NTISthis.com

Evidence Guide: ICTWEB423 - Ensure dynamic website security

Student: __________________________________________________

Signature: _________________________________________________

Tips for gathering evidence to demonstrate your skills

The important thing to remember when gathering evidence is that the more evidence the better - that is, the more evidence you gather to demonstrate your skills, the more confident an assessor can be that you have learned the skills not just at one point in time, but are continuing to apply and develop those skills (as opposed to just learning for the test!). Furthermore, one piece of evidence that you collect will not usually demonstrate all the required criteria for a unit of competency, whereas multiple overlapping pieces of evidence will usually do the trick!

From the Wiki University

 

ICTWEB423 - Ensure dynamic website security

What evidence can you provide to prove your understanding of each of the following criteria?

Undertake the risk assessment

  1. Identify the functionality and features of the website, and confirm these with the client
  2. Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards
  3. Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities
  4. Identify resource and budget constraints, and validate with the client as required
  5. Source the appropriate products, security services and equipment, according to enterprise purchasing policies
Identify the functionality and features of the website, and confirm these with the client

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify resource and budget constraints, and validate with the client as required

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Source the appropriate products, security services and equipment, according to enterprise purchasing policies

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Secure the operating systems

  1. Identify operating system (OS) and cross-platform vulnerabilities
  2. Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy
  3. Identify and rectify weaknesses specific to the OS
Identify operating system (OS) and cross-platform vulnerabilities

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify and rectify weaknesses specific to the OS

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Secure the site server

  1. Configure the web server securely, with reference to the required functionality and the security policy
  2. Review and analyse server-side scripting, with reference to the required functionality and the security policy
  3. Install firewalls as required
  4. Establish access control permissions to the server and database
Configure the web server securely, with reference to the required functionality and the security policy

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Review and analyse server-side scripting, with reference to the required functionality and the security policy

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Install firewalls as required

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Establish access control permissions to the server and database

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Secure data transactions

  1. Identify data transactions, with reference to the functionality and features of the website
  2. Identify and apply the channel protocols related to the requirements
  3. Install and configure the payment systems
Identify data transactions, with reference to the functionality and features of the website

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Identify and apply the channel protocols related to the requirements

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Install and configure the payment systems

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Monitor and document the security framework

  1. Develop a program of selective independent audits and penetration tests
  2. Determine the performance benchmarks
  3. Implement audit and test programs, and record, analyse and report the results
  4. Make security framework changes based on the test results
  5. Develop the site-security plan, with reference to the security policy and requirements
  6. Develop and distribute related policy and procedures to the client
Develop a program of selective independent audits and penetration tests

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Determine the performance benchmarks

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Implement audit and test programs, and record, analyse and report the results

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Make security framework changes based on the test results

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Develop the site-security plan, with reference to the security policy and requirements

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Develop and distribute related policy and procedures to the client

Completed
Date:

Teacher:
Evidence:

 

 

 

 

 

 

 

Assessed

Teacher: ___________________________________ Date: _________

Signature: ________________________________________________

Comments:

 

 

 

 

 

 

 

 

Instructions to Assessors

Evidence Guide

ELEMENT: Elements describe the essential outcomes.

PERFORMANCE CRITERIA: Performance criteria describe the performance needed to demonstrate achievement of the element.

1. Undertake the risk assessment

1.1 Identify the functionality and features of the website, and confirm these with the client

1.2 Identify security threats, with reference to the functionality of the site and organisational security policy, legislation and standards

1.3 Complete a risk analysis to prioritise the security threats, and identify system vulnerabilities

1.4 Identify resource and budget constraints, and validate with the client as required

1.5 Source the appropriate products, security services and equipment, according to enterprise purchasing policies

2. Secure the operating systems

2.1 Identify operating system (OS) and cross-platform vulnerabilities

2.2 Make the appropriate scripting or configuration adjustments, with reference to the functionality of the site and the security policy

2.3 Identify and rectify weaknesses specific to the OS

3. Secure the site server

3.1 Configure the web server securely, with reference to the required functionality and the security policy

3.2 Review and analyse server-side scripting, with reference to the required functionality and the security policy

3.3 Install firewalls as required

3.4 Establish access control permissions to the server and database

4. Secure data transactions

4.1 Identify data transactions, with reference to the functionality and features of the website

4.2 Identify and apply the channel protocols related to the requirements

4.3 Install and configure the payment systems

5. Monitor and document the security framework

5.1 Develop a program of selective independent audits and penetration tests

5.2 Determine the performance benchmarks

5.3 Implement audit and test programs, and record, analyse and report the results

5.4 Make security framework changes based on the test results

5.5 Develop the site-security plan, with reference to the security policy and requirements

5.6 Develop and distribute related policy and procedures to the client

Required Skills and Knowledge

Evidence of the ability to:

  - determine the client security framework and its requirements
  - identify any potential security threats to a website, and document the risk and performance benchmarks
  - develop and implement strategies to secure a dynamic website.

Note: If a specific volume or frequency is not stated, then evidence must be provided at least once.

To complete the unit requirements safely and effectively, the individual must:

  - summarise the Australian Computer Society Code of Ethics
  - explain a client business domain, its structure, function and organisation, including the organisational issues surrounding security
  - identify and outline the legislation, regulations and codes of practice pertinent to website information, including:
      - copyright
      - intellectual property
      - privacy
      - ethics
  - outline current industry-accepted hardware and software products
  - describe desktop applications and operating systems (OS) as they relate to website security
  - explain the functions and features of:
      - automated intrusion detection software
      - authentication and access control
      - common stored account payment systems
      - cryptography
      - common gateway interface (CGI) scripts
      - generic secure protocols
      - stored-value payment systems
  - explain the implications of network address translation (NAT), related to:
      - securing internal internet protocol (IP) addresses
      - buffer overruns and stack smashing
      - operating system deficiencies
      - the protocol stack for internet communications
      - physical web server security, particularly remote
  - describe the advantages and disadvantages of using a range of security features
  - identify and describe host security threats.