Vous êtes sur la page 1sur 83

Page | 1

Table of Contents 

Institute of Charted Financial Analyst of India

Final Evaluation for management thesis

Information Technology Security &
Risk Management of Information Technology Systems
Submitted To
Mrs. Ekta Jain
Mr. Amit Ganesh Takkar
Second Year MBA

Page 1 of 83
Page | 2


I (Amit Ganesh Takkar) student of ICFAI National College Thane

(MBA Sem 4) hereby declare that the Final report is submitted by me in
the academic year 2007-09. The Information submitted is true and original to
the best of my knowledge and available Information from Internet and other

Amit Ganesh Takkar

Page 2 of 83
Page | 3

This is to certify that

Mr. Amit Ganesh
Takkar student of
Sem-4 has
completed the Final
Evaluation Report
titled “Information
Technology Security & Risk
Management of Information
Technology Systems.” &
that this interim
report represents his
Page 3 of 83
Page | 4

bonafied work during

the year 2007-09.

( Mrs .Ekta Jain)

Page 4 of 83
Page | 5


I am grateful to all the people who have contributed towards the

completion of the project. I would like to thank all of them who
have helped me for giving me the opportunity to work on this
I would also like to take this opportunity to thank who gave me
support throughout the project research and providing me with
useful information.

Page 5 of 83
Page | 6

Table of Contents
Sr. No Contents
1 Introduction
1.1 Overview
1.2 Background
1.3 Purpose
1.4 Scope
1.5 Methodology
1.6 Organization
2 IT Security Competency Area
2.1 Data Security
2.2 Data Forensics
2.3 Enterprise Continuity
2.4 Incident Management
2.5 IT Security Training & Awareness
2.6 IT System Operation & Maintenance
2.7 Network Security & Telecommunications
2.8 Personal Security
2.9 Physical & Environment Security
2.10 Procurement
2.11 Regulatory & Standard Compliance
2.12 Risk Management
2.13 Strategic Management
2.14 System & Application Security
3 IT Security Essential Body of Knowledge
3.1 Data Security
3.2 Data Forensic
3.3 Enterprise Continuity
3.4 Incident Management
3.5 IT Security Training &Awareness
3.6 IT Systems Operations and Maintenance
3.7 Network Security & Telecommunications
3.8 Personal Security
3.9 Physical & Environment Security
3.10 Procurement
3.11 Regulatory & Standards Compliance
3.12 Risk Management
3.13 Strategic Management
3.14 System & Application Security
4 Security Roles, Competencies & Functional Prespectives
4.1 Chief Information Officer
4.2 Digital Forensics Professional
Page 6 of 83
Page | 7

4.3 Information Security Officer/Chief Security Officer

4.4 IT Security Compliance Professional
4.5 IT Security Engineer
4.6 IT Systems Operations & Maintenance Professional
4.7 IT Security Professional
4.8 Physical Security Professional
4.9 Privacy Professional
4.10 Procurement Professional
5 IT Security Role, Competency & Functional Matrix
6 Case Study(1):

7 Case Study(2):
8 Appendix: List of Acronyms

 ➢   1 Introduction :­ 

Page 7 of 83
Page | 8

Over the past two decades, the evolution of technology has quickened society’s 
transformation to a digital environment. These advances have been nonlinear 
and sometimes chaotic leading to disparities in the composition of the 
information technology (IT) workforce. The Variation in training, expertise, 
acumen, and experience is a natural consequence and is found in the myriad 
of recruiting, education, and retention practices of employers. Since the very 
beginning of the digital revolution, public and private organizations, leaders, 
and experts have dedicated significant resources to developing the IT security 
field of practice, yet disparities remain. Now more than ever, IT securities 
professionals must be prepared to meet the challenges that exist today and in 
the future. The convergence of voice and data communications systems, the 
reliance of organizations on those systems, and the emerging threat of 
sophisticated adversaries and criminals seeking to compromise those systems 
underscores the need for well trained, well equipped IT security specialists. 
Furthermore, the interconnectedness of government and industry through 
shared infrastructures and services demonstrates the need for a universal 
understanding across domains of the required roles, responsibilities, and 
competencies of the IT security workforce. IT security must be a fundamental 
strategic driver of an organization’s business or mission because it protects 
against theft and hostile acts, has the potential of enhancing productivity, and 
can improve organizational function and design. As the IT security field 
matures, it requires qualified professionals to support increasingly 
sophisticated security demands. In response to this challenge, the Department 
of Homeland Security National Cyber Security Division (DHS­NCSD) worked 
with academia, government, and private sector experts to develop a high level 
framework that establishes a national baseline representing the essential 
knowledge and skills that IT security practitioners should possess to perform. 
DHS­NCSD developed the IT Security Essential Body of Knowledge (EBK): A 

Page 8 of 83
Page | 9

Competency and Functional Framework for IT Security Workforce 
Development as an umbrella document that links competencies and functional 
perspectives to IT security roles fulfilled by personnel in the public and 
private sectors. Potential benefits of the IT Security EBK for professional 
development and workforce management initiatives include:

Articulating the functions that professionals within the IT security 
workforce perform, in a context­neutral format and language.
Promoting uniform competency guidelines to increase the overall 
efficiency of IT security education, training, and professional 
development, and.
Providing a content guideline that can be leveraged to facilitate cost­
effective professional development of the IT workforce, including future 
skills training and certifications, academic curricula, or other affiliated 
human resource activities. 
The IT Security EBK reflects the vast contribution of resources to date and 
builds directly upon the work of established references and best practices 
from the public and private sectors, which were used in the development 
process and are reflected within the content of this document. The EBK is not 
an additional set of guidelines, and it is not intended to represent a standard, 
directive, or policy by DHS. Instead, it further clarifies key IT security terms 
and concepts for well­defined competencies, identifies notional security roles, 
defines four primary functional perspectives, and establishes an IT Security 
Role, Competency, and Functional Matrix. This effort was launched to 
advance the IT security training and certification landscape to help ensure 
that we have the most qualified and appropriately trained IT security 
workforce possible.

 ✔   1.2 Background :­
The President’s Critical Infrastructure Protection Board (PCIPB) was 
established in October of 2001 to recommend policies and to coordinate 
programs for Protecting information systems for critical infrastructure, such 

Page 9 of 83
P a g e | 10

as the electrical grid and telecommunications systems. PCIPB was responsible 
for performing key activities such as: collaborating with the private sector 
and all levels of government, encouraging information sharing with 
appropriate stakeholders, and coordinating incident response. All of these 
activities involve IT security and require qualified professionals to support 
increasingly complex demands. 
Knowing that IT security workforce development was an issue requiring a 
focused strategy, the PCIPB created the IT Security Certification Working 
Group (ITSC­WG). This group was tasked to examine possible approaches to 
developing and sustaining a highly skilled IT security workforce, such as 
establishing a national IT security certification process. In 2003, the President 
released the National Strategy to Secure Cyberspace, which provides direction 
for strengthening cyber security. The National Strategy was created to 
“engage and empower Americans to secure the portions of cyberspace that 
they own, operate, control, or with which they interact.” It acknowledged that, 
“securing cyberspace is a difficult strategic challenge that requires 
coordinated and focused effort from our entire society, the Federal 
government, State and local governments, the private sector, and the 
American people.” DHS­NCSD was also established in 2003 to act as a 
national focal point for cyber security, facilitate the implementation of the 
National Strategy, and coordinate cyber security efforts across the Nation.  
A key recommendation from the PCIPB’s ITSC­WG work is addressed in the 
National Strategy as the foundation for recommendations on IT security 
certifications, listed in Priority III of the Strategy. Specifically, 
action/recommendation (A/R) 3/9 states:  
DHS will encourage efforts that are needed to build foundations for the  
development of security certification programs that will be broadly accepted by  
the public and private sectors. DHS and other federal agencies can aid these  
efforts by effectively articulating the needs of the federal IT security community. 
DHS­NCSD established the Training and Education (T/E) Program to lead 
this effort, among others, in the area of IT security workforce development. 

Page 10 of 83
P a g e | 11

 ✔   1.3 Purpose:­
The IT Security EBK acknowledges the vast contribution of various 
stakeholders to IT security training and professional development and seeks 
to articulate a path to better align those efforts within a unifying framework. 
For instance, over the last several years, the T/E Program has worked with 
DoD, academia, and private sector leaders in the IT and information security 
fields to arrive at the conclusion that while many worthwhile, well­regarded 
IT security certifications exist, these certifications have been developed 
according to varying criteria based on the focus of each certifying 
organization and its own market niche.
It is challenging to identify, with certainty, which certifications validate which 
workforce competencies and which certifications would be the best choice to 
confirm or build the strengths of those individuals serving in various IT 
security roles. Resolving these concerns has been the goal of the T/E 
Program’s certification­related work. As a result of this complexity and 
uncertainty, in 2006 the T/E Program assembled a working group from 
academia, the private sector, and the Federal government to develop a 
competency­based, functional framework that linked competency areas and 
functions to IT security roles fulfilled by personnel regardless of sector. The 
EBK framework provides the following outcomes: 
Articulates the functions that professionals within the IT security workforce 
perform, in a common format and language that conveys the work, rather 
than the context in which work is performed (i.e., private sector, government, 
higher education); Provides a reference against which to compare the content 
of IT security certifications, which have been developed independently 
according to varying criteria; Offers one way to further substantiate the wide 
acceptance of existing certifications so that they can be leveraged 
appropriately as credentials; and Provides a content guideline that can be 
used to facilitate cost­effective professional development of the IT workforce, 
including skills training, academic curricula, or additional human resource 

Page 11 of 83
P a g e | 12

 ✔   1.4 Scope:­
The IT Security EBK is a resource that can be used by organizations for workforce 
development and planning, by certification consumers for personal development, 
and by other groups as they find it useful within their programs. This draft 
document is not mandated by existing policy and it should be viewed as a 
complement to existing, widely­used models for describing IT security processes 
such as the National Institute of Standards and Technology (NIST) or Committee on 
National Security Systems (CNSS) guidance on IT security training. These resources 
were used, along with other widely accepted references from the public and private 
sectors, during the development process and are reflected within the content of this 
document. The IT Security EBK framework is intended to conceptualize IT security 
skill requirements in a new way to address evolving IT security challenges.
DHS­NCSD provides the IT Security EBK as a product for use across the public and 
private sectors. It will be revised over time, with input from subject matter experts 
(SMEs), to ensure it remains a useful, contemporary resource for the community.

 ✔   1.5 Methodology:­
The development of the competency and functional framework was an iterative 
process involving close collaboration with SMEs from academia, industry, and 
government. Figure 1­1 identifies the process followed in preparing the Framework 
and each step is described below, followed by a description of the IT Security EBK 
review cycle.
Figure 1­1: Competency and Functional Framework Development Process 

➢  Step 1 : Develop Notional Competencies Using DoD Information Assurance 
Skill Standard (IASS). The DoD IASS was a core document used to shape the 
competency areas and functions captured in the IT Security Competency and 
Functional Framework. The IASS was developed by the Defense­wide IA 
Program (DIAP) as part of the DoD 8570­Workforce Improvement Program. 
DHS­NCSD participated in working groups conducted by DoD in a similar 
effort of culling public and private sector resources; DoD’s goal for its own 

Page 12 of 83
P a g e | 13

workforce through the IASS is similar to the national level goal of the IT 
Security EBK: “to define a common language for describing IA work 
and work components, in order to provide commercial certification providers 
and training vendors with targeted information to enhance their learning 
The DoD IASS describes IA work within DoD according to 53 critical work 
functions (noted as CWF in Figure 1­1), each of which contains multiple 
tasks. To begin creating a framework for DHS­NCSD, the DoD IASS 
document was reverse­engineered to arrive at a set of technical competency 
areas to which the 53 critical work functions and tasks aligned. Each technical 
competency area was given a functional statement/definition to clarify the 
boundaries of what would be included in each area.
➢  Step 2 : Identify Functions/CWFs and Map to Competencies. Once the 
competencies were developed, the critical work functions were remapped 
according to the competency area structure. A multitude of IT security 
documents were then analyzed to identify additional functions associated with 
each competency area. These documents included NIST standards, CNSS 
role­based training standards, International Organization for 
Standardization (ISO) standards, widely­used private sector models such as 
Control Objectives for Information and related Technology (COBIT), Systems 
Security Engineering (SSE) Capability Maturity Model (CMM), and others. 
Data was captured as functions rather than as job tasks, so that the 
terminology and procedural specificity of the sector from which the data was 
gathered could be replaced by more general language that would apply to all 
➢  Step 3 : Identify Key Terms and Concepts per Competency Area. This step of 
development entailed identifying key terms and concepts that represent the 
knowledge required of professionals to perform the functions within each 
competency area. The key terms and concepts from all of the competency 
areas make up the Essential Body of Knowledge (EBK) for IT security (refer 
to Section 3) which reflects the set of terms, topics, and concepts that one 
should be familiar with to be a conversant generalist in the IT security field. 

Page 13 of 83
P a g e | 14

The scope of professional responsibility of practitioners performing IT 
security functions varies considerably, and knowledge of key terms and 
concepts is fundamental to performance. Therefore, individuals should know, 
at minimum, the key terms and concepts that are part of the competencies to 
which their role is mapped. In nearly all cases, each key term or concept was 
assigned to only one competency. In some instances, concepts with wider 
impact across IT security were included in multiple competencies (e.g., 
➢  Step 4:  Identify Notional IT Security Roles. After the competencies were 
adequately populated with functions based on source document analysis, a set 
of notional roles performed by individuals in the IT security field were 
identified. Again, roles were chosen rather than job titles to eliminate sector­
specific language and to succinctly capture the multitude of IT security 
positions in a way that would allow the practitioner to easily identify his or 
her role. For example, an IT Security Compliance Officer is defined as a role, 
while the applicable job titles might include auditor, compliance officer, 
inspector general, or inspector.
➢  Step 5 : Categorize Functions by Perspective (Manage, Design, Implement, or 
Evaluate). After roles were identified, the competencies were revisited and the 
work functions within each competency were divided into four functional 
perspectives. It is important to note that the perspectives do not convey a 
lifecycle concept of task or program execution, as is typical of a traditional 
system development life cycle (SDLC). The functional perspectives are used to 
segment the full set of functions within a competency area into four categories 
containing functions of a similar nature. The functional perspectives are 
defined as follows: 
a) Manage: Functions that concern overseeing a program or technical 
aspect of a security program at a high level and ensuring its currency 
with changing risk and threat. 
b) Design: Functions that concern scoping a program or developing 
procedures and processes that guide work execution at the program 
and/or system level. 

Page 14 of 83
P a g e | 15

c) Implement: Functions that concern putting programs, processes, or 
policy into action within an organization, either at the program or 
system level. 
d) Evaluate: Functions that concern assessing the effectiveness of a 
program, policy, or process in achieving its objectives. 

➢  Step 6 : Map Roles to Competencies to Functional Perspectives. The final step 
in developing the competency and functional framework was to map roles to 
appropriate sets of competencies and to identify the specific functional 
perspective that contains the work that the role would perform. This activity 
created the IT Security Role, Competency, and Functional Matrix, as 
illustrated in Section 5. A conceptual, visual depiction of the mapping is 
shown in Figure 1­2. When a role is mapped to a competency, and to a 
functional perspective within that competency, it means that the role 
performs all of the functions within the perspective. For example, an IT 
Security Professional who develops procedures related to incident 
management is mapped to a Design function within the Incident Management 
competency area and would perform the work within the Design functional 
perspective. The premise behind the mapping and the competency and 
functional framework is that work conducted by the IT security workforce is 
complex, and not all work in a given area is performed by a single role. By 
contrast, the work—from creating the strategy for a component of the IT 
security program, to developing a program’s procedures and scope, to 
performing hands­on implementation work, to evaluating the work’s 
effectiveness—is performed by a team of individuals with different 
responsibilities and spans of control. Instead of all roles being responsible for 
knowing all areas of IT security and being able to perform all job tasks, 
individual roles are associated with a subset of competencies to represent the 
work performed as part of the IT security team. The type of work performed 
is resolved through the four functional perspectives by role across a series of 
technical competency areas. It is these functions that an individual should be 

Page 15 of 83
P a g e | 16

evaluated on if a role­based certification truly measures the ability of a given 
individual to perform. 
Figure 1­2: Roles to Competencies to Functions Mapping Diagram Review 
Cycle. The conceptual framework was shared with focus groups comprised of 
SMEs representing the private sector, government, and academia. The focus 
groups analyzed the framework to ensure that the competencies, key terms 
and concepts, and the roles were complete and fully incorporated all aspects 
of the IT security discipline. Feedback was incorporated into a draft 
framework, which was then presented to another larger working group. The 
working group, which included both IT security generalists and SMEs 
representing specific roles, reviewed the functional perspectives for each 
competency and role mapping. This information was compiled to create the 
first draft in December 2006. DHS­NCSD introduced the first draft to a 
broader audience of SMEs in January 2007, including members of the 
Federal training and education community. This activity was followed by a 
series of supplementary role­based focus groups to ensure that the respective 
competencies and functional perspectives fully represent the specific role 
types. A broader review process will continue through Fall 2007, leveraging 
professional associations, industry conferences, sector­specific organizations, 
and the Federal Register for public review and comment. DHS­NCSD will 
then aggregate the additional input into the IT Security EBK and a final 
product is expected to be released in Winter 2008. The IT Security EBK: A 
Competency and Functional Framework for IT Security Workforce 
Development will then be reevaluated to ensure relevancy and timeliness 
approximately every two years. 

 ✔   1.6 Organization:­
The remaining sections of this document are organized as follows: 

 Section 2: IT Security Competency Areas.  

Page 16 of 83
P a g e | 17

This section contains the fourteen competency areas, along with their 
functional statements/definitions and all work functions categorized by four 
functional perspectives as Manage, Design, Implement, or Evaluate. 

 Section 3: The IT Security Essential Body of Knowledge.  
This section contains a full, consolidated list of the terms and concepts 
associated with each IT security competency area. Key Terms and Concepts 
identify the knowledge that professionals should know to be conversant in the 
field of IT Security and to perform required work functions.

 Section 4: IT Security Roles, Competencies and Functional Perspectives.  
This section includes a listing of the ten roles that characterize the IT security 
field, as well as the related functional perspectives and competencies. Sample job 
titles are identified for each role to clarify which job titles align with which role and 
to allow the individual consumer to identify where his or her role may fit within the 

 Section 5: IT Security Role, Competency, and Functional Matrix.  
This section contains a visual depiction of the relationship between roles, 
competencies, and functions clarifying the competencies and perspectives associated 
with each role. 

 Appendix: List of Acronyms . 
This section lists and defines all of the acronyms contained in the IT Security 

 IT Security Competency Areas (Definitions and Functions).  
This section contains the fourteen competency areas, along with their 
affiliated functional statements/definitions and all work functions categorized 
as Manage, Design, Implement, or Evaluate.

Page 17 of 83
P a g e | 18

 ∇    2.1 Data Security:­ 
It refers to the application of the principles, policies, and procedures necessary to 
ensure the confidentiality, integrity, availability, and privacy of data in all forms of 
media (electronic and hardcopy) throughout the data life cycle. 

 ✔   2.1.1 Manage:­
Ensure that security classification and data management policies and guidance are 
issued and updated Specify policy and coordinate review and approval Report 
compliance to data security policies Provide oversight Implement appropriate 
changes and improvement actions as required 

 ✔   2.1.2 Design:­
Develop the data security policy using data security standards, guidelines, and 
requirements that include privacy, access, incident management, disaster recovery, 
and configuration Identify and document the appropriate level of protection for the 
data Specify information classification, sensitivity, and need­to­know requirements 
by data or data type Create data user authentication and authorization system data 
access levels and privileges. Develop acceptable use procedures in support of the 
data security policy. Develop sensitive data collection and management procedures 
in accordance with standards, procedures, directives, policies, regulations, and laws. 
Identify appropriate set of information security controls based on perceived risk of
compromise to the data.
✔  2.1.3 Implement  :­  
Perform the data access management process according to established guidelines. 
Apply and maintain data security controls and processes in accordance with data 
security policy, guidelines, and requirements. Apply media controls and processes.
Apply and verify data security access controls and privileges. Address alleged 
violations of data security and privacy breaches. Apply and maintain privacy 
controls in accordance with privacy guidance in accordance with standards, 
procedures, directives, policy, regulations, and laws.

Page 18 of 83
P a g e | 19

 ✔   2.1.4 Evaluate:­
Assess the effectiveness of the enterprise data security policies, processes, and 
procedures against established standards, guidelines, and requirements and suggest 
changes where appropriate. Evaluate the effectiveness of products and technologies 
implemented to provide the required protection of data. Review alleged violations of 
data security and privacy breaches. Identify improvement actions required to 
maintain appropriate level of data protection.

 ∇    2.2 Digital Forensics:­
It refers to the knowledge and understanding of digital investigation and analysis 
techniques used for recovering, authenticating, and analyzing electronic data to 
reconstruct events related to security incidents. Such activities require building a 
digital knowledge base. 
The investigative process is composed of three phases: acquire, analyze, and report. 

 ✔   2.2.1 Manage:­
Acquire the necessary contractual vehicle and resources, including financial 
resources, to run forensic labs and programs. Coordinate and build internal and 
external consensus for developing and managing an organizational digital forensic 
program. Establish a digital forensic team, usually composed of investigators, IT 
professionals, and incident handlers, to perform digital and network forensics.
Provide adequate work spaces that at a minimum take in to account electrical, 
thermal, acoustic, and privacy concerns (i.e., intellectual properties, classification, 
contraband) and security requirements (including access control) of equipment and 
personnel as well as provide adequate report writing/administrative areas 
Implement appropriate changes and improvement actions as required

 ✔   2.2.2 Design:­
Create policies and procedures for establishing and/or operating a digital forensic 
unit in accordance with standards, procedures, directives, policy, regulations, and 
law. Establish policies for the imaging (bit for bit copying) of electronic media 

Page 19 of 83
P a g e | 20

Specify hardware and software requirements to support the digital forensic 
program. Establish the hardware and software requirements (configuration 
management) of the forensic laboratory. Develop policies for the preservation of 
electronic evidence, data recovery and analysis, reporting and archival requirements 
of examined material in accordance with standards, procedures, directives, policy, 
regulations, and laws.
Consider establishing examiner requirements that include an ongoing mentorship 
program, competency testing prior to assuming individual case responsibilities, 
periodic proficiency testing, and participation in a nationally recognized 
certification program that encompasses a continuing education requirement
Adopt or create a chain of custody procedures that include disposal procedures and 
when required, the return of media to its original owner in accordance with 
standards, procedures, directives, policy, regulations, and law.

 ✔   2.2.3 Implement:­ 
Assist in collecting and preserving evidence in accordance with established 
procedures, plans, policies, and best practices. Perform forensic analysis on 
networks and computer systems and make recommendations for remediation 
Apply, maintain, and analyze results from intrusion detection systems, intrusion 
prevention systems, network mapping software, and other tools to protect, detect, 
and correct information security­related vulnerabilities and events. Follow proper 
chain­of­custody best practices in accordance with standards, procedures, directives, 
policy, regulations, and law. Collect and retain audit data to support technical 
analysis relating to misuse, penetration reconstruction, or other investigations. 
Provide audit data to appropriate law enforcement or other investigating agencies to 
include corporate security elements. Assess and extract the relevant pieces of 
information from the collected data. Report contains complete and accurate findings 
and the result of analysis of digital evidence to appropriate resources. Coordinate 
dissemination of forensic analysis findings to appropriate resources. Provide 
training, as appropriate, on using forensic analysis equipment, technologies, and 
procedures, such as the installation of forensic hardware and software components. 
Acquire and manage a Standard Operating Environment (SOE) (baseline standard) 
Page 20 of 83
P a g e | 21

of company or agency computer footprint. Coordinate applicable legal and 
regulatory compliance requirements. Coordinate, interface and work under the 
direction of appropriate corporate entities (e.g., corporate legal, corporate 
investigations) with regard to investigations or other legal requirements, including 
investigations that involve external governmental entities (e.g., international, 
national, state, local)

 ✔   2.2.4 Evaluate:­
Ensure the effectiveness and accuracy of forensic tools used by digital forensic 
examiners and implement changes as required. Assess the effectiveness, accuracy 
and appropriateness of testing processes and procedures that are followed by the 
forensic laboratories and teams and suggest changes where appropriate. Assess the 
digital forensic staff to ensure that they have the appropriate knowledge, skills, and 
abilities to perform forensic activities. Validate the effectiveness of the analysis and 
reporting process and implement changes where appropriate. Review and 
recommend standard validated forensic tools. Assess the digital forensic laboratory 
quality assurance program, monitor, peer review process, audit and proficiency 
testing procedures and implement changes where appropriate. Examine penetration 
testing and vulnerability analysis results to identify risks and implement patch 
management. Identify improvement actions based on the results of validation, 
assessment, and review.

 ∇    2.3 Enterprise Continuity:­
Refers to the application of the principles, policies, and procedures used to ensure an 
enterprise continues to perform essential business functions after the occurrence of 
a wide range of potential catastrophic events. For the purposes of the IT Security 
EBK, Enterprise Continuity relates to IT assets and resources and associated IT 
security requirements. 

 ✔   2.3.1 Manage:­
Coordinate with corporate stakeholders to establish the enterprise continuity of 
operations program. Acquire the necessary resources, including financial resources, 
Page 21 of 83
P a g e | 22

to conduct an effective enterprise continuity of operations program. Define the 
enterprise continuity of operations organizational structure and staffing model. 
Define emergency delegations of authority and orders of succession for key 
positions. Direct contingency planning, operations, and programs to manage risk
Define the scope of the enterprise continuity of operations program to address 
business continuity, business recovery, contingency planning, and disaster recovery 
and related activities. Integrate enterprise concept of operations activities with 
related contingency planning activities. Establish an enterprise continuity of 
operations performance measurement program. Identify and prioritize critical 
business functions. Implement appropriate changes and improvement actions as 

 ✔   2.3.2 Design:­
1. Develop strategic policy for the organization’s continuity of operations.
2. Develop an enterprise continuity of operations plan and procedures.
3. Develop and maintain enterprise continuity of operations documentation such 
as contingency, business continuity, business recovery, disaster recovery, and 
incident handling plans.
4. Develop a comprehensive test, training, and exercise program to evaluate and 
validate the readiness of enterprise continuity of operations plans, 
procedures, and execution.
5. Prepare internal and external continuity of operations communications 
procedures and guideline.

 ✔   2.3.3 Implement:­
Execute the enterprise continuity of operations and related contingency plans and 
procedures. Control access to information assets during an incident in accordance 
with the organizational policy. Execute crisis management tests, training, and 
exercises and apply lessons learned from them.

 ✔   2.3.4 Evaluate:­

Page 22 of 83
P a g e | 23

Review test, training and exercise results to determine areas for process 
improvement and recommend changes as appropriate. Assess the effectiveness of the 
enterprise continuity program, processes, and procedures and implement changes 
where appropriate. Continuously validate the organization against additional 
mandates, as developed, to ensure full compliance. Collect and report performance 
measures and identify improvement actions.

 ∇    2.4 Incident Management:­
Refers to the knowledge and understanding of the process to prepare and prevent, 
detect, contain, eradicate, and recover, and apply lessons learned from incidents 
impacting the mission of an organization.

 ✔   2.4.1 Manage:­
Coordinate with stakeholders to establish the incident management program. 
Establish relationships between the incident response team and other groups, both 
internal (e.g., legal department) and external (e.g., law enforcement agencies, 
vendors, and public relations Professionals). Acquire and manage the resources, 
including financial resources, for the incident management functions. Ensure the 
coordination between the incident response team and the security administration 
and technical support teams. Apply lessons learned from information security 
incidents to improve incident management processes and procedures. Implement 
appropriate changes and improvement actions as required.

 ✔   2.4.2 Design:­
Develop the incident management policy. Identify the services the incident response 
team should provide. Create incident response plans in accordance with security 
policy and organizational goals. Develop procedures for performing incident 
handling and reporting. Create incident response exercises and red teaming 
activities. Develop specific processes for collecting and protecting forensic evidence 
during incident response. Specify the incident response staffing and training 
requirements. Establish incident management measurement program

Page 23 of 83
P a g e | 24

✔  2.4.3 Implement :­ 
Apply response actions in reaction to security incidents in accordance 
with established policy, plans, and procedures. 
Respond to and report incidents. 
Assist in collecting, processing, and preserving evidence according to 
standards, procedures, directives, policy, regulations, and law Monitor 
the network and information systems for intrusions. 
Execute incident response plans Execute red teaming activities and 
incidence response exercises.
Ensure lessons learned from incidents are collected in a timely manner 
and are incorporated into plan reviews. 
Collect, analyze, and report incident management measures.

 ✔   2.4.4 Evaluate:­
Assess the efficiency and effectiveness of the incident response program 
activities and implement changes as required.
Examine the effectiveness of red teaming and incident response tests, 
training, and exercises.
Assess the effectiveness of communications between incident response 
team and related internal and external organizations and implement 
changes where appropriate.
Identify incident management improvement actions based on 
assessments of effectiveness.

 ∇    2.5 IT Security Training and Awareness:­
It refers to the principles, practices, and methods required to raise employee 
awareness about basic information security, and to train individuals with 
information security roles to increase their knowledge, skills and abilities. 
Training activities are designed to instruct workers about their security 
responsibilities and teach them about information security processes and 
procedures so duties are performed optimally and securely within related 

Page 24 of 83
P a g e | 25

environments. Awareness activities present essential information security 
concepts to the workforce in order to change user behavior. 

 ✔    2.5.1 Manage:­ 
Identify business requirements and establish the enterprise­wide policy 
for the IT security awareness and training program.
Acquire and manage the necessary resources, including financial 
resources, to support the IT awareness and training program.
Set operational performance measures for training and delivery and 
ensure that they are met.
Ensure the organization complies with IT security awareness and 
training standards/requirements.
Implement appropriate improvement actions as required.

 ✔   2.5.2 Design:­
Develop the security awareness and training policy.
Define the goals and objectives of the IT security awareness and 
training program.
Work with appropriate security subject­matter experts to ensure the 
completeness and accuracy of the security training program.
Establish a tracking and reporting strategy for IT security training and 
Establish a change management process to ensure currency and 
accuracy of training and awareness materials.
Develop a workforce development, training, and awareness program 

 ✔   2.5.3 Implement:­
Perform needs assessment to determine skill gaps and identify critical 
needs based on mission requirements.

Page 25 of 83
P a g e | 26

Develop new or identify existing awareness and training materials that 
are appropriate and timely for the intended audiences.
Deliver awareness and training to the intended audiences based on 
identified needs.
Update awareness and training materials when necessary.
Communicate the management commitment and importance of the IT 
security awareness and training program to the workforce.

 ✔   2.5.4 Evaluate:­
Assess and evaluate the IT security awareness and training program 
for compliance with corporate policy and measure performance of the 
program against objectives.
Review the IT security awareness and training program materials and 
recommend improvements.
Audit the awareness and training program to ensure that it meets the 
organization’s stakeholder needs.
Ensure that information security personnel are receiving the 
appropriate level and type of training.
Collect, analyze, and report performance measures.

 ∇    2.6  IT Systems Operations and Maintenance:­  
Refers to the ongoing application of principles, policies, and procedures to 
maintain, monitor, control, and protect IT infrastructure and the information 
residing on it during the operations phase of an IT system or application in 

✔  2.6.1 Manage :­ 
Establish the security administration program goals and objectives.
Monitor the security administration program budget.
Direct the security administration personnel.
Address security administration program risks.

Page 26 of 83
P a g e | 27

Define the scope of the security administration program.
Establish communications between the security administration team 
and other security­related personnel (e.g., technical support, incident 
Integrate the security administration team activities with other 
security­related team activities (e.g., technical support, incident 
management, security engineering).
Acquire the necessary resources, including financial resources, to 
execute the security administration program.
Ensure operational compliance with applicable legislation, regulations, 
standards, and policies.
Implement appropriate improvement actions, as required.

 ✔   2.6.2 Design:­
Develop security administration processes and procedures in 
accordance with standards, procedures, directives, policy, regulations, 
and laws.
Develop personnel, application, middleware, operating system, 
hardware, network, facility, and egress security controls.
Develop security administration tests, test scripts, test criteria, and 
testing procedures.
Develop security administration change management procedures to 
ensure security policies and controls remain effective following a 
Recommend appropriate forensics sensitive policies into the enterprise 
security plan.

 ✔   2.6.3 Implement:­
Perform security administration processes and procedures in 
accordance with standards, procedures, directives, policy, regulations, 
and law.

Page 27 of 83
P a g e | 28

Establish a secure computing environment by applying, monitoring, 
controlling, and managing security controls.
Ensure that information systems are assessed regularly for 
vulnerabilities and that appropriate solutions to eliminate or otherwise 
mitigate identified vulnerabilities are implemented.
Monitor IT security performance measures to ensure optimal system 
Perform security performance testing and reporting and recommend 
security solutions in accordance with standards, procedures, directives, 
policy, regulations, and law.
Perform security administration changes and validation testing.
Identify, control, and track all IT security configuration items.
Collaborate with the technical support, incident management, and 
security engineering teams to develop, implement, control, and manage 
new security administration technologies.
Monitor vendor agreements and Service Level Agreement’s (SLA) to 
ensure that contract and performance measures are achieved.
Establish and maintain controls and surveillance routines to monitor 
and control conformance to all applicable information security laws 
and regulations.

 ✔   2.6.4 Evaluate:­
Review strategic security technologies.
Review the performance and correctness of applied security controls in 
accordance with standards, procedures, directives, policy, regulations, 
and law and apply corrections as required.
Assess the performance of security administration measurement 
Assess system and network vulnerabilities.
Assess compliance with standards, procedures, directives, policy, 
regulations, and law.

Page 28 of 83
P a g e | 29

Identify improvement actions based on reviews, assessments, and other 
data sources.

 ∇    2.7 Network Security and Telecommunications:­ 
Refers to the application of the principles, policies, and procedures involved in 
ensuring the security of basic network services and data and in maintaining 
the hardware layer on which it resides. These practices address perimeter 
defense strategies, defense­in­depth strategies, and data encryption 

✔  2.7.1 Manage  :­  
Establish a network security and telecommunications program in line 
with enterprise policy and security goals.
Manage the necessary resources, including financial resources, to 
establish and maintain an effective network security and 
telecommunications program.
Direct network security and telecommunications personnel.
Define the scope of the network security and telecommunications 
Establish communications between the network security and 
telecommunications team and related security teams (e.g., technical 
support, security administration, incident response).
Integrate network security and telecommunications program activities 
with technical support, security administration, and incident response 
Establish a network security and telecommunications performance 
measurement program.
Ensure enterprise compliance with applicable network­based 
standards, procedures, directives, policies, regulations, and laws. 
Ensure that network­based audits and management reviews are 
conducted to implement process improvement. 
Implement appropriate improvement actions, as required. 
Page 29 of 83
P a g e | 30

 ✔   2.7.2 Design:­
Develop network and host­based security policies in accordance with 
standards, procedures, directives, policies, regulations, and laws.
Specify strategic security plans for network telecommunications in 
accordance with established policy to meet organizational security goals.
Develop network security and telecommunications operations and 
maintenance standard operating procedures.
Develop network security test plans and procedures in accordance with 
standards, procedures, directives, policies, regulations, and laws. 
Generate network security performance reports.
Develop network security and telecommunication audit processes and 

✔  2.7.3 Implement  :­  
Prevent and detect intrusions and protect against viruses.
Perform audit tracking and reporting. 
Create, develop, apply, control, and manage effective network domain 
security controls in accordance with enterprise, network, and host­
based policies. 
Test strategic network security technologies for effectiveness; 
incorporate controls that ensure compliance with the enterprise, 
network and host­based security policies. 
Monitor and assess network security threats and issues.
Gather technical data and monitor and assess network vulnerabilities.
Correct network security vulnerabilities in response to problems 
identified in vulnerability reports.
Provide real­time network intrusion response.

Determine whether or not antivirus systems are in place and operating 

Page 30 of 83
P a g e | 31

Ensure that messages are confidential and free from tampering and 
Defend network communications from tampering and/or 

 ✔   2.7.4 Evaluate:­
Perform a network security evaluation, calculate risks to the enterprise, and 
recommend remediation activities.
Ensure that appropriate solutions to eliminate or otherwise mitigate 
identified vulnerabilities are implemented effectively.
Arrange independent verification and validation of the network to assess full 
satisfaction of functional requirements.
Compile data into measures for analysis and reporting.

∇  2.8  Personnel Security  :­  
It refers to methods and controls used to ensure that an organization’s selection 
and application of human resources (both employee and contractor) are 
controlled to promote security. Personnel security controls are used to prevent 
and detect employee­caused security breaches such as theft, fraud, misuse of 
information, and noncompliance. The controls include organization/functional 
design elements such as separation of duties, job rotation, and determining 
position sensitivity.

 ✔   2.8.1 Manage:­
Coordinate with IT security, physical security, operations security, and 
other organizational managers to ensure a coherent, coordinated 
approach to security across the organization. 
Acquire and manage the necessary resources, including financial 
resources, to manage and maintain the personnel security program. 

Page 31 of 83
P a g e | 32

Establish objectives for the personnel security program relative to the 
overall security goals for the enterprise.
Ensure compliance through periodic audits of methods and controls.
Ensure personnel security is a component of enterprise continuity of 
Direct the ongoing operations of the personnel security program.
Implement appropriate improvement actions, as required.

✔  2.8.2 Design:­  
Establish personnel security processes and procedures for individual 
job roles. 
Establish procedures to coordinate with other organizations to ensure 
common processes are aligned.
Establish personnel security standards to which external suppliers 
(e.g., vendors, contractors) must conform. 

 ✔   2.8.3Implement:­ 
Coordinate within the personnel security office or with Human 
Resources to ensure that position sensitivity is established prior to the 
interview process and that appropriate background screening and 
suitability requirements are identified for each position.
Coordinate within the personnel security office or with Human 
Resources to ensure background investigations are processed based on 
the level of trust and position sensitivity. 
Review, analyze, and adjudicate reports of investigations, personnel 
files, and other records to determine whether to grant, deny, revoke, 
suspend, or restrict clearances consistent with national security and/or 
suitability issues. 
Coordinate with physical security and IT security operations personnel 
to ensure that employee access to physical facilities, media, and IT 
systems and networks is modified or terminated upon reassignment, 
change of duties, resignation, or termination.
Page 32 of 83
P a g e | 33

Exercise oversight of personnel security program appeals procedures to 
verify that the rights of individuals are being protected according to 
Periodically review the personnel security program for compliance with 
standards, procedures, directives, policy, regulations, and law. 

 ✔    2.8.4 Evaluate:­
Review the effectiveness of the personnel security program and 
recommend changes that will improve internal practices and/or 
security organization­wide.
Assess the relationships between personnel security procedures and 
organization­wide security needs and make recommendations for 
Periodically assess the personnel security program for compliance with 
standards, procedures, directives, policies, regulations, and laws.

 ∇    2.9 Physical and Environmental Security:­ 
Refers to the methods and controls used to proactively protect an organization 
from natural or manmade threats to physical facilities and buildings, as well 
as to the physical locations where IT equipment is located or work is 
performed (e.g., computer rooms, work locations). Physical and 
environmental security protects an organization’s personnel, electronic 
equipment, and information.

 ✔   2.9.1 Manage:­
Coordinate with personnel managing IT security, personnel security, 
operations security, and other security program areas to provide an 
integrated and coherent security effort. 
Acquire the necessary resources, including financial resources, to 
support an effective physical security program. 
Establish a physical security performance measurement system.

Page 33 of 83
P a g e | 34

Establish a program to determine the value of physical assets and their 
impact if unavailable.
Implement appropriate improvement recommendations, as required.

✔  2.9.2 Design :­ 
Identify the physical security program requirements and specifications 
in relationship to the enterprise security goals.
Develop the policies and procedures for identifying and mitigating 
physical and environmental threats to information assets, personnel, 
facilities, and equipment.
Develop a physical security and environmental security plan, including 
security test plans and contingency plans, in coordination with other 
security planning functions.
Develop countermeasures against identified risks and vulnerabilities.
Develop criteria for inclusion in the acquisition of facilities, equipment, 
and services that impact physical security.

✔  2.9.3 Implement :­ 
Apply physical and environmental controls in support of the physical 
security plan.
Control access to information assets in accordance with standards, 
procedures, directives, policy, regulations, and law.
Integrate physical security concepts into test plans, procedures, and 
Conduct threat and vulnerability assessments to identify physical and 
environmental risks and vulnerabilities then update the applicable 
controls as necessary.
Review construction projects to ensure that appropriate physical 
security and protective design features are incorporated into the 

✔  2.9.4 Evaluate  :­  
Page 34 of 83
P a g e | 35

Assess and evaluate the overall effectiveness of the physical and 
environmental security policy and controls and make recommendations 
for improvement. 
Review incident data and make process improvement 
Assess the effectiveness of physical and environmental security control 
Evaluate acquisitions that have physical security implications and 
report findings to management.
Compile, analyze, and report performance measures. 

 ∇    2.10 Procurement:­ 
It refers to the application of principles, policies, and procedures required 
planning, applying, and evaluating the purchase of IT products or services, 
including "risk­based" pre­solicitation, solicitation, source selection, award, 
and monitoring, disposal, and other post­award activities. Procurement 
activities may consist of the development of procurement and contract 
administration documents that include, but are not limited to, procurement 
plans, estimates, requests for information, requests for quotes, requests for 
proposals, statements of work, contracts, cost­benefit analyses, evaluation 
factors for award, source selection plans, incentive plans, service level 
agreements, justifications required by policies or procedures, and contract 
administration plans.

✔  2.10.1 Manage  :­  
Collaborate with various stakeholders (which may include internal 
client, lawyers, Chief Information Officer (CIO), Chief Information 
Security Officer, IT Security Professional, Privacy Professional, 
Security Engineer, suppliers, and many others) on the procurement of 
IT security products and services.
Page 35 of 83
P a g e | 36

Ensure the inclusion of risk­based IT security requirements in 
acquisition plans, cost estimates, statements of work, contracts, and 
evaluation factors for award, service level agreements, and other 
pertinent procurement documents.
Ensure that suppliers understand the importance of IT security.
Conduct detailed IT investment reviews and security analyses and 
review IT investment business cases for security requirements. 
Ensure that organization’s IT contracts do not violate laws and 
regulations, and require compliance with standards when applicable.
Specify policies for the use of third party information by 
vendors/partners and connection requirements and acceptable use 
policies for vendors that connect to networks.
Implement appropriate improvement recommendations, if required.

✔  2.10.2 Design :­ 
Develop contracting language that mandates the incorporation of IT 
security requirements in information services, IT integration services, 
IT products, and information security product purchases. 
Develop contract administration policies that direct the evaluation and 
acceptance of  delivered IT security products and services under a 
contract, as well as the security evaluation of IT and software being 
Develop measures and reporting standards to measure and report on 
key objectives in procurements aligned with IT security policies and 
Develop a vendor management policy and associated program that 
implements policy with regard to use of third party information and 
connection requirement and acceptable use policies for vendors who 
connect to corporate networks. Include due diligence activities to 
ensure that vendors are operationally and technically competent to 
receive third party information and to connect and communicate with 
corporate networks. 

Page 36 of 83
P a g e | 37

 ✔    2.10.3 Implement:­
Include IT security considerations as directed by policies and 
procedures in procurement and acquisition activities. 
Negotiate final deals (e.g., contracts, contract changes, grants, 
agreements) that include IT security requirements that minimize risk 
to the organization. 
Ensure that physical security concerns are integrated into the 
acquisition strategies. 
Maintain ongoing and effective communications with suppliers and 
Perform compliance reviews of delivered products and services to 
assess the delivery of IT requirements against stated contract 
requirements and measures.

 ✔    2.10.4 Evaluate:­
Review contracting documents, such as statements of work or requests 
for proposals, for inclusion of IT security considerations in accordance 
with information security requirements, policies, and procedures. 
Assess industry landscape for applicable IT security trends, including 
practices for mitigating security risks associated with global supply 
chain management.
Review Memorandum of Agreements, Memorandum of 
Understandings and/or Service. 
Level Agreements for agreed level of IT security responsibility.
Conduct detailed IT investment reviews and security analyses and 
review IT investment business cases for security requirements.
Assess and evaluate the effectiveness of the vendor management 
program in complying with corporate policy with regard to use of third 
party information and connection requirement and acceptable use 
policies for vendors who connect to corporate networks. 

Page 37 of 83
P a g e | 38

Conduct due diligence activities to ensure that vendors are 
operationally and technically competent to receive third party 
information, to connect and communicate with networks, and to deliver 
and support secure applications.
Evaluate effectiveness of procurement function at addressing 
information security requirements through procurement activities and 
recommend improvements.

 ∇    2.11 Regulatory and Standards Compliance:­ 
Refers to the application of the principles, policies, and procedures that 
enable an enterprise to meet applicable information security laws, 
regulations, standards, and policies to satisfy statutory requirements, perform 
industry­wide best practices, and achieve its information security program 

✔  2.11.1 Manage  :­  
Establish and administer a risk­based enterprise information security 
program that addresses applicable standards, procedures, directives, policies, 
regulations and laws.
Define the scope of the enterprise information security compliance program.
Maintain the information security enterprise compliance program budget.
Organize and direct a staff that is responsible for information security 
compliance, licensing and registration, and data security surveillance.
Ensure that all employees are informed of their obligations and are motivated 
to comply with the applicable information security standards, procedures, 
directives, policies, regulations, and laws.
Identify major enterprise risk factors (product, compliance, and operational) 
and develop and coordinate the application of information security strategies, 
plans, policies, and procedures to reduce regulatory risk.
Maintain relationships with all regulatory information security organizations 
and appropriate industry groups, forums, stakeholders and organizations.

Page 38 of 83
P a g e | 39

Keep informed on pending information security changes, trends, and best 
practices by participating in collaborative settings.
Secure the resources necessary to support an effective information security 
enterprise compliance program.
Establish an enterprise information security compliance performance 
measures program.
Implement appropriate improvements, as required.

 ✔   2.11.2 Design:­
Develop enterprise information security compliance strategies, policies, plans 
and procedures in accordance with established standards, procedures, 
directives, policies, regulations, and laws.
Specify enterprise information security compliance program control 
Author information security compliance performance reports, Document 
information security audit results and develop remedial action policies and 
Develop a plan of action and associated mitigation strategies to address 
program deficiencies.
Document compliance reporting process in a manner that produces evidence 
that process exists.

 ✔   2.11.3 Implement:­ 
Monitor and assess the information security compliance practices of all 
personnel in accordance with enterprise policies and procedures.
Maintain ongoing and effective communications with key compliance 
Conduct internal audits to determine if information security control 
objectives, controls, processes, and procedures are effectively applied and 
maintained, and perform as expected.
Page 39 of 83
P a g e | 40

✔  2.11.4 Evaluate:­  
Assess the effectiveness of enterprise compliance program controls against the 
applicable laws, regulations, standards, policies, and procedures.
Assess the effectiveness of the information security compliance process and 
procedures for process improvement and implement changes where 
Compile, analyze, and report performance measures.

∇  2.12 Risk Management:­  
It refers to the policies, processes, procedures, and technologies used by an 
organization to create a balanced approach to identifying and assessing risks 
to information assets and to manage mitigation strategies that achieve the 
security needed at an affordable cost. 

✔  2.12.1 Manage:­  
Establish a IT security risk management program based on the enterprise 
business goals and objectives.
Advise senior management during the decision making process by helping 
them understand and evaluate the impact of IT security risks on business 
goals, objectives, plans, programs and actions.
Acquire and manage the resources, including financial resources, necessary to 
conduct an effective risk management program.
Authorize operations to acknowledge acceptance of residual risk.
Implement appropriate improvement recommendations, as required.

✔  2.12.2 Design :­
Specify risk­based information security requirements and a security concept 
of operations.
Develop the policies, processes and procedures for identifying, assessing, and 
mitigating risks to information assets, personnel, facilities, and equipment.

Page 40 of 83
P a g e | 41

Develop processes and procedures for determining the costs and benefits of 
risk mitigation strategies.
Develop the procedures for documenting the decision to apply mitigation 
strategies or acceptance of risk.
Develop and maintain risk­based security policies, plans, and procedures 
based on security requirements and in accordance with standards, 
procedures, directives, policy, regulation and law.

✔  2.12.3 Implement :­
Apply controls in support of the risk management program.
Provide input to policies, plans, procedures, and technologies to balance the 
level of risk associated with the benefits provided by mitigating controls.
Implement threat and vulnerability assessments to identify security risks and 
update the applicable security controls regularly.
Identify risk/functionality tradeoffs and work with stakeholders to ensure risk 
management implementation is consistent with desired organization’s risk 

✔  2.12.4 Evaluate:­  
Assess the effectiveness of the risk management program and implement 
changes where required.
Review the performance of and provide recommendations for risk 
management (security controls, policies/procedures that make up risk 
management program) tools and techniques.
Assess the residual risk in the information infrastructure used by the 
Assess the results of threat and vulnerability assessments to identify security 
risks and update the applicable security controls regularly.
Identify changes to risk management policies and processes to remain current 
with emerging risk and threat environment.

 2.13  Strategic Management:­ 
Page 41 of 83
P a g e | 42

It refers to the principles, practices, and methods involved in making 
managerial decisions and actions that determine the long­term performance of 
an organization. Strategic management requires the practice of external 
business analyses such as customer analyses, competitor analyses, market 
analyses, and industry environmental analyses. Strategic management also 
requires the performance of internal business analyses that address financial 
performance, performance measurement, quality assurance, risk management, 
and organizational capabilities and constraints. The goal of these analyses is to 
ensure that an organization’s IT security principles, practices and system 
design are in line with the organization’s mission statement. 

 ✔   2.13.1 Manage:­
Establish an IT security program to provide security for all systems, 
networks, and data that support the operations and business/mission needs of 
the organization.
Integrate and align IT security, physical security, personnel security, and 
other security components into a systematic process to ensure information 
protection goals and objectives are reached.
Align IT security priorities with the organization’s mission and vision and 
communicate the value of IT security within the organization.
Acquire the necessary resources, including financial resources, to support IT 
security goals and objectives and reduce overall organizational risk.
Establish overall enterprise security architecture (EA) by aligning business 
processes, IT software and hardware, local and wide area networks, people, 
operations, and projects with the organization’s overall security strategy.
Acquire and manage the necessary resources, including financial resources, 
for instituting the security policy elements in the operational environment.
Establish the organizational goals that are in accordance with standards, 
procedures, directives, policies, regulations and laws.
Balance the IT security investment portfolio based on EA considerations and 
enterprise security priorities.

Page 42 of 83
P a g e | 43

✔  2.13.2 Design :­
Establish a performance management program that will measure the 
efficiency, effectiveness, and maturity of the IT security program in support 
of the business/mission needs of the organization.
Develop IT security program components and associated strategy to support 
organization’s IT security program.
Develop information security management strategic plans.
Integrate applicable laws and regulations into the enterprise information 
security strategy, plans, policies, and procedures.

 ✔   2.13.3 Implement:­
Provide feedback to management on the effectiveness and performance of 
security strategic plans in accomplishing business/mission needs.
Perform internal and external enterprise analyses to ensure the organization’s 
IT security principles and practices are in line with the organizational 
Integrate business goals with information security program policies, plans, 
processes, and procedures.
Collect, analyze, and report performance measures.
Use performance measures to inform strategic decision making.

✔  2.13.4 Evaluate :­ 
Determine if security controls and processes are adequately integrated into 
the investment planning process based on IT portfolio and security reporting.
Review security funding within IT portfolio to determine if funding 
accurately aligns with security goals and objectives and make funding 
recommendations accordingly.
Assess the integration of security with the business/mission and recommend 
Review the cost goals of each major investment.
Assess the performance and overall effectiveness of the security program with 
respect to security goals and objectives.
Page 43 of 83
P a g e | 44

Assess and refresh performance measurement program to ensure currency 
with organization’s goals and priorities.

 ∇    2.14 System and Application Security:­ 
It refers to the principles, policies, and procedures pertaining to integrating 
information security into an IT system or application during the System 
Development Life Cycle (SDLC) prior to the Operations and Maintenance 
phase. The practice of these protocols ensures that the operation of IT systems 
and software does not present undue risk to the enterprise and its information 
assets. This objective is accomplished through risk assessment; risk 
mitigation; security control selection, implementation and evaluation; and 
software security standards compliance.

 ✔   2.14.1 Manage:­ 
Establish the IT system and application security engineering program.
Acquire the necessary resources, including financial resources, to support the 
integration of security in the SDLC.
Guide IT security personnel through the SDLC phases.
Define the scope of the IT security program as it applies to the application of 
Plan the IT security program components into the SDLC.

 ✔   2.14.2 Design:­ 
Specify the enterprise and IT system or application security policies.
Specify the security requirements for the IT system or application.
Author and IT system or application security plan in accordance with the 
enterprise and IT system or application security policies.
Identify the standards against which to engineer the IT system or application.
Specify the criteria for performing risk­based audits against the IT system or 
Develop processes and procedures to mitigate the introduction of 
vulnerabilities during the engineering process.
Page 44 of 83
P a g e | 45

Integrate applicable information security requirements, controls, processes, 
and procedures into IT system and application design specifications in 
accordance with established standards, policies, regulations, and laws.

 ✔   2.14.3 Implement:­ 
Execute the enterprise and IT system or application security policies.
Apply and verify compliance with the identified standards against which to 
engineer the IT system or application.
Perform the processes and procedures to mitigate the introduction of 
vulnerabilities during the engineering process.
Perform secure configuration management practices.
Validate that the engineered IT security and application security controls 
meet the specified requirements.
Reengineer security controls to mitigate vulnerabilities identified during the 
operations phase.
Ensure the integration of information security practices throughout the 
SDLC process.
Document IT or application security controls addressed within the system.
Practice secure coding practices.

 ✔   2.14.4 Evaluate:­ 
Review new and existing risk management technologies to achieve an optimal 
enterprise risk posture.
Review new and existing IT security technologies to support secure 
engineering across the SDLC phases.
Continually assess the effectiveness of the information system’s controls based 
on risk management practices and procedures.
Assess and evaluate system compliance with corporate policies and 

Page 45 of 83
P a g e | 46

Assess system maturation and readiness for promotion to the production 
Collect lessons learned from integration of information security into the 
SDLC and use to identify improvement actions.
Collect, analyze, and report performance measures.

 ➢   3 The IT Security Essential Body of Knowledge:­  
Knowledge of key terms and concepts is the foundation for effective 
performance of the functions associated with each of the technical 
competency areas. Without requisite knowledge, it is virtually impossible to 
perform work functions. The IT Security EBK lists all of the key terms and 
concepts that have been identified for each competency area. At minimum, 
individuals should know, understand, and be able to apply the key terms and 
concepts that relate to the competencies to which their role is linked. Full 
knowledge of all of the key terms and concepts is the foundation for 
performance as a conversant IT security generalist. This section describes and 
lists the 14 IT security competency areas with affiliated key terms and 

 ∇    3.1Data Security:­  
It refers to the application of the principles, policies, and procedures 
necessary to ensure the confidentiality, integrity, availability, and 
privacy of data in all forms of media throughout the media (electronic 
and hardcopy) throughout the data life cycle.
Access Control  
Antivirus Software
Authentication Data Classification
Discretionary Access Control
Electronic Commerce

Page 46 of 83
P a g e | 47

Firewall Configuration 
Information Classification
Mandatory Access Control 
No repudiation 
Personally Identifiable 
Privilege Levels 
Public Key Infrastructure 
Role­Based Access Control
Rule­Based Access Control
Secure Data Handling 
Security Clearance 
Sensitive Information 
Sensitivity Determination 
Sensitivity of Data 
System of Records 
User Privileges 
User Provisioning 

 ∇    3.2Digital Forensics:­  
It refers to the knowledge and understanding of digital investigation and 
analysis techniques used for recovering, authenticating, and analyzing 
electronic data to reconstruct events related to security incidents. Such 
activities require building a digital knowledge base. The investigative process 
is composed of three phases: acquire, analyze, and report. 
Bit­Stream Copy/Image
Chain of Custody 
Page 47 of 83
P a g e | 48

Computer Forensics 
Digital Forensic Systems 
Disk File System 
Duplicate Image 
Evidence Archival 
Forensic Analysis 
Forensic Labs
Integrity of Evidence 
Intrusion Detection Systems 
Intrusion Prevention Systems 
Network Forensics 
Network Monitoring 
Persistent Data
Portable Media Forensics
Security Incident 

 ∇    3.3 Enterprise Continuity:­  
It refers to the application of the principles, policies, and procedures used to 
ensure an enterprise continues to perform essential business functions after 
the occurrence of a wide range of potential catastrophic events. For the 
purposes of the IT Security EBK, Enterprise Continuity relates to IT assets 
and resources and associated IT security requirements.
Alternate Facility 
Business Continuity 
Business Recovery
Crisis Communication 
Cyber Incident Response 
Delegation of Authority 
Disaster Recovery
Page 48 of 83
P a g e | 49

Essential Functions 
Information Technology 
Contingency Plan 
Interoperable Communications 
Occupant Emergency 
Order of Succession 
Risk Mitigation
Standard Operating Procedures 
Tests, Training, and Exercises 
Threat Environment 
Vital Records and Databases 

 ∇    3.4 Incident Management:­  
It refers to the knowledge and understanding of the process to prepare and 
prevent, detect, contain, eradicate, and recover, and apply lessons learned 
from incidents impacting the mission of an organization.
Computer Security
Escalation Procedures 
Incident Handling 
Incident Records 
Incident Response 
Information Assurance Posture 
Information Security Policy
Information System 
Privacy (personally identifiable data) 
Reconstitution of System 
Risk Assessment 
Page 49 of 83
P a g e | 50

Risk Management 
Security Alerts 
Security Incident 
System Compromise 
Threat Motivation
Unauthorized Access 

 ∇    3.5IT Security Training and Awareness:­  
It refers to the principles, practices, and methods required to raise employee 
awareness about basic information security, and to train individuals with 
information security roles to increase their knowledge, skills and abilities. 
Training activities are designed to instruct workers about their security 
responsibilities and teach them about information security processes and 
procedures so duties are performed optimally and securely within related 
environments. Awareness activities present essential information security 
concepts to the workforce in order to change user behavior.
• Awareness 
• End User Security Training 
• IT Security Awareness Program 
• Instructor Led Training (ILT)
• Computer Based Training (CBT) 
• Curriculum 
• Learning Objectives 
• IT Security Training Program 
• Role­Based Training 
• Training 
• Instructional Systems Design (ISD) 
• Web Based Training (WBT)
• Learning Management System (LMS) 
Page 50 of 83
P a g e | 51

• Needs Assessment 

 ∇    3.6 IT Systems Operations and Maintenance:­  
It refers to the ongoing application of principles, policies, and procedures to 
maintain, monitor, control, and protect IT infrastructure and the information 
residing on it during the operations phase of an IT system or application in 
Access Control 
Antivirus Software 
Configuration Management
Insider Threat 
Intrusion Detection Systems 
Intrusion Prevention Systems 
Patch Management
Penetration Testing 
Security Data Analysis 
Security Measures 
Security Reporting 
System Hardening 
System Logs 
System Monitoring 
Threat Analysis 
Threat Monitoring 
Vulnerability Analysis 

 ∇    3.7Network Security and Telecommunications:­  
It refers to the application of the principles, policies, and procedures involved 
in ensuring the security of basic network services and data and in 
maintaining the hardware layer on which it resides. These practices address 

Page 51 of 83
P a g e | 52

perimeter defense strategies, defense­in­depth strategies, and data encryption 
Access Control 
Biometrics Authentication 
Crypto security 
Email Scanners 
Emission Security 
Encryption Technologies (e.g., Secure Sockets Layer [SSL], Transport Layer 
Security [TLS]) 
Internal and External Telecommunications Technology (e.g., Private Branch 
Exchange [PBX] and Voice Over Internet Protocol [VOIP]) 
Intrusion Detection Systems 
Intrusion Prevention Systems 
Load Balancers 
Network Architecture 
Network Segmentation (e.g., Virtual Local Area Network [V­LAN], 
Demilitarized Zone [DMZ]) 
Penetration Testing 
Transmission Security 
Virtual Private Network 

 ∇    3.8Personnel Security:­  

Page 52 of 83
P a g e | 53

It refers to methods and controls used to ensure that an organization’s 
selection and application of human resources (both employee and contractor) 
are controlled to promote security. Personnel security controls are used to 
prevent and detect employee­caused security breaches such as theft, fraud, 
misuse of information, and noncompliance. The controls include 
organization/functional design elements such as separation of duties, job 
rotation, and determining position sensitivity.
Background Checks/Background Investigation
Human Resources 
Insider Threat 
Job Rotation 
Nondisclosure Agreement 
Position Sensitivity 
Secure Employee Termination 
Security Breach
Security Clearance 
Separation of Duties 

 ∇    3.9Physical and Environmental Security:­  
It refers to the methods and controls used to proactively protect an 
organization from natural or manmade threats to physical facilities and 
buildings, as well as to the physical locations where IT equipment is located or 
work is performed (e.g., computer rooms, work locations). Physical and 
environmental security protects an organization’s personnel, electronic 
equipment, and information. 
Access Cards 
Access Control 
Page 53 of 83
P a g e | 54

Environmental Threat
Identification and Authentication
Manmade Threat 
Natural Threat
Perimeter Defense 
Risk Management 
Threat and Vulnerability Assessment 

 ∇    3.10 Procurement:­ 
It refers to the application of principles, policies, and procedures required to 
plan, apply, and evaluate the purchase of IT products or services, including 
"risk­based" pre­solicitation, solicitation, source selection, award, and 
monitoring, disposal, and other post­award activities. Procurement activities 
may consist of the development of procurement and contract administration 
documents that include, but are not limited to, procurement plans, estimates, 
requests for information, requests for quotes, requests for proposals, 
statements of work, contracts, cost­benefit analyses, evaluation factors for 
award, source selection plans, incentive plans, service level agreements, 
justifications required by policies or procedures, and contract administration 
Acceptable risk
Acquisition Life Cycle 
Business Impact 
Category Management 
Cost­Benefit Analysis 
Cost Reimbursement Contract 

Page 54 of 83
P a g e | 55

Fixed Price Contract 
Incentive Contract
Indefinite Delivery Contract
Performance­based Contracts 
Regulatory Compliance 
Request for Information 
Request for Proposal 
Risk Analysis 
Risk­Based Decision 
Risk Mitigation
Security Measures 
Service Level Agreement 
Sole Source Justification 
Spend Analysis
Statement of Objectives 
Statement of Work 
Terms and Conditions 
Time and Materials Contract
Total Cost of Ownership

 ∇    3.11Regulatory and Standards Compliance:­ 
It refers to the application of the principles, policies, and procedures that 
enable an enterprise to meet applicable information security laws, 
regulations, standards, and policies to satisfy statutory requirements, perform 
industry­wide best practices, and achieve its information security program 

Page 55 of 83
P a g e | 56

Laws (including but not limited to Health Insurance Portability and 
Accountability Act [HIPAA], Federal Information Security Management Act 
[FISMA], Clinger­Cohen Act, Privacy Act, Sarbanes­Oxley, etc.) 
Privacy Principles/Fair Info Practices 
Security program 
Standards (e.g., ISO 27000 series, Federal Information Processing Standards 

 ∇    3.12Risk Management:­  
It refers to the policies, processes, procedures, and technologies used by an 
organization to create a balanced approach to identifying and assessing risks 
to information assets and to manage mitigation strategies that achieve the 
security needed at an affordable cost. 
Acceptable Risk 
Annual Loss Expectancy 
Annual Rate of Occurrence
Asset Valuation
Business Impact 
Likelihood Estimation
Page 56 of 83
P a g e | 57

Risk Analysis 
Risk Mitigation
Risk Treatment
Security Measures 
Single Loss Expectancy 
Threat and Vulnerability 
Threat Modeling 
Types of Risk

 ∇    3.13 Strategic Management:­  
It refers to the principles, practices, and methods involved in making 
managerial decisions and actions that determine the long­term performance 
of an organization. Strategic management requires the practice of external 
business analyses such as customer analyses, competitor analyses, market 
analyses, and industry environmental analyses. Strategic management also 
requires the performance of internal business analyses that address financial 
performance, performance measurement, quality assurance, risk 
management, and organizational capabilities and constraints. The goal of 
these analyses is to ensure that an organization’s IT security principles, 
practices and system design are in line with the organization’s mission 
Acquisition Management 
Budgeting Process and Financial Management 
Built­In Security 
Capital Planning 
Enterprise Architecture 
Page 57 of 83
P a g e | 58

Enterprise Security 
Performance Management 
Strategic Planning 
Strategic Resource and Investment Management 

 ∇    3.14 System and Application Security:­  
It refers to the principles, policies, and procedures pertaining to integrating 
information security into an IT system or application during the SDLC prior 
to the Operations and Maintenance phase. The practice of these protocols 
ensures that the operation of IT systems and software does not present undue 
risk to the enterprise and its information assets. This objective is 
accomplished through risk assessment; risk mitigation; security control 
selection, implementation and evaluation; and software security standards 
Application and Technical Security Controls 
Application Development 
Configuration Management
Process Maturity 
Risk Mitigation
Secure Coding 
Security Management 
Security Testing and Evaluation
System Development Life Cycle 
Risk Assessment 
Secure System Design 
Security Requirements Analysis 
Security Specifications 
Software Assurance 
System Engineering 

Page 58 of 83
P a g e | 59

➢  4  IT Security Roles, Competencies and Functional
Ten roles have been identified to segment the multitude of job titles within the 
public and private sector workforce into manageable functional groupings. 
Each role represents a cluster of organizational positions/job titles that 
perform similar functions in the workplace and therefore have the same IT 
security competencies. 

 ∇    4.1 Chief Information Officer:­ 
The Chief Information Officer focuses on the information security strategy 
within an organization and is responsible for the strategic use and 
management of information, information systems, and IT within that 
organization. The CIO establishes and oversees IT security metrics program, 
including evaluation of compliance with corporate policies and effectiveness 
of policy implementation. The CIO leads the evaluation of new and emerging 
IT security technologies. 
 ξ     Competencies: 
Data Security: Manage
Enterprise Continuity: Manage
Incident Management: Manage
IT Security Training and Awareness: Manage
Physical and Environmental Security: Manage
Procurement: Manage, Design
Regulatory and Standards Compliance: Manage, Evaluate
Risk Management: Manage, Evaluate
Strategic Management: Manage, Design, Evaluate
System and Application Security: Manage 
 ξ     Example Job Titles: 
Chief Information Officer (CIO) 

 ∇    4.2 Digital Forensics Professional:­ 
Page 59 of 83
P a g e | 60

The Digital Forensics Professional performs a variety of highly technical 
analyses and procedures in collecting, processing, preserving, analyzing, and 
presenting computer­related evidence, including but not limited to data 
retrieval, breaking passwords, and finding hidden or otherwise “invisible” 
 ξ     Competencies: 
Digital Forensics: Manage, Design, Implement, Evaluate
Incident Management: Implement
IT Systems Operations and Maintenance: Design, Implement, Evaluate
Network Security and Telecommunications: Design, Implement Procurement: 
Risk Management: Implement
 ξ     Example Job Titles: 
Digital Forensics Analyst 
Digital Forensics Engineer
Digital Forensics Practitioner 
Digital Forensics Professional 

 ∇    4.3 Information Security Officer/Chief Security Officer:­ 
The Information Security Officer/Chief Security Officer (ISO/CSO) 
specializes in the information and physical security strategy within an 
organization. The ISO/CSO is charged with developing and subsequent 
enforcing of the company’s security policies and procedures, security 
awareness program, business continuity and disaster recovery plans, and all 
industry and governmental compliance issues. 
 ξ     Competencies: 
Data Security: Manage, Design, Evaluate
Digital Forensics: Manage, Design
Enterprise Continuity: Manage, Evaluate
Incident Management: Manage, Design, Evaluate
IT Security Training and Awareness: Manage, Evaluate
Physical and Environmental Security: Manage, Evaluate
Page 60 of 83
P a g e | 61

Procurement: Manage, Design, Evaluate
Regulatory and Standards Compliance: Manage, Design, Evaluate
Risk Management: Manage, Design, Evaluate
Strategic Management: Manage, Design, Implement, Evaluate
System and Application Security: Manage, Evaluate 
 ξ     Example Job Titles: 
Chief Cyber Security Officer
Chief Security Officer 
Information Security Officer 
Senior Agency Information Security Officer 

 ∇    4.4 IT Security Compliance Professional:­  
The IT Security Compliance Professional is responsible for overseeing, 
evaluating, and supporting compliance issues pertinent to the organization. 
Individuals in this role perform a variety of activities, encompassing 
compliance from an internal and external perspective. Such activities include 
leading and conducting internal investigations, assisting employees comply 
with internal policies and procedures, and serving as a resource to external 
compliance officers during independent assessments. The IT Security 
Compliance Professional provides guidance and autonomous evaluation of the 
organization to management. 
 ξ     Competencies: 
Data Security: Evaluate
Digital Forensics: Evaluate
Enterprise Continuity: Evaluate
Incident Management: Evaluate
IT Security Training and Awareness: Evaluate 
IT Systems Operations and Maintenance: Evaluate
Network Security and Telecommunications: Evaluate
Personnel Security: Evaluate
Physical and Environmental Security: Evaluate
Procurement: Evaluate
Page 61 of 83
P a g e | 62

Regulatory and Standards Compliance: Design, Implement, Evaluate
Risk Management: Implement, Evaluate
Strategic Management: Evaluate
System and Application Security: Evaluate
 ξ     Example Job Titles: 
Compliance Officer 
Inspector General 
Regulatory Affairs Analyst 

 ∇    4.5 IT Security Engineer:­  
The Security Engineer applies cross­disciplinary IT security knowledge to 
build IT systems that remain dependable in the face of malice, error, and 
 ξ     Competencies: 
Data Security: Design, Evaluate
IT Operations and Maintenance: Design, Implement
Network Security and Telecommunications: Design, Implement
Risk Management: Implement
System and Application Security: Design, Implement, Evaluate
ξ  Example Job Titles : 
Requirements Analyst 
Security Analyst 
Security Architect 
Security Engineer 
Software Architect
System Engineer 

 ∇    4.6 IT Systems Operations and Maintenance Professional:­ 

Page 62 of 83
P a g e | 63

The IT Security Operations and Maintenance Professional ensures the 
security of information and information systems during the Operations and 
Maintenance phase of the SDLC. 
 ξ     Competencies: 
Data Security: Implement, Evaluate
Digital Forensics: Implement
Enterprise Continuity: Design, Implement
Incident Management: Design, Implement, Evaluate
IT Systems Operations and Maintenance: Manage, Design, Implement,  
Network Security and Telecommunications: Manage, Design, Implement,  
Procurement: Evaluate
Risk Management: Implement
System and Application Security: Implement 
 ξ     Example Job Titles: 
Database Administrator 
Directory Services Administrator 
Network Administrator 
Service Desk Representative
System Administrator 
Technical Support Personnel 

 ∇    4.7 IT Security Professional:­  
The IT Security Professional concentrates on protecting information and 
information systems from unauthorized access, use, disclosure, disruption, 
modification, or destruction to provide confidentiality, integrity, and 
 ξ     Competencies: 
Data Security: Manage, Design, Evaluate
Enterprise Continuity: Evaluate
Incident Management: Design, Evaluate
Page 63 of 83
P a g e | 64

IT Security Training and Awareness: Design, Implement, Evaluate
Personnel Security: Design, Evaluate
Physical and Environmental Security: Design, Evaluate
Regulatory and Standards Compliance: Implement
Risk Management: Design, Implement, Evaluate
 ξ     Example Job Titles: 
Information Security Program Manager 
Information Systems Security Manager (ISSM) 
Information Systems Security Officer (ISSO) 
Security Program Director 

 ∇    4.8 Physical Security Professional:­ 
The Physical Security Professional protects physical computer systems and 
related buildings and equipment from intrusion and from fire and other 
natural and environmental hazards.
 ξ     Competencies: 
Enterprise Continuity: Design, Implement
Incident Management: Implement
Personnel Security: Evaluate
Physical and Environmental Security: Manage, Design, Implement, Evaluate 
Procurement: Evaluation
Risk Management: Implement
 ξ     Example Job Titles: 
Physical Security Administrator 
Physical Security Officer 

 ∇    4.9 Privacy Professional:­  
The Privacy Professional is responsible for developing and managing an 
organization’s privacy compliance program. The privacy professional 
establishes a risk management framework and governance model to assure 

Page 64 of 83
P a g e | 65

the appropriate handling of Personally Identifiable Information (PII). The 
privacy professional ensures PII is managed throughout the information life 
cycle, from collection to disposal. 
 ξ    Competencies: 
Data Security: Design, Evaluate
Incident Management: Manage, Design, Implement, Evaluate
IT Security Training and Awareness: Design, Evaluate
Personnel Security: Design, Implement
Regulatory and Standards Compliance: Manage, Design, Implement, Evaluate
Risk Management: Manage, Design, Implement, Evaluate
 ξ     Example Job Titles: 
Chief Privacy Officer 
Privacy Act Officer 
Privacy Information Professional 
Privacy Officer 
Senior Agency Official for Privacy 

 ∇    4.10 Procurement Professional:­ 
The Procurement Professional purchases or negotiates for products (software, 
hardware, etc.) and services (contractor support, etc.) in support of an 
organization’s IT strategy. In the IT security context, procurement 
professionals must ensure that security requirements are specified within 
solicitation and contract documents and ensure that only products and 
services meeting requirements are procured. The Procurement Professional 
must be knowledgeable about their industry and own organization, and must 
be able to effectively communicate with suppliers and negotiate terms of 
 ξ     Competencies: 
Procurement: Manage, Design, Implement, Evaluate
 ξ     Example Job Titles: 
Acquisition Manager 

Page 65 of 83
P a g e | 66

Contracting Officer 
Contracting Officer’s Technical Representative (COTR) 
Contract Specialist 
Purchasing Manager 

 ➢   5 IT Security Role, Competency, and Functional Matrix:­  
The IT Security Role, Competency, and Functional Matrix provides a visual 
representation of the linkage between roles, competency areas, and functions. 
In this section, the IT Security Roles are broadly grouped into Executive, 
Functional and Corollary categories. 

➢ 6 Wayne State University implements Q1 Labs QRadar technology.

By Denise Dubie, Network World
The IT security team at Wayne State University in Detroit wanted to get
better visibility into the traffic crossing the urban institution's main and
satellite locations. With some 33,000 students and 10,000 faculty, staff and
employees using the network - which includes 10,000 internal and 50,000
external hosts - the team turned to network behaviour analysis (NBA)
software from Q1 Labs.

NBA tools monitor and analyse network traffic, looking for abnormalities and
patterns that could indicate a zero-day attack, such as a server sending too
many queries or one that is trying to connect to the Internet in the middle of
the night. The products prove to be another layer of security: in addition to
identifying top talkers on the network, NBA technology can help network and
security teams detect undocumented vulnerabilities and symptoms of
unknown threats, before the environment is impacted.

"We have so many sources for network traffic and we needed better insight
into the network," says Morris Reynolds, director of information security and
access management at Wayne State. "We had a funding opportunity that
Page 66 of 83
P a g e | 67

enabled us to purchase the technology that would help us see what

vulnerabilities were coming across our network and how we were at risk."

The university implemented Q1 Labs QRadar technology, which is packaged

as an appliance, in July 2007 and upon installation detected between 10 and
15 bot-controlled computers on the network. The security policy at the
university cuts such computers off from the outside world and gives systems
administrators four days to remediate the problems. Finding these
vulnerabilities helps the security team spot potential vulnerabilities and
monitor traffic sources.

"Right off the bat, QRadar gave us a general idea of what was going on in our
network. It broke down the traffic by applications - I think it can handle
more than 1000 types of network traffic - and we were able to see which of
our networks were most vulnerable and which had the most problems," says
Graydon Huffman, Wayne State's senior systems security specialist
responsible for QRadar.

Reynolds adds that the information QRadar serves up from more than 50
devices (at a rate of 600 events per second) helps the security team protect the
integrity of the entire network. It also provides data on the potential
vulnerability to support their requests to other IT staff. Wayne State
University is currently planning a move to a distributed deployment model to
monitor university-wide inter-hub traffic, and has plans to expand the use of
QRadar to its medical campus in 2009.

"We want to give our systems administrators the best insight into their
environments, so they can prevent issues before they happen," Reynolds says.
∇ 6.1 Cisco routers are out and Juniper gear is in at Amazing mail.
By Tim Greene, Network World US
Amazingmail.com tossed its Cisco routers, switches and firewalls for Juniper
gear and wound up saving enough in ongoing support costs that the project
will pay for itself in eight months.

Page 67 of 83
P a g e | 68

The Arizona firm, which has about 90 employees spread over three sites,
made the swap during the first quarter of the year with no interruption to its
online custom printing and mailing operations, says Larry Prine, its lead
systems administrator.
There were some trade-offs, including that only certain models of the EX
switches can be configured to act as part of a single logical switch, but the
money the company saves on maintenance fees is worth it.
"Cost savings - that was the motivation," Prine says. By cutting support costs
from US$48,000 (around £25,600) for Cisco to less than $6,000 per year for
Juniper and selling off the two-year-old Cisco hardware, Amazingmail.com
will have the Juniper gear paid off by the end of this year, he says.
Along with the cost savings comes the ability to switch WAN routers when one
of the company's T-1 lines fails, something that was too complex for
Amazingmail.com to get running on its Cisco routers, Prine says.

• Login | Register

• Subscribe to our newsletters

• Subscribe to our RSS Feeds

Registration is free, and gives you access to our white paper library, case
studies & analysis, downloads & speciality areas, forums, and more.
We editorially select highlights of the latest, breaking IT news, most-read
articles and expert insight, and deliver them to your inbox.

Page 68 of 83
P a g e | 69

Techworld’s RSS feeds send the latest industry news, reviews & analysis

direct to your desktop!

Overall, he thinks the Juniper gear is more manageable because each switch,
router and firewall works on the same operating system version as the rest, so
any configuration changes need to be done just once for each. With Cisco,
software versions could vary within device type, he says, requiring more
administrative time.
Prine swapped two Cisco Catalyst 6509 switches for four Juniper EX4200
switches. A Juniper SSG 140 security gateway and four SSG 320s replaced
three Cisco ASA 5520 security appliances. Prine says Cisco didn't make any
special efforts to retain Amazingmail.com's business.
Juniper EX 4200 switches can be deployed in a virtual chassis that enables
managing them as a single device, but that is not a feature of the EX 3200s, he
says. So the two EX 3200s in his network are managed separately. In that
sense, the Cisco equipment kind of had the advantage," Prine says.

∇ 6.2 The sweet smell of WAN acceleration

By Matt Hamblen, Computerworld US
Glen Dalgleish, vice president of infrastructure services at global perfumer
Coty, well remembers why he and his staff had implemented WAN
acceleration technology last January: to improve download speeds for some
6,000 users world-wide.

Page 69 of 83
P a g e | 70

With the devices from Riverbed Technology in place, users in Europe or Asia
could download a 50MB multimedia presentation on a hot new fragrance in
less than five minutes - a big improvement over the 30 minutes it had taken
before the acceleration fix.
"It is extremely potent technology," Dalgleish said. "People were calling and
saying, 'This can't be right.... Is something wrong? The downloads are too
FAST.' With a smile, we said, 'It is what it is...'"
Dalgleish, who started working for New York-based Coty nearly a year ago,
credits Riverbed and Orange, the network provider that has worked with
Coty for more than seven years, for the improvements.
In all, Riverbed and Orange spent about $500,000 to install about 50
Riverbed Steelhead appliances of various sizes in offices around the globe.
The devices talk to one big Steelhead at Coty's data centre in North Carolina,
Dalgleish said. Coty expects its investment should be paid back in 18 months.
The big advantage? Coty didn't need to expand network capacity to handle
exploding amounts of video and other multimedia data, he said. While adding
bandwidth might not be too expensive in New York, trying to boost
throughput by even a modest amount in some countries in Eastern Europe
can be exorbitant, he noted. With the Riverbed technology in place, the
loading on some network links dropped from 90 percent to 60 percent.
With the improved efficiency, Dalgleish has been able to remove about 12
caching servers around the world, saving money on the software licensing
costs for those servers. Now, when a user needs a file, the data comes straight
from the data centre, ensuring that they get the most recent version.
One problem Dalgleish encountered involved several legacy applications that
did not work with the acceleration software and would time-out. The
Page 70 of 83
P a g e | 71

applications were not mission critical and affected very few users, so they
were excluded from the acceleration pathway and still transmit at their older,
slower pace. Because the issue was minor, Dalgleish did not investigate the
Coty chose Riverbed's technology over several others, including Cisco,
Dalgleish said. Orange had recommended Riverbed after using the
technology itself; Dalgleish praised Orange for recognising that the
acceleration market is growing and offers clear benefits for network users.
"Because of what Orange did, it helps me want to stay with Orange," he said.
Now, he wants to test Riverbed's Steelhead mobile application to provide
optimisation to several hundred employee laptops. "You could use it from
your hotel room," he said.
We editorially select highlights of the latest, breaking IT news, most-read
articles and expert insight, and deliver them to your inbox. Techworld’s RSS
feeds send the latest industry news, reviews & analysis direct to your desktop!
Coty's experience with acceleration is not unusual, analysts said. Since WAN
optimisation technology began appearing five years ago, it has continued to
gain popularity at least in part because of success stories like Coty's.
"The market is still growing, and we have not seen a slowdown in end-user
demand for WAN optimisation," said Robert Whiteley, an analyst at
Forrester Research. "As IT [departments] look to trim the fat from budgets,
they often turn to consolidation projects, which increases the need for WAN
optimisation to accelerate connections to centralised data centre resources."
Whiteley said Riverbed is in the top tier of WAN optimisation vendors, along
with Cisco, Blue Coat Systems, Juniper Networks and Silver Peak System

∇ 6.3 How Wi-Fi eased the classroom crunch

Teachers need to take the Internet anywhere.
By Peter Judge, Techworld
Schools can be hesitant to use Wi-Fi, because they need to control the Internet
access their children get - but for Heathland Comprehensive School in West
London, blanket coverage was the best way to ease the pressure on the
school's computer rooms.

Page 71 of 83
P a g e | 72

In universities, adult pupils can be expected to provide their own laptops, and
take care of themselves online, so it makes sense to cover the site with Wi-Fi.
Secondary schools and below are less likely to go for full coverage, as their
pupils require more supervision and can't be expected to provide hardware.
School-level IT has generally been provided in special purpose computer
rooms - but modern teaching increasingly requires Internet access, and this
may have to change.
"Learning isn't centred completely on computers," says Adam Urch, network
manager at Heathland, "but our school is very tight on rooms, with around
95 percent of the rooms in use." The school, in Hounslow, West London, has
1850 pupils aged 11 to 18, 150 teachers and 200 support staff.
In that situation, there is always someone in the computer room, and it's not
possible to use it for a lesson which only needs access for ten minutes. In 2006,
it was obvious that teachers and pupils need to be able to access the Internet
from anywhere.
∇ 6.4 Is wireless best?
Wireless might seem to be the obvious answer, but Urch took some
persuading. He was happy with the general performance of wireless, provided
by some standalone Linksys Wi-Fi access points the school had bought on the
high street, but these could only support about a dozen users at a time, and
were awkward to use and unlikely to scale to larger coverage.
Also, as well as supporting the current building, any wireless LAN would
have to expand easily into new buildings that the school has planned.
➢ 7 Use of Network Security in WNS
 ∇    7.1 Introduction:­

WNS is a leading global business process outsourcing company. Deep 
industry and business process knowledge, a partnership approach, comprehensive 
service offering and a proven track record enables WNS to deliver business value to 
Page 72 of 83
P a g e | 73

some of the leading companies in the world. WNS is passionate about building a 
market­leading company valued by our clients, employees, business partners, 
investors and Communities.
∇  7.2Wireless Networks and Services Program ( WNS
Faculty handling the programme: Professor Djamal ZEGHLACHE

The Wireless Networks and Services program covers advances in wireless

architectures with an emphasis on wireless networking and services. The program
takes into account current technologies, the emergence of new devices and systems
and the growth expected in wireless. Wireless technologies and services represent
today one of the largest growth sector and market in the information technology and
society and this is especially true with the emergence of sensor (e.g. Zigbee),
mesh (e.g. WiMAX) and P2P networks in addition to the current cellular (such as
GSM, IS-95, IS-136, GPRS, EDGE, UMTS, Cdma2000) and the wireless local access
technologies (WiFi and Bluetooth as well as Ad Hoc networks). The number of
wireless devices (including sensors and actuators) and nodes is expected to grow into
billions worldwide while personal computers in the fixed infrastructure are not
expected to exceed a billion. This expected massive introduction of nodes and
devices will change the way wireless services are offered to end users and will
broaden the scope and applicability of wireless to all the sectors of the information
society. This evolution makes wireless networks much more complex. As multiple air
interfaces, multiple access technologies and multiple service architectures compose
the network, new capabilities and features are needed (to enable intelligent access
network selection and the secure and spontaneous formation of personal area
networks around the user) to provide context aware networking and to achieve
adaptation of applications and services to ambient conditions.

ξ Objectives:
The expected evolution in wireless networks and technologies poses real
challenges to the industry that tomorrow’s graduates must understand and be
prepared to tackle when joining the research and development community. The
objective of the Wireless Networks and Services education program at INT is to
train students, in the wireless networking and services area, to become an active
force in addressing these new technological challenges, the strategic objectives of the
industry and the needs of the information and human society. This program
consequently aims at providing in depth understanding of wireless networks and
services architectures by providing students with the underlying background in
radio propagation, in signalling and wireless systems fundamentals. Given this basic
knowledge, the program will address wireless network architectures encountered in
both cellular and short range wireless followed by an analysis and study of wireless
services architectures in the NGN and NGI context (including paradigms available

Page 73 of 83
P a g e | 74

in working groups and standardisation bodies such as W3C, OMA, 3GPP and
TISPAN). Emerging technologies and paradigms in wireless sensor networks,
wireless personal area networks and pervasive networks and services widen the
scope of the program and provide students with a longer term vision on the expected
evolutions in wireless systems, networks, services and applications. In addition to
acquiring knowledge in wireless networking and services in general, the students
will in finebe able to:
Model, analyze as well as develop new and economically viable wireless
networks and services architectures.
Specify and design mechanisms, protocols and procedures to achieve mobility
management, Ensure security and privacy.
Integrate future mobile services and applications in current and emerging
wireless networks VAP WNS (version 07.11a).
ξ Organisation:
The program consists of 6 essentially independent courses, since students with
documented prerequisite knowledge can enrol in these courses. The program is
scheduled during semesters S8 and S9 and each course corresponds to an in class
teaching load of 45 Hours supplemented by 45 hours of personal work, for a total
of 90 equivalent hours per course. The Wireless Networks and Services program is
organized in the following Teaching Units:
S8: - NET4508 : “Propagation et Signalisation” (Propagation and signalling in
wireless environments and networks)
- NET4519 : Wireless Data Networks (short range wireless and wireless LAN
and PAN for data and multimedia communications)
S9: - NET5011 : Mobile Networks Architectures (wireless systems and networks
architectures, physical and logical channel organization, protocols, procedures,
mobility management, call and session establishment)
NET5012 : NGN and Wireless Service Architectures (service architectures for
multimedia wireless services including NGN, IMS and service oriented
NET5013 :Service Discovery and Adaptation to Context (advanced service
discovery protocols and framework to support wireless services & applications
NET5014 : Secure Pervasive Wireless Networks and Services (addresses
security,mobility of nodes, services and applications in pervasive wireless
In addition to these courses a project, running throughout Semester S9, will be
conducted by the students in small groups. The project will put into practice what
has been learned in class and enable students to develop the invaluable research and
development skills sought by the industry and the research community.

∇ 7.2 Security Concern for WNS:-

Page 74 of 83
P a g e | 75

The proliferation of commercial activities over different networked systems 
has brought security concerns on an unprecedented scale. From traditional 
Internet­based applications to newly emerging ubiquitous services over 3G, Wireless 
LAN, and mobile ad hoc and sensor networks, there is an increasing demand of 
measures to guarantee the confidentiality, integrity, and availability of system 
services. The main purpose of this workshop is to promote further research interests 
and activities on network security. It is also aimed at increasing the synergy between 
academic and industrial researchers working in this area. We are interested in 
experimental, systems­related, and work­in­progress papers in all aspects of network 
The topics of interest include (but are not limited to): 
Novel and emerging secure architecture 

Study of attack strategies, attack modelling 

Case studies and analysis of actual attacks 

Continuity of Operations during an attack

Key management

Trust management

Intrusion detection techniques

Intrusion response, alarm management, and correlation analysis

Study of tradeoffs between security and system performance 

Intrusion tolerance systems 

Secure protocols 

Page 75 of 83
P a g e | 76

Security in wireless networks (e.g., ad hoc networks, sensor 
networks, WiMAX, WPAN, etc.) 

Battlefield wireless security solutions

Security issues in Software Defined Radios
Authors are invited to submit full papers for presentation at the workshop. 
Papers (no more than 8 camera­ready pages, in IEEE TRANSACTION format) 
should describe original, previously unpublished work, not currently under review 
by another conference, workshop, or journal. All accepted papers will appear in the 
IEEE LCN conference proceedings. All paper submissions will be handled 
electronically in EDAS. Manuscripts that are not compliant with the requirements 
may be declined with the requirements may be declined without review.
∇  7.3 WNS  and CIMA partner with the Bucharest University of
 Economics  (
  Using IT Security for Enhancing Financial Skills
& Protecting Accounting Data)

Program aims to further excellence in finance and accounting skills 

WNS (Holdings) Limited (NYSE:WNS), a leading provider of global business

process outsourcing (BPO) services, and the Chartered Institute of Management
Accountants (CIMA), the only international accountancy body with a sole focus on
business, today announced a partnership with the Bucharest University of
Economics (ASE), a premier Romanian institution of higher education. In a move to
promote excellence in financial management, CIMA has granted accreditation to the
University’s two-year master’s degree in Accounting and Financial Techniques for
Business Management (TECOFIG). This is the first accreditation CIMA has
granted in Romania and recognizes the degree’s comprehensive grounding in
management accounting. WNS will contribute business case studies from its
operations and lectures given by its senior managers in order to provide insights
into the rapidly growing BPO services industry. WNS will also offer scholarships
and internships to TECOFIG students and the opportunity for graduates to join the
company once they have successfully completed the program. TECOFIG graduates
Page 76 of 83
P a g e | 77

can choose an accelerated route to the CIMA qualification through exemptions from
five of the Institute’s papers. Additionally, ASE will develop a new post graduate
diploma which covers accounting content from the CIMA Certificate in Business
Accounting. This program will be accessible to graduates of all disciplines who want
to build a career in accounting and finance. “WNS sees immense potential for
growth and scale in Romania. We are committed to developing talent locally and are
pleased to announce this three-way partnership with ASE and CIMA,” said Akos
Csernus,Head of Romanian Operations for WNS. “This initiative will provide an
excellent education program for Romanian students seeking to pursue careers in
management accounting and financial analytics.” Eastern Europe provides a strong
combination of language skills and talent, and has emerged as a major provider of
BPO services. BPO exports from the region total US $1 billion and employ
approximately 30,000 FTEs. Finance and accounting (F&A) is the primary BPO
service in the region, including processes ranging from transaction processing to
high end analytics.
“WNS is committed to nurturing leaders, and through our strategic
relationship with CIMA, we ensure our employees gain internationally recognized
training,” said Neeraj Bhargava, Group Chief Executive Officer. “As the first BPO
provider to forge a strategic relationship with CIMA, we endeavor to educate, train
and qualify world class professionals in order to provide high value services to our
clients.” “Operating in over 161 countries, CIMA provides a global qualification
certificate recognized by leading organizations around the world,” said Ray Perry,
Director of Brand, CIMA. “CIMA values its strong relationships with global
commercial organizations such as WNS and is delighted to partner with leading
institutions such as the Bucharest University of Economics.”
WNS launched its Bucharest delivery center in January of this year. The
WNS facility serves as a nearshore delivery centre for global clients with European
operations. The center provides multi-lingual services, focused on delivering finance
and accounting and customer care services in French, German, Italian and Spanish.
According to a TBR report on BPO Delivery from Eastern Europe published
on June 17th 2008 WNS and CIMA partner with Bucharest University of Economics
• September 18, 2008

ξ About WNS
WNS is a leading global business process outsourcing company. Deep
industry and business process knowledge, a partnership approach, comprehensive
service offering and a proven track record enables WNS to deliver business value to
Page 77 of 83
P a g e | 78

some of the leading companies in the world. WNS is passionate about building a
market-leading company valued by our clients, employees, business partners,
investors and communities. For more information, visit www.wnsgs.com.

ξ About CIMA
CIMA (the Chartered Institute of Management Accountants) is a world
leading professional institute that offers an internationally recognized qualification
in management accountancy, focusing on accounting in business in both the private
and public sectors. It is the voice of 164,000 students and members in 161 countries.
CIMA is committed to upholding the highest ethical and professional standards of
members and students, and to maintaining public confidence in management
accountancy. For more information about CIMA, please visit www.cimaglobal.com.

ξ Safe Harbor Statement under the provisions of the United

States Private Securities Litigation Reform Act of 1995
This news release contains forward-looking statements, as defined in the safe
harbor provisions of the U.S. Private Securities Litigation Reform Act of 1995.
These statements involve a number of risks, uncertainties and other factors that
could cause actual results to differ materially from those that may be projected by
these forward looking statements. These risks and uncertainties include but are not
limited to technological innovation; telecommunications or technology disruptions;
future regulatory actions and conditions in our operating areas; our dependence on
a limited number of clients in a limited number of industries; our ability to attract
and retain clients; our ability to expand our business or effectively manage growth;
our ability to hire and retain enough sufficiently trained employees to support our
operations; negative public reaction in the US or the UK to offshore outsourcing;
regulatory, legislative and judicial developments; increasing competition in the
business process outsourcing industry; political or economic instability in India, Sri
Lanka and Jersey; worldwide economic and business conditions, including a
slowdown in the U.S. and Indian economies and in the sectors in which our clients
are based and a slowdown in the BPO and IT sectors world-wide; our ability to
successfully consummate strategic acquisitions, as well as other risks detailed in our
reports filed with the U.S. Securities and Exchange Commission. These filings are
available at www.sec.gov. We may, from time to time, make additional written and
oral forward-looking statements, including statements contained in our filings with
the Securities and Exchange Commission and our reports to shareholders. You are
Page 78 of 83
P a g e | 79

cautioned not to place undue reliance on these forward-looking statements, which

reflect management’s current analysis of future events. We undertake no obligation
to publicly update or revise any forward-looking statements, whether as a result of
new information, future events or otherwise.

➢  8  Appendixes: List of Acro

ξ  Acronym / Definition 
 1.     A 
∇ A/R 
 2.     C 
∇ CBT 
Computer Based Training 
∇ CIO 
Chief Information Officer 
Committee on National Security Systems 
Control Objectives for Information and related Technology 
Contracting Officer’s Technical Representative 
∇ CSO 

Page 79 of 83
P a g e | 80

Chief Security Officer 
∇ CWF 
Critical Work Function 
 3.     D 
∇ DHS 
Department of Homeland Security 
Department of Homeland Security National Cyber Security Division 
Defense­wide Information Assurance Program 
∇ DMZ 
Demilitarized Zone 
∇ DoD 
Department of Defense 
 4.     E 
∇ EA 
Enterprise Architecture 
∇ EBK 
Essential Body of Knowledge
 5.     F 
Federal Information Processing Standard 
Federal Information Security Management Act 
6. H 
Health Insurance Portability and Accountability Act 
 7.     I 
∇ IA 
Information Assurance 
Information Assurance Skill Standard 

Page 80 of 83
P a g e | 81

∇ ILT 
Instructor Led Training 
∇ ISD 
Instructional Systems Design 
∇ ISO 
International Standards Organization
∇ ISO 
Information Security Officer 
Information Systems Security Manager 
Information Systems Security Officer 
∇ IT 
Information Technology 
Information Technology Security Certification Working Group

 8.     L 
∇ LMS 
Learning Management System
 9.     N 
National Cyber Security Division 
National Institute of Standards and Technology 
 10.    P  
∇ PBX 
Private Branch Exchange 
President’s Critical Infrastructure Protection Board 
∇ PII 
Personally Identifiable Information 

Page 81 of 83
P a g e | 82

 11.    S  
System Development Life Cycle 
∇ SOE 
Standard Operating Environment 
Systems Security Engineering Capability Maturity Model 
∇ SSL 
Secure Sockets Layer 
 12.    T  
∇ T/E 
Training and Education (Program) 
∇ TLS 
Transport Layer Security 
13. V 
∇ V­LAN 
Virtual Local Area Network
Voice Over Internet Protocol
 14.    W 
∇ WBT 
Web Based Training 

➢ 8 Methodology:-
✔ Primary data is collected with the help of questionnaires, personal interviews
✔ Secondary data is collected from various websites, journals, magazines etc.

Page 82 of 83
P a g e | 83

➢ 9 Conclusion:-
The broadband future promises a digital world which we can imagine with a
host of economic & social benefits accruing throughout the world. Yet reaching that
future will require first acknowledging the scope of broadband challenge we face
and responding decisively. By taking these steps we can accelerate down the path of
our digital future.
On the flip side though the security of our IT system becomes of paramount
importance & protecting it from unauthorized copying, viewing or hacking becomes

Page 83 of 83