NTISthis.com

Evidence Guide: ICANWK519A - Design an IT security framework

Student: __________________________________________________

Signature: _________________________________________________

Tips for gathering evidence to demonstrate your skills

The important thing to remember when gathering evidence is that the more evidence the better - that is, the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have learned the skills not just at one point in time, but are continuing to apply and develop those skills (as opposed to just learning for the test!). Furthermore, one piece of evidence that you collect will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence will usually do the trick!

From the Wiki University

 

ICANWK519A - Design an IT security framework

What evidence can you provide to prove your understanding of each of the following criteria?

Research IT security requirements

  1. Investigate and assemble statutory, commercial and application security requirements
  2. Assess impact on the existing IT system
  3. Identify additional IT security requirements
  4. Document security requirements and forward to appropriate person for approval
Investigate and assemble statutory, commercial and application security requirements

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Assess impact on the existing IT system

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify additional IT security requirements

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Document security requirements and forward to appropriate person for approval

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Conduct risk analysis

  1. Identify security threats and determine security specifications, taking into account the internal and external business environment
  2. Develop controls and contingencies to alleviate security threats
  3. Identify the costs associated with contingencies
  4. Document and forward recommendations to appropriate person for approval
Identify security threats and determine security specifications, taking into account the internal and external business environment

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Develop controls and contingencies to alleviate security threats

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify the costs associated with contingencies

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Document and forward recommendations to appropriate person for approval

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Develop IT security policy and operational procedures

  1. Review feedback from appropriate person to determine how to manage security threats
  2. Develop security policies based on the security strategy
  3. Create and document work procedures based on the security policies
  4. Document operating procedures and forward to appropriate person for approval
  5. Take action to ensure confidentiality of client and user information
  6. Apply statutory requirements to policy and procedures
Review feedback from appropriate person to determine how to manage security threats

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Develop security policies based on the security strategy

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Create and document work procedures based on the security policies

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Document operating procedures and forward to appropriate person for approval

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Take action to ensure confidentiality of client and user information

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Apply statutory requirements to policy and procedures

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Assessed

Teacher: ___________________________________ Date: _________

Signature: ________________________________________________

Comments:

 

 

 

 

 

 

 

 

Instructions to Assessors

Evidence Guide

The evidence guide provides advice on assessment and must be read in conjunction with the performance criteria, required skills and knowledge, range statement and the Assessment Guidelines for the Training Package.

Overview of assessment

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the ability to:

explain legal obligations with respect to privacy and the specific application of security issues

design a security framework.

Context of and specific resources for assessment

Assessment must ensure access to:

information on the security environment, including:

laws or legislation

existing organisational security policies

organisational expertise

IT business specifications

IT security assurance specifications

possible security environment, which also includes the threats to security that are, or are held to be, present in the environment

risk analysis tools or methodologies

appropriate learning and assessment support when required

modified equipment for people with special needs.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

verbal or written questioning to assess candidate’s knowledge of:

security threats

current industry security trends

current legislation

review of candidate’s documented security policies

evaluation of candidate’s documented operating procedures.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended, where appropriate.

Assessment processes and techniques must be culturally appropriate, and suitable to the communication skill level, language, literacy and numeracy capacity of the candidate and the work being performed.

Indigenous people and other people from a non-English speaking background may need additional support.

In cases where practical assessment is used it should be combined with targeted questioning to assess required knowledge.

Required Skills and Knowledge

Required skills

analytical skills to:

analyse International Organization for Standardization (ISO), International Electrotechnical Commission (IEC), Australian Standards (AS) and other standards to establish and maintain a security framework

evaluate and present information across a range of technical and management functions

communication skills to liaise with clients and users and articulate complex security scenarios in a clear and concise manner

literacy skills to produce document procedures and recommendations

numeracy skills to develop a broad plan, budget or strategy

planning and organisational skills to:

contribute to the development of security policies, procedures and frameworks

facilitate presentations to groups

research skills to:

identify the range of security risks

transfer and collect information.

Required knowledge

detailed knowledge of:

accurate and in-depth knowledge of the client business domain

awareness of legislation relating to IT security

current industry-accepted hardware and software products, including broad knowledge of security features and capabilities

operating systems, including strengths and weaknesses over lifetime of product

sources of risk relating to IT security

overview knowledge of privacy issues and legislation.

Range Statement

The range statement relates to the unit of competency as a whole. It allows for different work environments and situations that may affect performance. Bold italicised wording, if used in the performance criteria, is detailed below. Essential operating conditions that may be present with training and assessment (depending on the work situation, needs of the candidate, accessibility of the item, and local industry and regional contexts) may also be included.

Security requirements may include:

customs

expertise

knowledge

laws

organisational security policies

security environment, which also includes:

authentication

encryption

hardware

passwords

policies

threats to security that are, or are held to be, present in the environment.

Appropriate person may include:

authorised business representative

client

supervisor.

Security threats may include:

data tampering and manipulation; impersonation, penetration and by-pass actions

eavesdropping

keyboard logging

local applications or LAN connections

weaknesses in internet networks.

Security policies may cover:

theft

viruses

standards, including archival, backup and network

privacy

audits and alerts.

Security strategy may include:

authentication

authorisation and integrity

privacy.

Client may include:

employees

external organisations

individuals

internal departments.

User may include:

department within the organisation

person within a department

third party.