benchmarks
  • Implement audit and test programs with results recorded, analysed and reported
  • Make security framework changes based on test results
  • Develop the site security plan with reference to security policy and requirements
  • Develop and distribute related policies and procedures to client
       


Evidence Required

List the assessment methods to be used and the context and resources required for assessment. Copy and paste the relevant sections from the evidence guide below and then re-write these in plain English.

The evidence guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Overview of assessment

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the following is essential:

Assessment must confirm the ability to identify potential security threats and develop and implement strategies to secure a dynamic website.

To demonstrate competency in this unit the person will require access to:

Dynamic website

Security plan

Context of and specific resources for assessment

The breadth, depth and complexity of knowledge and skills in this competency would cover a broad range of varied activities or application in a wider variety of contexts most of which are complex and non-routine. Leadership and guidance would be involved when organising activities of self and others as well as contributing to technical solutions of a non-routine or contingency nature.

Assessment must ensure:

Performance of a broad range of skilled applications would be characteristic, including the requirement to evaluate and analyse current practices, develop new criteria and procedures for performing current practices, and provide some leadership and guidance to others in the application and planning of the skills.

Applications may involve responsibility for, and limited organisation of, others.

Method of assessment

The purpose of this unit is to define the standard of performance to be achieved in the workplace. In undertaking training and assessment activities related to this unit, consideration should be given to the implementation of appropriate diversity and accessibility practices in order to accommodate people who may have special needs. Additional guidance on these and related matters is provided in ICA05 Section 1.

Competency in this unit should be assessed using summative assessment to ensure consistency of performance in a range of contexts. This unit can be assessed either in the workplace or in a simulated environment. However, simulated activities must closely reflect the workplace to enable full demonstration of competency.

Assessment will usually include observation of real or simulated work processes and procedures and/or performance in a project context as well as questioning on underpinning knowledge and skills. The questioning of team members, supervisors, subordinates, peers and clients where appropriate may provide valuable input to the assessment process. The interdependence of units for assessment purposes may vary with the particular project or scenario.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended, for example:

ICAB5165B Create dynamic pages

An individual demonstrating this competency would be able to:

Demonstrate understanding of a broad knowledge base incorporating some theoretical concepts

Apply solutions to a defined range of unpredictable problems

Identify and apply skill and knowledge areas to a wide variety of contexts, with depth in some areas

Identify, analyse and evaluate information from a variety of sources

Take responsibility for own outputs in relation to specified quality standards

Take limited responsibility for the quantity and quality of the output of others

Maintain knowledge of industry products and services


Submission Requirements

List each assessment task's title, type (eg project, observation/demonstration, essay, assignment, checklist) and due date here

Assessment task 1: [title]      Due date:

(add new lines for each of the assessment tasks)


Assessment Tasks

Copy and paste from the following data to produce each assessment task. Write these in plain English and spell out how, when and where the task is to be carried out, under what conditions, and what resources are needed. Include guidelines about how well the candidate has to perform a task for it to be judged satisfactory.

Required skills

Ability to develop enterprise policies and procedures

Auditing and penetration testing techniques

Configuring a web server

Ability to identify key sources of information

Ability to understand specification sheets

Ability to accurately summarise and document information

Ability to see conflicts and integration capabilities between diverse equipment

Ability to collate, analyse and assess importance and relevance of product information.

Required knowledge

Security threats, including vandalism, sabotage, breach of privacy or confidentiality, theft and fraud, violations of data integrity, denial of service

Organisational issues surrounding security

Functions and features of stored value payment systems (e.g. DigiCash, CyberCoin, Mondex, CAFE, Visa Cash)

Functions and features of common stored account payment systems (e.g. First Virtual's Internet Payment System, CyberCash secure internet payment system, Secure Electronic Transactions standard (SET), smart cards)

Functions and features of generic secure protocols (e.g. secure socket layer (SSL), secure hypertext transfer protocol (SHTTP), secure multi-purpose internet mail extensions (S/MIME))

Functions and features of automated intrusion detection software

Functions and features of network address translation (NAT) in relation to securing internal IP addresses

Buffer overruns and stack smashing with reference to operating system deficiencies

Functions and features of authentication and access control (e.g. single-factor and two-factor authentication, biometric authentication)

Functions and features of cryptography, including digital signatures and public and private key algorithms

Functions and features of CGI scripts

Advantages and disadvantages of using the range of security features

Protocol stack for internet communications

Knowledge of physical web server security, particularly remote hosts

Australian Computer Society Code of Ethics

Copyright and intellectual property

The Commonwealth Privacy Act 2000

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Client may include but is not limited to:

internal departments

external organisations

individual people

internal employees

Legislation may include:

privacy legislation

copyright

liability statements

Standards may include:

ISO/IEC/AS standards

organisational standards

project standards (for further information refer to the Standards Australia website at: www.standards.com.au)

Security threats may include:

eavesdropping

manipulation and impersonation

penetration

denial of service and by-pass

hackers

viruses using logging

Equipment may include but is not limited to:

workstations

personal computers

modems and other connectivity devices

printers

hard drives

monitors

switches

DSL modems

hubs

personal digital assistant (PDA)

other peripheral devices

Security policy may include:

theft

viruses

standards (including archival, back-up, network)

privacy

audits

alerts and usually relates directly to the security objectives of the organisation

Operating system may include but is not limited to:

Linux 6.0 or above, Windows 98 or above, Apple OS 8 or above.

Note: The use of operating system in this unit is in the context of a pre-existing system and may therefore not be the current industry version. Preference is for Linux 7.0 or above, Windows 2000 or above, Apple OS X or above.

Firewalls may include:

hardware appliances

proxy servers

individual PC solution; varying functionality, including network address translation (NAT)/IP masquerading, routing to specific machines

Server may include:

Application/web servers

BEA Weblogic servers

IBM VisualAge and WebSphere

Novell NDS servers

Email servers

File and print servers

FTP servers

Firewall servers

Proxy/cache servers

Database may include but is not limited to:

relational databases

object-relational databases

proprietary databases

commercial off-the-shelf (COTS) database packages

Requirements may be in reference to:

business

system

network

people in the organisation

Security services may include:

SSL

S-HTTP

stored account payment systems

stored value payment systems

file access permissions

single stage and dual stage firewalls

encryption

smart cards

digital certificates

authentication and access control

digital signatures

VPN technology

screening routers

packet filters

application proxies

trusted systems with C and B assurance levels

support for generalised security services interfaces

personnel security

servers

trusted hardware and operating systems at selective desktops

network points and mainframes

multi-platform directory services supporting relevant standards

Copy and paste from the following performance criteria to create an observation checklist for each task. When you have finished writing your assessment tool every one of these must have been addressed, preferably several times in a variety of contexts. To ensure this occurs download the assessment matrix for the unit; enter each assessment task as a column header and place check marks against each performance criteria that task addresses.

Observation Checklist

Tasks to be observed according to workplace/college/TAFE policy and procedures, relevant legislation and Codes of Practice | Yes | No | Comments/feedback
Identify functionality and features of the website and confirm with client 
Identify security threats with reference to functionality of the site and organisational security policy, relevant legislation and standards 
Complete a risk analysis to prioritise security threats and identify system vulnerabilities 
Identify resource and budget constraints and validate with client as required 
Source appropriate products, security services and equipment according to enterprise purchasing policies 
Identify operating system and cross-platform vulnerabilities 
Make appropriate scripting/configuration adjustments with reference to functionality of the site and the security policy 
Identify and rectify weaknesses specific to the operating system
Configure the web server securely with reference to required functionality and the security policy 
Review and analyse relevant server-side scripting with reference to required functionality and the security policy 
Install firewalls as required 
Establish access control permissions to server and database 
Identify data transactions with reference to functionality and features of website 
Identify and apply channel protocols where relevant to requirements 
Install and configure payment systems 
Develop a program of selective independent audits and penetration tests 
Determine performance benchmarks 
Implement audit and test programs with results recorded, analysed and reported 
Make security framework changes based on test results 
Develop the site security plan with reference to security policy and requirements
Develop and distribute related policies and procedures to client 

Forms

Assessment Cover Sheet

ICAT4195B - Ensure dynamic website security
Assessment task 1: [title]

Student name:

Student ID:

I declare that the assessment tasks submitted for this unit are my own work.

Student signature:

Result: Competent / Not yet competent

Feedback to student

 

 

 

 

 

 

 

 

Assessor name:

Signature:

Date:


Assessment Record Sheet

ICAT4195B - Ensure dynamic website security

Student name:

Student ID:

Assessment task 1: [title] Result: Competent / Not yet competent

(add lines for each task)

Feedback to student:

 

 

 

 

 

 

 

 

Overall assessment result: Competent / Not yet competent

Assessor name:

Signature:

Date:

Student signature:

Date: