Information Systems Security Developer

Designs, develops, tests, and evaluates information system security throughout the systems development life cycle.

Below are the Knowledge, Skills, Abilities and Tasks identified as being required to perform this work role.

Knowledge of computer networking concepts and protocols, and network security methodologies.
Knowledge of risk management processes (e.g., methods for assessing and mitigating risk).
K0003 Knowledge of laws, regulations, policies, and ethics as they relate to cybersecurity and privacy.
K0004 Knowledge of cybersecurity and privacy principles.
K0005 Knowledge of cyber threats and vulnerabilities.
K0006 Knowledge of specific operational impacts of cybersecurity lapses.
K0015 Knowledge of computer algorithms.
K0018 Knowledge of encryption algorithms.
K0024 Knowledge of database systems.
K0027 Knowledge of organization’s enterprise information security architecture.
K0028 Knowledge of organization’s evaluation and validation requirements.
K0030 Knowledge of electrical engineering as applied to computer architecture (e.g., circuit boards, processors, chips, and computer hardware).
K0032 Knowledge of resiliency and redundancy.
K0035 Knowledge of installation, integration, and optimization of system components.
K0036 Knowledge of human-computer interaction principles.
K0044 Knowledge of cybersecurity and privacy principles and organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
K0045 Knowledge of information security systems engineering principles (NIST SP 800-160).
K0049 Knowledge of information technology (IT) security principles and methods (e.g., firewalls, demilitarized zones, encryption).
K0050 Knowledge of local area and wide area networking principles and concepts including bandwidth management.
K0052 Knowledge of mathematics (e.g. logarithms, trigonometry, linear algebra, calculus, statistics, and operational analysis).
K0055 Knowledge of microprocessors.
K0056 Knowledge of network access, identity, and access management (e.g., public key infrastructure, OAuth, OpenID, SAML, SPML).
K0060 Knowledge of operating systems.
K0061 Knowledge of how traffic flows across the network (e.g., Transmission Control Protocol [TCP] and Internet Protocol [IP], Open System Interconnection Model [OSI], Information Technology Infrastructure Library, current version [ITIL]).
K0063 Knowledge of parallel and distributed computing concepts.
K0065 Knowledge of policy-based and risk adaptive access controls.
K0066 Knowledge of Privacy Impact Assessments.
K0067 Knowledge of process engineering concepts.
K0073 Knowledge of secure configuration management techniques. (e.g., Security Technical Implementation Guides (STIGs), cybersecurity best practices on
K0081 Knowledge of software development models (e.g., Waterfall Model, Spiral Model).
K0082 Knowledge of software engineering.
K0084 Knowledge of structured analysis principles and methods.
K0086 Knowledge of system design tools, methods, and techniques, including automated systems analysis and design tools.
K0087 Knowledge of system software and organizational design standards, policies, and authorized approaches (e.g., International Organization for Standardization [ISO] guidelines) relating to system design.
K0090 Knowledge of system life cycle management principles, including software security and usability.
K0091 Knowledge of systems testing and evaluation methods.
K0093 Knowledge of telecommunications concepts (e.g., Communications channel, Systems Link Budgeting, Spectral efficiency, Multiplexing).
K0102 Knowledge of the systems engineering process.
K0126 Knowledge of Supply Chain Risk Management Practices (NIST SP 800-161).
K0139 Knowledge of interpreted and compiled computer languages.
K0169 Knowledge of information technology (IT) supply chain security and supply chain risk management policies, requirements, and procedures.
K0170 Knowledge of critical infrastructure systems with information communication technology that were designed without system security considerations.
K0179 Knowledge of network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
K0180 Knowledge of network systems management principles, models, methods (e.g., end-to-end systems performance monitoring), and tools.
K0200 Knowledge of service management concepts for networks and related standards (e.g., Information Technology Infrastructure Library, current version [ITIL]).
K0203 Knowledge of security models (e.g., Bell-LaPadula model, Biba integrity model, Clark-Wilson integrity model).
K0260 Knowledge of Personally Identifiable Information (PII) data security standards.
K0261 Knowledge of Payment Card Industry (PCI) data security standards.
K0262 Knowledge of Personal Health Information (PHI) data security standards.
K0276 Knowledge of security management.
K0287 Knowledge of an organization’s information classification program and procedures for information compromise.
K0297 Knowledge of countermeasure design for identified security risks.
K0308 Knowledge of cryptology.
K0322 Knowledge of embedded systems.
K0325 Knowledge of Information Theory (e.g., source coding, channel coding, algorithm complexity theory, and data compression).
K0332 Knowledge of network protocols such as TCP/IP, Dynamic Host Configuration, Domain Name System (DNS), and directory services.
K0333 Knowledge of network design processes, to include understanding of security objectives, operational objectives, and trade-offs.
K0336 Knowledge of access authentication methods.
S0001 Skill in conducting vulnerability scans and recognizing vulnerabilities in security systems.
S0022 Skill in designing countermeasures to identified security risks.
S0023 Skill in designing security controls based on cybersecurity principles and tenets.
S0024 Skill in designing the integration of hardware and software solutions.
S0031 Skill in developing and applying security system access controls.
S0034 Skill in discerning the protection needs (i.e., security controls) of information systems and networks.
S0036 Skill in evaluating the adequacy of security designs.
S0085 Skill in conducting audits or reviews of technical systems.
S0145 Skill in integrating and applying policies that meet system security objectives.
S0160 Skill in the use of design modeling (e.g., unified modeling language).
S0367 Skill to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0001 Ability to identify systemic security issues based on the analysis of vulnerability and configuration data.
A0008 Ability to apply the methods, standards, and approaches for describing, analyzing, and documenting an organization’s enterprise information technology (IT) architecture (e.g., Open Group Architecture Framework [TOGAF], Department of Defense Architecture Framework [DoDAF], Federal Enterprise Architecture Framework [FEAF]).
A0012 Ability to ask clarifying questions.
A0013 Ability to communicate complex information, concepts, or ideas in a confident and well-organized manner through verbal, written, and/or visual means.
A0015 Ability to conduct vulnerability scans and recognize vulnerabilities in security systems.
A0019 Ability to produce technical documentation.
A0026 Ability to analyze test data.
A0040 Ability to translate data and test results into evaluative conclusions.
A0048 Ability to apply network security architecture concepts including topology, protocols, components, and principles (e.g., application of defense-in-depth).
A0049 Ability to apply secure system design tools, methods and techniques.
A0050 Ability to apply system design tools, methods, and techniques, including automated systems analysis and design tools.
A0056 Ability to ensure security practices are followed throughout the acquisition process.
A0061 Ability to design architectures and frameworks.
A0074 Ability to collaborate effectively with others.
A0089 Ability to function in a collaborative environment, seeking continuous consultation with other analysts and experts, both internal and external to the organization, to leverage analytical and technical expertise.
A0098 Ability to participate as a member of planning teams, coordination groups, and task forces as necessary.
A0108 Ability to understand objectives and effects.
A0119 Ability to understand the basic concepts and issues related to cyber and its organizational impact.
A0123 Ability to apply cybersecurity and privacy principles to organizational requirements (relevant to confidentiality, integrity, availability, authentication, non-repudiation).
A0170 Ability to identify critical infrastructure systems with information communication technology that were designed without system security considerations.
T0012 Analyze design constraints, analyze trade-offs and detailed system and security design, and consider life cycle support.
T0015 Apply security policies to applications that interface with one another, such as Business-to-Business (B2B) applications.
T0018 Assess the effectiveness of cybersecurity measures utilized by system(s).
T0019 Assess threats to and vulnerabilities of computer system(s) to develop a security risk profile.
T0021 Build, test, and modify product prototypes using working models or theoretical models.
T0032 Conduct Privacy Impact Assessments (PIAs) of the application’s security design for the appropriate security controls, which protect the confidentiality and integrity of Personally Identifiable Information (PII).
T0053 Design and develop cybersecurity or cybersecurity-enabled products.
T0055 Design hardware, operating systems, and software applications to adequately address cybersecurity requirements.
T0056 Design or integrate appropriate data backup capabilities into overall system designs, and ensure that appropriate technical and procedural processes exist for secure system backups and protected storage of backup data.
T0061 Develop and direct system testing and validation procedures and documentation.
T0069 Develop detailed security design documentation for component and interface specifications to support system design and development.
T0070 Develop Disaster Recovery and Continuity of Operations plans for systems under development and ensure testing prior to systems entering a production environment.
T0076 Develop risk mitigation strategies to resolve vulnerabilities and recommend security changes to system or system components as needed.
T0078 Develop specific cybersecurity countermeasures and risk mitigation strategies for systems and/or applications.
T0105 Identify components or elements, allocate security functions to those elements, and describe the relationships between the elements.
T0107 Identify and direct the remediation of technical problems encountered during testing and implementation of new systems (e.g., identify and find work-arounds for communication protocols that are not interoperable).
T0109 Identify and prioritize essential system functions or sub-systems required to support essential capabilities or business functions for restoration or recovery after a system failure or during a system recovery event based on overall system requirements for continuity and availability.
T0119 Identify, assess, and recommend cybersecurity or cybersecurity-enabled products for use within a system and ensure that recommended products are in compliance with organization’s evaluation and validation requirements.
T0122 Implement security designs for new or existing system(s).
T0124 Incorporate cybersecurity vulnerability solutions into system designs (e.g., Cybersecurity Vulnerability Alerts).
T0181 Perform risk analysis (e.g., threat, vulnerability, and probability of occurrence) whenever an application or system undergoes a major change.
T0201 Provide guidelines for implementing developed systems to customers or installation teams.
T0205 Provide input to the Risk Management Framework process activities and related documentation (e.g., system life-cycle support plans, concept of operations, operational procedures, and maintenance training materials).
T0228 Store, retrieve, and manipulate data for analysis of system capabilities and requirements.
T0231 Provide support to security/certification test and evaluation activities.
T0242 Utilize models and simulations to analyze or predict system performance under different operating conditions.
T0269 Design and develop key management functions (as related to cybersecurity).
T0270 Analyze user needs and requirements to plan and conduct system security development.
T0271 Develop cybersecurity designs to meet specific operational needs and environmental factors (e.g., access controls, automated applications, networked operations, high integrity and availability requirements, multilevel security/processing of multiple classification levels, and processing Sensitive Compartmented Information).
T0272 Ensure that security design and cybersecurity development activities are properly documented (providing a functional description of security implementation) and updated as necessary.
T0304 Implement and integrate system development life cycle (SDLC) methodologies (e.g., IBM Rational Unified Process) into development environment.
T0326 Employ configuration management processes.
T0359 Design, implement, test, and evaluate secure interfaces between information systems, physical systems, and/or embedded technologies.
T0446 Design, develop, integrate, and update system security measures that provide confidentiality, integrity, availability, authentication, and non-repudiation.
T0449 Design to security requirements to ensure requirements are met for all systems and/or applications.
T0466 Develop mitigation strategies to address cost, schedule, performance, and security risks.
T0509 Perform an information security risk assessment.
T0518 Perform security reviews and identify security gaps in architecture.
T0527 Provide input to implementation plans and standard operating procedures as they relate to information systems security.
T0541 Trace system requirements to design components and perform gap analysis.
T0544 Verify stability, interoperability, portability, and/or scalability of system architecture.