Upload
travis-grant
View
233
Download
0
Embed Size (px)
Citation preview
8/8/2019 FSU - Analysis JobTask Analysis
1/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 1 of 19 Confidential Internal Use Only Version 1.0
XYZ Company
Job / Task Analysis:
Information Assurance Specialist
Creation Date: 19 October 2009Last Update: 27 October 2009
Participant:
Travis [email protected]
Introduction to Instructional SystemsEME5601
Professor Keller
This document is the work of ABC IDS Contractors of Surrey, U.K.,
and is the sole property of XYZ Company of London, U.K.
8/8/2019 FSU - Analysis JobTask Analysis
2/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 2 of 19 Confidential Internal Use Only Version 1.0
Table of Contents
1.0 Introduction ..................................................................................... .................................................. 3
1.1 Background ....................................................................................... ............................................. 31.2 Setting ........................................................................................................................................... 4
1.1.1 Department Structure ............................................................................................................. 4
1.1.2 Statements of Commitment .................................................................................................... 4
2.0 Procedure .......................................................................................................................................... 6
2.1 Preparation ...................................................................................... .............................................. 6
2.2 Interviews and Observations ........................................................................................................ 10
2.3 Analysis ........................................................................................................................................ 10
3.0 Results of Job / Task Analysis ........................................................................................................... 11
3.1 Description of job position (in brief) ............................................................................................. 11
3.2 Task Listing................................................................................................................................... 12
3.3 Requisite Skills and Knowledge ..................................................................................................... 15
3.4 Requisite Qualifications ................................................................................................................ 17
3.5 Summary Finding ......................................................................................................................... 17
Appendix 1 ............................................................................................................................................ 18
8/8/2019 FSU - Analysis JobTask Analysis
3/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 3 of 19 Confidential Internal Use Only Version 1.0
1.0 Introduction
1.1 Background
This document outlines a Job / Task Analysis performed for XYZ Company of London, UK. This analysis
has been performed on the Information Assurance Specialist (IA Specialists) position within the
Information Security Department (IS). The analysis was conduct on location at XYZ Companys
headquarters located at: 8596 Tally Road, London, UK SW1P 1AE.
There are currently three occupied Information Assurance Specialist positions within the Information
Security Department.
y John Locke, IA SPECIALIST
y Cathy Booker, IA SPECIALIST
y
Terry Chatworth, IA SPECIALIST
The immediate supervisor to all three IA Specialist employees is the Information Systems Security
Officer (ISSO).
y Kevin Tanner, ISSO
The three Information Assurance Specialists were interviewed and observed during the week of 12
October 2009. The ISSO was interviewed on 16 October 2009. This document represents an analysis of
the results of the four interviews and three observations, and it defines and classifies the major
functions, duties, and tasks the IA Specialists perform. In addition, the analysis was performed to
determine if reclassification of the position and its duties is necessary.
Note: Please see Chart 1 on the next page (p.4) for an organizational chart identifying the present
positioning of the IA Specialist position.
XYZ Company is in the process of developing an Information Security Program to provide a foundational
security direction for the company. Established in 1985, XYZ Company is a highly respected international
leader within the financial services industry. The company has a strong and well-developed customer
base that expects high-quality secure financial services with. A well-developed and maintained security
program will ensure that XYZ Company is successful in providing a foundation from which to build its
security infrastructure and maintain the security that its customers expect. In the process of developing
the Information Security Program it was determined that a job / task analysis was required to define and
classify the major functions, duties, and tasks of the IA Specialist position, and identify whether
reclassification of the position and its duties is necessary.
Note: Please see Appendix 1 for a current (as of 20 October 2009) job description of the Information
Assurance Specialist position.
8/8/2019 FSU - Analysis JobTask Analysis
4/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 4 of 19 Confidential Internal Use Only Version 1.0
1.2 Setting
1.1.1 Department Structure
The Information Security (IS) Department is composed of four personnel. The Information Systems
Security Officer is the head of IS Department and reports to the Chief Executive Officer. The ISSO
oversees a total of three personnel. These three personal all go by the same title, Information Assurance
Specialist. The Information Assurance Specialists report directly to the ISSO, and work closely with
leaders from each business department.
Chart 1: Organizational chart identifying present positioning of the ISA position.
1.1.2 Statements of Commitment
The Information Security Department of XYZ Company is dedicated to maintaining the confidentiality,
integrity, and availability of corporate assets and customer information. This is accomplished in-line with
the companys Statements of Commitment. The following guiding principles reflect the commitments ofXY Company employees to all of the companys stakeholders (customers, suppliers, employees,
shareholders, governments and society).
8/8/2019 FSU - Analysis JobTask Analysis
5/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 5 of 19 Confidential Internal Use Only Version 1.0
Vision Statement (Global)
XYZ Companys vision is to maintain its competitive advantage in the domestic and international
financial services industry by providing secure, valuable, and high quality services with expert employee
knowledge to our customers when they want them and where they want them.
Quality Statement (Global)
XYZ Company understands the value of continuous improvement. Our unwavering focus and steadfast
passion is to provide the highest quality customer service and financial products while consistently
exceed customer expectations. Our employees are committed to understanding and meeting customers'
evolving needs, and our company and service offerings are able to adapt quickly to changing
environments and competitive pressures.
Mission Statement (Global)
XYZ Companys mission is to serve consumers and institutions with its well-established and uniquefinancial products and services.
Technology Statement (IS Department Specific)
XYZ Companys use of technology is vital to its continued success. The technology mission of XYZ
Companys security department is to maintain the confidentiality, integrity, and availability of
information assets and systems while delivering high quality, timely, and effective responses to
customer requirements (both internal and external) through technology and connectivity.
8/8/2019 FSU - Analysis JobTask Analysis
6/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 6 of 19 Confidential Internal Use Only Version 1.0
2.0 Procedure
The procedure utilized in this Job / Task Analysis follows from preparation to interviewing to analysis.
2.1 Preparation
1) Collect Information:
a) Corporate-wide
i) Statements of Commitment
ii) Business goals
iii) Organizational structure
b) Departmental (Information Security Department)
i) Statements of Commitment
ii) Business goalsiii) Organizational structure
c) Position under analysis (Information Assurance Specialist)
i) Job description on file (current and past)
ii) Expectations from supervisors
iii) Entry qualifications
iv) Responsibilities
v) Certifications
vi) Compensation
2) Select the Sample for Interviewa) Sample Size
i) Four persons (more than one person must always be included in the sample)
(1) 3 IA SPECIALIST employees
(2) 1 supervisor (ISSO)
b) Sample Information:
i) Designation IA SPECIALIST #1
(1) Name: John Locke
(2) Gender: Male
(3) Current job title: Information Assurance Specialist(4) Department/Company: Information Security / XYZ Company
(5) Job Location: London Office. London, UK
(6) Length of time in current position: 4 years
(7) Education: B.S. in IT, Stanford University, Stanford, CA, USA
(a) M.S. in IA, Rockfurn University, UK
(8) Certifications: CISSP
8/8/2019 FSU - Analysis JobTask Analysis
7/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 7 of 19 Confidential Internal Use Only Version 1.0
ii) Designation IA SPECIALIST #2
(1) Name: Cathy Booker
(2) Gender: Female
(3) Current job title: Information Assurance Specialist
(4) Department/Company: Information Security / XYZ Company
(5) Job Location: London Office. London, UK
(6) Length of time in current position: 2 years
(7) Education: B.S. in IM, Stopwidth University, UK
(a) M.S. in IS, Blackburn University, UK
(8) Certifications: CISSP
iii) Designation IA SPECIALIST #3
(1) Name: Terry Chatworth
(2) Gender: Male
(3) Current job title: Information Assurance Specialist
(4) Department/Company: Information Security / XYZ Company
(5) Job Location: London Office. London, UK
(6) Length of time in current position: 1.5 years
(7) Education: B.S. in IT, Warick University, UK
(a) M.S. in IS, Blackburn University, UK
(8) Certifications: CISSP
iv) Designation ISSO #1
(1) Name: Kevin Tanner
(2) Gender: Male(3) Current job title: Information Systems Security Officer
(4) Department/Company: Information Security / XYZ Company
(5) Job Location: London Office. London, UK
(6) Length of time in current position: 5 years
(7) Education: B.S. in IT, Stanford University, Stanford, CA
(a) M.S. in IS, Cambridge, UK
(8) Certifications: CISSP
3) Ensure appropriate permissions
a) Ensure that supervisor also contacts the intervieweesb) Ensure appropriate documentation (signed letter on company paper head) in hard and soft copy
notifying employees that you have been given permission to conduct the interviews and
observations
8/8/2019 FSU - Analysis JobTask Analysis
8/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 8 of 19 Confidential Internal Use Only Version 1.0
4) Contact personnel to interview and observe
a) John Locke (IA SPECIALIST #1) Contacted by phone call. Purpose of analysis explained during
call. Introduction to plan of analysis explained. Requested assistance by means of interview and
observation. Approval given. Scheduled interview and observation.
i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
notification that approval was given, interview and observation times.
b) Cathy Booker (IA SPECIALIST #2) - Contacted by phone call. Purpose of analysis explained during
call. Introduction to plan of analysis explained. Requested assistance by means of interview and
observation. Approval given. Scheduled interview and observation.
i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
notification that approval was given, interview and observation times.
c) Terry Chatworth (IA SPECIALIST #3) - Contacted by phone call. Purpose of analysis explained
during call. Introduction to plan of analysis explained. Requested assistance by means of
interview and observation. Approval given. Scheduled interview and observation.
i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
notification that approval was given, interview and observation times.
d) Kevin Tanner (ISSO #1) Contacted in person. ISSO provided hard and soft copy of signed
permissions letter. Introduction to plan of analysis explained. Requested interview. Scheduled
interview.
i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
notification that approval was given, interview time.
Note: Please see Item 1 on the following page (p.9) for an outline of the email sent to the IA
Specialist interviewees.
8/8/2019 FSU - Analysis JobTask Analysis
9/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 9 of 19 Confidential Internal Use Only Version 1.0
Item 1: Outline of email sent to IA Specialist interviewees
1. The goal of the Job / Task Analysis
2. The purpose of the interview
3. The expected results of the analysisa. Functions, duties, tasks, and subtasks (if necessary)
b. Knowledge and skills required to conduct certain complex tasks
c. List of qualifications necessary to perform will in the position
4. The scheduled time and date of the interview
5. Sample of questions that shall be asked during the interview
a. Questions about the work setting:
i. The mission, business goals and organizational structure of
XYZ Company
ii. The mission, business goals and organizational structure of
XYZ Companyiii. What business are you in? Yes, a financial services business,
but please be more specific.
b. Questions about your job
i. Would you please provide a general introduction to your
current job?
ii. What functions are required to perform your job?
iii. What duties are necessary to perform each function?
iv. Would you kindly breakdown complicated duties into a series
of tasks?
v. What is the most frequently performed function/duty/task?vi. At what frequency are the remainder of the
functions/duties/tasks performed?
vii. What are the difficulties you encounter on your job?
viii. What kind of knowledge and skills are needed to perform
these tasks?
ix. What inputs are available to perform the job?
x. What results are being achieved by performing your job?
xi. Do you have any job performance standards?
8/8/2019 FSU - Analysis JobTask Analysis
10/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 10 of 19 Confidential Internal Use Only Version 1.0
2.2 Interviews and Observations
The three Information Assurance Specialists were interviewed and observed during the week of 12
October 2009. The ISSO was interviewed on 16 October 2009. The Job / Task Analysis was developed
during the week of 19 October 2009.
y John Locke (IA SPECIALIST) Interviewedon 12 October 2009 at 10:25. Observedon 12 October
2009 from 12:00 17:00.
y Cathy Booker (IA SPECIALIST) - Interviewed on 13 October 2009 at 08:25. Observed on 12
October 2009 from 10:00 17:45.
y Terry Chatworth (IA SPECIALIST) - Interviewed on 14 October 2009 at 09:00. Observed on 15
October 2009 from 8:00 17:00 and 16 October 2009 from 8:00 14:25.
y Kevin Tanner (ISSO) - Interviewedon 16 October 2009 at 14:45.
2.3 Analysis
Extensive notes were taken during the four interviews and three observation sessions. The notes were
first checked for potential inaccuracies, and then, consolidated. The consolidated notes were translated
into a hierarchical list of functions, duties, and tasks as deemed necessary to perform the job. Required
skills and knowledge for some frequently performed tasks were also identified.
8/8/2019 FSU - Analysis JobTask Analysis
11/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 11 of 19 Confidential Internal Use Only Version 1.0
3.0 Results of Job / Task Analysis
The results of the analysis are a short description of the Information Assurance Specialist job position as
it was so described, the prerequisites that an IA Specialists should posses at XYZ Company, a list of
functions, duties, and tasks that are necessary to perform the job, and required skills and knowledge for
frequently performed tasks.
3.1 Description of job position (in brief)
The IA Specialists work both independently and as part of the Information Security Department team
under the leadership of the ISSO. The IA Specialists report directly to the ISSO as seen in Chart 1 (p.4). In
addition, IA Specialists work closely with leaders in other key business departments to ensure the
confidentiality, integrity, and availability of information assets and systems. IA Specialists are expected
to deliver high-quality, timely and effective responses to customer requirements (both internal andexternal) through technology, connectivity, and communication.
Of note, the current job description on file matched with a high degree of accuracy the job
responsibilities and qualifications detailed by the ISSO and the IA Specialists.
To be successful as an IA Specialist, the following knowledge elements and capabilities have been
identified:
y Ability to develop and maintain security policies, standards, procedures and guidelines where
appropriate.
y Ability to develop security assessments, and develop and maintain security plans.y Ability to participate in security investigations, incident response, and disaster recovery.
y Ability to develop and analyze the systems security.
y Knowledge of how to develop additional systems security documentation.
y Knowledge of how to develop and implement security policies, standards, procedures and
guidelines.
y Knowledge of security regulations and standards.
y Knowledge of technical and administrative information assurance issues.
y Technical and administrative skills for implementing security mechanisms and controls.
8/8/2019 FSU - Analysis JobTask Analysis
12/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 12 of 19 Confidential Internal Use Only Version 1.0
3.2 Task Listing
There are five major functions for the IA Specialist position at XYZ Company: protect; monitor; analyze;
detect; and respond. Functions provide a means of distinguishing between different levels of work. The
functional level indicates the roles that employees perform.
Functions Duties Tasks Criticality(1=Low / 5 = High)
Frequency(Low / Moderate / High)
1.0 Protect 1.1 Develop security
policies, standards,
procedures and guidelines
1.1.1 Identify
security
requirements, goals,
and functions
3 Low1.1.2 Identify
relevant security
regulations andstandards
1.1.3 Write security
documentation
1.2 Maintain security
policies, standards,
procedures and guidelines
1.2.1 Identify
changes to security
environment3 Low
1.2.2 Update
security
documentation
1.3 Develop systems
security documentation
1.3.1 Identify
security practices of
systems 3 Low1.3.2 Write security
documentation
1.4 Maintain systems
security documentation
1.4.1 Identify
changes to systems
4 Moderate1.4.2 Update
security
documentation
1.5 Implement security
mechanisms and controls
1.5.1 Show
knowledge of
security mechanisms
and control
4 Moderate
1.5.2 Deploy
security mechanisms
and controls
1.5.3 Configure
security mechanisms
and controls
1.6 Maintain security
mechanisms and controls
1.6.1 Identify
changes to
environment
4 High
8/8/2019 FSU - Analysis JobTask Analysis
13/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 13 of 19 Confidential Internal Use Only Version 1.0
1.6.2 Identify
updates to
mechanisms and
controls
1.6.3 Apply updates
1.6.4 Reconfigure
2.0 Monitor 2.1 Monitor security
mechanisms and controls
2.1.1 Identify
suspicious
information asset
activities
5 High
3.0 Analyze 3.1 Analyze information
security requirements
3.1.1 Show
knowledge of
organization
3 Low3.1.2 Show
knowledge of
security best
practices, standards,
and regulations
3.2 Analyze securitymechanism and control
reports
3.2.1 Showknowledge of
analysis procedures5 High
3.2.2 Show
knowledge of alarms
and alerts
4.0 Detect 4.1 Identify information
security threats
4.1.1 Show
knowledge of
security mechanism
and control alerts5 Moderate
4.1.2 Identify
suspicious IT and
network systemsactivity
4.2 Identify physical
security threats
4.2.1 Show
knowledge of alarm
and surveillance
systems 4 Low
4.2.2 Identify
suspicious people
and activities
5.0 Respond 5.1 Participate in security
investigations
5.1.1 Respond to
incident
5 Low
5.1.2 Aid in recovery
from incident
5.1.3 Restore
systems after
incident
5.1.4 Prepare
systems in case of
incident
5.1.5 Conduct
exercises to ensure
8/8/2019 FSU - Analysis JobTask Analysis
14/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 14 of 19 Confidential Internal Use Only Version 1.0
preparation
5.2 Participate in incident
response
5.2.1 Respond to
incident
5 Moderate
5.2.2 Aid in recovery
from incident
5.2.3 Restore
systems after
incident
5.2.4 Prepare
systems in case of
incident
5.2.5 Conduct
exercises to ensure
preparation
5.3 Participate in disaster
recovery
5.3.1 Respond to
incident
5 Low
5.3.2 Aid in recovery
from incident
5.3.3 Restoresystems after
incident
5.3.4 Prepare
systems in case of
incident
5.3.5 Conduct
exercises to ensure
preparation
8/8/2019 FSU - Analysis JobTask Analysis
15/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 15 of 19 Confidential Internal Use Only Version 1.0
3.3 Requisite Skills and Knowledge
This section identifies some of the requisite skills and knowledge required to perform the tasks
identified as High Frequency in the Task Listing.
Function: 1.0 Protect
Duty: 1.6 Maintain security mechanisms and controls
Task(s): 1.6.1 1.6.4
y 1.6.1 Identify changes to environment
y 1.6.2 Identify updates to mechanisms and controls
y
1.6.3 Apply updatesy 1.6.4 Reconfigure
Task(s) Skills and Knowledge
1.6.1 Identify changes to environment a) Ability to gather data about Internet-wide
security environment
b) Ability to gather data about corporate-wide
security environment
1.6.2 Identify updates to mechanisms and controls a) Ability to gather data about updates to
mechanisms and controls
b) Knowledge of best practices of mechanisms and
controls
1.6.3 Apply updates a) Working knowledge of mechanisms and controls
b) Ability to apply updates
1.6.4 Reconfigure a) Ability to configure mechanisms and controls
b) Ability to test configurations of mechanisms and
controls
c) Configuration knowledge of mechanisms and
controls
8/8/2019 FSU - Analysis JobTask Analysis
16/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 16 of 19 Confidential Internal Use Only Version 1.0
Function: 2.0 Monitor
Duty: 2.1 Monitor security mechanisms and controls
Task(s): 2.1.1 Identify suspicious activity
Task(s) Skills and Knowledge
2.1.1 Identify suspicious information asset
activities
a) Ability to gather data on information assets
b) Ability to read and comprehend gathered data
c) Knowledge of what constitutes suspicious
activity
d) Knowledge of intrusion techniques and
defenses
Function: 3.0 Analyze
Duty: 3.2 Analyze security mechanism and control reports
Task(s): 3.2.1 3.2.2
y 3.2.1 Show knowledge of analysis procedures
y 3.2.2 Show knowledge of alarms and alerts
Task(s) Skills and Knowledge
3.2.1 Show knowledge of analysis procedures a) Knowledge of application specific analysis
procedures
b) knowledge of corporate security analysis
procedures
3.2.2 Show knowledge of alarms and alerts a) Knowledge of information alarm sensor
locations
b) Knowledge of alarm triggers
c) Knowledge of how to activate an alarm
d) Knowledge of how to deactivate an alarm
d) Knowledge of what constitutes a false positive
e) Knowledge of what constitutes a false negative
f) Knowledge of how to verify an incident
8/8/2019 FSU - Analysis JobTask Analysis
17/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 17 of 19 Confidential Internal Use Only Version 1.0
3.4 Requisite Qualifications
This section identifies the requisite qualifications essentially needed to perform the functions, duties,
and tasks identified in the Task Listing.
y A thorough knowledge of IA processes to include but not limited to certification and
accreditation, computer network defense, and vulnerability assessments. Must be able to work
with changing and evolving requirements.
y A high-level security certification (CISSP, GSE, SCNA, or CISA) is required.
y Strong research and analysis skills as well as strong verbal/written communication skills.
3.5 Summary Finding
At this time it is not believed that a reclassification of the ISSO position and its duties is necessary.
8/8/2019 FSU - Analysis JobTask Analysis
18/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 18 of 19 Confidential Internal Use Only Version 1.0
Appendix 1
Job Description: Information Assurance Specialist
Last revised: 07 September 2009
XYZ Company is seeking an Information Assurance Specialist (IA SPECIALIST) to work in London, UK. The
IA SPECIALIST will work closely with other IA SPECIALIST employees, the ISSO, and leaders in Information
Technology, Human Resources and other departments to oversee and coordinate corporate information
security operations across 1 UK and 1 overseas office. The IA SPECIALIST will report directly to the CSO.
Aside from the qualifications listed below, the IA SPECIALIST must also have an in-depth understand of
the XYZ Company's business environment and have a strong background in information assurance. The
responsibilities of this position include but are not limited to the following:
Responsibilities:
y Develop and maintain security policies, standards, procedures and guidelines where
appropriate. Enforce established security policies, standards, procedures and guidelines.
y Perform IT security assessments, and develop and maintain security plans.
y Develop additional systems security documentation.
y Participate in secure systems development and analysis.
y Provide technical and administrative direction on information assurance issues.
y Provide technical and administrative guidance on implementing and monitoring security
mechanisms and controls.
y Identify regulations and standards and support company compliance.
y Support a security awareness-training program.
y Participate in security investigations, incident response, and disaster recovery.y Other duties as assigned.
Qualifications:
y A bachelors degree is required in a related field. A masters degree in a related field is
preferable.
y 5+ years of experience in IT, IT Audit, or combined Information Assurance.
y Must have a thorough knowledge of IA processes to include but not limited to certification and
accreditation, computer network defense, and vulnerability assessments. Must be able to work
with changing and evolving requirements.
y A high-level security certification (CISSP or equivalent) is required.y Must have strong research and analysis skills as well as verbal/written communication skills.
y Excellent oral and written communication skills.
y Project management skills preferred.
8/8/2019 FSU - Analysis JobTask Analysis
19/19
JOB TASK ANALYSIS
Document Number: ISD57
Page 19 of 19 Confidential Internal Use Only Version 1.0
Compensation:
y Annual salary of $80,000 US dollars.
y Full health care package.
y Starting 20 days of accrued vacation time.
y 401k Plan.