Cybersecurity (CS)
DD-WRL-004
DCWF 631
Information Systems Security Developer
Designs, develops, tests, and evaluates information system security throughout the systems development lifecycle.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1000 additional Ensure security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
- T1152 additional Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment.
- T2354 additional Employ configuration management processes.
- T416 additional Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support.
- T419 additional Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications.
- T425 additional Assess the effectiveness of cybersecurity measures utilized by system(s).
- T426 additional Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile.
- T431 additional Build, test, and modify product prototypes using working models or theoretical models.
- T457 additional Conduct Privacy Impact Assessments (PIA) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).
- T494 additional Design and develop cybersecurity or cybersecurity-enabled products.
- T496A additional Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.
- T501 additional Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.
- T503A additional Design to security requirements to ensure requirements are met for all systems and/or applications.
- T516 additional Develop and direct system testing and validation procedures and documentation.
- T5200 additional Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.
- T530 additional Develop detailed security design documentation for component and interface specifications to support system design and development.
- T531 additional Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment.
- T542A additional Develop mitigation strategies to address cost, schedule, performance, and security risks.
- T626 additional Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements.
- T630 additional Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).
- T632 additional Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability.
- T648 additional Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization's evaluation and validation requirements.
- T659 additional Implement security designs for new or existing system(s).
- T662 additional Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts).
- T710 additional Monitor and evaluate a system's compliance with information technology (IT) security, resilience, and dependability requirements.
- T737B additional Perform an information security risk assessment.
- T766A additional Perform security reviews and identify security gaps in architecture.
- T770 additional Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
- T803 additional Provide guidelines for implementing developed systems to customers or installation teams.
- T808A additional Provide input to implementation plans and standard operating procedures as they relate to information systems security.
- T809 additional Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
- T850 additional Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
- T856 additional Provide support to security/certification test and evaluation activities.
- T860A additional Trace system requirements to design components and perform gap analysis.
- T874 additional Utilize models and simulations to analyze or predict system performance under different operating conditions.
- T877A additional Verify stability, interoperability, portability, and/or scalability of system architecture.
- T936 additional Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
- T997 additional Design and develop key management functions (as related to cybersecurity).
- T998 additional Analyze user needs and requirements to plan and conduct system security development.
- T999 additional Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information).
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- K0021 knowledge core Knowledge of computer algorithms.
- K0025 knowledge core Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
- K0034 knowledge core Knowledge of database systems.
- K0038 knowledge core Knowledge of organization's enterprise information security architecture system.
- K0046 knowledge core Knowledge of fault tolerance.
- K0051 knowledge core Knowledge of how system components are installed, integrated, and optimized.
- K0052 knowledge core Knowledge of human-computer interaction principles.
- K0063 knowledge core Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K0064 knowledge core Knowledge of performance tuning tools and techniques.
- K0070 knowledge core Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
- K0072 knowledge core Knowledge of local area and wide area networking principles and concepts including bandwidth management.
- K0079 knowledge core Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
- K008A knowledge core Knowledge of access authentication methods.
- K0090 knowledge core Knowledge of operating systems.
- K0092 knowledge core Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- K0094 knowledge core Knowledge of parallel and distributed computing concepts.
- K0098 knowledge core Knowledge of policy-based and risk adaptive access controls.
- K0101 knowledge core Knowledge of process engineering concepts.
- K0109 knowledge core Knowledge of secure configuration management techniques.
- K0118 knowledge core Knowledge of software development models (e.g., Waterfall Model, Spiral Model).
- K0119 knowledge core Knowledge of software engineering.
- K0121 knowledge core Knowledge of structured analysis principles and methods.
- K0124 knowledge core Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
- K0126 knowledge core Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design.
- K0129 knowledge core Knowledge of system life cycle management principles, including software security and usability.
- K0130 knowledge core Knowledge of virtualization technologies and virtual machine development and maintenance.
- K0144 knowledge core Knowledge of the systems engineering process.
- K027A knowledge core Knowledge of cryptology.
- K043A knowledge core Knowledge of embedded systems.
- K081A knowledge core Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
- K082A knowledge core Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.
- K1038B knowledge core Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1072 knowledge core Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth, Zero Trust).
- K1073 knowledge core Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- K110A knowledge core Knowledge of security management.
- K1133 knowledge core Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
- K1142 knowledge core Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
- S1002 skill core Skill in conducting audits or reviews of technical systems.
- S177 skill core Skill in designing countermeasures to identified security risks.
- S179 skill core Skill in designing security controls based on cybersecurity principles and tenets.
- S197 skill core Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
- S199 skill core Skill in evaluating the adequacy of security designs.
- S3B skill core Skill in conducting vulnerability scans and recognizing vulnerabilities in information systems and networks.
- A6918 ability additional Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
- A6919 ability additional Ability to determine the best cloud deployment model for the appropriate operating environment.
- K0040 knowledge additional Knowledge of organization's evaluation and validation requirements.
- K0042 knowledge additional Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware.
- K0075 knowledge additional Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics.
- K0078 knowledge additional Knowledge of microprocessors.
- K0100 knowledge additional Knowledge of Privacy Impact Assessments.
- K0133 knowledge additional Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
- K065A knowledge additional Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).
- K0904 knowledge additional Knowledge of interpreted and compiled computer languages.
- K1034A knowledge additional Knowledge of Personally Identifiable Information (PII) data security standards.
- K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
- K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
- K1037 knowledge additional Knowledge of information technology (IT) supply chain security and risk management policies, requirements, and procedures.
- K1125 knowledge additional Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.
- K1135 knowledge additional Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
- K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
- K177A knowledge additional Knowledge of countermeasure design for identified security risks.
- S1140A skill additional Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities in applications (e.g., S/MIME email, SSL traffic).
- S173A skill additional Skill in integrating and applying policies that meet system security objectives.
- S180 skill additional Skill in designing the integration of hardware and software solutions.
- S191 skill additional Skill in developing and applying security system access controls.
- S224A skill additional Skill in the use of design modeling (e.g., unified modeling language).
EWU courses that develop this role
Other roles in this element
CS-212 Cyber Defense Forensics Analyst
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-541 Vulnerability Assessment Analyst
CS-611 Authorizing Official/Designated Representative
CS-612 Security Control Assessor
CS-622 Secure Software Assessor
CS-652 Security Architect
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager