Model Curriculum
Analyst Security Operations Centre

SECTOR: IT-ITeS
SUB-SECTOR: IT Services
OCCUPATION: Information/Cyber Security
REF ID: SSC/Q0909
NSQF LEVEL: 7
TABLE OF CONTENTS
1. Curriculum ... 01
2. Trainer Prerequisites ... 07
3. Annexure: Assessment Criteria ... 08
Analyst Security Operations Centre
CURRICULUM / SYLLABUS

This program is aimed at training candidates for the job of an Analyst Security Operations Centre in the IT-Services Sector/Industry, and aims at building the following key competencies amongst the learner.

Program Name: Analyst Security Operations Centre
Qualification Pack Name & Reference ID: Analyst Security Operations Centre, SSC/Q0909
Version No.: 1.0
Version Update Date:
Pre-requisites to Training:
- Diploma in Engineering or any graduate course
- Certification in Information Systems or related fields
- Basic soft skills training
- 0-2 years of work experience/internship in security
Minimum Job Entry Age: 21 years

Training Outcomes: After completing this programme, participants will be able to:
1. SSC/N0906 (Monitor and log events and alarms of possible security threats)
2. SSC/N0907 (Investigate and respond to events and alarms that could be security threats)
3. SSC/N9001 (Manage your work to meet requirements)
4. SSC/N9002 (Work effectively with colleagues)
5. SSC/N9003 (Maintain a healthy, safe and secure working environment)
6. SSC/N9004 (Provide data/information in standard formats)
7. SSC/N9005 (Develop your knowledge, skills and competence)

Analyst Security Operations Centre 1
This course encompasses 3 out of 3 National Occupational Standards (NOS) of the Analyst Security Operations Centre Qualification Pack issued by IT-ITeS SSC.

Table columns: Sr. No. | Module (Theory hours / Practical hours) | NOS | Key Learning Outcomes | Equipment Required

1. IT-ITES/BPM Industry - An Introduction (02:00 / 01:00)
NOS: none. The introduction is not based on any NOS; however, it is important in order to understand the context of the course and the role.
Key Learning Outcomes:
- Explain the relevance of the IT-ITES industry
- State the various sub-sectors in the IT-ITES sector
- State the various occupations and tracks in the IT-ITES sector
- A General Overview of the IT BPM Industry
- The organisations within the IT BPM Industry
- The sub-sectors within the IT BPM Industry
Equipment Required: Lab equipped with PCs/Laptops; Internet with WiFi (min 2 Mbps dedicated); Networking Equipment (Routers & Switches); Chart paper and sketch pens

2. IT Services - An Introduction (02:00 / 01:00)
NOS: none. The introduction is not based on any NOS; however, it is important in order to understand the context of the course and the role.
Key Learning Outcomes:
- Explain the relevance of the IT Services sector
- General Overview of the IT Services Sub-Sector
- Profile of the IT Services Sub-Sector
- Key Trends in the IT Services Sub-Sector
- Roles in the IT Services Sub-Sector
Equipment Required: Lab equipped with PCs/Laptops; Internet with WiFi (min 2 Mbps dedicated)

3. Information/Cyber Security - An Introduction (02:00 / 01:00)
NOS: none. The introduction is not based on any NOS; however, it is important in order to understand the context of the course and the role.
Key Learning Outcomes:
- Explain the relevance of cyber security in society
- Qualification Pack - Analyst Security Operations Centre
- List the range of skills and behaviour expected from an Analyst Security Operations Centre
- List the responsibilities of an Analyst Security Operations Centre
- State the growth opportunities for an Analyst Security Operations Centre
- General Overview of Information/Cyber Security and its Roles
- Career Map for Information/Cyber Security
Equipment Required: Lab equipped with PCs/Laptops; Internet with WiFi (min 2 Mbps dedicated); Whiteboard and markers; LCD projector and laptop for presentation

4. Fundamental Concepts (35:00 / 30:00)
NOS: SSC/N0906
Key Learning Outcomes:
- Computer fundamentals including, but not limited to, hard drives, networking and encryption
- Internet ports, protocols and services and their usefulness
- System architecture and design
- Basic cyber security concepts
- Common cyber security solutions
- Types of electronic evidence, devices containing electronic evidence and external connections to such devices
- Possible electronic evidence sources
- Relevant networking concepts, devices and terminologies
- Intrusion Detection Systems vs Intrusion Prevention Systems
Equipment Required:
- Chart paper and sketch pens; Whiteboard and markers; LCD projector and laptop for presentation
- Lab with: key devices, software and hardware in a large network; application of multiple networking topologies; use of various network protocols; bandwidth management tools; application of host network access controls; hubs; switches; routers; bridges; servers; transmission media; IDS/IPS; application of SSL, VPN, 2FA, encryption, etc.
- Provision for software development work in the lab, including software and tools
- Lab with access to organisations for company visits and provision for online research

5. Monitoring and Data Collection (30:00 / 20:00)
NOS: SSC/N0906
Key Learning Outcomes:
- Use specified monitoring and data collection methods and tools
- Monitor traffic and logs originating from ICT systems using a Security Information and Event Management (SIEM) tool
- Collect logs from all types of ICT systems, devices and applications as required by the organisation
- Monitor multiple security technologies, such as
- Monitor external data sources
- Perform telemetry monitoring to identify security platform issues
- Determine security issues which may have an impact on the enterprise
- Characterize and analyze network traffic to identify anomalous activity and potential threats to network resources
- Identify trends and patterns as per standard guidelines for the same
- Coordinate with enterprise-wide computer network defense (CND) staff to validate network alerts
Equipment Required:
- Samples of the tools/templates and checklists used for data collection
- Lab with standard equipment plus access to a SIEM tool and other software for log management, event and log analysis
- Lab with access to the internet for online research
- Application security monitoring SOPs of a few organisations

6. Basic Analysis (25:00 / 15:00)
NOS: SSC/N0906
Key Learning Outcomes:
- Perform analysis of logs for identifying risks
- Categorise the priority of identified risks by determining potential impact as per organizational processes and policies
- Describe operational processes such as data analysis and correlation, etc.
- Explain event and log analysis and packet analysis
Equipment Required:
- Access to spreadsheet software for all students
- Provision for online research for all learners
- Lab with access to a SIEM tool and other software for log management, event and log analysis, packet analysis
- Lab with 1 event correlation tool

7. Responding to Alerts and Events (25:00 / 20:00)
NOS: SSC/N0906
Key Learning Outcomes:
- Record and categorize the service request as per organizational processes and policies
- Prioritize the service request according to organizational procedures and policies
- Raise incidents in ticketing tools if something is found suspicious during the analysis
- Assign the ticket to the relevant persons as per the type of risk, following organisational procedures and policies
- Obtain help or advice from a specialist if the problem is outside his/her area of competence or experience
- Follow up with the relevant personnel for actioning of the tickets within agreed timelines
- Use the escalation matrix for unresolved tickets within agreed turnaround times
- Report the results of the monitoring, ticket raising and ticket closure activities using standard documentation, following organisational procedures
- Comply with relevant legislation, standards, policies and procedures
- Describe operational processes such as report generation
- State typical response times and service times for problems
- Maintain a knowledge base of the known problems
- Explain the importance of documenting, classifying and prioritizing service requests received over voice calls, email, incident management tools and incident reports
Equipment Required:
- Samples with charts/diagrams of different organisations' different types of escalation matrix
- Lab with internet for online research
- Cases for report writing w.r.t. recording of requirements, gathering of information, and examples of previous reporting documents

8. Introduction to Investigation (30:00 / 20:00)
NOS: SSC/N0907
Key Learning Outcomes:
- Receive and analyse alarms and alerts from various sources within the enterprise and determine possible causes of such alerts
- Interpret and incorporate data from multiple tool sources
- Verify the scope of detected incidents with relevant persons
- Distinguish these incidents and events from benign activities
- Perform computer network defense (CND) incident triage, to include determining scope, urgency and potential impact
- Correlate data by researching logs, analysing graphs and packet inspection
- Perform deep packet analysis to identify DDoS/DoS attack vectors and security threats and mitigation strategy
- Identify information assets and system components that may be impacted by detected incidents
- Analyse identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information
- Perform analysis of log files from a variety of sources to identify possible threats to the network
Equipment Required:
- Lab with access to at least one popular open source and one popular paid vulnerability assessment tool, along with their tutorials or user manuals in the lab, such that the learners can download, install and practice on the same
- Provide access to a database and samples of the tools/templates and checklists used for application vulnerability assessment and penetration testing

9. Analysis Tools (35:00 / 25:00)
NOS: SSC/N0907
Key Learning Outcomes:
- Perform health check of the security solution
- Validate Intrusion Prevention System (IPS) alerts against network traffic using packet analysis tools
- Correlate and analyse events using a Security Information and Event Management (SIEM) tool to detect IT security incidents
- Track and document incidents from initial detection through final resolution using a SIEM tool
- Integrate the assets with the SIEM solution for log analysis
Equipment Required:
- Lab with 1 event correlation tool
- Application of firewall, IDPS tool, web security gateways, email security and content management on the network
- Access to a SIEM tool and other software for log management, event and log analysis, packet analysis

10. Incident Management (25:00 / 20:00)
NOS: SSC/N0907
Key Learning Outcomes:
- Configure applications securely across the environments for minimum exposure and weaknesses
- Configuration Management
- Secure configuration of applications
Equipment Required: Lab with application of firewall, IDPS tool, web security gateways, email security and content management on the network

11. Data Backup (25:00 / 20:00)
NOS: SSC/N0907
Key Learning Outcomes:
- Carry out backups of security devices and applications in line with information security policies, procedures and guidelines, where required
- Explain different types of backups for security devices and applications and how to carry out backups
Equipment Required: Provide access to a database and samples of the tools/templates and checklists used for the application backup process

31. Manage your work to meet requirements (50:00 / 00:00)
NOS: SSC/N9001
Key Learning Outcomes:
- Understanding scope of work and working within limits of authority
- Work and work environment
- Maintaining Confidentiality
Equipment Required: Training organization's confidentiality policy

32. Work effectively with colleagues (40:00 / 10:00)
NOS: SSC/N9002
Key Learning Outcomes:
- Effective Communication
- Working Effectively
Equipment Required:
- Provision to write emails and send them in the lab
- Lab with provision for internet, email, word processor and presentation software
- Chart paper, markers, picture magazines and old newspapers

33. Maintain a healthy, safe and secure working environment (18:00 / 07:00)
NOS: SSC/N9003
Key Learning Outcomes:
- Need for Health and Safety at Work
- Analyst's Role
- Emergency Situations
- Skills for Maintaining Health and Safety at Work
Equipment Required:
- The training organization's current health, safety and security policies and procedures
- Provision for online research in the lab
- A sample health and safety policy document
- Emergency broadcast system and mock emergency signage in the appropriate areas of the training institute

34. Provide data/information in standard formats (38:00 / 12:00)
NOS: SSC/N9004
Key Learning Outcomes:
- Information and Knowledge Management
- How to manage data/information effectively
- Skills required to manage data and information effectively
Equipment Required: LCD projector and laptop for presentation; Provision for online research in the lab

35. Develop knowledge, skills and competence (21:00 / 04:00)
NOS: SSC/N9005
Key Learning Outcomes:
- Importance of self-development
- Knowledge and skills required for the job
- Avenues for self-development
- Planning for self-development
Equipment Required: Soft copy of QP NOS; Provision for online access to all students in the lab; Questionnaire and key for Honey and Mumford learning styles

Grand Total Course Duration: 600 Hours, 0 Minutes
(This syllabus/curriculum has been approved by the IT-ITeS Sector Skills Council)
Trainer Prerequisites for Job Role: Analyst Security Operations Centre, mapped to Qualification Pack: SSC/Q0909 v1.0

Sr. No. | Area | Description
1 | Description |
2 | Personal Attributes |
3 | Minimum Educational Qualifications |
4a | Domain Certification |
4b | Platform Certification |
5 | Experience |
Annexure: Assessment Criteria

Job Role: Analyst Security Operations Centre
Qualification Pack: SSC/Q909, v1.0
Sector Skill Council: IT-ITeS

Guidelines for Assessment:
1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criterion (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in the NOS.
2. The assessment will be conducted online through assessment providers authorised by the SSC.
3. The format of questions will include a variety of styles suitable to the PC being tested, such as multiple choice questions, fill in the blanks, situational judgment tests, simulation and programming tests.
4. To pass a QP, a trainee should pass each individual NOS. The standard passing criterion for each NOS is 70%.
5. For the latest details on the assessment criteria, please visit www.sscnasscom.com.
6. In case of successfully passing only a certain number of NOSs, the trainee is eligible to take a subsequent assessment on the balance NOSs to pass the Qualification Pack.

Mark Allocation
Marks are given per PC as Total / Theory / Skills Practical. Where the extraction detached the mark figures from their PC rows, they are listed after the PCs in the order extracted.

1. SSC/N0906 (Monitor and log events and alarms of possible security threats) - Total 100 (Theory 31 / Skills Practical 69)
PC1. verify the scope of information assets and system components to be monitored with authorised persons
PC2. use specified monitoring and data collection methods and tools following organisational procedures and policies
PC3. monitor the organization's traffic and logs originating from ICT systems using various security technologies to detect security threats and the health of the ICT systems
PC4. monitor external data sources (e.g., computer network defense [CND] vendor sites, Computer Emergency Response Teams, SANS, Security Focus)
PC5. determine security issues which may have an impact on the enterprise
PC6. perform telemetry monitoring to identify security platform issues
PC7. identify and gather information to enable the security of identified devices to be assessed
PC8. collect logs from all types of ICT systems, devices and applications as required by the organisation
PC9. collect data w.r.t. various types of security alerts/alarms through SIEM
PC10. characterize and analyze network traffic to identify anomalous activity and potential threats to network resources (6 / 2 / 4)
PC11. identify trends and patterns using a SIEM tool
PC12. coordinate with enterprise-wide computer network defense (CND) staff to validate network alerts
PC13. perform event correlation using information gathered to gain situational awareness and determine the threat potential
PC14. perform analysis of logs for identifying risks
PC15. categorise the priority of identified risks by determining potential impact as per organizational processes and policies
PC16. record and categorize the service request accurately as per organizational processes and policies
PC17. raise incidents in ticketing tools if something is found suspicious during the analysis
PC18. assign the ticket to the relevant persons as per the type of risk following organisational procedures and policies
PC19. prioritize the service request according to organizational procedures and policies
PC20. obtain help or advice from a specialist if the problem is outside his/her area of competence or experience
PC21. report the results of the monitoring, ticket raising and ticket closure activities using standard documentation following organisational procedures
PC22. participate in the 24/7 security operations center shift schedule
PC23. receive shift handover along with relevant information, authorities and instructions
PC24. comply with relevant legislation, standards, policies and procedures
PC25. maintain a knowledge base of the known problems
PC26. use the escalation matrix for unresolved tickets within agreed turnaround times
Detached PC marks (Total / Theory / Skills) as extracted: 5/2/3, 5/2/3, 5/2/3, 6/2/4, 5/2/3, 6/2/4

2. SSC/N0907 (Investigate and respond to events and alarms that could be security threats) - Total 100 (Theory 32 / Skills Practical 68)
PC1. receive and analyse alarms and alerts from various sources within the enterprise and determine possible causes of such alerts
PC2. interpret and incorporate data from multiple tool sources
PC3. validate Intrusion Detection System (IDS)/IPS alerts against network traffic using packet analysis tools
PC4. perform deep packet analysis to identify DDoS/DoS attack vectors and security threats and mitigation strategy
PC5. verify the scope of detected incidents with relevant persons
PC6. distinguish these incidents and events from benign activities
PC7. identify the information assets and system components that may be impacted by detected incidents
PC8. analyse identified malicious activity to determine weaknesses exploited, exploitation methods, and effects on system and information
PC9. perform analysis of log files from a variety of sources to identify possible threats to network security
PC10. perform computer network defense (CND) incident triage, to include determining scope, urgency, and potential impact
PC11. correlate data by researching logs, analysing graphs and packet inspection to provide detailed reports
PC12. correlate and analyse events using a Security Information and Event Management (SIEM) tool to detect IT security incidents
PC13. obtain and preserve evidence relating to detected incidents
PC14. examine how access to the affected information assets and system components was obtained
PC15. identify and categorize types of vulnerabilities and associated attacks
PC16. determine the appropriate course of action in response to identified and analysed anomalous activity
PC17. make recommendations for specific actions to be taken to respond to incidents
PC18. perform health check of the security solution
PC19. use external information sources for incident investigation
PC20. report any incidents which cannot be resolved or mitigated to the relevant persons following organisational procedures
PC21. follow organisational procedures for the closure of incidents
PC22. report on incident management activities using standard documentation following organisational procedures
PC23. track and document incidents from initial detection through final resolution using a SIEM tool
PC24. integrate the assets with the SIEM solution for log analysis
Detached PC marks (Total / Theory / Skills) as extracted: 6/2/4, 5/1/4, 5/1/4, 6/2/4, 6/2/4, 4/2/2, 4/2/2, 4/2/2

4. SSC/N9001 (Manage your work to meet requirements) - Total 100 (Theory 25 / Skills Practical 75)
PC1. establish and agree your work requirements with appropriate people (7 / 0 / 7)
PC2. keep your immediate work area clean and tidy (12 / 6 / 6)
PC3. utilize your time effectively (12 / 6 / 6)
PC4. use resources correctly and efficiently (19 / 6 / 13)
PC5. treat confidential information correctly (7 / 1 / 6)
PC6. work in line with your organization's policies and procedures (12 / 0 / 12)
PC7. work within the limits of your job role (6 / 0 / 6)
PC8. obtain guidance from appropriate people, where necessary (6 / 0 / 6)
PC9. ensure your work meets the agreed requirements (19 / 6 / 13)

5. SSC/N9002 (Work effectively with colleagues) - Total 100 (Theory 20 / Skills Practical 80)
PC1. communicate with colleagues clearly, concisely and accurately
PC2. work with colleagues to integrate your work effectively with theirs
PC3. pass on essential information to colleagues in line with organizational requirements (10 / 10 / 0)
PC4. work in ways that show respect for colleagues (20 / 0 / 20)
PC5. carry out commitments you have made to colleagues
PC6. let colleagues know in good time if you cannot carry out your commitments, explaining the reasons
PC7. identify any problems you have working with colleagues and take the initiative to solve these problems
PC8. follow the organization's policies and procedures for working with colleagues
Detached PC marks (Total / Theory / Skills) as extracted: 20/0/20, 10/10/0

6. SSC/N9003 (Maintain a healthy, safe and secure working environment) - Total 100 (Theory 30 / Skills Practical 70)
PC1. comply with your organization's current health, safety and security policies and procedures
PC2. report any identified breaches in health, safety, and security policies and procedures to the designated person
PC3. identify and correct any hazards that you can deal with safely, competently and within the limits of your authority
PC4. report any hazards that you are not competent to deal with to the relevant person in line with organizational procedures and warn other people who may be affected
PC5. follow your organization's emergency procedures promptly, calmly, and efficiently
PC6. identify and recommend opportunities for improving health, safety, and security to the designated person
PC7. complete any health and safety records legibly and accurately
Detached PC marks (Total / Theory / Skills) as extracted: 20/10/10, 20/10/10, 20/10/10

7. SSC/N9004 (Provide data/information in standard formats) - Total 100 (Theory 25 / Skills Practical 75)
PC1. establish and agree with appropriate people the data/information you need to provide, the formats in which you need to provide it, and when you need to provide it (13 / 13 / 0)
PC2. obtain the data/information from reliable sources (13 / 0 / 13)
PC3. check that the data/information is accurate, complete and up to date (12 / 6 / 6)
PC4. obtain advice or guidance from appropriate people where there are problems with the data/information (6 / 0 / 6)
PC5. carry out rule-based analysis of the data/information, if required (25 / 0 / 25)
PC6. insert the data/information into the agreed formats (13 / 0 / 13)
PC7. check the accuracy of your work, involving colleagues where required (6 / 0 / 6)
PC8. report any unresolved anomalies in the data/information to appropriate people (6 / 6 / 0)
PC9. provide complete, accurate and up to date data/information to the appropriate people in the required formats on time (6 / 0 / 6)

8. SSC/N9005 (Develop your knowledge, skills and competence) - Total 100 (Theory 20 / Skills Practical 80)
PC1. obtain advice and guidance from appropriate people to develop your knowledge, skills and competence
PC2. identify accurately the knowledge and skills you need for your job role
PC3. identify accurately your current level of knowledge, skills and competence and any learning and development needs
PC4. agree with appropriate people a plan of learning and development activities to address your learning needs
PC5. undertake learning and development activities in line with your plan
PC6. apply your new knowledge and skills in the workplace, under supervision
PC7. obtain feedback from appropriate people on your knowledge and skills and how effectively you apply them
PC8. review your knowledge, skills and competence regularly and take appropriate action
Detached PC marks (Total / Theory / Skills) as extracted: 20/10/10, 20/10/10