Overview of assessment

Critical aspects for assessment and evidence required to demonstrate competency in this unit

Evidence of the ability to:

confirm sufficient knowledge of security products and organisational security policy

establish realistic ground rules for security product procedures

design security controls for a system

incorporate these into a security strategy.

Context of and specific resources for assessment

Assessment must ensure access to:

IT security assurance specifications

probability, frequency and severity of direct and indirect harm, loss or misuse of the IT system

risk analysis tools and methodologies

risks to the mission or business resulting from IT-related risks

security environment, which also includes the threats to security that are, or are held to be, present in the environment

security environment relating to laws and legislation, existing organisational security policies and organisational expertise

appropriate learning and assessment support when required

modified equipment for people with special needs.

Method of assessment

A range of assessment methods should be used to assess practical skills and knowledge. The following examples are appropriate for this unit:

verbal or written questioning to assess knowledge of:

layered security

risk management

security issues

statutory requirements

review of documented security, including:

policy

plan

strategy.

Guidance information for assessment

Holistic assessment with other units relevant to the industry sector, workplace and job role is recommended, where appropriate.

Assessment processes and techniques must be culturally appropriate, and suitable to the communication skill level, language, literacy and numeracy capacity of the candidate and the work being performed.

Indigenous people and other people from a non-English speaking background may need additional support.

In cases where practical assessment is used it should be combined with targeted questioning to assess required knowledge.

Requirements may relate to:

business

network

people in the organisation

system.

Security threats may include:

by-pass actions

data tampering and manipulation

eavesdropping

impersonation

keyboard logging

local applications or local area network (LAN) connections

penetration

weaknesses in internet networks.

Security policy may relate to:

audits and alerts

privacy

standards, including:

archival

backup

network

theft

viruses.

Security plan may include:

logical controls

physical controls

social controls.

Security strategy:

may include:

authentication

authorisation and integrity

privacy

usually forms part of the overall objectives of the organisation.

Stakeholders may include:

development team

project team

sponsor

user.

Organisational guidelines may include:

communication methods

content of emails

dispute resolution

document procedures

downloading information and accessing particular websites

financial control mechanisms

opening mail with attachments

personal use of emails and internet access

templates

virus risk.

Risk assessment may include:

developing risk plans

developing scenarios

evaluating threats

following up

gathering information

identifying counter measures

identifying threats

ranking risk

reporting.