CYBER SECURITY CURRICULUM GUIDE Securit… · conjunction with the CCCS Learning Hub pathways, new...

UNCLASSIFIED

1

CYBER SECURITY CURRICULUM GUIDE A ROLE-BASED GUIDE FOR TRAINING AND EDUCATION PROVIDERS

REVIEW DRAFT

FOR POST-SECONDARY TRAINING AND EDUCATION

PROVIDERS

UNCLASSIFIED

2

FOREWORD The CYBER SECURITY CURRICULUM GUIDE: A ROLE-BASED GUIDE FOR TRAINING AND EDUCATION PROVIDERS is an UNCLASSIFIED publication. This guide provides a role-based perspective on post-secondary cyber security curriculum in two domains: security and business. As a curriculum guide, the intent is not to prescribe, but to provide a catalogue of curriculum elements that establish a national benchmark against which post-secondary institutions, including private sector providers, can assess their programs, courses, and micro learning programs.

This guide was developed leveraging multiple sources and with the support of representatives of the Communications Security Establishment, Canada School of Public Services, Department of National Defence, Public Safety, Royal Canadian Mounted Police, and Treasury Board Secretariat.

This guide recognizes that there are several institutions that have already introduced programs or courses that support cyber security educational or training outcomes, some of which surpass the curricular guidance provided. Notwithstanding, the skills shortage is anticipated for the coming years and small, medium, and large enterprises within the public and private sector will continue to face cyber challenges. This guide is distinct in that it focuses on curricular elements that prepare graduates for roles within a common organizational security context, that is, while technical generalists and specialists are need, there are also non-technical roles within organizations that require cyber security education to help mitigate the risks and reduce the challenges faced.

EFFECTIVE DATE This guide is effective as of (to be promulgated).

REVISION HISTORY Revision Amendments Date

1 Public Review Draft. 31 January 2019

UNCLASSIFIED

3

TABLE OF CONTENTS 1 Introduction ........................................................................................................................ 6

1.1 Purpose ...................................................................................................................................... 6

1.2 Scope ......................................................................................................................................... 6

1.2.1 Out-of-Scope ........................................................................................................................... 6

1.2.2 A Note on Computer Science and Related Engineering programs ............................................... 7

1.3 Target Audiences ........................................................................................................................ 7

1.4 The Canadian Centre for Cyber Security Role ................................................................................ 7

2 Analysis and framework ........................................................................................................ 8

2.1 Analysis...................................................................................................................................... 8

2.1.1 Methodology and Analysis ....................................................................................................... 8

2.1.2 Main Findings ......................................................................................................................... 8

2.2 Foundational Concepts ............................................................................................................... 9

2.3 Role-based Framework .............................................................................................................. 10

2.3.1 Business Roles – Cyber Security Curriculum ........................................................................... 10

2.3.2 Cyber Security Roles and Specialisations ............................................................................... 11

3 Curriculum Guide Format ......................................................................................................13

3.1 How To Use This Guide ............................................................................................................. 13

3.2 Examples and exemplars ........................................................................................................... 13

3.3 Review and Recommended Changes .......................................................................................... 13

4 Business Roles – Cyber Security Curriculum ............................................................................14

4.1 Overview ................................................................................................................................... 14

4.1.1 Reference Model ................................................................................................................... 14

4.1.2 Suggested curriculum components structure .......................................................................... 14

4.1.3 Proficiency Levels ................................................................................................................. 14

4.1.4 Core Curriculum Topics ......................................................................................................... 15

4.2 Business Roles ......................................................................................................................... 16

4.2.1 Strategic Planners / Business Advisors .................................................................................. 16

4.2.2 Business Analyst ................................................................................................................... 17

4.2.3 Risk Analysts ........................................................................................................................ 18

4.2.4 Project Managers .................................................................................................................. 19

4.2.5 Financial Analysts ................................................................................................................. 20

4.2.6 Policy Analysts & Developers ................................................................................................. 21

UNCLASSIFIED

4

4.2.7 Procurement Analysts & Supply Chain Managers .................................................................... 22

4.2.8 Communications ................................................................................................................... 23

5 Cyber Security Roles and Specializations.................................................................................24

5.1 Overview ................................................................................................................................... 24

5.1.1 Reference Model ................................................................................................................... 24

5.1.2 Core Curriculum Topics ......................................................................................................... 24

5.1.3 Suggested Curriculum Components Structure ......................................................................... 25

5.2 Govern and Manage .................................................................................................................. 26

5.2.1 Context ................................................................................................................................. 26

5.2.2 Strategic Planner ................................................................................................................... 27

5.2.3 Policy Analyst ....................................................................................................................... 28

5.2.4 Requirements Analyst ............................................................................................................ 29

5.2.5 Program Manager ................................................................................................................. 30

5.2.6 System Authorizer ................................................................................................................. 32

5.2.7 Disaster Recovery Planner ..................................................................................................... 33

5.2.8 Contracting and Procurement Security Advisor ....................................................................... 34

5.3 Operate and Maintain ................................................................................................................ 35

5.3.1 Context ................................................................................................................................. 35

5.3.2 Cyber Defence Operator ......................................................................................................... 36

5.3.3 Cyber Security Incident Handler ............................................................................................. 38

5.3.4 Digital Forensics Analyst (Security) ........................................................................................ 40

5.3.5 PKI Support Analyst............................................................................................................... 42

5.3.6 Identity, Credentials and Access Analyst ................................................................................ 43

5.4 Evaluate and Measure ............................................................................................................... 44

5.4.1 Context ................................................................................................................................. 44

5.4.2 Vulnerability Assessor ........................................................................................................... 45

5.4.3 Penetration Tester................................................................................................................. 47

5.4.4 Security Assessor ................................................................................................................. 48

5.4.5 Security Tester & Evaluator .................................................................................................... 50

5.5 Design and Build ....................................................................................................................... 51

5.5.1 Context ................................................................................................................................. 51

5.5.2 IT Security Analyst – Projects ................................................................................................ 52

5.5.3 Security Architect .................................................................................................................. 53

5.5.4 Security Engineer .................................................................................................................. 55

UNCLASSIFIED

5

5.5.5 Cyber Security Researcher ..................................................................................................... 57

5.5.6 Secure Software Analyst/ Developer ...................................................................................... 59

6 Supporting Content ..............................................................................................................61

6.1 List of Abbreviations ................................................................................................................. 61

6.2 Glossary ................................................................................................................................... 62

6.3 General Competency Descriptions ............................................................................................. 64

6.4 References ............................................................................................................................... 65

LIST OF FIGURES Business Roles and Security .................................................................................................... 11

Security Roles - Cyber Security Specializations ........................................................................ 12

Business roles and cyber security ............................................................................................ 14

Security Governance and Management Roles........................................................................... 26

Operate and Maintain Roles ..................................................................................................... 35

Evaluate and Measure Roles .................................................................................................... 44

Design and Build Roles ............................................................................................................. 51

UNCLASSIFIED

6

1 INTRODUCTION

1.1 PURPOSE

This guide provides a role-based perspective on Canadian post-secondary cyber security curriculum within an organizational context. It therefore provides suggested curricular outcomes in terms of technical and non-technical domains. As a curriculum guide, the intent is not to prescribe, but to establish a national benchmark against which post-secondary institutions, including private sector providers, can assess their programs.

This guide recognizes that there are several institutions that have already introduced programs or courses that support cyber security educational or training outcomes, some of which may surpass the curricular guidance provided. Notwithstanding, the skills shortage is anticipated for the coming years and small, medium and large enterprises within the public and private sector will continue to face cyber challenges.

1.2 SCOPE

This guide is distinct in that it focuses on curricular elements that prepare graduates for roles within a common organizational security context. That is, while technical generalists and specialists are needed, there are also non-technical roles within organizations that require cyber security education to help mitigate the organizational security risks.

While the points are out of scope, specific advice and guidance can nonetheless be sought directly from the Canadian Centre for Cyber Security (Hereafter referred to as the Cyber Centre) through [email protected].

1.2.1 Out-of-Scope

Acknowledging that cyber security can be concurrently transdisciplinary, multidisciplinary and interdisciplinary, curricular requirements in other disciplines that are not common within public and private sector organizations are not included. The following are considered out of scope for this guide:

Disciplines such as law, health services, criminology, social sciences, and political studies – These programs and courses contain pioneering work in cyber security and there are programs that can provide examples of integration of cyber security within traditionally non-technical domains. However, as they are not commonly associated with management of organizational security, and so they have not been included.

Research activities - Research activities are an important aspect of knowledge generation and learning. The assumption upon which this guide is based is that post-secondary institutes expose students to the research process and, where required as outcomes, embed research opportunities into the curriculum.

Broader, generalist security studies (e.g. international security, human security, police foundations, etc.) – These are not part of this guide though there are elements of relevance (e.g. cyber risk) that may be worth integrating into existing programs or courses.

Programs or courses that are more broadly aimed at exploring cyber security theory or the science of cyber security – These are critical to theory and knowledge building but are not included in this guide.

Post-graduate (PG) programs and courses – There are several existing post-graduate programs, and more are in development. While this guide may serve to better inform those engaged in development and delivery of PG programs, it does not provide any specific guidance in this area.

UNCLASSIFIED

7

1.2.2 A NOTE ON COMPUTER SCIENCE AND RELATED ENGINEERING PROGRAMS Specifics to computer science, computer engineering, software engineering and similar programs have not been included in this guide. Cyber security requirements should be a foundational component of these programs as would be required in any requirements gathering or design activities associated with a new system or capability. Accordingly, the cyber security content of such programs should be tailored to the program outcomes. However, it is suggested that all programs that support IT and communications systems should be exposed, at a minimum, the curriculum elements noted in Section 5.1.1. Core Curriculum Topics.

1.3 TARGET AUDIENCES

Aligned with scope of this guide, the primary audiences for this curriculum guide are those post-secondary academic institutions or private sector vendors that are attempting to generate new courses or programs or integrate cyber security into existing programs.

Other potential audiences: Organizational decision makers who are looking for guidance on the competencies and human

capabilities to support the local security requirements. The specific role-based descriptions may assist decision makers in identifying training requirements for specific roles.

New or existing cyber security practitioners to determine where they can build on their expertise. In conjunction with the CCCS Learning Hub pathways, new or existing cyber security practitioners should be able to appreciate expectations in other roles in which they may have interest and can support technical career growth. Those interested in non-technical career paths should consult with their management or human resource departments to determine what options exist.

Prospective cyber security professionals or students who have yet to commence a course of study or program can refer to this document to gain a better appreciation of the role expectations. In post-secondary education, it is not always clear the degree to which programs will prepare students for the future work force that they will enter at the end of their programs. This guide can help this group to better understand work tasks and competency requirements, including knowledge and skills, that are expected in common organizational roles. Additionally, this guide may help students to refine their education and training goals.

Professional associations or organizations that have a role in supporting Canadian workforce development. These types of organizations are uniquely placed to provide additional information, professional networks, learning support, and professional development opportunities that enhance human capabilities in meeting expected cyber security outcomes.

1.4 THE CANADIAN CENTRE FOR CYBER SECURITY ROLE

The federal government does not have a specific mandate to provide post-secondary curriculum nor has there been a national curriculum framework established for cyber security as has been done in other countries. Rather, the role of the federal government and, more specifically, the CCCS is to lead efforts that support national security and help protect systems of importance to the Government of Canada.1

1 Refer to the Communications Security Establishment Mandate B at https://www.cse-cst.gc.ca/en/inside-interieur/protect-protection

https://cyber.gc.ca/en/learning-and-innovation-hub

https://www.cse-cst.gc.ca/en/inside-interieur/protect-protection

https://www.cse-cst.gc.ca/en/inside-interieur/protect-protection

UNCLASSIFIED

8

2 ANALYSIS AND FRAMEWORK

The following provides the analysis, underpinning concepts and reference models that provide the framework for this guide.

2.1 ANALYSIS

2.1.1 METHODOLOGY AND ANALYSIS

The Communications Security Establishment (CSE) conducted an environmental scan of existing curriculum in 2016 and 2017 to better identify where training and education were occurring in post-secondary institutions. This scan was subsequently updated in 2018. Online open-source research was conducted to locate academic cyber security programs currently offered in Canada. Programs were located via keyword searches primarily using the universitystudy.ca search engine as well as other sites such as canadian-universities.net, studyincanada.com, ontariocolleges.ca, and Google searches. For each scan, several different searches were conducted using the terms “security,” “cyber,” “computer security,” “information system,” and “network.”

The environmental scan addressed two typologies: cyber security specific programs, largely technical in nature, and business-related programs, largely non-technical in nature. The scan included college diplomas, university undergraduate and professional and post-graduate certificate programs. Those programs identified as cyber security specific programs included computer-based or IT-related discipline such as computer science, computer or communications engineering, software development, IT systems administration where there were significant cyber security components, as well as IT/cyber security specialized programs. Business-related programs were largely non-technical programs were surveyed to determine the degree to which cyber security concepts and principles have been integrated. This stream included programs such as business administration, management, finance, project management, and communications programs.

In addition to the scan and the subsequent analysis of those results, there has been a significant amount of anecdotal information collected from subject matter experts, business councils, professional associations, community groups and others that have reinforced the results.

2.1.2 MAIN FINDINGS

To summarize, the scan and subsequent analysis revealed the following: The number and quality of courses and programs is expanding year after year to date. Most of the university and college courses and programs were found within technical departments

(e.g. computer science, IT, etc.). They predominantly were focused on security operations roles; that is detecting, responding and mitigating cyber threats.

Programs that focused on generating graduates for the workforce, predominated. Relevant, yet underrepresented topics were: the Canadian legal and policy context including personal information protection and privacy; ethical considerations including workplace and investigatory practices in organizational contexts; integrated risk management; business communications; and emerging issues.

Some courses or programs labelled as ‘cyber security’ only deal with certain aspects of cyber security or were a re-design of existing IT courses to include some cyber security elements. While contributing to role-based requirements, these courses or programs could perhaps be better labelled to indicate the curricular focus (e.g. Cyber Security Operations or Cyber Security Incident Handling).

UNCLASSIFIED

9

Some courses or programs labelled as ‘cyber security’ reflect the multi/inter-disciplinary nature of the field. While attending to the broader educational needs for generalists or those who may be employed in the proximity of cyber security, they often did not provide sufficient depth to support specific cyber security responsibilities within an organization.

Some of the courses and programs labelled as cyber security have not attracted enough enrollment to sustain them year to year. Some that were planned and advertised could not even muster enough interest to run.

For computer or communications engineering programs there appeared to be very limited content related to cyber security or security writ large as a curriculum requirement.

Few business-related programs had integrated relevant cyber security content that is applicable to organizations.

In response to the results of this study, the Cyber Centre, in discussion with partners in other levels of government, industry and academia has developed this guide to help identify role-based educational and training requirements that support security activities within an organizational context. In addition to integrating technical training requirements for cyber security specialists, this guide extends into business-related disciplines as well.

2.2 FOUNDATIONAL CONCEPTS

There are four foundational concepts upon which this guide has been based. While some remain contentious, these concepts will help readers to understand the approach used within this guide.

Cyber security should be more broadly defined. There are many definitions of cyber security that inherently lean towards specific technologies, processes, and/or originator perspectives. For the purposes of this guide, cyber security is the “protection of digital information and the infrastructure on which it resides.”2 It includes the more common topics of IT security, data security, network security, as well as digital information security. Consequently, cyber security remains predominately within technically oriented training and education programs. However, many issues within cyber security are due to, and impact on humans and human systems. As such, cyber security should ensure that there is a balance between technical and non-technical considerations. Accordingly, within this guide cyber security also includes concepts, policies, processes, decisions, actions and mechanisms to protect the confidentiality, integrity and availability of assets and information of value from deliberate or accidental compromise as well as from the potential effects of natural hazards.

Cyber security is transdisciplinary in nature. Cyber security is often discussed as a singular professional domain of work often focused on those who do specific technical jobs in security operations such as incident response, cyber analytics and digital forensics. However, following the first point, there is no shortage of evidence that shows cyber security as a cross-cutting domain where there is a variety of technical and non-technical disciplines that support international, national, organizational, and human dimensions that are critical to ensuring safe and secure use of the internet and interconnected systems. Therefore, the reality is that cyber security is considered as inter-, multi-, and even trans-disciplinary in nature.

Cyber security issues are ubiquitous. The extension of the internet into portable devices of varying uses and the explosion of internet-connected technological systems, - also known as the ‘Internet of

2 National Cyber Security Strategy: Canada's Vision for Security and Prosperity in the Digital Age https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx#s12

https://www.publicsafety.gc.ca/cnt/rsrcs/pblctns/ntnl-cbr-scrt-strtg/index-en.aspx#s12

UNCLASSIFIED

10

Things’ (IoT), has expanded the reach of IT systems into our lives. Indeed, emerging cyber-physical realities including wearable devices and increasing use of connected sensors in a variety of work domains and impacts significantly on the lives of Canadians in many ways. While we enjoy the benefits of this interconnectedness, it also has significantly increased the number of vulnerabilities and potential vectors of act from cyber security threats.

Cyber security is dynamic. Cyber security is constantly evolving alongside information and communications technology and stakeholders are experiencing significant challenges keeping up with this evolution. Foresight is therefore necessary to determine the impact on an organization. For example, the implications of the ‘cloud’ and virtualization, 5G, artificial intelligence and machine learning are all relevant evolutions and present their own challenges.

2.3 ROLE-BASED FRAMEWORK

The curriculum guide has categorized the cyber security curriculum components using a ‘role-based’ approach meaning that the learning requirements are based upon outcomes that contribute to specific organizational roles. The reasons are two-fold. First, for job-specific courses and programs, the job title is often explicitly stated. However, an individual may not have the job title of ‘security assessor’ or ‘business analyst’. Rather they may have a role within the organization that they fill that requires that expertise. Second, in post-secondary educational institutions, course or program descriptions rarely directly refer to current work roles. Rather they support building student disciplinary knowledge based on the current understanding in the field; unless it is a professional program the degree to which general disciplinary programs such as Computer Science are practically applied in the workplace are often not of central concern. In such cases, the role-based categorization help those engaged in curriculum development and implementation to identify curriculum components that might be applicable to their program/course without being overly prescriptive.

This guide specifically situates organizational security at the intersection of business, in the general sense, and technology within the contemporary organization. The intended reading audience is business and security managers, security practitioners, private sector training vendors, academics and students. Understanding that there are other models out there, this guide is seen to be complementary to:

existing cyber security frameworks such as the U.S. National Initiative on Cybersecurity Education (NICE) Cybersecurity Workforce Framework (CWF);

the Information System Security Competency Profiles collaboratively developed by Shared Services Canada and the Communications Security Establishment (CSE), IT Security Learning Centre;

the published CSE Cyber Security Learning Pathways; and the Task-based Informatics Professional Services Cyber Security work stream requirements

identified within the Public Services and Procurement Canada.3 The guide is divided into two key functional areas within the contemporary organizational context – Business Roles and Cyber Security Roles.

2.3.1 BUSINESS ROLES – CYBER SECURITY CURRICULUM

A generic and scalable, role-based model of organizational security (figure 1) appreciates that cyber security activities and functions are part of the larger organizational or enterprise security activities which are driven by business requirements.

3 Available at https://www.tpsgc-pwgsc.gc.ca/app-acq/sptb-tbps/cyberprotect-eng.html

https://www.nist.gov/itl/applied-cybersecurity/nice/resources/nice-cybersecurity-workforce-framework

https://www.cse-cst.gc.ca/en/page/it-security-learning-pathways

https://www.tpsgc-pwgsc.gc.ca/app-acq/sptb-tbps/cyberprotect-eng.html

https://www.tpsgc-pwgsc.gc.ca/app-acq/sptb-tbps/cyberprotect-eng.html

UNCLASSIFIED

11

The model is generic in that it can be adapted to different organizational contexts. It is scalable in that, regardless of the size of the organization, it represents requirements. The functions identified can be performed by a single individual in a small enterprise or shared by many individuals in a large enterprise. For example, in small and medium enterprises, the case of security functions, they may be performed by one or many individuals, acquired or, as is more and more the case, a combination of the two.

Business Roles and Security

For the purposes of this guide, non-security technical roles are not within scope. However, as will be discussed later, each of the technical roles within an organization should have core knowledge related to cyber security outcomes.

2.3.2 CYBER SECURITY ROLES AND SPECIALISATIONS

Within cyber security there are numerous technically-oriented roles as well as non-technical roles. In contrast to the National Initiative on Cybersecurity Education (NICE), Cybersecurity Work Force (CWF) framework, Figure 2 provides a role-based model which categorizes security work into four main functions within the organizational context: Governance & Management; Design & Build; Evaluate & Measure; and Operate & Maintain. These main functions are guided by an appropriate level of leadership and extend into specializations that often require additional task-based training and expertise within the work area to become proficient. Those familiar with the NICE CWF will note that there are many commonalities in specialized tasks, knowledge and skills. This guide is limited to only cyber security elements without reference to other common technical and non-technical curriculum. As well, this guide provides common competencies that should be included in the development of security practitioners intended to support organizational security requirements.

Like the model in figure 1, the model in figure 2 is scalable. In small organizations, one individual may be wholly responsible for all security functions as well as all business functions (e.g. one owner of a small company). In such cases, security is likely to be embedded in the technology or out-sourced. Regardless, there still needs to be foundational understanding of business risks, threats and security requirements to enable decision-making. Similarly, medium and large organizations may have security leadership positions such as Chief Security Officer/Chief Information Security Officer, as well as individuals employed within the

UNCLASSIFIED

12

major security functions and the extending cyber security specialist roles. Alternatively, they may also have embedded or out-source security services.

Cyber Security Roles and Specializations

UNCLASSIFIED

13

3 CURRICULUM GUIDE FORMAT

3.1 HOW TO USE THIS GUIDE

In basic terms a curriculum guide frames the curriculum (what gets taught) and often it can include methods (how it gets taught). This guide is presented in two sections to provide a broader perspective on cyber security related roles within an organization: Business Roles and Cyber Security Curriculum and Cyber Security Roles and Specializations. Each section provides role-based curriculum suggestions progressing from foundational requirements to specialized roles. Each curriculum topic area is divided into components that support further identification of detailed knowledge and skill requirements. Each topic area can be integrated into existing curriculum as determined by learner needs or used as stand-alone curriculum elements in support of new or existing programs, individual courses, or micro-learning activities.

To support a reasonable shelf-life for this guide, detailed knowledge and skill requirements have not been defined. They can, however, be deconstructed from the major statements provided. Further interpretation or questions on how to use this guide should be directed to the CCCS Learning and Innovation Hub via [email protected]

3.2 EXAMPLES AND EXEMPLARS

The CCCS is regularly asked where effective cyber security training and education opportunities exist. As discussed, there are post-secondary institutions that have implemented cyber security courses, programs or components that may serve as examples or exemplars for the larger community. Should you believe that your program, course or learning activity is an example or exemplar, please feel free to contact the Learning and Innovation Hub through [email protected] so we add it to our referral list.

3.3 REVIEW AND RECOMMENDED CHANGES

This guide will be collaboratively reviewed every two years. This review will help ensure that guide accurately reflects post-secondary training and education requirements for roles and specializations that support the evolving cyber security environment. Suggested changes can be submitted to the CCCS, Learning and Innovation Hub via [email protected].

UNCLASSIFIED

14

4 BUSINESS ROLES – CYBER SECURITY CURRICULUM

4.1 OVERVIEW

4.1.1 REFERENCE MODEL

The business-oriented curriculum focuses on cyber security knowledge and skills for decision-makers and those that have specific roles that support decision making and organizational governance as shown within the red box figure 3.

Business roles and cyber security

4.1.2 SUGGESTED CURRICULUM COMPONENTS STRUCTURE

Each of the suggested cyber security curriculum components provides: Role-based title, Primary cyber security related tasks within an organization, Suggested content, Key skills and abilities that should be applied and assessed, Key functional competencies that should be developed, and Suggested sequencing and dependencies on other role-based curricula.

4.1.3 PROFICIENCY LEVELS

The following proficiency levels are used to provide a more accurate description of expected knowledge or skill- based learning outcomes that relate to work roles within an organization.

UNCLASSIFIED

15

Proficiency Knowledge Skill

Basic Able to describe fundamental facts, concepts and processes.

Able to perform the most common techniques and procedures with limited coaching

Intermediate Able to demonstrate application of facts, concepts and processes to common work tasks.

Reliably able to perform all common techniques and procedures independently, requires coaching on complex tasks.

Advanced Able to explain foundations for concepts and processes, can critically assess new concepts and processes relative to current understanding, and can demonstrate ability to apply knowledge in different work contexts.

Reliably performs all common and most complex tasks independently.

4.1.4 CORE CURRICULUM TOPICS

In general, a basic knowledge of the following is suggested for all business-oriented curricula: Cyber threat context (including deliberate, accidental, natural hazards) Legal, policy and ethical context for security Overview of cyber security risk management as part of organizational risk Cyber security incident management (domain specific) Cyber security processes, technology, trends and emerging issues Sources of cyber security expertise and resources

Additional requirements for specific roles are identified in the next section.

UNCLASSIFIED

16

4.2 BUSINESS ROLES

4.2.1 STRATEGIC PLANNERS / BUSINESS ADVISORS

Role Strategic Planner / Business Advisor

Primary responsibilities

Supporting organizational planning and providing strategic business and financial advice

Primary learning outcome

Graduates should be able to effectively advise on and integrate cyber security investments and risks into strategic planning activities.

Primary cyber security related tasks

• Facilitate integration of cyber security goals and objectives into strategic plan • Analyze cyber security investments and their relevance to business outcomes. • Assess business and market trends and the implications of cyber security on

the business • Advise on business activities relative to the cyber threat context

Key education and training topics

Basic Core curriculum + • Business context and cyber security threats and potential

impacts • Strategic implications on legal and policy compliance • Organizational risk management and cyber security risk • Policy enforcement, compliance and risk management

Intermediate • Business needs for security in a domain or operation • Business domain specific technology, trends and emerging

issues

Advanced • Predictive analytics related to cyber security costs/benefits • Foresight activities • Integrated technology planning to include evidence-based

cyber security considerations

Key skills and abilities

• Provide business advice within the legal & policy cyber security context • Differentiating between compliance and risk • Interpreting threat and risk assessments through a business focused lens • Integration of cyber risks into corporate risk assessments

Key functional competencies

• Strategic thinking, analyzing, complex problem solving, communicating, anticipatory thinking.

Sequencing and dependencies

• Topics are best integrated into existing curriculum subjects

UNCLASSIFIED

17

4.2.2 BUSINESS ANALYST

Role Business Analyst


Analyses an organization or business domain, its processes and/or systems and assesses the business model or its integration with technology.


Graduates should be able to integrate cyber security processes and systems into an organizational or business domain structure.


• Identify / map organizational / business cyber security requirements • Identify / analyze the business needs for security • Develop and present the business case for security • Assess technological trends, risks and determine potential business impact • Advise on integration of cyber security processes and technology within the

organization or business domain • Support CSO/CISO to develop, set and assess performance metrics associated

with cyber security • Identify opportunities for improvement in effectiveness or efficiency


Basic Core curriculum + • Primary cyber security processes systems and their uses • Business needs for security in a domain or operation • Cost/benefits analysis for cyber security

Intermediate • Security system integration and business implications • Cyber security business case development • Domain specific technology, trends and emerging issues • Integrated risk management frameworks

Advanced • Integrating current and emerging cyber security risks into strategic planning


• Analyzing cyber security investments relative to business outcomes • Contrasting and comparing cyber security options to address

organizational/business domain needs.


• Collaborating, analyzing, integrating, communicating.


• Topics would be best integrated into related curriculum subjects

UNCLASSIFIED

18

4.2.3 RISK ANALYSTS

Role Risk Analyst


Assess risks, report, and recommend actions to mitigate the risks to acceptable levels within the organization. While predominantly employed within the financial domains of organization, other technical, organizational, and external risks should be included.


Graduates should be able to identify and assess current and emerging cyber-related risks and translate them into actionable activities that will help the organization manage that risk.


• Assess technological trends, risks and determine potential business impact • Conduct threat and risk assessments within the cyber context • Interpret threat and risk assessments • Determine organizational risk profile/risk appetite • Integrate cyber risk with other organizational risk management activities • Develop and monitor cyber security risk management strategies and plans • Maintain the organizational risk profile/register


Basic Core curriculum + • Legal & policy cyber security context and strategic

implications • Integrated risk management frameworks and models • Threat and risk assessments • Qualitative and quantitative asset categorization / valuation

techniques

Intermediate • Risk and cyber security control metrics • Risk and business continuity planning • Incident and business consequence management • Policy enforcement, compliance and risk management

Advanced • Methodologies in managing strategic cyber security risks • Organizational risk governance and evaluation


• Risk appreciation and assessment • Quantitative and qualitative analysis of organizational risk • Analyzing cyber security investments relative to business outcomes • Anticipatory and systems thinking • Exercising judgement • Communicating risk to all levels


• Analysis, integrating, communicating.


• Cyber security risk is best introduced as another risk that is considered other organizational risks within the educational program.

UNCLASSIFIED

19

4.2.4 PROJECT MANAGERS

Role Project Managers*


Develops project plans and manages project throughout its lifecycle to meet milestones and deliverables within scope and within budget. Includes managing budget, timelines, resources and staff.


Graduates should be able to integrate and oversee implementation of cyber security controls as required throughout the project lifecycle.


• Assess technological trends, risks and determine potential project impact • Identify / analyze the business needs for security throughout the lifecycle of the

project • Identify and manage cyber security risks throughout the project • Ensure cyber security controls are integrated and monitored throughout the project • Close out project including appropriate disposal/cleaning of cyber security

technology and related data.


Basic Core curriculum + • Primary cyber security processes systems and their uses • Project management risks, threats and vulnerabilities • Cyber security throughout the project lifecycle

Intermediate • Management of third-party cyber risk in projects • Cyber security incident management in projects

Advanced • Multi-faceted risk analysis in projects • Cyber security performance indicators and metrics within the

project context • Cyber security assessment and mitigating risks in projects


• Communication to various audiences throughout the project • Managing and communicating in crisis • Project leadership • Attention to detail


• Managing, integrating, analyzing, communicating.


• Many of the cyber security considerations for a project should be identified in the initiation and planning phases. However, there are various activities throughout the project lifecycle. Accordingly, cyber security considerations should be introduced with each phase of the project lifecycle/process as required.

* This profile applies broadly to project management and more specifically to technology/IT related projects. However, if the project is a cyber security project, then specific cyber security expertise is required that supports the project outcomes.

UNCLASSIFIED

20

4.2.5 FINANCIAL ANALYSTS

Role Financial Analysts


Analyze and report on financial data needed for decision support and business improvement.


Graduates should be able to recognize the need for cyber security risk management and integrate cyber security investments into organizational planning and budgeting processes.


• Identify/map organizational/business cyber security requirements • Identify cyber security related financial risks • Analyze financial cost/benefits of cyber security • Integrate cyber security factors into financial models • Collect, monitor cyber security financial data • Identify opportunities for efficiencies


Basic Core curriculum + • Primary cyber security processes systems and their uses • Business needs for security in a domain or operation • Cyber security risk as business risk

Intermediate • Cyber security business case development • Measuring cyber security investments and impact on

business outcomes

Advanced • Strategic financial analysis of cyber security • Development of integrated risk management frameworks • Policy enforcement, compliance and risk management


• Analyzing cyber security investments relative to business outcomes • Quantifying cyber security costs and risks • Forecasting cyber security incident/privacy breech costs


• Accounting, analyzing, strategic thinking, communicating.



UNCLASSIFIED

21

4.2.6 POLICY ANALYSTS & DEVELOPERS

Role Policy Analysts & Developers


Analyze and develop local, provincial, federal, and/or international policy with a focus on the relevant needs or influence of the organization.


Graduates should be able to develop organizational policy that effectively integrates cyber security requirements.


• Identify/map organizational/business cyber security requirements • Identify cyber security related risks • Analyze organizational and client culture, legislative or policy compliance,

business standards, best practices and norms, and associated costs related to intended policy implementation or changes

• Develop, implement, monitor and revise organizational policies that have relevant cyber security elements or impact on organizational cyber security

• Advise CSO/CISO on the development of cyber security policy instruments • Ensure policy alignment throughout organizational changes and practices in

cyber security


Basic Core curriculum + • Business context and cyber security threats and potential

impacts • Legal & policy cyber security context and strategic

implications • Organizational risk management and cyber security risk • Policy enforcement, compliance and risk management

Intermediate • Business needs for security in a domain or operation • Integrated risk management frameworks

Advanced • Integrating current and emerging cyber security risks into strategic policy development


• Analyzing policy gaps in cyber security • Drafting and communicating policy changes and rationale


• Analyzing, communicating, strategic thinking, anticipatory thinking.



UNCLASSIFIED

22

4.2.7 PROCUREMENT ANALYSTS & SUPPLY CHAIN MANAGERS

Role Procurement analysts & supply chain managers


Develop, implement and monitor processes for acquiring goods and services for the organization.


Graduates should be able to identify and monitor general security requirements throughout the procurement lifecycle and supply chain.


• Identify cyber security risks throughout the procurement lifecycle and supply chain

• Identify and implement processes to determine and ensure compliance of security requirements for procurement processes

• Identify and implement processes to determine and ensure compliance of security requirements for goods and services to be procured


Basic Core curriculum + • Procurement process cyber security • Cyber security requirements as part of delivered goods and

services • Defining roles and responsibilities in cyber security during

procurement • Supply chain cyber security threats and vulnerabilities • Defining supply chain cyber security risks

Intermediate • Interpreting threat and risk assessments • Cyber security key performance indicators and assessment

throughout the procurement lifecycle • Incident response and mitigation planning • Contract close out procedures

Advanced • International procurement strategies and risks • Open source threat intelligence for supply chain threats • Establishing a trusted supply chain for high integrity

operations • Consistently re-evaluate the supply chain


• Maintaining attention to detail • Personal integrity • Results focused • Relationship management


• Analyzing, collaborating, communicating, negotiating.


• Topics would be best integrated into related curriculum subjects though a separate subject area could be developed that supports a wider range of prospective students.

UNCLASSIFIED

23

4.2.8 COMMUNICATIONS

Role Communications


Developing and implementing communication strategies and plans in support of organizational goals.


Graduates should be able to develop and deliver routine and crisis communications packages on cyber security that support internal and external audiences.


• Developing cyber security communications products in conjunction with cyber security experts

• Supporting translation of cyber security policies into clear and simple communications products

• Advising on key messages in routine and crisis cyber security situations • Coordinating /conducting media events • Supporting the cyber security awareness program


Basic Core curriculum + • Communications and cyber security risk management • Cyber security governance • Cyber security incident management process • Legal, policy and other compliance requirements

Intermediate • Managing organizational risk through communications • Integrating cyber security and trust in media lines

Advanced • Strategic communications related to cyber security issues • Managing crisis communications arising from a cyber

security incident or privacy breech


• Business communications • Communications policy development • Audience appreciation • Communicating in crisis


• Communicating, analyzing, collaborating.



UNCLASSIFIED

24

5 CYBER SECURITY ROLES AND SPECIALIZATIONS

5.1 OVERVIEW

The security-oriented curriculum focuses on cyber security knowledge and skills for generalist and specialized cyber security roles. Note that not all specializations are necessarily represented, but will be amended in later versions.

5.1.1 REFERENCE MODEL

As previously discussed, the cyber security generalist and specialist curriculum elements are categorized in their functional areas as previously shown in Figure 2 and shown again below: Governance & Management; Design & Build; Evaluate & Measure; and Operate and Maintain.

5.1.2 CORE CURRICULUM TOPICS

The curriculum for technical specialist roles assumes that individuals have the technical education, training and/or experience within an IT field and therefore fundamental knowledge of IT systems/software and networks have been met.

For those participants with limited or no technical background, they should be provided opportunities to attain a basic working knowledge of the following:

Network connections, network protocols and devices, telephony, VPNs and wireless

UNCLASSIFIED

25

Internet security protocols, communication protocols, directory standards Cloud computing and virtualization technologies Network architecture and enterprise architecture models System and/or software development lifecycle, software development processes Cryptography and encryption

Typical organizational roles, responsibilities, and structures Configuration and change management Information and data base management

Additionally, all participants who intend on working in a cyber security environment, whether in a technical or non-technical role should have a basic working knowledge of:

Legal, policy and ethical context for security Corporate risk and security risk management Security approaches and models Security management frameworks Security requirements and the threat and risk assessment Technical, operational and management controls Personnel and physical security Security program management and measurement Business continuity & disaster recovery Vulnerability management Analysis and reporting Security incident response and mitigation Common attack methods

5.1.3 SUGGESTED CURRICULUM COMPONENTS STRUCTURE

Due to the relatively nascent body of knowledge and limited programs available that support cyber security, the role-based curriculum descriptions in this section of the guide provide more detail. Each of the suggested cyber security curriculum components provides:

Role-based title Roles with similar requirements Standard work functions Common tasks Pre-requisite education/training Technical training requirements Primary non-technical competencies

Note that specific post-secondary certifications or qualifications have not been identified as they tend to be dynamic. It is recommended that those interested in attaining a certification or qualification for their specialization compare their role-based requirements to the post-secondary institution’s certification/qualification requirements.

UNCLASSIFIED

26

5.2 GOVERN AND MANAGE

5.2.1 CONTEXT

The roles within Security Governance and Management (Figure 4) may or may not be security professionals. Often them may be fill by individuals from other domains (e.g. management, finance, policy) who have either experience in the related role or are security practitioners who have been selected/assigned a role. Accordingly, the degree of experience in the aspects of security governance and management may be highly variable. Each of the specialties is explained in more detail in the tables that follow.

Security Governance and Management Roles

UNCLASSIFIED

27

5.2.2 STRATEGIC PLANNER

Role Strategic Planner

Roles with similar requirements

• Strategic Planner • Strategy Development • IT Security Coordinator • Senior Security Analyst • Senior Security Manager

Standard work functions

Given references, organizational security documentation and required tools, resources: • Developing and, in conjunction with other departmental authorities, implementing a

security strategy • Developing the organizational security plan • Ensuring that security objectives are integrated with other organizational objectives • Frequently reviewing the security strategy

Tasks • Identify security strategies, objectives, priorities and timelines for improving the department's security posture

• Identify other related federal, national or provincial imperatives and compliance requirements (e.g. Privacy, etc.)

• Develop the organizational security strategy • Develop the organizational security plan • Implement and monitoring the organizational security plan • Evaluate the effectiveness of the organizational security plan and other security

strategies/plans • Update the organizational security plan based on the results of performance

measurement, evaluation and risk assessments • Coordinating changes or updates to related security strategies/plans

Pre-requisite education

• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred. Individuals typically employed in this role have extensive experience in either security or strategy development.

Technical Training Requirements

• Structured learning and experience in foresight, strategic planning and program management would be beneficial.

• Core curriculum requirements are encouraged.

Primary operational, non-technical competencies

Business acumen, analyzing, planning, advising.

UNCLASSIFIED

28

5.2.3 POLICY ANALYST

Role Security Policy Analyst


• Security Policy Analyst • Security Policy Developer • Security Advisor


Given references, organizational security documentation and required tools, resources: • Security policy analysis • Development of effective policies and policy instruments that establish security

accountabilities, responsibilities, governance mechanisms, management, monitoring and reporting requirements

• Policy integration across other organizational activities/functions

Tasks • Identify security strategies, objectives, priorities and timelines for improving the department's security posture

• Identify other related federal, national or provincial imperatives and compliance requirements (e.g. Privacy, etc.)

• Generate/Maintain security policy development framework/governance structure • Research policy requirements (e.g. basis for authority/compliance, security policy

context and departmental security context) • Identify and analyze issues • Formulate/develop policy instrument for decision • Develop implementation and performance measurement plan • Communicate policy to stakeholders/decision-makers • Implement, monitor and evaluate policy • Participate in organizational security planning


• Post-secondary education in an applicable field related to policy analysis/development (e.g. economics, business administration, or a related security or IT field).

• Individuals employed in this role can have diverse levels of IT or security expertise and may not have any background in either work domain. Pre-requisite education will depend on the organizational need. All should have experience in crafting documents for senior level decision-makers and be familiar with program management requirements.


• Structured learning and experience in policy analysis and development should be required.

• Core curriculum requirements are required as well as: o Threat and risk assessment methodologies o Sources of reliable threat information o Key system performance indicators, quality control processes and

requirements o Testing and evaluation techniques and processes


Analyzing, advising, communicating, business acumen, evaluating.

UNCLASSIFIED

29

5.2.4 REQUIREMENTS ANALYST

Role Requirements Analyst


• Security Requirements Analyst • Security Analyst • Security Program Manager • Security Manager


Given references, organizational security documentation and required tools, resources: • Evaluating the effectiveness of security controls in meeting security objectives • Recommending corrective action to address deficiencies identified in performance

measurement and evaluations

Tasks • Define the scope of the organizations information system security risk management activities

• Collect business needs for security and translate these needs into security requirements

• Identify injury levels and categorize business activities • Prepare and present categorization report • Define Threat and Risk Assessment (TRA) methodology and requirements • Conduct the IS security threat assessment • Development and tailoring of the security control profile • Participate in security assessment activities • Monitor implementation of security controls to ensure they satisfy the organizational

security requirements • Identify issues or changes required to security control profile • Participate in organizational security planning


• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred. Individuals typically employed in this role have extensive experience in cyber security activities in some other capacity.


• Core curriculum requirements are essential and should also include: o Threat and risk assessment methodologies o Sources of reliable threat information o Key system performance indicators, quality control processes and

requirements o Testing and evaluation techniques and processes


Analyzing, advising, business acumen, communicating, technical writing.

UNCLASSIFIED

30

5.2.5 PROGRAM MANAGER

Role Security Program Manager


• System Security Manager • Security Coordinator • Security Manager


Given references, organizational security documentation and required tools, resources: • Develop security program guidance and directives in support of organizational goals • Ensure security is integrated into other organizational programs • Oversee implementation of, monitoring of and reporting on the security program

Tasks • Develop and implement an integrated security program • Identify and integrate other enterprise program requirements into the security program • Develop and support security governance mechanisms • Develop and support systematic management of security risks • Guide development of IT security policies, procedures and guidelines • Guide security related business function analysis and business impact assessments • Develop and implementing a measurement and quality assurance program • Monitor the security program(s) and control effectiveness • Report on security program results • Provide strategic assessments on technology trends and emerging security

technologies • Commission, guide feasibility studies, technology assessments and cost-benefit

analyses, and propose system implementation plans for IT Security • Collect, collate and prioritize client IT security requirements • Develop strategic IT security architecture vision, strategies and designs • Develop IT security programs and service designs • Develop, analyze and review IT security strategic plans


• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred. Individuals typically employed in this role have extensive experience in one or more roles within the security program


• Core curriculum requirements are essential including: o Key system performance indicators, quality control processes and

requirements • Structured learning and experience in planning and program management would be

beneficial to include: o Business planning o Business case development o Organizational culture o Formal and informal power structures o Types of security governance structures o Program definition and initiation requirements o Scoping process and activities o Business planning o Business case development

UNCLASSIFIED

31


Managing, business acumen planning, analyzing, communicating.

UNCLASSIFIED

32

5.2.6 SYSTEM AUTHORIZER

Role System Authorizer


• System owner • Business line owner • Chief Information Officer


Given references, organizational security documentation and required tools, resources: • Ensure that IT systems meet security compliance and risk management requirements • Authorizing IT systems for use

Tasks • Review IT security policies, procedures and guidelines • Review system security evidence to support operation • Review threat and risk assessment • Evaluate the degree to which implemented or proposed security controls mitigate

organizational risks • Prioritizes system security requirements based on business requirements • Decide on system operation parameters based on established security requirements


• This is often a non-technical role and educational requirements will vary depending on organizational requirements.


• Core curriculum requirements are beneficial but not essential. • Structured learning and experience in program management and risk management

would be beneficial.


Critical thinking, business acumen, attention to detail.

UNCLASSIFIED

33

5.2.7 DISASTER RECOVERY PLANNER

Role Disaster Recovery Planner


• Business Continuity Coordinator • IT Continuity Manager • Incident Management Coordinator


Given references, organizational security documentation and required tools, resources: • Develops, promotes, tests and evaluates the DRP and related controls to address

various scenarios to ensure IT system resilience and continuity. • Participates in business continuity planning

Tasks • Develop disaster recovery plan • Integrate disaster recovery planning elements into other security and business

planning • Plan and interpret the threat and risk assessment in support of disaster recovery

activities • Conduct disaster recovery planning • Support crisis communications, liaise with the communications coordinator • Test and evaluate the disaster recovery plan


• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred. Individuals typically employed in this role have extensive experience in either security or IT incident response coordination or management.


• Core curriculum requirements are beneficial essential. • Structured learning and experience in business continuity planning and crisis

communications would be beneficial.


Planning, communicating, business acumen, advising, evaluating.

UNCLASSIFIED

34

5.2.8 CONTRACTING AND PROCUREMENT SECURITY ADVISOR

Role Contracting and Procurement Security Advisor


• Security analyst • Security analyst - procurement specialist • Vendor management • Project manager


Given references, organizational security documentation and required tools, resources: • Identifies security requirements within proposed goods and/or services to be acquired. • Identifies supply chain integrity requirements • Ensure that the security policy is complied with and that contract documentation

includes the necessary clauses • Monitors security requirements throughout the contracting lifecycle and ensures

compliance to contractual obligations

Tasks • Identify organizational security requirements for services/goods to be acquired. • Support/interpret Threat and Risk Assessments (TRA) related to the potentially

contracted goods and/or services. • Review Supply Chain Integrity (SCI) and other security requirements • Draft security clauses for inclusion in contract documentation. • Advise on security components during bid evaluation process. • Provide security briefings to contractors and contracted resources. • Monitor and address contractor compliance to security requirements throughout the

contracting life-cycle. • Participate in security assessments. • Respond to and report on contractor/vendor related security incidents • Support close out


• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred. Individuals typically employed in this role have extensive experience in project security.


• Core curriculum requirements are essential. • Structured learning and experience in procurement, vendor management, and supply

chain integrity would be beneficial


Analyzing, advising, communicating, investigating, evaluating.

UNCLASSIFIED

35

5.3 OPERATE AND MAINTAIN

5.3.1 CONTEXT

The roles within Operate and Maintain (Figure 5) are typically IT practitioners who have specialist roles within security. Consequently, they should all have IT experience and the emphasis on learning should be to develop them into the security specialty. Each of the specialties is explained in more detail in the tables that follow.

Operate and Maintain Roles

UNCLASSIFIED

36

5.3.2 CYBER DEFENCE OPERATOR

Role Cyber Defence Operator


• Cyber security operator • Infrastructure Security Analyst • Network Security Analyst • Network Security Administrator • Data security analyst


Given references, organizational security documentation, IT security guidance and required tools, resources:

• Supports security system integration, implementation and testing • Monitors and adjusts network security mechanisms, develop, test to ensure required

network security • Provides initial detection, incident response and mitigation • Operates and maintains local security information and event management (SIEM)

services/products • Advises on work domain relevant cyber-related security requirements

Tasks • Identify and analyze technical threats to, and vulnerabilities of, networks • Identify, contain, conduct initial mitigations and report system compromises • Review, analyze, and/or apply internet security protocols, cryptographic algorithms,

directory standards, networking protocols, network hardening, technical IT security controls, IT security tools and techniques, OS, IDS, firewalls, routers, multiplexers and switches, and wireless devices

• Analyze security data and provide alerts, advisories and reports • Install, configure, integrate, adjust, operate, monitor performance, and detect faults on

security devices and systems • Conduct impact analysis for new software implementations, major configuration

changes and patch management • Develop proof-of-concept models and trials for IT security products and services • Troubleshoot security products and incidents • Design/develop IT Security protocols • Complete tasks related to authorization and authentication in physical and logical

environments • Develop options and solutions to meet the security-related project objectives • Identify the security products and its configuration to meet security-related project

objectives • Implement and test configuration specifications • Develop configuration and operational build books • Review, develop and deliver relevant training material.


Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred.


• For this role, there is typically an informal progression from junior (level I) to senior operator (level III)

UNCLASSIFIED

37

Level I - • Network security administration and management • Basic network security architecture • Network security appliance concepts, operation and configuration (equipment specific

based on role - network, server and desktop cyber defence systems and/or appliances) • Basic hardware and firmware security • Basic software defined security and application security • Basic virtual private network security • Basic wireless/mobile device security • IT security zoning • Types of intrusions • Common threat actor tactics, techniques, and procedures (TTPs) • Incident management processes, responsibilities and authorities • Intrusion detection and prevention methodologies, tools and systems • Intrusion analysis and mitigation techniques • Basic malware analysis • Legal and ethical responsibilities associated with cyber security operations including

conduct of investigations, privacy, and preservation of evidence.

For classified domain include: • Network security in high assurance • Information assurance architectures • Emissions security • Encryption and Cryptography • Advanced/sophisticated threats

Level II • Advanced network security technology and protocols • Advanced persistent and sophisticated threat TTPs • Development and testing of network security appliances (including scripts and coding). • Virtualization & cloud security • Wireless network & mobile device security • Vulnerability scanning and analysis • Vulnerability management • Software security analysis • Web application security • Configuration and operational build books • System acquisitions and projects

For classified domain include: • Advanced encryption and cryptography • Cross-domain solutions

Level III (typically within the S&I community only)

• Active cyber defence operations • Deep malware analysis • Legal and ethical responsibilities associated with active cyber defence operations


Analyzing, assessing, communicating

UNCLASSIFIED

38

5.3.3 CYBER SECURITY INCIDENT HANDLER

Role Cyber Security Incident Handler


• Information Protection Centre Operator • Cyber Protection Centre Operator • IT Security Analyst • Incident Responder • Computer or IT Incident Response Team Member


Given references, organizational security documentation, GC IT sec guidance and required tools, resources:

• In conjunction with the network security team, provides immediate and detailed response activities to mitigate/limit unauthorized activities. This includes planning, development of Courses of Action, tools, and solutions, prioritization of activities, preservation of evidence, and support of recovery operations and post-incident analysis

• Links severity of attack to the impact/injury to IT service delivery and business outcomes

• Produces detailed incident reports and technical briefs. Advises on work domain relevant cyber-related security requirements

Tasks • Supports planning and prepares for incident response activities • Review, analyze, and/or apply network scanners, VA tools, network protocols,

internet security protocols, intrusion detection systems, firewalls, content checkers and anti-virus software

• Develop and coordinate prevention and response plans • Monitor systems/networks for security events and incidents • Conduct on-site reviews and analysis of system security logs • Produce system activity reports, logs and incident analysis • Detect, analyze, identify IT security events and incidents (i.e. investigates,

conducts triage) • Develop, implement, and evaluate courses of actions and adapts to contain,

mitigate or eradicate effects of IT security incident • Provide incident analysis support on response mechanisms • Reporting and resolution procedures for IT Security incidents • Support incident recovery operations • Support post-analysis activities • Collect, collate, analyze, and disseminate information related to networked

computer threats and vulnerabilities, security incidents and incident responses

• Conduct research and development on IT security incidents and mitigations • Provide advice to system owners and users in support of prevention and

remediation activities • Archive information related to incidents • Assist in managing and running an incident response centre • Review, develop and deliver relevant training material

UNCLASSIFIED

39

Pre-requisite education & experience

• Post-secondary (College) diploma in IT related field. Cyber or IT security specialization preferred.

• Previous training and experience network security preferred.

Technical training requirements

• System and application-based security threats • Advanced threat actor tactics, techniques, and procedures (TTPs) • Incident management methodologies, responsibilities and authorities • Incident handling and response methodologies • Technical writing in support of incident handling reports and correspondence • Cyber security investigations and evidence preservation • Vulnerability assessment basics • Business continuity and disaster response basics • Malware analysis methodologies, tools and techniques

Specializations: • Incident handling in the cloud and virtualized environments • Incident handling in wireless and mobile device environments

Primary non-technical competencies

Analyzing, investigating, communicating

UNCLASSIFIED

40

5.3.4 DIGITAL FORENSICS ANALYST (SECURITY)

Role Digital Forensics Analyst (Security)


• Digital forensics investigator • Digital forensics examiner • IT Security Incident Recovery Team member • Computer Forensics Analyst/Investigator • Mobile Device Forensics Analyst/Investigator • Security Investigator • Cyber Defence Analyst



• Conducts digital forensics to identify causes and artifacts related to IT system intrusions and impacts across and within systems. This includes planning, development of COAs, tools, prioritization of activities, preservation of evidence, and support of recovery operations and post-incident analysis

• Produces detailed incident reports and technical briefs. Provides expert testimony

• Advises on work domain relevant cyber-related security requirements

This can include digital forensics within separate domains or contexts (mobile devices, memory, computer, network, active directory, etc.).

Tasks • Draft/Review forensics policies, standards, procedures and guidelines in support of local and GC requirements

• Identify and manage secure analysis infrastructure/laboratory • Plan forensics analysis activities for security incidents • Operate digital forensics systems (as required based on function and

systems available) • Manage digital evidence in accordance with appropriate chain of custody

requirements • Investigate security incidents as per local terms of reference • Report on digital forensics analysis result • Present evidence as an expert witness • Contribute to post-analysis on security incidents and provide

recommendations based on forensics activities • Draft investigative reports • Review, develop and deliver relevant training material.



• Previous training and experience in IT security analyst or incident response activities preferred.

UNCLASSIFIED

41


• Cyber security threat intelligence sources • System and application-based security threats • Advanced threat actor tactics, techniques, and procedures (TTPs) • Incident management • Incident handling and response methodologies • Digital forensics methodologies, processes and practices • Forensics lab design configuration and support applications • Systems or device specific forensics (e.g. memory, active director, mobile

device, network, computer (dead box), etc.) • Forensics tools, techniques, and procedures (tool dependent) • Malware analysis tools and techniques • Cyber security investigations, contexts, laws, governance and preservation of

evidence • Processes for collecting, packaging, transporting, and storing electronic

evidence to avoid alteration, loss, physical damage, or destruction of data. • Legal and court procedures, presentation of digital evidence, testimony as an

expert witness • Sandboxing • Archiving and storage of digital forensics data.

Advanced: • Ethical hacking • Reverse malware engineering • Anti-forensics tactics, techniques, and procedure


Analyzing, investigating, auditing, communicating

UNCLASSIFIED

42

5.3.5 PKI SUPPORT ANALYST

Role PKI Support Analyst


• IT security analyst • System analyst • ICAM analyst/specialist


Given references, organizational security documentation, GC IT security guidance and required tools, resources:

• Provides ongoing support to PKI activities including managing and maintaining the PKI system used within their organization.

• Advises on work domain relevant cyber-related security requirements.

Tasks • Review, analyze and/or apply encryption techniques and requirements • Drafting technical documents to support effective PKI operations within the

organization • Support PKI integration into current systems • Define PKI Registration Authority (RA) requirements for unclassified and

classified systems • Issue, revoke and recover PKI certificates • Liaise with and train users • Test, maintain and support PKI programs within the organization • Troubleshoot PKI systems and resolve common errors/problems



• Previous training and experience in identity and access management, preferred.


• Encryption, cryptography and cryptographic key management concept and methodologies

• Specific PKI tool, system, device, or appliance training • Authentication, authorization, and access control methods • Network access, identity, and access management using PKI • Policy-based and risk-adaptive access controls • Developing and applying security system access controls • Maintaining directory services • Organizational information technology (IT) user security policies (e.g.,

account creation, password rules, access control) • Developing and applying user credential management system. • PKI management • Encryption, cryptography and cryptographic key management concept and

methodologies


Analyzing, investigating, auditing, communicating

UNCLASSIFIED

43

5.3.6 IDENTITY, CREDENTIALS AND ACCESS ANALYST

Role Identity, Credentials and Access Management Analyst


• Access management analyst • System analyst • ICAM specialist • PKI analyst

Standard work functions -


• Provides ongoing support to ICAM activities including managing and maintaining the ICAM used within their organization.


Tasks • Identify client requirements and propose technical ICAM solutions • Model and map users to resources (e.g. role based) • Install, configure, operate, maintain and monitor ICAM applications • Deploy, configure and manage user provisioning including identity

synchronization, auto-provisioning and automatic access deactivation, self-service security request approvals workflow and consolidated reporting

• Configure and manage enterprise, web ICAM solutions (single sign on, password management, authentication & authorization, delegated administration)

• Analyze patterns or trends in ICAM incidents for further resolution • Manage identity change-request approval processes • Audit, log and report user life-cycle management steps against access

control list on managed platforms • Configure and manage federated ICAM in compliance with security policy,

standards and procedures





• Authentication, authorization, and access control methods • Network access, identity, and access management (e.g., public key

infrastructure [PKI]) • Policy-based and risk-adaptive access controls • Developing and applying security system access controls. • Maintaining directory services • Organizational information technology (IT) user security policies (e.g.,

account creation, password rules, access control) • Developing and applying user credential management system


Integrating, investigating, analyzing, communicating

UNCLASSIFIED

44

5.4 EVALUATE AND MEASURE

5.4.1 CONTEXT

The roles within Evaluate and Measure (Figure 6) may have IT, security, or auditing and evaluation backgrounds. Roles such as penetration tester are highly specialized and often require a significant amount of training and experience to ensure proficiency. Others, such those filling policy compliance and monitoring roles need only the core curriculum elements provided they have education, training and/or experience in policy and compliance roles. Each of the specialties is explained in more detail in the tables that follow.

Evaluate and Measure Roles

UNCLASSIFIED

45

5.4.2 VULNERABILITY ASSESSOR

Role Vulnerability Assessor


• Vulnerability analyst • Vulnerability assessor • Vulnerability management team member • Blue/red team technician • Ethical hacker • Compliance analyst • Penetration tester • Security testing and evaluation personnel



• Plans and conducts vulnerability assessments on GC systems, applications and devices.


Tasks • Define vulnerability management strategy, standards, tools and processes • Define VA activity scope and requirements • Plan & Prepare for VA activities • Perform VA • Analyze and evaluate results • Develop and monitor remediation activities • Report VA results • Plan and conduct penetration testing • Monitor and report on vulnerability management strategy



• Previous training and experience in identity and access management preferred.


• Sources of threat and vulnerability information • Planning and conducting vulnerability scans and recognizing vulnerabilities in

security systems • Identifying systemic security issues based on the analysis of vulnerability

and configuration data • Common system and application security threats and vulnerabilities • Packet analysis • Network analysis, tools and techniques • Vulnerability management methodologies and processes • Vulnerability assessment tools, techniques and procedures • Penetration testing principles, tools, and techniques • Secure system design concepts, principles, and standards • Designing countermeasures to identified security risks • Evaluating the adequacy of security designs • Hardware and software reverse engineering methodologies and techniques • Exploitation tools and techniques to identify system/software vulnerabilities

UNCLASSIFIED

46


Analyzing, planning, integrating, advising

UNCLASSIFIED

47

5.4.3 PENETRATION TESTER

Role Penetration Tester


• Advanced Vulnerability Analyst • Blue/red team technician • Ethical hacker • Compliance analyst



• Conducts formal, controlled tests and physical security assessments on web-based applications, networks, and other systems as required.


Tasks • Identify threats to, and technical vulnerabilities of, networks, systems and devices

• Develop pen testing plan, standards, tools and processes, risks and mitigations

• Review, analyze, and/or apply threat agent analysis tools and other emerging technologies

• Monitor, review, analyze and results from IT security tools, appliances, logs and systems

• Conduct on-site reviews and analysis of system security logs • Troubleshoot and respond to testing issues mitigating impact to

organization/systems • Prepare and/or deliver IT Security threat, pen testing and vulnerability and/or

risk briefings • Review, develop and deliver relevant training material



• Previous training and experience in IT security role supporting cyber defence, incident or vulnerability management preferred.


• Penetration testing • Penetration application development and testing • Specific tool, system, device, or appliance training

For classified domain include: • Network security in high assurance • Information assurance architectures • Emissions security • Encryption and Cryptography • Advanced/sophisticated threats • Cross-domain solutions



UNCLASSIFIED

48

5.4.4 SECURITY ASSESSOR

Role Security Assessor


• Security Compliance Officer • Security Advisor • Security Assessment Analyst • Security Program Manager • Security Manager • Certification and Accreditation (C&A) Analyst



• Plans and executes the security assessment activities. • Ensures that key outputs satisfy organizational security needs and objectives

up front. • Advises on work domain relevant cyber-related security requirements.

Tasks • Review and analyze, departmental security plans; threat and risk assessments

• Establish a security quality assurance program (Department and/or System Level)

• Identify monitoring and assessment requirements to support Departmental Security Plan (DSP)

• Plan periodic and ongoing assessment activities • Identify assessment points/metrics (key performance indicators) • Select assessment procedures to determine effectiveness of implemented

controls • Select and develop assessors/assessment team • Perform assessment in multiple contexts (organizational or system level) • Conduct testing and evaluation activities (system level) • Communicate assessment results • Monitor implementation of recommended improvements



• Previous training and experience IT security requirements gathering, architectures or similar functions preferred.


• International security standards and compliance • Security architecture concepts and enterprise architecture reference models • Security assessment and authorization processes • Security testing and evaluation methodologies and processes • Vulnerability assessment and penetration testing methodologies and

applications • Systems and software testing and evaluation methodologies • Drafting assessment reports • Measures or indicators of system performance and availability and needed to

improve or correct performance, relative to the goals of the system • Monitoring and optimizing system performance

UNCLASSIFIED

49

• Conducting audits or reviews of technical systems


Analyzing, auditing, advising, planning

UNCLASSIFIED

50

5.4.5 SECURITY TESTER & EVALUATOR

Role Security Tester & Evaluator (ST&E)


Security analyst • Software security analyst • Software security tester • Security auditor • Security product tester



• Conducts testing and evaluation of security devices, systems, controls, and policies relative to stipulated organizational requirements or standards.

• Ensures technically and scientifically defensible rigor in support of security testing software, hardware or systems.

• Reports on the security systems achievement of control objectives and recommends corrective action to address deficiencies.


Tasks • Conduct ST&E to determine if the controls are functioning as intended • Conduct security product testing and evaluation relative product standards,

selected industry, and organizational requirements • Review, develop and deliver relevant training material • Develop ST&E standards and documentation • Plan testing and evaluation activities • Produce ST&E reports



• Training and experience in an IT security role associated with system and/or software security measurement such as vulnerability assessment, software security,


• International security standards and compliance • Security architecture concepts and enterprise architecture reference models • Security assessment and authorization processes • Systems and software testing and evaluation methodologies • Drafting ST&E reports


Analyzing, planning, auditing, integrating, advising

UNCLASSIFIED

51

5.5 DESIGN AND BUILD

5.5.1 CONTEXT

The roles within Design and Build (Figure 7) tend to be highly specialized roles often requiring university degrees and additional training and experience to effectively meet the proficiency requirements within security roles. Predominantly, individuals performing these roles have a combination of training and extensive experience. Few training and education providers supply fulsome programs to support the learning requirements of such roles. However, there are some institutions developing programs for these roles. Each of the specialties is explained in more detail in the tables that follow.

Design and Build Roles

UNCLASSIFIED

52

5.5.2 IT SECURITY ANALYST – PROJECTS

Role IT Security Analyst – Projects and Procurement


• IT Security Requirements Analyst • IT Security Advisor • Business Analyst (Security)



• Ensures that security requirements are identified, addressed, formally documented, implemented and monitored throughout the project life cycle.

• Ensures that information, assets, systems and facilities entrusted to third parties meet the organizational security requirements and are afforded an appropriate level of protection throughout their life cycle.


Tasks • Define the scope of the department’s Information System (IS) security risk management activities

• Identify and categorize business needs • Define and conduct threat and risk assessment (TRA) methodology and

requirements • Participate in security assessment activities • Monitor implementation of security controls • Identify issues or changes required to security controls





• Security throughout the system/software development lifecycle Security in contracting including development of security clauses in the contract and security as part of the project requirements definition

• Vendor management • Cyber security supply chain integrity • Security assessment and authorization processes • Security monitoring and compliance throughout the project • Physical and personnel security in contracting • Vulnerability assessment • Incident management in projects and third-party arrangements


Analyzing, planning, communicating, advising

UNCLASSIFIED

53

5.5.3 SECURITY ARCHITECT

Role Security Architect


• Security Engineer • Security Designer • Security Requirements Analyst



• Ensures that security requirements are adequately addressed in all aspects of system design.

• Develops and advises on security design and architecture. • Advises on work domain relevant cyber-related security requirements.

Tasks • Define, review and/or validate the business for security and security requirements

• Draft security elements within technical architecture documents • Analyze and apply architectural methods, frameworks, and models in a

security requirements context • Develop, review and advise on security requirements in enterprise/systems

architectures, systems design, logical architecture, application architectures, and multiple hardware and software platforms based on best practices and industry standards.

• Review, analyze, and/or apply security standards, communications, security protocols

• Review and analyze emerging technology and trends as they apply to architecture, designs, systems or solutions

• Review, analyze, and/or apply best practices and standards related to the concept of network zoning and defence in-depth principles

• Analyze IT Security statistics, tools and techniques • Analyze security data and provide advisories and reports • Prepare technical reports such as requirement analysis, options analysis,

technical architecture documents, mathematical risk modeling • Conduct data security designation/classification studies • Review, develop and deliver training material relevant to the resource

category


• Post-secondary University Degree in Computer Engineering or related discipline. Cyber / IT security specialization preferred. Previous training and experience IT security infrastructure, requirements analysis or program management preferred.


• International security standards and compliance • Security architecture concepts and enterprise architecture reference models • Security assessment and authorization processes • Security testing and evaluation methodologies and processes • Security across the system / software development lifecycle

UNCLASSIFIED

54

• Vulnerability assessment and penetration testing methodologies and applications

• Systems and software testing and evaluation methodologies • Evidence-based security design • Threat modeling

For Classified Environments: • Communications security • Emissions security standards • Physical and IT security zoning • Cryptography • Encryption • Stenography • Cross-domain solutions, etc. • Advanced persistent and sophisticated threat actor tactics, techniques and

procedures. • Advanced threat modeling • Quantum safe/resistant technology


Designing, planning, integrating, analyzing, advising

UNCLASSIFIED

55

5.5.4 SECURITY ENGINEER

Role Security Engineer


• Security Architect • Security Designer • Security Requirements Analyst • Network Security Engineer



• Ensures business needs for security are captured and addressed in accordance with industry standards & practices.

• Addresses security considerations of all aspects of system engineering and throughout all phases of the System Development Life-Cycle (SDLC).


Tasks • Define/validate business needs for security & security requirements • Review and analyze security IT architectures & design documents, as well as related

systems, protocols, services, controls, appliances, applications, encryption and crypto algorithms relative to security requirements and industry standards

• Develop and review system use cases • Identify the technical threats to, and vulnerabilities of, systems • Manage the IT Security configuration • Analyze IT Security tools and techniques • Analyze the security data and provide advisories and reports • Analyze IT Security statistics • Prepare technical reports such as IT Security Solutions option analysis and

implementation plans • Provide Independent Verification and Validation (IV&V) on IT Security Projects • Oversee IT Security audits • Advise on security of IT projects • Review system plans, contingency plans, Business Continuity Plans and Disaster

Response Plans • Design/development and conduct IT Security protocols tests and exercises • Review, develop and deliver training materials


• Post-secondary University degree in Computer Engineering or related discipline. Cyber / IT security specialization preferred. Previous training and experience IT security infrastructure, requirements analysis or program management preferred.


For basic assurance environments: • Security engineering models • International security standards and compliance • Security architecture concepts and enterprise architecture reference models • Security assessment and authorization processes • Security testing and evaluation methodologies and processes • Security across the system / software development lifecycle • Vulnerability assessment and penetration testing methodologies and applications

UNCLASSIFIED

56

• Systems and software testing and evaluation methodologies • Evidence-based security design • Threat modeling

In addition, for classified/medium to high assurance environments: • Communications security • Emissions security standards • Physical and IT security zoning • Cryptography • Encryption • Stenography • Cross-domain solutions, etc. • Advanced persistent and sophisticated threat actor tactics, techniques and procedures. • Advanced threat modeling • Quantum safe/resistant technology


Designing, advising, analyzing, integrating

Mandatory Certification

In Canada, the term ‘engineer’ means a licensed professional engineer as described in the local jurisdiction. Accordingly, all security engineers must be licensed to practice ‘engineering’ within their jurisdiction.

UNCLASSIFIED

57

5.5.5 CYBER SECURITY RESEARCHER

Role Cyber Security Researcher


• Cyber Security Analyst • Digital Forensics Analyst • Cyber Defence Analyst • IT Security R&D specialist • IT Security Researcher • Security engineer • Security architect • Security Testing and Evaluation



• Investigates current and emerging threat actor tools, techniques and procedures to determine the most effective means to protect networks/systems/software.

• Maintains awareness of cyber futures/emerging trends/technologies. • Advises on work domain relevant cyber-related security requirements • Engages and maintains a professional research network aligned to

organizational requirements.

Tasks • Review, analyze, and/or apply academic and industry capabilities and standards including: directory standards; network protocols; internet security protocols; wireless and Bluetooth standards; communications standards and protocols; intrusion detection systems, firewalls and content checkers; cryptographic algorithms; security best practices.

• Research, develop, and support implementation of new security programs. • Design and develop proof of concept models, prototypes and trials for new

security technologies. • Review and analyze trends and emerging technologies. • Conduct security product evaluations. • Report on research to various target audiences. • Participate in R&D forums and related events and share knowledge. • Review, develop and deliver relevant training material.



• Previous training and experience in security operations roles or security testing and evaluation activities.


• System and application-based security threats • Advanced threat actor tactics, techniques, and procedures (TTPs) • Incident management • Incident handling and response methodologies • Digital forensics methodologies, processes and practices • Security Testing and Evaluation methodologies • Malware analysis tools and techniques

UNCLASSIFIED

58

• Sandboxing • Secure lab development and testing

Advanced: • Ethical hacking • Reverse malware engineering • Anti-forensics tactics, techniques, and procedure


Analyzing, integrating, advising, communicating

UNCLASSIFIED

59

5.5.6 SECURE SOFTWARE ANALYST/ DEVELOPER

Role Software Security Analyst/Developer


• Software security tester • Application security analyst • Web application security analyst • Data security operator • Data security analyst • Application Developer • Application Manager • Application System Analyst • Programmer • Programmer Analyst • Security Analyst • Systems Analyst



• Conducts testing and evaluation of software/data security controls and policies relative to stipulated organizational requirements or standards.

• Reports on the software/data security achievement of control objectives and recommends corrective action to address deficiencies.


Tasks • Examine and analyze the safeguards/controls required to protect software and applications used in an information system and/or data system, as they have been applied in an operational environment

• Provide advice, guidance and coordination efforts on application security best practices to protect sensitive data from threats and vulnerabilities

• Research, analyze and employ secure application development techniques • Develop software/data security standards and documentation Identify, create

and define secure application requirements • Develop and implement secure coding and change control processes • Analyze and recommend secure application solutions in line with the

organizational risks • Test, code and perform unit test plan for threats and vulnerabilities • Conduct system reviews to verify compliance with security policy, standards

and procedures • Evaluate and document secure coding and best practices for applications • Plan and conduct testing and evaluation • Conduct security evaluations and produce reports • Conduct vulnerability scans and audits on existing software and applications

and/or data security controls and measures



• Previous training and experience in software development or coding preferred.

UNCLASSIFIED

60


• System, application and data security threats, risks and vulnerabilities • Secure software design principles as part of the software development

lifecycle (SDLC) • Application security system concepts and functions • Data security conceptions and functions • Software/data security analysis methodologies, testing and protocols • Static and dynamic analysis • Secure coding techniques • Secure configuration techniques • Sandboxing • Software/application/data supply chain integrity • Creating or tailoring programs and code for application specific concerns



UNCLASSIFIED

61

6 SUPPORTING CONTENT

6.1 LIST OF ABBREVIATIONS

Abbreviation Definition

CCCS Canadian Centre for Cyber Security

CIO Chief Information Officer

CISO Chief Information Security Officer

CSE Communications Security Establishment

CSO Chief or Corporate Security Officer

CWF Cybersecurity Workforce Framework

DRP Disaster Recovery Planning

GC Government of Canada

IoT Internet of Things

IS Information System

IT Information Technology

ITS Information Technology Security

NICE (U.S.) National Initiative on Cybersecurity Education (NICE)

PG Post-Graduate

TRA Threat and Risk Assessment

UNCLASSIFIED

62

6.2 GLOSSARY

Ability - Describes a more general capability to perform an observable behavior or a behavior that is necessary to perform a job function resulting in an observable product.

Competency - A complex amalgam of knowledge, skills, abilities and other personal qualities (KSAOs) that underlie and support successful performance. All learning contributes to individual competency development in some capacity.

Core Curriculum – The core curriculum presents foundational topics that cut across all the roles within the given section. Due to the nature of the work, the core curriculum for business related roles differs from security specific roles. Core curriculum will consist primarily of key concepts, facts, processes, and procedures that support all the roles within the business or technical domain as applicable.

Course - A structured learning event of variable duration the goal of which is to provide a learning experience for participants that will allow them to achieve the established objectives.

Curriculum - A structured and programmed series of learning events (e.g. courses) undertaken by a learner. These are often used in formal learning institutions (e.g. schools, colleges, universities, etc.).

Education - Provides knowledge and intellectual skills; in contrast to training, education prepare learners with the ability to provide reasoned responses in uncertain or unpredictable environments.

Function – In terms of work, a function is a common, often ongoing activity that normally spans across more than one job and is not specific to a job or task. Functions are often aligned with organizational structures. Common functions sales, operations, management, etc.

Functional Competencies – In contrast to core (inherent, character-based) or technical (task or job specific) competencies, functional competencies apply to a job family, functional groups, or cross-functional work. In some jobs technical and functional competencies may overlap. Functional competencies often include those that are required to perform functions (as discussed above) and are not necessarily job specific.

Informal Learning — The intentional or unintentional acquisition of skills and knowledge outside of structured learning events through various means including reading, discussion, television, web sites and on-line discussion groups. It is unplanned and often incidental to learner experiences.

Job – A grouping of positions that have similar significant tasks.

Knowledge — Means the theoretical and/or practical understanding of a subject matter required to perform work.

Learning — A change in behaviour that occurs as a result of the acquisition of knowledge, skill or attitude.

Learning outcomes – These are defined in work role terms. There may be professional standards that apply to the work or the role. But these are not included as they may or may not be recognized and are themselves often dynamic. Instead learning outcomes are used which are consistent across organizational contexts. Where applicable, relevant professional standards should be introduced into local curriculum and situated relative to the institution’s requirements.

Occupation - A grouping of related jobs having common tasks or roles that require similar education and/or training.

Role - in terms of the workplace, a role a distinct, assigned portion of a job such as identified in this guide, or it can be assumed and ancillary to one’s job such as a ‘coach’ or ‘mentor’. For the purposes of this guide, for example, role-based implies that an individual may not have the job of ‘incident handler’ but may play have a key role within the incident management organization. Moreover, for post-secondary educational institutions, course or program descriptions do not always indicate to which jobs or roles the education is applicable. However, the curriculum topics/elements and related tasks will be highly suggestive of the role to which they apply. For

UNCLASSIFIED

63

example, for computer science programs with a programming and software development emphasis, secure software development curriculum component may be applicable for integration into the program.

Skill - A practiced mental and/or physical activity that requires a measured degree of proficiency. As distinct from (natural) abilities, skills tend to be learned over time.

Task - A discrete segment of work which has a beginning and an end, is often conducted within an assigned envelope of time and is a part of a role, job or duty. There can be physical or cognitive tasks, or a combination thereof.

Training – A formally structured learning activity where the intent is to provide learners with knowledge and skills related to specific tasks, roles or jobs. Training is often understood to provide individuals with the ability to provide predictable (trained) responses within controlled or predictable contexts.

Work – In self-employment or organizational terms is the effort expended to achieve a goal or fulfill a requirement.

UNCLASSIFIED

64

6.3 GENERAL COMPETENCY DESCRIPTIONS

In the analysis of the cyber security roles within organization, it was found that there were common functional competencies that were often not well honed. While there are a wide-range of potential competencies required depending on the organizational context, the following is a list of the most common competencies. For each suggested curriculum component, up to four functional competencies are identified that can be used to support functional competency development within an educational or training curriculum.

Advising - Assesses situations and provides advice and guidance based on their assessment. Often plays a key figure in determining organizational courses of action or requirements.

Analysing - Gathers, organizes, analyzes and synthesizes data to support organizational requirements. They may also participate in research and development. Work often includes analyzing options or courses of action, developing recommendations, providing conclusions and writing reports.

Anticipatory thinking - Anticipatory thinking is a critical macro cognitive function of individuals and teams that supports the ability to prepare in time for problems and opportunities. (Klein, Snowdon, Lock Pin, 2011, Anticipatory Thinking).

Assessing - Assesses situations and provides advice and guidance based on their assessment. Often plays a key figure in determining organizational courses of action or requirements.

Collaborating – work jointly on an activity or task often with a shared goal or outcome in mind.

Communicating - Provides practical communications to all levels. Often employed in developing communications strategies and plans for internal or external communications and messaging using a variety of media. They may also be involved in preparing and delivering these messages.

Complex problem solving – in contrast to linear or dynamic problem solving, complex problem solving is both a cognitive, emotional and motivational process, involving one or more actors within a dynamic decision environment who are attempting to achieve ill-defined or not fully identified goals that cannot be reached through routine actions alone. Complex problems usually involve knowledge-rich, dynamic environments, uncertainty on both current and desired states and diverse perspectives and intentions.

Designing - Designs solution in line with business needs for security and security requirements. Provides options analyses and recommendation of security solutions. Provides oversight & execution of the security solution implementation. Researches emerging security practices & standards.

Educating - Trains and educates adults through various means. Often involved in designing, developing or instructing courses, curriculum, or other learning activities. Can also be a coach or guide for others’ learning.

Facilitating - Creates collaborative relationships. Plans and coordinates group process and assures sustained participatory environment to appropriate and useful outcomes. Builds and maintains professional knowledge within a community. Models positive professional attributes and attitude.

Integrating - Identifies system interrelationships & dependencies, integrates component sub-systems into one system. Implements, tests, mitigates and troubleshoots integrated systems and supports system changes.

Investigating - Responds to allegations or reports by gathering facts, conducting reviews, interviewing witnesses. In responding to support a formal inquiry or investigation they are often called upon to conduct root cause analyses and provide formal reports and briefs.

UNCLASSIFIED

65

Planning - Develops plans to support organizational objectives. Develops courses of action and options for implementation. Plans, schedules, coordinates and monitors resources in support of organizational plans. Evaluates plan effectiveness.

Strategic thinking – An intentional cognitive activity that, when conducted within a business context, blends the generation and application of business insights and potential opportunities to achieve an organizational goal.

6.4 REFERENCES

Number Reference

1 Public Services and Procurement Canada, Task-based Informatics Professional Services

2 Communications Security Establishment. ITSG-33 IT Security Risk Management: A Lifecycle Approach

3 U.S. National Initiative on Cybersecurity Education (NICE) Cybersecurity Workforce Framework (CWF)

CYBER SECURITY CURRICULUM GUIDE Securit… · conjunction with the CCCS Learning Hub pathways, new...

Documents

Transcript of CYBER SECURITY CURRICULUM GUIDE Securit… · conjunction with the CCCS Learning Hub pathways, new...