Cybersecurity (CS)
DD-WRL-001
DCWF 652
Security Architect
Designs enterprise and systems security throughout the development lifecycle; translates technology and environmental conditions (e.g., law and regulation) into security designs and processes.
Tasks
The concrete work activities defined for this role in the DCWF v5.1 spreadsheet. Core tasks are required for the role; additional tasks are associated but not mandatory.
- T1147A additional Develop data management capabilities (e.g., cloud based, centralized cryptographic key management) to include support to the mobile workforce.
- T2014 additional Analyze candidate architectures, allocate security services, and select security mechanisms.
- T2248 additional Develop a system security context, a preliminary system security CONOPS, and define baseline system security requirements in accordance with applicable cybersecurity requirements.
- T2390 additional Evaluate security architectures and designs to determine the adequacy of security design and architecture proposed or provided in response to requirements contained in acquisition documents.
- T2887 additional Write detailed functional specifications that document the architecture development process.
- T413A additional Analyze user needs and requirements to plan architecture.
- T465 additional Develop threat model based on customer interviews and requirements.
- T483 additional Define and prioritize essential system capabilities or business functions required for partial or full system restoration after a catastrophic failure event.
- T484 additional Define appropriate levels of system availability based on critical system functions and ensure system requirements identify appropriate disaster recovery and continuity of operations requirements to include any appropriate fail-over/alternate site requirements, backup requirements, and material supportability requirements for system recovery/restoration.
- T502A additional Develop enterprise architecture or system components required to meet user needs.
- T525A additional Develop procedures and test fail-over for system operations transfer to an alternate site based on system availability requirements.
- T534 additional Develop/integrate cybersecurity designs for systems and networks with multilevel security requirements or requirements for the processing of multiple classification levels of data primarily applicable to government organizations (e.g., UNCLASSIFIED, SECRET, and TOP SECRET).
- T561 additional Document and address organization's information security, cybersecurity architecture, and systems security engineering requirements throughout the acquisition lifecycle.
- T568 additional Employ secure configuration management processes.
- T569A additional Document and update as necessary all definition and architecture activities.
- T579 additional Ensure acquired or developed system(s) and architecture(s) are consistent with organization's cybersecurity architecture guidelines.
- T602 additional Evaluate factors such as reporting formats required, cost constraints, and need for security restrictions to determine hardware configuration.
- T631 additional Identify and prioritize critical business functions in collaboration with organizational stakeholders.
- T646A additional Document the protection needs (i.e., security controls) for the information system(s) and network(s) and document appropriately.
- T669 additional Integrate and align information security and/or cybersecurity policies to ensure system analysis meets security requirements.
- T765 additional Perform security reviews, identify gaps in security architecture, and develop a security risk management plan.
- T797 additional Provide advice on project costs, design concepts, or design changes.
- T807 additional Provide input on security requirements to be included in statements of work and other appropriate procurement documents.
- T809 additional Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
- T864A additional Translate proposed capabilities into technical requirements.
- T865 additional Translate security requirements into application design elements including documenting the elements of the software attack surfaces, conducting threat modeling, and defining any specific security criteria.
- T936 additional Develop security compliance processes and/or audits for external services (e.g., cloud service providers, data centers).
- T994 additional Define and document how the implementation of a new system or new interfaces between systems impacts the security posture of the current environment.
- T996A additional Assess and design security management functions as related to cyberspace.
Knowledge, Skills, and Abilities
KSA statements define what a person filling this role knows or can do. "Knowledge" is what they must know, "Skill" is what they can perform, and "Ability" is a durable capacity they bring to the work.
- A1072A ability core Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
- A6030 ability core Ability to apply an organization's goals and objectives to develop and maintain architecture.
- A68B ability core Ability to design architectures and frameworks.
- K0038 knowledge core Knowledge of organization's enterprise information security architecture system.
- K0063 knowledge core Knowledge of cybersecurity principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
- K143A knowledge core Knowledge of integrating the organization’s goals and objectives into the architecture.
- K3307 knowledge core Knowledge of cybersecurity-enabled software products.
- S183 skill core Skill in determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
- S197A skill core Skill in translating operational requirements into protection needs (i.e., security controls).
- S70B skill core Skill in applying cybersecurity methods, such as firewalls, demilitarized zones, and encryption.
- A111A ability additional Ability to apply secure system design tools, methods and techniques.
- A124A ability additional Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.
- A6150 ability additional Ability to optimize systems to meet enterprise performance requirements.
- A6918 ability additional Ability to apply cybersecurity strategy to cloud computing service and deployment models, identifying proper architecture for different operating environments.
- A6919 ability additional Ability to determine the best cloud deployment model for the appropriate operating environment.
- A993A ability additional Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization's enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).
- K0008 knowledge additional Knowledge of authentication, authorization, and access control methods.
- K0021 knowledge additional Knowledge of computer algorithms.
- K0025 knowledge additional Knowledge of encryption algorithms (e.g., Internet Protocol Security [IPSEC], Advanced Encryption Standard [AES], Generic Routing Encapsulation [GRE], Internet Key Exchange [IKE], Message Digest Algorithm [MD5], Secure Hash Algorithm [SHA], Triple Data Encryption Standard [3DES]).
- K0027 knowledge additional Knowledge of cryptography and cryptographic key management concepts.
- K0034 knowledge additional Knowledge of database systems.
- K0042 knowledge additional Knowledge of electrical engineering as applied to computer architecture, including circuit boards, processors, chips, and associated computer hardware.
- K0051 knowledge additional Knowledge of how system components are installed, integrated, and optimized.
- K0052 knowledge additional Knowledge of human-computer interaction principles.
- K0062 knowledge additional Knowledge of industry-standard and organizationally accepted analysis principles and methods.
- K0075 knowledge additional Knowledge of mathematics, including logarithms, trigonometry, linear algebra, calculus, and statistics.
- K0078 knowledge additional Knowledge of microprocessors.
- K0079 knowledge additional Knowledge of network access, identity, and access management (e.g., public key infrastructure [PKI]).
- K0090 knowledge additional Knowledge of operating systems.
- K0092 knowledge additional Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
- K0094 knowledge additional Knowledge of parallel and distributed computing concepts.
- K0110 knowledge additional Knowledge of key concepts in security management (e.g., Release Management, Patch Management).
- K0119 knowledge additional Knowledge of software engineering.
- K0130 knowledge additional Knowledge of virtualization technologies and virtual machine development and maintenance.
- K0132 knowledge additional Knowledge of technology integration processes.
- K0133 knowledge additional Knowledge of key telecommunications concepts (e.g., Routing Algorithms, Fiber Optics Systems Link Budgeting, Add/Drop Multiplexers).
- K0144 knowledge additional Knowledge of the systems engineering process.
- K040A knowledge additional Knowledge of organization's evaluation and validation criteria.
- K043A knowledge additional Knowledge of embedded systems.
- K046A knowledge additional Knowledge of system fault tolerance methodologies.
- K053A knowledge additional Knowledge of risk assessments and authorization per Risk Management Framework processes.
- K065A knowledge additional Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).
- K069A knowledge additional Knowledge of risk management processes and requirements per the Risk Management Framework (RMF).
- K081A knowledge additional Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
- K082A knowledge additional Knowledge of network design processes, to include understanding of security objectives, operational objectives, and tradeoffs.
- K1034A knowledge additional Knowledge of Personally Identifiable Information (PII) data security standards.
- K1034B knowledge additional Knowledge of Payment Card Industry (PCI) data security standards.
- K1034C knowledge additional Knowledge of Personal Health Information (PHI) data security standards.
- K1037B knowledge additional Knowledge of program protection planning to include information technology (IT) supply chain security/risk management policies, anti-tampering techniques, and requirements.
- K1038B knowledge additional Knowledge of local specialized system requirements (e.g., critical infrastructure/control systems that may not use standard information technology [IT]) for safety, performance, and reliability.
- K1073 knowledge additional Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
- K109A knowledge additional Knowledge of configuration management techniques.
- K1125 knowledge additional Knowledge of Cloud-based knowledge management technologies and concepts related to security, governance, procurement, and administration.
- K1130 knowledge additional Knowledge of organizational process improvement concepts and process maturity models (e.g., Capability Maturity Model Integration (CMMI) for Development, CMMI for Services, and CMMI for Acquisitions).
- K1133 knowledge additional Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
- K1135 knowledge additional Knowledge of the application firewall concepts and functions (e.g., Single point of authentication/audit/policy enforcement, message scanning for malicious content, data anonymization for PCI and PII compliance, data loss protection scanning, accelerated cryptographic operations, SSL security, REST/JSON processing).
- K1136A knowledge additional Knowledge of use cases related to collaboration and content synchronization across platforms (e.g., Mobile, PC, Cloud).
- K113A knowledge additional Knowledge of N-tiered topologies including server and client operating systems.
- K1141A knowledge additional Knowledge of an organization's information classification program and procedures for information compromise.
- K141A knowledge additional Knowledge of the enterprise information technology (IT) architectural concepts and patterns to include baseline and target architectures.
- K3153 knowledge additional Knowledge of circuit analysis.
- K3246 knowledge additional Knowledge of confidentiality, integrity, and availability requirements.
- K3642 knowledge additional Knowledge of various types of computer architectures.
- K6210 knowledge additional Knowledge of cloud service models and possible limitations for an incident response.
- K6330 knowledge additional Knowledge of multi-level/security cross domain solutions.
- S0155 skill additional Skill in monitoring and optimizing system/server performance.
- S1140A skill additional Skill in using Public-Key Infrastructure (PKI) encryption and digital signature capabilities in applications (e.g., S/MIME email, SSL traffic).
- S1142B skill additional Skill in applying security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
- S180 skill additional Skill in designing the integration of hardware and software solutions.
- S224 skill additional Skill in design modeling and building use cases (e.g., unified modeling language).
- S238A skill additional Skill in writing code in a currently supported programming language (e.g., Java, C++).
- S6640 skill additional Skill in designing multi-level security/cross domain solutions.
- S6680 skill additional Skill in the use of design methods.
- S6942 skill additional Skill in designing or implementing cloud computing deployment models.
- S6945 skill additional Skill in migrating workloads to, from, and among the different cloud computing service models.
Other roles in this element
CS-212 Cyber Defense Forensics Analyst
CS-462 Control Systems Security Specialist
CS-511 Cyber Defense Analyst
CS-521 Cyber Defense Infrastructure Support Specialist
CS-531 Cyber Defense Incident Responder
CS-541 Vulnerability Assessment Analyst
CS-611 Authorizing Official/Designated Representative
CS-612 Security Control Assessor
CS-622 Secure Software Assessor
CS-631 Information Systems Security Developer
CS-722 Information Systems Security Manager
CS-723 COMSEC Manager