Application
This unit describes the skills and knowledge required to develop an information security and risk management strategy (ISRM) within an organisation that supports business processes.
It applies to individuals who work in information technology security and have the knowledge and skills in cyber security to support business functions in planning and implementing information security strategies. In this instance, the individual may work internally within an organisation, or be engaged externally in supporting organisations with their development of information security strategies.
No licensing, legislative or certification requirements apply to this unit at the time of publication.
Elements and Performance Criteria
Element | Performance Criteria
--- | ---
1. Plan information security strategies | 1.1 Discuss implementation opportunities for organisational information security strategies with required personnel
 | 1.2 Gain management buy-in and approval in planning and implementing information security strategy
 | 1.3 Identify and confirm organisational policies, including password policies, bring your own device (BYOD) and onboarding processes, with required personnel
 | 1.4 Analyse organisational environments, processes and risk profile requirements
 | 1.5 Identify legislation and industry requirements to implement information security strategies in an organisation
2. Design and implement information security strategy | 2.1 Develop action plan with specific goals and objectives of information security strategy according to organisational needs
 | 2.2 Design secure network infrastructure and security strategy according to organisational needs
 | 2.3 Analyse data classifications and levels of access in operational processes and integrate with strategy
 | 2.4 Document designed information security strategy according to organisational procedures
 | 2.5 Implement information security strategy according to design and organisational needs
3. Test and finalise information security strategy | 3.1 Establish security baselines and metrics according to organisational needs
 | 3.2 Perform testing procedures and confirm information security strategy addresses organisational needs
 | 3.3 Record and compare test results to established metrics and benchmarks
 | 3.4 Finalise documentation and report information security strategy outcomes to required personnel
 | 3.5 Obtain feedback from required personnel and amend information security strategy accordingly
 | 3.6 Review final information security strategy and obtain sign-off from required personnel
Evidence of Performance
The candidate must demonstrate the ability to complete the tasks outlined in the elements, performance criteria and foundation skills of this unit, including evidence of the ability to:
plan and implement an information security strategy according to organisational needs.
In the course of the above, the candidate must:
establish at least three security baselines and at least three testing metrics
comply with legislation and industry requirements
follow organisational procedures.
Evidence of Knowledge
The candidate must be able to demonstrate knowledge to complete the tasks outlined in the elements, performance criteria and foundation skills of this unit, including knowledge of:
function of information security strategy testing procedures, including:
vulnerability tests
basic penetration tests
key organisational environment and business processes required to plan and implement information security strategies for an organisation
network and cyber security features and principles
types of data and classifications including sensitivity levels
advantages and importance of implementing information security strategies
organisational procedures applicable to developing information security strategies, including:
documentation processes
designing secure network infrastructure
establishing requirements and features of information security strategies
establishing baselines and metrics
testing methodologies.
Assessment Conditions
Skills in this unit must be demonstrated in a workplace or simulated environment where the conditions are typical of those in a working environment in this industry.
This includes access to:
required hardware, software and its components
information and documents applicable to organisational procedures and processes
information security strategy testing software.
Assessors of this unit must satisfy the requirements for assessors in applicable vocational education and training legislation, frameworks and/or standards.
Foundation Skills
Skill | Description
--- | ---
Learning | Identifies and gathers information applicable to business, organisational security and environment
Numeracy | Uses tools when developing security baselines and metrics
Reading | Selects and applies procedures and strategies required in developing information security strategies after reading required texts
Writing | Uses required and industry-specific terminology in documenting action plans and information security strategies
Teamwork | Works collaboratively with required personnel and interdisciplinary teams in developing information security strategies
Planning and organising | Manages development of information security strategies using logical sequencing
Technology | Uses required technological tools and software in planning and implementing information security strategies. Applies skills in systems administration, network security, applications and programming
Sectors
Cyber security