Security Control Assessor Job Profile

What is a Security Control Assessor?

The Security Control Assessor conducts independent comprehensive assessments of the management, operational, and technical security controls and control enhancements employed within or inherited by an information technology (IT) system to determine the overall effectiveness of the controls.

Core competencies of a Security Control Assessor

  • Network Management
  • Risk Management
  • Criminal Law
  • Information Assurance
  • Vulnerability Management
  • Identity Management
  • Cyber Operations
  • Software Development
  • System Architecture
  • Cryptography
  • Forensics Analysis
  • Data Management
  • Continuity Planning and Disaster Recovery
  • Enterprise Architecture
  • Information Security Management
  • Cyber Defense Analysis
  • Cybersecurity Management
  • Security Policy
  • Acquisition Management
  • IT Risk Management
  • Training, Education, and Awareness
  • System Administration
  • Cyber Policy and Strategy Development
  • Cyber Defense Support

A Security Control Assessor must know:

  • computer networking concepts and protocols, and network security methodologies.
  • risk management processes (e.g., methods for assessing and mitigating risk).
  • laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
  • cybersecurity and privacy principles.
  • cyber threats and vulnerabilities. 
  • specific operational impacts of cybersecurity lapses.
  • authentication, authorization, and access control methods.
  • applicable business processes and operations of customer organizations.
  • application vulnerabilities.
  • communication methods, principles, and concepts that support the network infrastructure.
  • capabilities and applications of network equipment including routers, switches, bridges, servers, transmission media, and related hardware.
  • cyber defense and vulnerability assessment tools and their capabilities.
  • encryption algorithms.
  • cryptography and cryptographic key management concepts.
  • data backup and recovery.
  • database systems.
  • business continuity, disaster recovery, and continuity of operations plans.
  • organization’s enterprise information security architecture.
  • organization’s evaluation and validation requirements.
  • organization’s Local and Wide Area Network connections.
  • Security Assessment and Authorization process.
  • cybersecurity and privacy principles used to manage risks related to the use, processing, storage, and transmission of information or data.
  • vulnerability information dissemination sources (e.g., alerts, advisories, errata, and bulletins).
  • cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • Risk Management Framework (RMF) requirements.
  • information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
  • current industry methods for evaluating, implementing, and disseminating information technology (IT) security assessment, monitoring, detection, and remediation tools and procedures utilizing standards-based concepts and capabilities.
  • network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
  • new and emerging IT and cybersecurity technologies.
  • system and application security threats and vulnerabilities (e.g., buffer overflow, mobile code, cross-site scripting, SQL and PL/SQL injection, race conditions, covert channels, replay, return-oriented attacks, malicious code).
  • structured analysis principles and methods.
  • systems diagnostic tools and fault identification techniques.
  • the cyber defense Service Provider reporting structure and processes within one’s own organization.
  • the enterprise IT architecture.
  • the organization’s enterprise IT goals and objectives.
  • supply chain risk management practices.
  • the organization’s core business/mission processes.
  • applicable laws, statutes (e.g., in Titles 10, 18, 32, 50 in U.S. Code), Presidential Directives, executive branch guidelines, and/or administrative/criminal legal guidelines and procedures.
  • IT supply chain security and supply chain risk management policies, requirements, and procedures.
  • critical infrastructure systems with information communication technology that were designed without system security considerations.
  • network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
  • security architecture concepts and enterprise architecture reference models (e.g., Zachman, Federal Enterprise Architecture [FEA]).
  • security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
  • Personally Identifiable Information (PII) data security standards.
  • Payment Card Industry (PCI) data security standards.
  • Protected Health Information (PHI) data security standards.
  • laws, policies, procedures, or governance relevant to cybersecurity for critical infrastructures.
  • an organization’s information classification program and procedures for information compromise.
  • embedded systems.
  • penetration testing principles, tools, and techniques.
  • controls related to the use, processing, storage, and transmission of data.
  • application security risks (e.g., the Open Web Application Security Project [OWASP] Top 10 list).

Key skills of a Security Control Assessor include:

  • conducting vulnerability scans and recognizing vulnerabilities in security systems.
  • applying confidentiality, integrity, and availability principles.
  • determining how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes.
  • discerning the protection needs (i.e., security controls) of information systems and networks.
  • identifying measures or indicators of system performance and the actions needed to improve or correct performance, relative to the goals of the system.
  • using virtual machines (e.g., Microsoft Hyper-V, VMware vSphere, Citrix XenDesktop/XenServer, Amazon Elastic Compute Cloud).
  • recognizing and categorizing types of vulnerabilities and associated attacks.
  • applying security controls.
  • utilizing or developing learning activities (e.g., scenarios, instructional games, interactive exercises).
  • identifying Test & Evaluation infrastructure (people, ranges, tools, instrumentation) requirements.
  • interfacing with customers.
  • managing test assets, test resources, and test personnel to ensure effective completion of test events.
  • preparing Test & Evaluation reports.
  • reviewing logs to identify evidence of past intrusions.
  • troubleshooting and diagnosing cyber defense infrastructure anomalies and work through resolution.
  • using manpower and personnel IT systems.
  • conducting reviews of systems.
  • secure test plan design (e.g., unit, integration, system, acceptance).
  • network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
  • conducting application vulnerability assessments.
  • integrating Public Key Infrastructure (PKI) encryption and digital signature capabilities into applications (e.g., S/MIME email, SSL/TLS traffic).
  • assessing security systems designs.
  • integrating and applying policies that meet system security objectives.
  • assessing security controls based on cybersecurity principles and tenets (e.g., CIS CSC, NIST SP 800-53, Cybersecurity Framework).
  • performing impact/risk assessments.
  • applying secure coding techniques.
  • using security event correlation tools.
  • using code analysis tools.
  • performing root cause analysis.
  • administrative planning activities, to include preparation of functional and specific support plans, preparing and managing correspondence, and staffing procedures.
  • analyzing a target’s communication networks.
  • analyzing traffic to identify network devices.
  • identifying intelligence gaps and limitations.
  • identifying language issues that may have an impact on organization objectives.
  • identifying leads for target development.
  • identifying non-target regional languages and dialects.
  • identifying the devices that work at each level of protocol models.
  • identifying, locating, and tracking targets via geospatial analysis techniques.
  • information prioritization as it relates to operations.
  • interpreting compiled and interpretive programming languages.
  • interpreting metadata and content as applied by collection systems.
  • interpreting traceroute results, as they apply to network analysis and reconstruction.
  • interpreting vulnerability scanner results to identify vulnerabilities.
  • knowledge management, including technical documentation techniques (e.g., Wiki page).
  • managing client relationships, including determining client needs/requirements, managing client expectations, and demonstrating commitment to delivering quality results.
  • performing target system analysis.
  • preparing and presenting briefings.
  • preparing plans and related correspondence.
  • prioritizing target language material.
  • processing collected data for follow-on analysis.
  • providing analysis to aid writing phased after action reports.
  • reviewing and editing assessment products.
  • reviewing and editing plans.
  • tailoring analysis to the necessary levels (e.g., classification and organizational).
  • target development in direct support of collection operations.
  • target network anomaly identification (e.g., intrusions, data-flow or processing, target implementation of new technologies).
  • technical writing.
  • utilizing feedback to improve processes, products, and services.
  • providing information on current assets available and their usage.
  • accessing the databases where plans/directives/guidance are maintained.
  • analyzing strategic guidance for issues requiring clarification and/or additional guidance.
  • analyzing target or threat sources of strength and morale.
  • developing a collection plan that clearly shows the discipline that can be used to collect the information needed.
  • evaluating requests for information to determine if response information exists.
  • extracting information from available tools and applications associated with collection requirements and collection operations management.
  • applying cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
  • using the cyber defense Service Provider reporting structure and processes within one’s own organization.
  • identifying cybersecurity and privacy issues that stem from connections with internal and external customers and partner organizations.

A Security Control Assessor must be able to:

    • identify systemic security issues based on the analysis of vulnerability and configuration data.
    • answer questions in a clear and concise manner.
    • ask clarifying questions.
    • communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
    • communicate effectively when writing.
    • conduct vulnerability scans and recognize vulnerabilities in security systems.
    • facilitate small group discussions.
    • prepare and present briefings.
    • produce technical documentation.
    • design valid and reliable assessments.
    • analyze test data.
    • collect, verify, and validate test data.
    • dissect a problem and examine the interrelationships between data that may appear unrelated.
    • identify basic common coding flaws at a high level.
    • translate data and test results into evaluative conclusions.
    • ensure security practices are followed throughout the acquisition process.
    • apply collaborative skills and strategies.
    • apply critical reading/thinking skills.
    • effectively collaborate via virtual teams.
    • evaluate information for reliability, validity, and relevance.
    • evaluate, analyze, and synthesize large quantities of data (which may be fragmented and contradictory) into high quality, fused targeting/intelligence products.
    • exercise judgment when policies are not well-defined.
    • expand network access by conducting target analysis and collection to identify targets of interest.
    • focus research efforts to meet the customer’s decision-making needs.
    • function effectively in a dynamic, fast-paced environment.
    • function in a collaborative environment, seeking continuous consultation with other analysts and experts, both internal and external to the organization, to leverage analytical and technical expertise.
    • identify external partners with common cyber operations interests.
    • identify intelligence gaps.
    • identify/describe target vulnerability.
    • identify/describe techniques/methods for conducting technical exploitation of the target.
    • interpret and apply laws, regulations, policies, and guidance relevant to organization cyber objectives.
    • interpret and translate customer requirements into operational action.
    • interpret and understand complex and rapidly evolving concepts.
    • participate as a member of planning teams, coordination groups, and task forces as necessary.
    • recognize and mitigate cognitive biases which may affect analysis.
    • think critically.
    • understand objectives and effects.
    • utilize multiple intelligence sources across all intelligence disciplines.
    • relate strategy, business, and technology in the context of organizational dynamics.
    • understand technology, management, and leadership issues related to organization processes and problem solving.
    • understand the basic concepts and issues related to cyber and its organizational impact.
    • work across departments and business units to implement organization’s privacy principles and programs, and align privacy objectives with security objectives.
    • monitor advancements in information privacy technologies to ensure organizational adaptation and compliance.
    • develop or procure curriculum that speaks to the topic at the appropriate level for the target.
    • prioritize and allocate cybersecurity resources correctly and efficiently.
    • apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
    • identify critical infrastructure systems with information communication technology that were designed without system security considerations.
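Several of the skills and abilities above (interpreting vulnerability scanner results, identifying systemic security issues from vulnerability and configuration data, and assessing controls against NIST SP 800-53) come together in one routine assessor task: rolling raw scan findings up to a per-control result. The script below is an added example written for this page, not Cybrary's or NIST's own code. The scan records, host inventory, in-scope control list and the finding-to-control mapping are all constructed and labelled as such; the mapping in particular is an assessor judgement, not an authoritative SP 800-53 crosswalk.

```python
"""Roll vulnerability-scan findings up to control-level assessment results.

Added example. The scan records, host inventory and finding-to-control mapping
below are constructed for illustration; they are not real scanner output and
not an official NIST SP 800-53 mapping.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed scan findings, one record per (host, finding). A real export
# (Nessus .nessus, OpenVAS XML, a CSV from any scanner) would be parsed into
# this same shape before analysis.
SCAN_FINDINGS = [
    {"host": "web01", "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "web02", "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "web03", "finding": "TLS 1.0 enabled", "severity": "medium"},
    {"host": "db01", "finding": "Default credentials", "severity": "critical"},
    {"host": "web01", "finding": "Missing OS patches", "severity": "high"},
    {"host": "web02", "finding": "Missing OS patches", "severity": "high"},
    {"host": "db01", "finding": "Missing OS patches", "severity": "high"},
    {"host": "app01", "finding": "Missing OS patches", "severity": "high"},
    {"host": "app01", "finding": "HTTP TRACE enabled", "severity": "low"},
]

# Constructed host inventory for the assessment boundary. Hosts that produced
# no findings still count in the denominator when judging "systemic".
ALL_HOSTS = ["web01", "web02", "web03", "db01", "app01"]

# Assumed finding-to-control mapping. The identifiers are real SP 800-53
# controls, but which finding counts as evidence against which control is an
# assessor judgement; treat this table as an illustration only.
FINDING_TO_CONTROL = {
    "TLS 1.0 enabled": "SC-8",      # Transmission Confidentiality and Integrity
    "Default credentials": "IA-5",  # Authenticator Management
    "Missing OS patches": "SI-2",   # Flaw Remediation
}

# Constructed in-scope control list; AC-17 has no scan findings against it.
ASSESSED_CONTROLS = ["SC-8", "IA-5", "SI-2", "AC-17"]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0, "none": -1}


@dataclass
class ControlResult:
    control: str
    status: str                      # "satisfied" or "other than satisfied"
    affected_hosts: list = field(default_factory=list)
    systemic: bool = False
    worst_severity: str = "none"


def hosts_by_finding(findings):
    """Group scan records so each finding maps to the sorted hosts it hit."""
    grouped = defaultdict(set)
    for rec in findings:
        grouped[rec["finding"]].add(rec["host"])
    return {name: sorted(hosts) for name, hosts in grouped.items()}


def systemic_findings(findings, all_hosts, threshold=0.5):
    """Findings present on at least `threshold` of the boundary's hosts.

    A finding repeated across most of the boundary points at a process failure
    (baseline, patching, provisioning) rather than a one-off misconfiguration.
    """
    return {name: hosts for name, hosts in hosts_by_finding(findings).items()
            if len(hosts) / len(all_hosts) >= threshold}


def unmapped_findings(findings, mapping):
    """Findings with no control mapping; these must be reported, not dropped."""
    return sorted({rec["finding"] for rec in findings if rec["finding"] not in mapping})


def assess_controls(findings, all_hosts, mapping, controls, threshold=0.5):
    """Produce one ControlResult per in-scope control from scan evidence only.

    "satisfied" here means no scan finding maps to the control. That is
    necessary but not sufficient: SP 800-53A also expects examine and interview
    evidence before an assessor concludes a control is implemented correctly.
    """
    grouped = hosts_by_finding(findings)
    systemic = systemic_findings(findings, all_hosts, threshold)
    worst = defaultdict(lambda: "none")
    for rec in findings:
        ctl = mapping.get(rec["finding"])
        if ctl and SEVERITY_RANK[rec["severity"]] > SEVERITY_RANK[worst[ctl]]:
            worst[ctl] = rec["severity"]
    results = {}
    for ctl in controls:
        result = ControlResult(control=ctl, status="satisfied")
        for name, hosts in grouped.items():
            if mapping.get(name) != ctl:
                continue
            result.status = "other than satisfied"
            result.affected_hosts = sorted(set(result.affected_hosts) | set(hosts))
            result.systemic = result.systemic or name in systemic
        result.worst_severity = worst[ctl]
        results[ctl] = result
    return results


def format_report(results):
    """Render results as text lines, worst severity first, systemic issues flagged."""
    ordered = sorted(results.values(),
                     key=lambda r: (-SEVERITY_RANK[r.worst_severity], r.control))
    return [f"{r.control}: {r.status}{' [SYSTEMIC]' if r.systemic else ''}; "
            f"worst={r.worst_severity}; hosts={','.join(r.affected_hosts) or '-'}"
            for r in ordered]


if __name__ == "__main__":
    report = assess_controls(SCAN_FINDINGS, ALL_HOSTS, FINDING_TO_CONTROL, ASSESSED_CONTROLS)
    for line in format_report(report):
        print(line)
    print("unmapped:", unmapped_findings(SCAN_FINDINGS, FINDING_TO_CONTROL))
```

Two design points matter more than the code. First, the "systemic" test divides by the whole host inventory, not by the hosts that happened to return findings, so a finding that is absent only because half the boundary was not scanned is not mistaken for a clean result. Second, anything the mapping does not cover is surfaced by `unmapped_findings` rather than silently dropped; in a real assessment those rows go back to the assessor for a mapping decision before the control results are written up.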

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.
