
BCS Practitioner Certificate

in Information Assurance
Architecture Syllabus

Version 1.2
February 2016
Change History

Any changes made to the syllabus shall be clearly documented with a change history log.
This shall include the latest version number, date of the amendment and changes made.
The purpose is to identify quickly what changes have been made.

Version Number               Changes Made
Version 1.2, February 2016   Expanded content in Module 2, providing more emphasis on Advanced Security Concepts.
Version 1.1, March 2015      Updated language requirements for extra time and use of dictionaries. Standardised the trainer requirements.
Version 1.0, March 2014      Syllabus created.

Copyright © BCS 2016 Page 1 of 14


BCS Practitioner Certificate in Information Assurance Architecture Syllabus
Version 1.2 February 2016
BCS Practitioner Certificate in Information
Assurance Architecture Syllabus
Contents

Change History (page 1)
Introduction (page 3)
Objectives (page 4)
Duration and Format of the Course (page 4)
Eligibility for the examination and pre-requisites (page 4)
Duration and Format of the Examination (page 4)
Guidelines for Accredited Training Organisations (page 5)
Additional time for candidates requiring Reasonable Adjustments (page 5)
Additional time for candidates whose language is not the language of the examination (page 5)
Course Outline (page 5)
Assessment (page 6)
Syllabus (page 7)
Module 1 – The Basics of IA Architecture (15%) 6 Hours (page 8)
Module 2 – Advanced Security Architecture Concepts (35%) 14 Hours (page 9)
Module 3 – Information Assurance Methodologies (20%) 8 Hours (page 10)
Module 4 – Innovation and Business Improvement (15%) 6 Hours (page 11)
Module 5 – Security Across the Lifecycle (10%) 4 Hours (page 12)
Module 6 – Preparation for the IA Architecture Mock & Live Exam (5%) 2 Hours (page 13)
Levels of Knowledge and Skills / SFIA Levels (page 13)
Format of the Examination (page 14)

Introduction
An Information Assurance (IA) Architect is a senior-level enterprise architect role, either
within a dedicated Security team or as part of a more general Enterprise Architecture (EA)
team.

The IA Architect role identifies responsibilities, as well as the business, technical, procedural
and administrative requirements of the role. The role originates from a modern approach to
IT in business, known as Enterprise Architecture, as explained by a variety of frameworks in
use today, such as TOGAF, MODAF, DODAF and Zachman, all of which have their own
views pertaining to security architecture.

Definition: The term architecture is defined as, “The fundamental organisation of a system,
embodied in its components, their relationships to each other and the environment and the
principles governing its design and evolution” (ISO/IEC 42010:2012).

When attempting to build an architecture that is considered secure, the architect must first
understand the business environment the systems need to provide for, as well as the
technical controls that are available to the Architect that can be called upon to address the
threats against confidentiality, integrity and availability.

These three main tenets of security – confidentiality, integrity and availability - sit at the heart
of all IT security work. However, the job of the Architect is as much aligned to the needs of
the business as it is to the technical aspects of architecture. This is not suggesting that the
IA Architect should not be technical, as a technical person can often discharge the
responsibilities of an IA Architect, however, that person must first be aware of the bigger
business picture prior to developing a technical solution.

This is exactly what the IA Architecture syllabus is all about – explaining to the candidate
what it takes to be an IA Architect and how that differs from being a technical or
administrative (non-technical, such as policy writing, risk assessments, etc.) security subject
matter expert.

IA Architecture is not just about preventing specific attacks. Instead it is about providing a
multi-layered set of defences against different kinds of attack by implementing the most
appropriate and cost-effective security controls.

This course is aimed at:

• Candidates who wish to gain the BCS IA Architecture certificate.
• System Administrators who wish to become Security Architects.
• Technical Architects looking to move into the field of security architecture.
• Security professionals wishing to gain an appreciation of the technical and business
aspects of their profession, or to move into a more senior architecture role.

Objectives
On completion of training against this syllabus, candidates should be able to demonstrate:

• Knowledge and concepts relating to Information Security Architecture Principles.
• An understanding of the business environment and the available technical controls.
• Knowledge of how to provide a multi-layered set of defences and implement the most
cost-effective security controls.
• An understanding and knowledge of Information Assurance Methodologies.

Duration and Format of the Course

Candidates can study for this certificate in two ways: by attending an accredited training
course or by self-study. An accredited training course will require a minimum of 40 hours of
study consisting of lecture and practical work run over a minimum of five days. The course
can be delivered in a number of different ways, from traditional classroom-based training to
online e-learning. Candidates may benefit from spending more time on reading and
research.

Eligibility for the examination and pre-requisites

There are no pre-requisite entry criteria for the course; however, candidates will require:

• A broad understanding of the aspects within Information Security and Information
Assurance equivalent to the BCS Certificate in Information Security Management
Principles.
• Experience in working as part of a Security team or as part of an Enterprise
Architecture department.

Duration and Format of the Examination

The examination comprises two multiple choice question sections.

• Section A contains 60 simple multiple choice questions, each worth one mark.
• Section B contains 25 scenario-based complex multiple choice questions with a
maximum of 65 marks available.

The pass mark is 81/125 (65%). The time allocated for the examination is two hours.

Guidelines for Accredited Training Organisations
Each major subject heading in the syllabus is assigned an allocated time. The purpose is to
give both guidance on the relative proportion of time to be allocated to each section of an
accredited course and an approximate minimum time for the teaching of each section. ATOs
may spend more than the 40 hours, and the course may be delivered as a series of modules
with gaps between them, as long as the course meets all other constraints. Courses do not
have to follow the same order as the syllabus. Note that specific laws and legal issues relating
to the country or countries within which an ATO operates may be mentioned as examples and
included in course material, but the examination will only test the principles.

Additional time for candidates requiring Reasonable Adjustments
Candidates may request additional time if they require reasonable adjustments. Please refer
to the reasonable adjustments policy for detailed information on how and when to apply.

Additional time for candidates whose language is not the language of the examination
If the examination is taken in a language that is not the candidate’s native / official language
then they are entitled to 25% extra time. They are also entitled to use their own paper
language dictionary (whose purpose is translation between the examination language and
another national language) during the examination. Electronic versions of dictionaries will
not be allowed into the examination room.

Course Outline

Course Summary & Module                                   Number of Topics (Guideline)   Number of Hours
Module 1 – The Basics of Security Architecture            4                              6
Module 2 – Advanced Security Architecture Concepts        3                              14
Module 3 – Information Assurance Methodologies            4                              8
Module 4 – Innovation & Business Improvement              4                              6
Module 5 – Security Across the Lifecycle                  1                              4
Module 6 – Prep for the IA Architect Exam & Mock Exam     2                              2
Totals                                                    18                             40

Assessment
At the end of each module the candidate is encouraged to undertake an assessment to
assess their knowledge of the material provided in that module and to verify that the
objectives of the module have been met. Throughout the course, quizzes are undertaken
that enable a candidate to test their knowledge of the information covered in that topic.

The Practitioner Certificate examination will be based on the syllabus in this document. It
will be a two hour closed book examination (no materials can be taken into the examination
room) and consist of:

• Section A: 60 multiple choice questions.
• Section B: 5 scenarios, each with 5 multiple choice questions.

Each scenario will be aimed at describing the threats, vulnerabilities and mitigations for that
scenario and will contain five multiple choice questions.

Candidates will need to read all scenarios carefully and read and consider all questions and
their implications before selecting answers.

All aspects of the syllabus may be questioned.

Syllabus
The Security Architecture Role

The IA Architect role is based on a set of skills defined by the Institute of Information Security
Professionals (IISP) and the UK Government’s GCHQ department. The IA Architect, also
referred to in industry as the Security Architect (SA), must be able to drive beneficial security
change into an organisation through the development or review of security architectures so
that they:

• Meet business requirements for security.
• Mitigate identified risks and conform to relevant corporate security policies.
• Balance information risk against the cost of countermeasures.

The Senior Security Architect role corresponds broadly to SFIA Responsibility Level 4
(enable) and Bloom’s Taxonomy of Learning Level K4 (analyse). This course aligns to Level
3 (Skilful Application) competence as defined in the Skills Framework developed by the IISP.

Note: This Practitioner Level certificate is one of a series of certificates available from BCS in
the area of Information Security and Information Assurance. A Foundation Level certificate,
the Certificate in Information Security Management Principles (CISMP), is also available.
Background information on BCS Professional Certification and details of these other
certifications are available from the BCS website: www.bcs.org/infosecurity

Certification in Security Architecture

Candidates that have successfully completed the Practitioner in IA Architecture course
should be able to:

• Describe the business environment and the information risks that apply to systems.
• Describe and apply security design principles.
• Identify information risks that arise from potential solution architectures.
• Design alternate architectures or countermeasures to mitigate identified information
risks.
• Ensure that proposed architectures and countermeasures adequately mitigate
identified information risks.
• Apply ‘standard’ security techniques and architectures to mitigate security risks.
• Develop new architectures that mitigate the risks posed by new technologies and
business practices.
• Provide consultancy and advice to explain Information Assurance and architectural
problems.
• Securely configure ICT systems in compliance with their approved security
architectures.

Module 1 – The Basics of IA Architecture (15%) 6 Hours
Introduction

What is IA Architecture? This module lays down the foundation of understanding what it
means to be an IA Architect and what the basic principles of architecture are. It describes
the relationship to Enterprise Architecture Frameworks and how some of these frameworks
address security. Security architecture is at the heart of what it is to be an IA Architect.
However, unlike technical architecture work, where components are added together to
create an end-solution based on technical know-how, security architecture adopts a
framework approach for deploying patterns of risk-reducing technology that provide varying
levels of assurance depending on the underlying security requirements.

Being an IA Architect is a technical job, without doubt, but the key to success in these areas
comes from detailed knowledge of what comprises security technology in terms of product
assurance, network and technical design/development work (using secure development
principles) and the trade-off between physical, logical and procedural controls.

Topics
• What is IA Architecture?
• The Role of an IA Architect.
• Security Design Principles.
• Conceptual Architectures.

Module Learning Outcomes

At the end of this module the candidates will be able to:

• Describe the role of the IA Architect and the concept of security architectures in the
context of enterprise architectures.
• Explain the skills, especially soft skills, an IA Architect must possess.
• Explain concepts and design principles used by IA Architects when designing
systems. Design principles such as least privilege and segregation of duties are
described.
• Describe security architectures at a high level using appropriate contextual terms
and have sufficient knowledge to describe architectural concepts related to
security concerns.
• Explain the importance of design patterns and conceptual architectures.
• Recognise separation of systems as a way to reduce risk.

Module 2 – Advanced Security Architecture Concepts (35%) 14 Hours
Introduction

This module builds on Module 1, laying down the next level of detail for a variety of
architectural concepts. It starts by describing security mechanisms, such as cryptographic
mechanisms. It then goes on to describe a wide range of security services. Finally, the
module describes how the security services can be applied within a system and how design
patterns are an important tool for an IA Architect.

Topics
• Core Security Mechanisms.
• Security Services.
• Security Design.

Module Learning Outcomes

• Describe intrusion detection and prevention services and their placement in
systems, including file integrity monitoring.
• Describe the role of directories in a system.
• Describe the functions of security management within a system.
• Describe a wide range of network technologies, and associated security controls,
and the threats they counter. This includes layer 2 controls and the use of packet
filtering, firewalls and VLANs.
• Identify common methods for resilience and recognise different recovery
capabilities and techniques, including back-up and audit trails.
• Identify security aspects of virtualisation and describe the characteristics of
common virtualisation products.
• Describe the threats to Industrial Control Systems and appropriate
countermeasures.
• Describe the purpose of Digital Rights Management and common standards and
technologies in use.
• Discuss the threats to an organisation in rolling out Multi-Function Devices.
• Explain the risks of using mobile devices and describe common mobile platforms
and technologies such as mobile device management and containerisation.
• Appreciate practicality as an issue in the selection of security mechanisms.
• Appreciate the need for correctness of input and on-going correctness of all
stored data, including parameters for all generalised software.
• Distinguish between different cryptographic mechanisms and techniques.
• Appreciate the use of threat modelling techniques to establish where security
services should be positioned within a system.
• Describe a number of design patterns, being able to explain the threats and the
security controls used to counter the threats.

Module 3 – Information Assurance Methodologies (20%) 8 Hours
Introduction

This module goes into the various methodologies and techniques that can be used to assure
the implementation of a system or a product. This includes the purpose of vulnerability and
penetration testing.

Topics
• Information Assurance Frameworks.
• Cryptographic Assurance.
• Product and Service Assurance.
• Vulnerability and Penetration Testing.

Module Learning Outcomes

At the end of this module the candidate will be able to:

• Explain a wide range of Information Assurance methodologies.
• Compare the benefits of using different methodologies.
• Describe how Information Assurance methodologies can reduce risk.
• Employ methods, tools and techniques for identifying potential vulnerabilities.
• Apply different testing strategies depending on the risk profile of a system.
• Recognise that business processes need to be tested and not just the ICT
elements.
• Explain the role of vulnerability and penetration testing.
• Plan and manage a penetration test.
• Explain the typical structure of a penetration test report.
• Describe the typical findings of a penetration test report.

Module 4 – Innovation and Business Improvement (15%) 6 Hours
Introduction

This module explains how security can drive change and improve business functions when
properly implemented. Different business scenarios and sectors can drive a wide variety of
security architecture innovations and changes and it is important that the accomplished
security architect has a good understanding of business practices, such as mergers,
outsourcing and SaaS solutions.

Topics
• Business Change, Security Metrics and ROI.
• Risk, Security Postures and Security Culture.
• Security as a Business Enabler.
• IA Maturity Models.

Module Learning Outcomes

At the end of this module the candidate will be able to:

• Discuss the security implications of business transition (mergers, de-mergers,
in-sourcing and out-sourcing, etc.).
• Describe the nature of organisational risk culture and exposure.
• Recognise security as a business enabler.
• Describe continuous improvement as a philosophy.
• Propose security metrics.
• Describe a number of different IA maturity models.

Module 5 – Security Across the Lifecycle (10%) 4 Hours
Introduction

This final module introduces the Security Architect to the various security concerns and
considerations when embarking on a new development project all the way to in-service
support. It pulls together many of the previous points in the course. This module looks at
auditing and traceability of solutions, building systems using COTS or bespoke code (and
the complications of each choice), some aspects related to the business matters needing
consideration when embarking on a secure development programme, and how systems are
accepted as fit for purpose and put into an operational capacity.

Topics
• Security Across the Lifecycle.

Module Learning Outcomes

At the end of this module the candidate will be able to:

• Describe the typical Terms of Reference of an IA Architect.
• Explain why it is important to brief Engineering teams at the start of a
development process.
• Describe the concepts of audit and traceability.
• Describe the different types of design artefacts at the conceptual, logical and
physical layers.
• Recognise the security issues associated with commercial off-the-shelf /
outsourced / off shore systems / applications / products.
• Describe the role of hardening and coding standards in the development of a
system and sources of guidance.
• Describe the OWASP top ten risks.
• Discuss the importance of links with the whole business process.
• Identify the benefits of separation of development, test and support from
operational systems.

Module 6 – Preparation for the IA Architecture Mock & Live Exam (5%) 2 Hours
Introduction

The final module will prepare the candidate for the IA Architect examination, which would
normally be taken at the end of the course.
This is a paper based examination which is available to take via an ATO or via the direct
entry sittings in the BCS London Offices.

Topics
• Format, structure and scoring of the examination.
• Mock examination, using the BCS sample paper.

Module Learning Outcomes

At the end of this module the candidate will:

• Understand the format and scoring of the examination.
• Be prepared to take the IA Architecture examination.

Levels of Knowledge and Skills / SFIA Levels

This course will provide candidates with the levels of difficulty / knowledge skill highlighted
within the following table, enabling them to develop the skills to operate at the levels of
responsibility indicated.

The levels of knowledge and SFIA levels are explained on the website www.bcs.org/levels

Level   Levels of Knowledge   Levels of Skill and Responsibility
7                             Set strategy, inspire and mobilise
6       Evaluate              Initiate and influence
5       Synthesise            Ensure and advise
4       Analyse               Enable
3       Apply                 Apply
2       Understand            Assist
1       Remember              Follow

Format of the Examination

Type                       85 Question Multiple Choice Examination
Duration                   2 Hours. Candidates are entitled to an additional 30 minutes if they are
                           sitting an examination in a language that is not their native/official
                           language, as well as the use of a paper dictionary.
Supervised / Invigilated   Yes
Closed Book                Yes, no reading materials allowed into the examination room
Pass Mark                  81/125 (65%)
Delivery                   Paper based examination via an ATO or via the direct entry sittings in
                           the BCS London Offices.

Trainer Criteria

Criteria:
• Hold the BCS Certificate in IA Architecture.
• Have a minimum of three years practical experience in Information Assurance.
• Have 10 days training experience or hold a train the trainer qualification.

Class Room Size

Trainer to candidate ratio 1:16
