Conducting computer system security assessments for engineering software
Overview
This standard identifies the competences you need to conduct a computer system security assessment, in accordance with approved procedures. You will be given a detailed brief, and will be required to assess these requirements and to extract all necessary information in order to carry out the security assessment. You will need to select the appropriate computer systems security assessment methods to use, based on the type of computer application. You will be expected to use current British, European, international and company standards where appropriate.
Your responsibilities will require you to comply with organisational policy and procedures for computer and information security. You will be required to report any problems with the computer hardware, software, security or procedures that you cannot personally resolve, or that are outside your permitted authority, to the relevant people. You will be expected to work to verbal/written instructions and draft specifications, with a minimum of supervision, taking personal responsibility for your own actions and for the quality and accuracy of the work that you carry out.
Your underpinning knowledge will provide a good understanding of your work, and will provide an informed approach to applying computer security assessment procedures. You will understand the computer system and software used, and its application, and will know about the various tools and techniques used to assess whether the computer integrity is sufficient for its intended role within a defined operational environment.
You will understand the safety precautions required when performing the security assessment. You will be required to demonstrate safe and secure working practices throughout, and will understand the responsibility you owe to yourself and others in the workplace.
Performance criteria
You must be able to:
- work safely at all times, complying with health and safety legislation, regulations, directives and other relevant guidelines
- plan the computer system security assessment activities before you start them
- use appropriate analysis tools to obtain the required information for the analysis activity
- use references that follow the required conventions
- determine the evidence required to achieve the necessary level of computer and information security
- perform the computer security assessment
- review the output from the security assessment
- report your findings on the assessment performed
- save and store the computer security assessment results as the appropriate file type and in the correct location
- deal promptly and effectively with problems within your control, and seek help and guidance from the relevant people if you have problems that you cannot resolve
Knowledge and Understanding
You need to know and understand:
- the specific safety precautions to be taken when working with software development environment hardware (to include such items as safety guidance relating to the use of visual display unit (VDU) equipment and work station environment such as lighting, seating, positioning of equipment; repetitive strain injury (RSI); the dangers of trailing leads and cables; how to spot faulty or dangerous electrical leads, plugs and connections)
- the importance of good housekeeping arrangements (such as cleaning down work surfaces; putting media, manuals and unwanted items of equipment into safe storage; leaving the work area in a safe and tidy condition)
- the documentation required for the computer system security analysis (such as scanner analysis reports, base level security reports, relevant log extracts and other analysis reports)
- computer system security analysis tools, and national, international and relevant company security policies, procedures, methods and tools
- identification of the correct version of software tool, and the various techniques that are supported by the tool
- how to use and configure the computer security analysis tools
- how the engineering software security assessments contribute to the overall safety assessment of the product
- how to recognise specific security vulnerabilities (such as denial of service attacks)
- how to access the specific security and vulnerability results
- how to access, recognise and use a wide range of standard vulnerability libraries from the tools
- the need for configuration control on all components (such as ensuring that completed results are verified, labelled and stored on a suitable storage device)
- why it is necessary to be able to recall previous issues of analysis results
- when to act on your own initiative and when to seek help and advice from others
Scope/range
Scope Performance
Prepare for the computer system security assessment, by carrying out all of the following:
- check that the working environment is in a safe and suitable condition and that all working equipment is in a safe, tested and usable condition (such as cables undamaged, correctly connected, safely routed)
- identify all potential vulnerabilities which the computer system may have
- identify the severity of each vulnerability (such as catastrophic, severe, minor, negligible)
- identify the computer's worst case contribution to the vulnerability (such as direct cause, cause in conjunction with other failure, one of several independent contributors, no contribution)
- identify the required standards and all relevant sources (such as customer (contractual) standards and requirements, recognised compliance agency/body's standards, corporate information security policy, industry best practice in secure computer operation)
Review five of the following to obtain sources of data for correctly assessing the computer system security:
- computer network connectivity configuration
- computer system malware scan
- computer software version numbers and applied updates
- computer system vulnerability sweep
- computer service start-up configuration
- computer system usage logs
- computer peripheral connections
- standards reference documents
Carry out all of the following before performing the computer system security assessment:
- ensure that the data and information you have is current, complete and under configuration control
- confirm that the system level security identification and analysis have been performed
- recognise and deal with problems (such as technical issues and lack of information, or incorrect information)
Perform the computer system security assessment, using five of the following:
- security analyser (such as base level security analyser)
- installed virus scanner
- malware and spyware scanning results
- computer usage logs
- server and gateway access logs
- record of connected devices (such as USB devices)
- system vulnerability scanning tool
- standards reference documents
Review and report on a sample of the security related evidence for all of the following:
- completeness
- traceability
- accuracy
- adequacy
Save and store the results in appropriate locations, to include carrying out all of the following:
- check that the results are correctly titled, referenced and annotated
- ensure that the results have been checked and that they comply with the company procedure
- save the results to an appropriate location (such as storage device, configuration database)
- ensure that a separate backup copy is created and placed in safe storage
Behaviours
You will be able to apply the appropriate behaviours required in the workplace to meet the job profile and overall company objectives, such as:
- strong work ethic
- positive attitude
- team player
- dependability
- responsibility
- honesty
- integrity
- motivation
- commitment