Information Systems Security Developer (NCWF ID-SP-SYS-001)

Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.

Tasks

  • Analyze design constraints, analyze trade-offs and detailed system and security design, and consider lifecycle support.
  • Apply security policies to applications that interface with one another, such as Business to Business (B2B) applications.
  • Assess the effectiveness of cybersecurity measures utilized by system(s).
  • Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile
  • Build, test, and modify product prototypes using working models or theoretical models.
  • Conduct risk analysis, feasibility study, and/or trade-off analysis to develop, document, and refine functional requirements and specifications.
  • Design and develop cybersecurity or cybersecurity-enabled products
  • Design hardware, operating systems, and software applications to adequately address cybersecurity requirements.
  • Design or integrate appropriate data backup capabilities into overall system designs, and ensure appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.
  • Develop and direct system testing and validation procedures and documentation.
  • Develop detailed security design documentation for component and interface specifications to support system design and development
  • Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment
  • Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed.
  • Develop specific cybersecurity countermeasures and risk mitigation strategies for systems and/or applications.
  • Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements
  • Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).
  • Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability
  • Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure recommended products are in compliance with organization’s evaluation and validation requirements.
  • Implement security designs for new or existing system(s).
  • Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts).
  • Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change
  • Provide guidelines for implementing developed systems to customers or installation teams.
  • Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials)
  • Store, retrieve, and manipulate data for analysis of system capabilities and requirements
  • Provide support to security/certification test and evaluation activities.
  • Utilize models and simulations to analyze or predict system performance under different operating conditions.
  • Design and develop key management functions (as related to cybersecurity).
  • Analyze user needs and requirements to plan and conduct system security development
  • Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information)
  • Ensure security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary
  • Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment
  • Employ configuration management processes
  • Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.
  • Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation
  • Design to security requirements to ensure requirements are met for all systems and/or applications
  • Develop mitigation strategies to address cost, schedule, performance, and security risks.
  • Perform an information security risk assessment
  • Perform security reviews and identify security gaps in architecture
  • Provide input to implementation plans and standard operating procedures as they relate to information systems security
  • Trace system requirements to design components and perform gap analysis.
  • Verify stability, interoperability, portability, and/or scalability of system architecture

Skills

  • Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems
  • Skill in designing countermeasures to identified security risks
  • Skill in designing security controls based on cybersecurity principles and tenets
  • Skill in designing the integration of hardware and software solutions
  • Skill in developing and applying security system access controls
  • Skill in discerning the protection needs (i.e., security controls) of information systems and networks
  • Skill in evaluating the adequacy of security designs
  • Skill in conducting audits or reviews of technical systems
  • Skill in integrating and applying policies that meet system security objectives
  • Skill in the use of design modeling (e.g., unified modeling language)

Source:
http://csrc.nist.gov/publications/drafts/800-181/sp800_181_draft.pdf