Profile WSP-G3-016. Web Security Expert
This section is normative.
The profile sheet, listed below and described in Appendix B, is an integral part of the document “G3 Web Skills Profiles – version 1.0 – Generation 3 European ICT Professional Profiles”, official specification of 14 February 2013 [WSPG3-03].
Summary definition
Professional position that analyses the reference IT context, evaluates, and proposes a suitable security policy to match corporate policies and the specific context. He or she is responsible for periodically verifying the security of the system and for conducting appropriate tests (e.g. Penetration Test). Additionally, he or she is in charge of education and awareness about security topics.
Assignment
The Web Security Expert analyses the reference context, then evaluates and proposes an appropriate security policy, to be implemented in compliance with corporate policies, to protect applications, Web servers, data and the related processes. He or she analyses potential attack scenarios and defines the technical security requirements. He or she is responsible for verifying security during the various phases of development of a Web project and/or through periodic verifications after release. He or she may personally implement the security strategy by acting directly on the areas requiring protection, such as architectures, networks, systems or applications.
Documentation produced
Accountable
- Periodic reports of security test results
Responsible
- Proposals for user-driven maintenance and Change Requests that require the integration of new security controls
Contributor
- Writing of the Security Risk Management Policy
- Writing of the Risk Management Policy
- Writing of the Disaster Recovery Plan
- Writing of the Digital Information Security Policy
Primary duties
- Periodically analyse potential security risks to the IT infrastructure and data: evaluate technical vulnerabilities, analyse their impact and, where necessary, propose solutions
- Define the Recovery Plan for managing technical vulnerabilities and security risks; plan, support and approve recovery activities
- Help write the technical security section of the Disaster Recovery Plan, so as to ensure security and operational continuity in the event of a disaster
- Monitor the security of the IT infrastructure and data: supervise the security team (if present), periodically conduct security tests (e.g. Penetration Tests or denial-of-service attacks) and write the related reports
- Train, educate and update the members of the organisation on security issues
Assigned e-CF skills
- C.2. Change Support: Level e-3
- C.3. Service Delivery: Level e-3
- D.9. Personnel Development: Level e-3
- D.10. Information and Knowledge Management: Level e-4
- E.7. Business Change Management: Level e-4
Abilities, knowledge
Technical
- Knowledge of international security standards (e.g. ISO 27001, ISO 22301)
- Knowledge of national data protection legislation (e.g. Legislative Decree 196/2003) and of the sector regulations governing the application context (e.g. PCI DSS)
- Knowledge of IT network security issues (e.g. antivirus software and firewalls)
- Knowledge of confidentiality, encryption, authentication, non-repudiation and data integrity issues (e.g. use of applications for secure authentication, secure password selection policies)
- Knowledge of Vulnerability Assessment methods (e.g. ISECOM OSSTMM, OWASP)
Information Technology
- Ability to harden processes, architectures, networks, systems and applications
- Ability to use techniques and tools for Vulnerability Assessment and Penetration Tests
For development
- Team Management
- Training
Area of application of the KPI
- Security Policy Effectiveness
- Cost/risk Analysis
- Final impact of security incidents
Qualifications and certifications
- European ICT Professional Profiles “ICT Security Specialist”
- ISECOM OPST/OPSA/OPSE
- OSCP
- eCPPT
- “CIW (Certified Internet Web Professional) – Security Specialist” Certification
- “CIW (Certified Internet Web Professional) – Security Professional” Certification
Personal aptitudes
Interpersonal and Organisational
- Problem Solving
- Working to meet objectives
- Effective communication
- Team Leading
Linguistic
- Good knowledge of the national language or the language used by the working group – minimum level: C1 QCER (CEFR)
- Good knowledge of the English language – minimum level: A2 QCER (CEFR)
Relationships and reporting lines
(This section is for informational purposes)
Interacts with
- Business Analyst
- DB Administrator
- Frontend Web Developer
- Server Side Web Developer
- Web Server Administrator
- Mobile Application Developer
- Web Project Manager
Reports to
Appendices
Appendix A. Glossary
Informational
For the purposes of information and not required for compliance.
Note: The content required for compliance is referred to as “normative”.
Normative
Required for obtaining compliance.
Note: Content listed as “informational” or “non-normative” is never necessary for compliance.
Appendix B. Profile Sheet Structure
The Web skills profiles are identified by an unambiguous code and are structured with reference to paragraph 4.2 of the official CEN reference document “European e-Competence Framework version 2.0 – CWA Part II: User guidelines for the application of the European e-Competence Framework 2.0” [CWA-01].
- Profile Title. Name – including the identification code – of the Web skill profile according to the unambiguous international catalogue from the IWA/HWG.
- Summary definition. Lists the primary purpose of the profile. The purpose is to give all stakeholders and users a brief, concise description of the specified Web skill profile, written in a form understandable by ICT professionals, managers, and Human Resources staff.
- Assignment. Describes the basic assignment of the profile. The purpose is to specify the working role defined in the Web Skill Profile.
- Documentation produced. Describes the documents produced by the profile, subdivided according to the role it holds for each: Accountable (guarantees the document), Responsible (produces or supports it), or Contributor (contributes to it).
- Primary duties. Provides a list of typical tasks carried out by the profile. A task is an action undertaken to achieve a result in a broadly defined context and contributing to the definition of the profile.
- Assigned e-CF skills. Provides a list of the skills necessary (taken from the e-CF references) to carry out the assignment. A skill is the outcome of the previous definition of the Profile and helps to differentiate profiles.
- Abilities, knowledge. A list of abilities and knowledge necessary for the definition of the profile, subdivided into technical, IT, and improving abilities (strengthening the profile).
- Area of application of the KPI. Indicates, in general terms, the areas in which Key Performance Indicators (KPI) are applied to the profile, consistently with the grade level of the overall profile. It serves to add depth to the assignment.
- Qualifications and certifications. These are the recommended, but not essential, qualifications and certifications for carrying out the activities in the profile. However, these qualifications and certifications may be used for developing knowledge of specific skills within the profile.
- Personal aptitudes. A list of aptitudes supporting the abilities and knowledge, subdivided into interpersonal/organisational and linguistic. This section reports references to the QCER [CE-01], which promotes the understanding of specific language certifications, purely for informational purposes.
- Relationships and reporting lines. A list of the Web skills profiles and other roles with which the profile interacts (relationships) or to which it reports (reporting lines). This section is for informational purposes.
Appendix C. References
- [CC-01] Creative Commons – Attribution – No Derivative Works 3.0 (CC BY-ND 3.0). http://creativecommons.org/licenses/by-nd/3.0/
- [CWA-01] CEN – European e-Competence Framework version 2.0 – CWA Part II: User guidelines for the application of the European e-Competence Framework 2.0 (September 2010). http://www.ecompetences.eu/site/objects/download/5999_EUeCF2.0userguide.pdf
- [WSPG3-01] IWA – IWA Italy Web Skills Profiles Group
- [WSPG3-02] IWA – IWA Italy – International Webmasters Association Italia
- [WSPG3-03] IWA – G3 Web Skills Profiles – version 1.0 – Generation 3 European ICT Professional Profiles, official specification of 14 February 2013 (English version). http://www.skillprofiles.eu/stable/g3/en/2013-02-14.pdf
