Security Analyst

Definition

Security Analyst

the role that is played when a person determines the security requirements of one or more systems, applications, components, or centers

Classification

As illustrated in the preceding figure, Security Analyst is part of the following inheritance hierarchy:

• Type: Concrete
• Superclass: Analyst
• Subclasses:
  • None

Responsibilities

The typical role-specific responsibilities of a Security Analyst are to:

• Develop, communicate, and enforce the security policy of the customer organization’s business enterprise.
• Perform a security (e.g., asset, attack, threat, risk, and vulnerability) analysis of the:
  • System(s).
  • Application(s).
  • Components:
    • Data Component(s).
    • Hardware Component(s).
    • Software Component(s).
  • Centers:
    • Contact Center(s).
    • Data Center(s).
    • Reuse Center(s).
• Elicit, analyze, specify, and manage the security requirements for individual applications, components, and centers.
• Perform security testing.
• Help trainers develop training materials in security.

Security Analyst typically inherits the general role responsibilities from the Role method component.

Personal Profile

To fulfill these responsibilities, a Security Analyst typically should have the following personal characteristics, expertise, training, and experience:

Personal Characteristics

A Security Analyst should typically have the following personal characteristics:

• The ability to think like an attacker.
• Strong analytical skills.
• Excellent verbal and written communication skills, and thus able to explain security goals and requirements to their diverse stakeholders.

Expertise

A Security Analyst typically should have the following expertise:

• Expert knowledge of and experience with security engineering tasks, techniques (e.g., passwords, encryption/decryption, digital signatures), and tools.
• Expert knowledge of security testing tasks, techniques, and tools.
• Solid knowledge of requirements engineering tasks, techniques, and tools (with emphasis on analyzing and specifying security requirements such as identification, authentication, authorization, content protection, privacy, integrity, intrusion detection, nonrepudiation, and system maintenance).
• Solid knowledge of security countermeasures (e.g., architectural mechanisms and components such as firewalls).
• Solid knowledge of applications, contact centers, and data centers.
• Basic knowledge of the customer’s business and application domain(s).

Training

A Security Analyst should typically have the following training:

• A bachelor’s degree in software engineering, computer science, or the equivalent.
• One of the following security certifications:
  • Certified Information Systems Auditors (CISA).
  • Certified Information Systems Security Professionals (CISSP).
  • Global Information Assurance Certification (GIAC).
  • System Security Certified Practitioner (SSCP).

Experience

A Security Analyst should typically have the following experience:

• A minimum of 2 year‘s experience working as a Security Engineer on similar endeavors.

Tasks

A Security Analyst typically performs the following role-specific tasks in an iterative, incremental, parallel, and time-boxed manner:

• Security Engineering:
  • Security Assessment
  • Security Policy Production
  • Security Enforcement
• Requirements Engineering:
  • Requirements Reuse
  • Requirements Identification
  • Requirements Analysis
  • Requirements Specification
• Security Testing:
  • Test Planning
  • Test Reuse
  • Test Design:
    • Perform security review of major software components and their code.
    • Perform security review of hardware architecture (production environment) for hardware placement, network addressing and segment, and application distribution.
  • Test Implementation
  • Test Execution:
    • Test physical security.
    • Scan ports to identify host-level and network-level vulnerabilities.
    • Analyze traffic to identify IP information about potential attackers.
    • Perform regression testing
  • Test Reporting
• Quality Control:
  • Quality Control - Architecture Evaluation

A Security Analyst typically inherits all of the common role tasks from the Role method component.

Teams

A Security Analyst typically performs these tasks as members of the following teams:

• Technology Strategy Team (security assessment and policy)
• Requirements Team (security requirements)
• Security Team (security testing)
• Architecture Evaluation Team

Work Products

As a member of these teams, a Security Analyst typically produces all or part of the following work products:

• Security Work Products:
  • Security Policy
  • Security Audit Report
  • Security Risk Assessment
• Requirements Work Products:
  • Requirements Executive Summary
  • System Requirements Specification (security requirements)
• Test Work Products:
  • Project Test Plan
  • Master Test List
  • Test Procedure
  • Test Report
  • Test Summary Report
  • Test Script
  • Test Suite
  • Test Case
  • Test Data
• Quality Work Products:
  • Inspection Report
  • Inspection Summary Report

Guidelines

The following guidelines have proven useful with regards to a Security Analyst:

• A Security Analyst should work closely with security architects and security engineers.
• On small projects, the same person may play the security analyst, security architect, and security engineer roles.
• Security Analyst typically inherits the common team guidelines from the Role method component.