Application
This unit describes the skills required to plan and conduct an information technology security audit and report on security findings.
This unit applies to those working in a role where they have responsibilities under the organisation's security plan.
The skills and knowledge described in this unit must be applied within the legislative, regulatory and policy environment in which they are carried out. Organisational policies and procedures must be consulted and adhered to.
Those undertaking this unit would generally work independently and as part of a team using support resources as required. They would perform complex tasks in a range of familiar and unfamiliar contexts.
No licensing, legislative or certification requirements apply to unit at the time of publication.
Elements and Performance Criteria
ELEMENTS | PERFORMANCE CRITERIA |
Elements describe the essential outcomes | Performance criteria describe the performance needed to demonstrate achievement of the element. Where bold italicised text is used, further information is detailed in the range of conditions section. |
1. Plan security audit | 1.1 Identify the scope and objectives of the audit and prepare an audit plan to meet the objectives. 1.2 Identify the organisation’s information systems to be included in the audit plan. 1.3 Advise appropriate personnel of the audit plan and its requirements. 1.4 Identify and prioritise possible sources of security risk and prepare an audit checklist. |
2. Conduct security audit | 2.1 Identify and analyse systems, procedures, records and documents. 2.2 Conduct audit in accordance with the audit plan. 2.3 Record audit activities. 2.4 Identify situations requiring specialist input or referral to other areas and act on referral. |
3. Report on security findings | 3.1 Maintain audit records and prepare audit reports. 3.2 Produce report including background, scope, outcomes and recommendations. 3.3 Use language and style to suit the audience and in line with organisational requirements for accuracy and timeliness. 3.4 Support recommendations with evidence and highlight actions identifying person/s responsible for implementation. |
Evidence of Performance
Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the candidate must demonstrate evidence of performance of the following on at least two occasions.
applying legislation, regulations and policies relating to information technology security audits and government security management
gathering, analysing and recording data
using computer applications to undertake security audits
managing risk in the context of government security management
engaging in discussion involving exchanges of complex information
responding to diversity
Evidence of Knowledge
Evidence required to demonstrate competence must satisfy all of the requirements of the elements and performance criteria. If not otherwise specified the depth of knowledge demonstrated must be appropriate to the job context of the candidate.
legislation, regulations, policies, procedures and guidelines relating to information technology security audits
operational knowledge of policies and procedures in regard to use of information technology systems
organisation’s security plan
information technology systems and architecture
use and maintenance of hardware and software systems
Australian Audit Standards
aspects of criminal law and administrative law relating to the outcomes of compliance audits
protocols for reporting fraud, corruption, maladministration and security breaches
fundamental ethical principles in the handling of documents and information, natural justice, procedural fairness, respect for persons and responsible care
Assessment Conditions
Assessment of this unit requires a workplace environment or one that closely resembles normal work practice and replicates the range of conditions likely to be encountered when undertaking IT security audits.
Assessors must satisfy the NVR/AQTF mandatory competency requirements for assessors.
Foundation Skills
The foundation skills demands of this unit have been mapped for alignment with the Australian Core Skills Framework (ACSF). The following tables outline the performance levels indicated for successful attainment of the unit.
Further information on ACSF and the foundation skills underpinning this unit can be found in the Foundation Skills Guide on the GSA website.
Competency Field
Security