As motivation for writing your portfolio, imagine a context such as a company or organisation you work for. For example, consider the following scenario (you may pick another if you prefer, as a framework for your system security portfolio):
Oppression Watch is a rights organisation supplying legal advice, counselling and information to a vulnerable group. Having many political enemies, foreign and domestic, online and offline, the organisation is a high exposure target.
As a member of the software security and privacy task force you are to audit and make recommendations for the transformation of their systems, policies and processes.
You are to consider the areas of:
- Data storage, integrity, privacy, compliance.
- Secure communication for both organisational staff and clients
- System hardening, including servers, offices, and mobile devices
- Personnel and operational security
Your portfolio should include an understanding and appreciation of a range of techniques related to the principles and technologies of cyber security in practical application. In particular you should demonstrate awareness of:
- Threat and vulnerability modelling, risk prioritisation
- Anticipation of emerging threats
- Access control, authorisation
- Defensive system design principles, in depth and breadth
- Scope, lifecycle, maintenance and sustainability
- Technologies, options for technical implementation
- Encryption for communications and storage
- Policies, monitoring, response plans
- Cost, roles, skills and human resources
- Trade-offs, compromises and push-backs
A 3000 word concise technical report will form the basis of your portfolio, and it may include screenshots, terminal logs, tables, lists, flow diagrams, or any other appropriate graphics or formulae summarising key techniques and considerations. Emphasise the practical execution of auditing and hardening tasks and comment on difficulties or lessons learned.
Assessment criteria

Your submission will be assessed against the following criteria:

| Criteria | Below threshold | Grade D | Grade C | Grade B | Grade A |
|---|---|---|---|---|---|
| Security Engineering principles | Little or no evidence of security thinking. Contradictory, dangerous or misunderstood technique. | Weak security engineering with partial understanding of some key issues. | Viable security thinking with understanding in most key areas. Fair understanding of risks and mitigations. | Good security thinking with some flair for grasping complex risk concepts and some defences. | Broad and deep understanding, holistic integrated approach, pragmatic and balanced. Evidence of complexity thinking. Informed by best practice and relevant policy. Insightful understanding of current and emerging threats. |
| | No technological basis for implementing the process is shown. | Unrealistic implementation or poor choices of technologies. Misconfiguration or misunderstandings of tools. No substantial plan. | A plausible set of tools and technologies with proper description of their set-up and use. Some treatment of planning and test. | Extensive set of technical measures and ideas to deal with multiple threats. Evidence of research and understanding of the resources needed to deploy. | A textbook deployment of a state-of-the-art solution. Comprehensive, well researched proposal, with milestones, test criteria, depth, redundancy, cost and skill-set needs. |
| Presentation and communication of ideas | Incoherent, unreadable report without structure, substantial content or references. | Poorly structured and written report, lacking strong communicative skills, no use of visual or tabulated data, few or no references, or poor quality research sources. | An adequate report that communicates the key ideas in an effective and concise way. References given as evidence of research reading. | A good report that concisely but extensively deals with significant scope. Well researched, argued points. Good use of visuals and structure. Great referencing from well chosen, high quality sources. | An excellent report with well written, well informed, compelling arguments, concise and nicely structured. Clever use of compact visual devices. High quality, up to date research with excellent referencing. |