The important thing to remember when gathering evidence is that the more evidence the better - that is, the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have learned the skills not just at one point in time, but are continuing to apply and develop them (as opposed to just learning for the test!). Furthermore, a single piece of evidence will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence will usually do the trick!
From the Wiki University
What evidence can you provide to prove your understanding of each of the following criteria?
Establish security risk context

| Criterion | Completed | Evidence |
| --- | --- | --- |
| The scope of the risk assessment and its strategic and organisational context are identified in accordance with organisational requirements. | | |
| Legislation, policies, procedures and guidelines related to security risk management are identified and complied with. | | |
| Stakeholders are identified and their expectations and input are obtained in accordance with organisational policy and procedures. | | |
| Security risk criteria are identified in accordance with the organisation's security policy, jurisdictional policies and legislation. | | |
| A risk assessment plan is developed in accordance with organisational priorities, and endorsement is obtained. | | |
Gather and analyse information

| Criterion | Completed | Evidence |
| --- | --- | --- |
| Sources of information are identified and information is gathered in accordance with organisational policy and procedures. | | |
| Internal information, including historical information, is reviewed. | | |
| New information from internal/external sources is aggregated. | | |
| Information is contextualised to the organisational context. | | |
| Gaps in information are identified and addressed. | | |
Identify security risks

| Criterion | Completed | Evidence |
| --- | --- | --- |
| Sources of threat to the organisation's resources and functions are identified, and threats/potential threats are determined in accordance with organisational policy and procedures. | | |
| Threat assessment is conducted against organisational policies, procedures and guidelines. | | |
| Access to, availability of and procedures relating to resources/areas are analysed to determine risk exposure. | | |
| Risks are assessed using risk assessment techniques suited to the type and level of risk, in accordance with organisational policy and procedures. | | |
| Risk potential is determined and risks are documented in accordance with organisational requirements. | | |
Analyse security risks

| Criterion | Completed | Evidence |
| --- | --- | --- |
| Potential consequences of risks/threats are analysed in light of potential damage to the agency, including critical lead time for recovery. | | |
| Analysis techniques are used in accordance with organisational policy and procedures. | | |
| Intent, capability and opportunity for each risk/threat to occur are assessed. | | |
| Using all known information, the likelihood of risks/threats occurring is assessed. | | |
| Current security countermeasures/treatment options are analysed to determine areas of vulnerability. | | |
| Risk ratings are determined and documented in the agreed format using all known information. | | |
Assess and prioritise security risks

| Criterion | Completed | Evidence |
| --- | --- | --- |
| Stakeholders are consulted about acceptable/unacceptable risk levels. | | |
| Acceptable/unacceptable levels of risk are documented. | | |
| Identified risks are compared with security risk criteria to determine whether they are acceptable/unacceptable. | | |
| Identified risks are prioritised in accordance with security criteria. | | |
| Risks are documented in priority order in accordance with organisational policies, procedures and guidelines. | | |
| Residual risks are determined and documented in accordance with organisational policies, procedures and guidelines. | | |