Occupational Specialism - PO1: Apply procedures and controls to maintain the digital security of an organisation and its data


Unit: 21



Knowledge specific to Performance Outcome

Business control techniques (physical and administrative)

Including an understanding of:

· preventative e.g. fencing/gate/cage, separation of duties

· detective e.g. CCTV, logs, audit

· corrective e.g. fire suppression, standard operating procedure

· deterrent e.g. security guards, employment contracts

· directive e.g. signage, agreement types, general security policies

· compensating e.g. air conditioning, role-based awareness training

· recovery e.g. backups, business continuity

An understanding of impact and risk management for the mitigation of threats and vulnerabilities

Impact:

· types e.g. life, property, safety, finance, reputation

· privacy e.g. breaches of business data which could compromise company confidential information

· measures e.g. RTO/RPO, MTBF, MTTR

· identification of critical systems e.g. single point of failure, mission essential functions

Risk management:

· threat assessment e.g. environmental, manmade, internal vs. external

· risk assessment e.g. asset value, likelihood of occurrence, supply chain assessment

· an understanding of qualitative and quantitative approaches using tools such as Fault Tree Analysis, Failure Mode Effect Critical Analysis, Annualised Loss Expectancy and/or CCTA Risk Analysis and Management Methodology

· testing e.g. penetration testing authorisation, vulnerability testing authorisation

· risk response e.g. accept, transfer, avoid, mitigate

Design and execution of risk mitigation techniques that are appropriate to the perceived business risk, including:

· technical security controls using e.g. the 5 Cyber Essentials controls

· encryption using industry standard tools e.g. Windows 10 or Apple macOS for full disk encryption or file encryption, and TLS and SSL for data in transit, knowing when each would be applicable

· backups

· policies, including the relationships of organisation policies and procedures in risk mitigation

Industry, international standards and regulatory compliance e.g. Cyber Essentials, 10 Steps to Cyber Security, ISO 27001 and GDPR/DPA 2018

Principles of network security, including the general principles of CIA, role-based access, the IAAA model (Identification, Authentication, Authorisation and Auditing) and MAC, DAC, ABAC (Attribute Based Access Control) and RBAC

Principles of cyber security, including why cyber security matters and its importance to business and society, including understanding the need for the protection of personal data, the legal framework of the Data Protection Act 2018 and the rights of the individual. The relevance of the CIA model to assessing the impact on the security of systems

Cyber security concepts applied to ICT infrastructure, including the fundamentals of architectures and common vulnerabilities in networks and systems

Skills specific to Performance Outcome

Apply and maintain procedures and security controls in the installation, configuration and support of end-user services to ensure confidentiality, integrity and availability, such as:

· Set up a small Workgroups environment and apply groups and roles within directory services

· Set up and apply a certificate authority

· Implement security controls in a small business environment according to NCSC Cyber Essentials

· Manage physical documents in line with the GDPR

· Set up a simple network and apply access controls

Protect personal, physical and environmental security in accordance with procedures, controls and policies

· Install software for end user devices to identify and mitigate vulnerabilities, including:

· vulnerability scanning

· anti-malware

· device hardening

Explain organisational and departmental operational procedures in respect of adherence to security

Undertake a security risk assessment for a simple system such as a user’s own device for corporate use (BYOD: Bring your own Device)

Demonstrate continuous improvement, such as mitigating vulnerabilities detected in end user equipment and services, and evaluating trends in incidents to identify underlying problems

Operate data systems effectively, appropriately and securely to meet business requirements.