BCS Practitioner Certificate in Information System Security Management Syllabus

Transcription

1 BCS Practitioner Certificate in Information System Security Management Syllabus Version 1.2 September 2013

2 Change History Version Number Version 1.2 Version 1.1 Version 1.0 Version 0.1 Changes Made Updated syllabus weightings. Updated details of extra time for foreign language candidates. Approved and signed off Formatted to BCS house style template Page 1 of 13

3 BCS Practitioner Certificate in Information System Security Management Syllabus Contents Change History... 1 Introduction... 3 Objectives... 4 Eligibility for the Examination... 4 Accreditation Guidelines for Training Providers... 5 Additional Time for Candidates requiring Reasonable Adjustments... 5 Additional Time for Candidates whose business language is not English... 5 Syllabus Secure Operations Management and Service Delivery (40%) (K4) Vulnerability Assessment (10%) (K3) Legal and Regulatory Environment (25%) (K4) Incident Management (25%) (K4)... 7 Appendix A... 8 Levels of Knowledge... 8 Levels of Skill and Responsibility (SFIA Levels)... 9 Appendix B The IISP Skills Framework Format of the Examination Trainer Qualification Criteria Classroom Size...13 Page 2 of 13

4 Introduction This document is the syllabus for the Practitioner Level Certificate in Information System Security Management, administered by BCS Professional Certification. Achievement of this certificate is designed to demonstrate the candidate s competence as an Information System Security Manager. This Practitioner Level Certificate is one of a series of certifications available from BCS in the area of Information Security and Information Assurance. A Foundation Level certificate, the Certificate in Information Security Management Principles (CISMP), is also available. Background information on BCS Professional Certification and details of these other qualifications are available from the BCS Web Site. BCS CESG Certified Professional Candidates The award of this Certificate provides part of the demonstration of competence at Senior Practitioner level of the BCS CESG Certified Professional Scheme as outlined in the Certification Framework for Information Assurance specialists developed by CESG, the UK National Technical Authority for Information Assurance. Certification as a BCS CESG recognised IA Senior Practitioner against this framework requires demonstration of core skills equivalent to those covered by this syllabus, together with some specialist knowledge of UK Government security policies and procedures. To be certified as a BCS CESG Certified Professional you will also need to complete a Written Submission and attend an Expert Interview. For more information please visit The Information System Security Manager Role An Information System Security Manager must be able to: Provide governance of IT security within an organisation; Manage effective IT Security across a portfolio of information systems. The Information System Security Manager role corresponds broadly to SFIA Responsibility Level 4 (enable) and Knowledge Level K4 (analyse). See Appendix A for more details. It requires up to Level 3 (Skilful Application) competence as defined in the Skills Framework developed by the Institute of Information Security Professionals (IISP). See Appendix B for more details. The level of competence required for each syllabus section is indicated in the syllabus. Page 3 of 13

5 Objectives Holders of the BCS Practitioner Certificate in Information System Security Management should be able to: Develop Security Operating Procedures (SyOPs) for IT systems; Review IT system change requests, and reject requests that breach SyOPs; Develop job descriptions for Information System security personnel; Manage a team of operational Information System security personnel; Chair IT system security coordination committees; Specify test requirements to identify system vulnerabilities and control weaknesses, both internally and externally; Review the effectiveness of IT security controls; Identify and report systemic weaknesses in control effectiveness; Alert security compliance assessment officers concerning changes in system use that might affect the level of residual risk accepted; Report security incidents or breaches of security policy in accordance with local procedures and applicable legislation; Lead investigations into IT security incidents; Contribute to development of IT security policy; Provide advice on compliance with IT security policy. Eligibility for the Examination Entry Criteria There are no formal entry requirements for candidates taking the examination for the Practitioner Certificate in Information System Security Management. However, candidates will require a broad understanding of all aspects of Information Security and Information Assurance equivalent to the BCS Certificate in Information Security Management Principles. Candidates will also need practical experience of the areas of expertise covered within the syllabus. It is recommended that candidates attend an accredited training course. The Examination The Practitioner Certificate examination will be based on the syllabus in this document. It will be a one hour closed book examination (no materials can be taken into the examination room) and consist of 12 scenario-based multiple choice questions, organised as four scenarios each with three related questions. Each scenario will be based around one of the four core areas of expertise identified in the syllabus, although individual questions may require knowledge of the other core areas, and also general information security and information assurance knowledge as defined in the Certificate in Information Security Management Principles (CISMP), Foundation Level syllabus. Page 4 of 13

6 Since this is primarily an operational security qualification, up to two scenarios out of four may target expertise in Secure Operations Management and Service Delivery. If this is so, the two other core areas targeted may vary from candidate to candidate and examination to examination. Candidates must be prepared to address scenarios based on all four core areas. Candidates will need to read all scenarios carefully, and read and consider all questions and their implications before selecting answers. All aspects of the syllabus may be questioned. The pass mark is 8 correct answers out of 12. A distinction is 10 correct answers out of 12. Marks are not deducted for the selection of incorrect answers. Accreditation Guidelines for Training Providers The major subject headings in the syllabus are considered to be of equal importance and should be allocated approximately equal time. Training Providers will be expected to deliver not less than 8 hours of lecture material and 8 hours of practical work. The nature of practical training is for the provider to determine, but it is envisaged that syndicate exercises followed by directed debriefings and guidance may be appropriate. Training Providers may spend more time than is indicated and candidates may spend more time again in reading and research. The course may be delivered as a series of modules with gaps between them, as long as it meets all other constraints. Courses do not have to follow the same order as the syllabus. Additional Time for Candidates requiring Reasonable Adjustments Candidates may request additional time if they require reasonable adjustments. Please refer to the reasonable adjustments policy for detailed information on how and when to apply. Additional Time for Candidates whose business language is not English An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their mother tongue, and where the language of the exam is not their primary business language, Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate). The candidate registration form asks for the candidate to state if they think they are entitled to additional time, if they are BCS will automatically allocate additional time. Page 5 of 13

7 Syllabus 1. Secure Operations Management and Service Delivery (40%) (K4) Objective: to be able to develop Secure Operating Procedures, including procedures for use across multiple information systems, and monitor their application. Required IISP Skill Level: 3 (Skilful Application) 1.1 Appreciate how to manage security within an overall operations framework 1.2 Understand the need for Secure Operating Procedures 1.3 Appreciate techniques for drafting Secure Operating Procedures 1.4 Understand access control, including access control lists and roles, control of privileged access, and role and rule based access 1.5 Understand the need for configuration management and operational change control 1.6 Appreciate techniques for change management 1.7 Understand the need to protect system documentation 1.8 Recognise variances in staff capabilities and skill levels 2. Vulnerability Assessment (10%) (K3) Objective: to be able to perform complex risk assessments that influence senior risk owners, managers or other stakeholders. Required IISP Skill Level: 3 (Skilful Application) These seem out of place. It isn t possible that both of the skill levels are appropriate and it is most likely that the correct level is L2 Comment [k1]: Does this need taking out? Objective: to be able to obtain, assess and act on vulnerability information. Required IISP Skill Level: 2 (Basic Application) 2.1 Identify sources of vulnerability information 2.2 Understand techniques for monitoring system and network access and usage 2.3 Appreciate common types of vulnerability analysis tools, i.e. scanners 2.4 Appreciate common types of intrusion monitoring tools, detection methods and their application Page 6 of 13

8 3. Legal and Regulatory Environment (25%) (K4) Objective: to understand applicable legislation and regulations relating to Information Security. Required IISP Skill Level: 2 (Basic Application) 3.1 Understand the need for protection of personal data, restrictions on monitoring, surveillance, communications interception and trans-border data flows 3.2 Appreciate employment issues and employee rights (e.g. relating to monitoring, surveillance and communications interception rights and employment law) 3.3 Understand common concepts of computer misuse 3.4 Understand requirements for records retention 3.5 Appreciate intellectual property rights, e.g. copyright, including its application to software, databases, documentation 3.6 Understand contractual safeguards including common security requirements in outsourcing contracts, third party connections, information exchange, etc. 3.7 Recognise requirements on collection of admissible evidence 3.8 Understand securing digital signatures (e.g. legal acceptance issues) 3.9 Identify restrictions on purchase, use and movement of cryptography technology 3.10 Identify and appreciate relevant UK Legislation: Including the Data Protection Act, Computer Misuse Act, Copyright, designs and patents legislation 3.11 Appreciate relevant EC directives and regulations 3.12 Understand the uses of Non Disclosure Agreements 4. Incident Management (25%) (K4) Objective: to contribute to security incident management. Required IISP Skill Level: 2 (Basic Application) 4.1 Understand how to organise incident response teams/procedures 4.2 Understand concepts of responsibility, accountability and authority 4.3 Understand security incident reporting, recording and management 4.4 Understand the need for links to corporate incident management systems, especially Disaster Recovery and Business Continuity Planning 4.5 Understand the relationships with law enforcement 4.6 Understand how to prepare for potential incidents (forensics readiness planning) Page 7 of 13

9 Appendix A Levels of Knowledge This course will provide candidates with the levels of difficulty / knowledge highlighted within the following table, enabling them to develop the skills to operate at the levels of responsibility indicated. The levels of knowledge are explained in the following text. Note that each K level subsumes lower levels. For example, a K4 level topic is one for which a candidate must be able to analyse a situation and extract relevant information. A question on a K4 topic could be at any level up to and including K4. As an example, a scenario requiring a candidate to analyse a scenario and select the best risk identification method would be at K4, but questions could also be asked about this topic at K3 and a question at K3 for this topic might require a candidate to apply one of the risk identification methods to a situation. Level 1: Remember (K1) The candidate should be able to recognise, remember and recall a term or concept but not necessarily be able to use or explain. Typical questions would use: define, duplicate, list, memorise, recall, repeat, reproduce, state. Level 2: Understand (K2) The candidate should be able to explain a topic or classify information or make comparisons. The candidate should be able to explain ideas or concepts. Typical questions would use: classify, describe, discuss, explain, identify, locate, recognise, report, select, translate, paraphrase. Level 3: Apply (K3) The candidate should be able apply a topic in a practical setting. The candidate should be able to use the information in a new way. Typical questions would use: choose, demonstrate, employ, illustrate, interpret, operate, schedule, sketch, solve, use, write. Level 4: Analyse (K4) The candidate should be able to distinguish/separate information related to a concept or technique into its constituent parts for better understanding, and can distinguish between facts and inferences. Typical questions would use: appraise, compare, contrast, criticise, differentiate, discriminate, distinguish, examiner, question, test. Level 5: Synthesise (K5) The candidate should be able to justify a decision and can identify and build patterns in facts and information related to a concept or technique, they can create new meaning or structure from parts of a concept. Typical questions would use: appraise, argue, defend, judge, select, support, value, evaluate. Level 6: Evaluate (K6) The candidate should be able to provide a new point of view and can judge the value of information and decide on its applicability in a given situation. Typical questions would use: assemble, contract, create, design, develop, formulate, write. Page 8 of 13

10 Levels of Skill and Responsibility (SFIA Levels) The levels of knowledge above will enable candidates to develop the following levels of skill to be able to operate at the following levels of responsibility (as defined within the SFIA framework) within their workplace: Level 1: Follow Work under close supervision to perform routine activities in a structured environment. They will require assistance in resolving unexpected problems, but will be able to demonstrate an organised approach to work and learn new skills and applies newly acquired knowledge. Level 2: Assist Works under routine supervision and uses minor discretion in resolving problems or enquiries. Works without frequent reference to others and may have influence within their own domain. They are able to perform a range of varied work activities in a variety of structured environments and can identify and negotiate their own development opportunities. They can also monitor their own work within short time horizons and absorb technical information when it is presented systematically and apply it effectively. Level 3: Apply Works under general supervision and uses discretion in identifying and resolving complex problems and assignments. They usually require specific instructions with their work being reviewed at frequent milestones, but can determines when issues should be escalated to a higher level. Interacts with and influences department/project team members. In a predictable and structured environment they may supervise others. They can perform a broad range of work, sometimes complex and non-routine, in a variety of environments. They understand and use appropriate methods, tools and applications and can demonstrate an analytical and systematic approach to problem solving. They can take the initiative in identifying and negotiating appropriate development opportunities and demonstrate effective communication skills, sometimes planning, scheduling and monitoring their own work. They can absorb and apply technical information, works to required standards and understand and uses appropriate methods, tools and applications. Level 4: Enable Works under general direction within clear framework of accountability and can exercise substantial personal responsibility and autonomy. They can plan their own work to meet given objectives and processes and can influence their team and specialist peers internally. They can have some responsibility for the work of others and for the allocation of resources. They can make decisions which influence the success of projects and team objectives and perform a broad range of complex technical or professional work activities, in a variety of contexts. They are capable of selecting appropriately from applicable standards, methods, tools and applications and demonstrate an analytical and systematic approach to problem solving, communicating fluently orally and in writing, and can present complex technical information to both technical and non-technical audiences. They plan, schedule and monitor their work to meet time and quality targets and in accordance with relevant legislation and procedures, rapidly absorbing new technical information and applying it effectively. They have a good appreciation of the wider field of information systems, their use in relevant employment areas and how they relate to the business activities of the employer or client. Page 9 of 13

11 Level 5: Ensure and advise Works under broad direction, being fully accountable for their own technical work and/or project/supervisory responsibilities, receiving assignments in the form of objectives. Their work is often self-initiated and they can establish their own milestones, team objectives, and delegates responsibilities. They have significant responsibility for the work of others and for the allocation of resources, making decisions which impact on the success of assigned projects i.e. results, deadlines and budget. They can also develop business relationships with customers, perform a challenging range and variety of complex technical or professional work activities and undertake work which requires the application of fundamental principles in a wide and often unpredictable range of contexts. They can advise on the available standards, methods, tools and applications relevant to own specialism and can make correct choices from alternatives. They can also analyse, diagnose, design, plan, execute and evaluate work to time, cost and quality targets, communicating effectively, formally and informally, with colleagues, subordinates and customers. They can demonstrate leadership, mentor more junior colleagues and take the initiative in keeping their skills up to date. Takes customer requirements into account and demonstrates creativity and innovation in applying solutions for the benefit of the customer. Level 6: Initiate and influence Have a defined authority and responsibility for a significant area of work, including technical, financial and quality aspects. They can establish organisational objectives and delegates responsibilities, being accountable for actions and decisions taken by them self and their subordinates. They can influence policy formation within their own specialism to business objectives, influencing a significant part of their own organisation and customers/suppliers and the industry at senior management level. They make decisions which impact the work of employing organisations, achievement of organisational objectives and financial performance, developing high-level relationships with customers, suppliers and industry leaders. They can perform highly complex work activities covering technical, financial and quality aspects. They contribute to the formulation of IT strategy, creatively applying a wide range of technical and/or management principles. They absorb complex technical information and communicate effectively at all levels to both technical and non-technical audiences, assesses and evaluates risk and understand the implications of new technologies. They demonstrate clear leadership and the ability to influence and persuade others, with a broad understanding of all aspects of IT and deep understanding of their own specialism(s). They take the initiative in keeping both their own and subordinates' skills up to date and to maintain an awareness of developments in the IT industry. Level 7: Set strategy, inspire and mobilise Have the authority and responsibility for all aspects of a significant area of work, including policy formation and application. They are fully accountable for actions taken and decisions made, by both them self and their subordinates. They make decisions critical to organisational success and influence developments within the IT industry at the highest levels, advancing the knowledge and/or exploitation of IT within one or more organisations. They develop long-term strategic relationships with customers and industry leaders, leading on the formulation and application of strategy. They apply the highest level of management and leadership skills, having a deep understanding of the IT industry and the implications of emerging technologies for the wider business environment. They have a full range of strategic management and leadership skills and Page 10 of 13

12 can understand, explain and present complex technical ideas to both technical and nontechnical audiences at all levels up to the highest in a persuasive and convincing manner. They have a broad and deep IT knowledge coupled with equivalent knowledge of the activities of those businesses and other organisations that use and exploit IT. Communicates the potential impact of emerging technologies on organisations and individuals and analyses the risks of using or not using such technologies. They also assess the impact of legislation, and actively promote compliance. Level Levels of knowledge Levels of skill and responsibility (SFIA) K7 Set strategy, inspire and mobilise K6 Evaluate Initiate and influence K5 Synthesise Ensure and advise K4 Analyse Enable K3 Apply Apply K2 Understand Assist K1 Remember Follow Page 11 of 13

13 Appendix B The IISP Skills Framework 1 Definitions for Levels The four IISP levels are defined as follows: Level 1: (Awareness) Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application. Level 2: (Basic Application) Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skills should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Level 3: (Skilful Application) Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill. Level 4: (Expert) An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedence. Proposes, conducts, and/or leads innovative work to enhance the skill. 1 The IISP Skills Framework is copyright The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals IISP, M.Inst.ISP and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may only be used with express permission of the Institute. Page 12 of 13

14 Format of the Examination This syllabus has an accompanying examination at which the candidate must achieve a pass score to gain the Certificate. Type Duration Pre-requisites Supervised / Invigilated Open Book Pass Mark Distinction Mark Delivery 12 scenario-based multiple choice questions 1 Hour An additional 15 minutes will be allowed for candidates sitting the examination in a language that is not their mother tongue, and where the language of the exam is not their primary business language, Foreign language candidates who meet the above requirements are also entitled to the use of a paper dictionary (to be supplied by the candidate). Accredited training is strongly recommended but is not a prerequisite Yes No 8/12 pass 10/12 Distinction Paper based examination Trainer Qualification Criteria Criteria: Trainers must themselves hold the Practitioner Certificate in Information System Security Management. If they do not, they will be required to achieve the certificate within 1 year. Classroom Size Trainer to candidate ratio: 1:16 Page 13 of 13