using a minimum and maximum range of hours for each major job
function and the successful demonstration of identified competencies.
Information Security Analyst
Columns: Work Process Content; On the Job Training (minimum and maximum hours); competencies to be demonstrated (with level and category)
Assists in developing security policies and protocols; assists in enforcing company compliance with network security policies and protocols
On the Job Training: minimum 0 hours, maximum 480 hours
Competencies:
  a. Locates (in the intranet, employee handbook, security handbook or security protocols) organizational policies intended to maintain security and minimize risk, and explains their use. (BASIC; POLICY)
  b. Provides guidance to employees on how to access networks, set passwords, reduce security threats and apply defensive measures associated with searches, software downloads, email, internet, add-ons, software coding and transferred files. (ADVANCED; POLICY)
  c. Ensures that password characteristics are explained and enforced and that updates are required and enforced at appropriate intervals. (BASIC; POLICY)
  d. Explains the company's or organization's policies regarding the storage, use and transfer of sensitive data, including intellectual property and personally identifiable information. Identifies the data life cycle, data storage facilities and technologies, and describes business continuity risks. (INTERMEDIATE; POLICY)
  e. Monitors compliance for information and security audits/reviews. (BASIC; CORE)
  f. Advises employees in the use of technologies that restrict or allow remote access to the organization's information technology network. (INTERMEDIATE; POLICY)
  g. Develops security compliance policies and protocols for external services (e.g., cloud service providers, software services, external data centers). (ADVANCED; POLICY)
  h. Complies with incident response and handling methodologies. (ADVANCED; CORE)
  i. Articulates the business need or mission of the organization as it pertains to the use of IT systems and the storage of sensitive data. (INTERMEDIATE; CORE)
Provides technical support to users or customers; applies security policies to meet the security objectives of the system
On the Job Training: minimum 0 hours, maximum 480 hours
Competencies:
  a. Diagnoses and resolves customer-reported cyber-related incidents. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  b. Audits accounts, network rights, and access to systems and equipment. (INTERMEDIATE; OPERATIONS)
  c. Architects security measures for use in the system and ensures that system designs incorporate security configuration guidelines. (ADVANCED; OPERATIONS)
Ensures that deployed infrastructure meets departmental security standards and is in compliance with security policy
On the Job Training: minimum 0 hours, maximum 530 hours
Competencies:
  a. Collaborates with system developers and users to assist in the selection of appropriate design solutions to ensure the compatibility of system components. (INTERMEDIATE; CORE)
  b. Audits or scans network hubs, routers and switches. (ADVANCED; OPERATIONS)
  c. Reviews and approves the technology recovery plan, the system recovery plan, and backup and recovery procedures. (INTERMEDIATE; OPERATIONS)
  d. Assists in the diagnosis of network connectivity problems. (BASIC; OPERATIONS)
  e. Scans for network vulnerabilities to ensure information is safeguarded against outside parties. (INTERMEDIATE; OPERATIONS)
  f. Establishes standards for adequate access controls based on the principles of least privilege and need-to-know. (INTERMEDIATE; POLICY)
  g. Establishes security standards for users in the system and ensures that system designs incorporate security configuration guidelines. (BASIC; POLICY)
  h. Provides education and outreach on security best practices. (BASIC; CORE)
  i. Assesses cloud security playbooks and standards to ensure secure cloud provisioning. (BASIC; CORE)
Ensures that deployed software meets departmental security standards and is in compliance with security policy
On the Job Training: minimum 0 hours, maximum 530 hours
Competencies:
  a. Sets the standards for group policies and access control lists, and audits them to ensure compliance with security standards. (ADVANCED; POLICY)
  b. Oversees compliance with, or changes to, system administration standard operating procedures. (INTERMEDIATE; OPERATIONS)
  c. Maintains baseline system security standards according to organizational policies. (INTERMEDIATE; POLICY)
  d. Audits accounts, network rights and access to systems and equipment. (BASIC; CORE)
  e. Validates data redundancy and system recovery procedures. (INTERMEDIATE; OPERATIONS)
  f. Assists in the coordination or installation of new or modified hardware, operating systems and other baseline software. (INTERMEDIATE; OPERATIONS)
  g. Provides ongoing optimization and problem-solving support. (INTERMEDIATE; OPERATIONS)
  h. Establishes standards for, and audits, access controls based on the principles of least privilege, role-based access control (RBAC) and need-to-know. (ADVANCED; POLICY)
Performs technical and non-technical risk and vulnerability assessments of relevant technology focus areas
On the Job Training: minimum 0 hours, maximum 530 hours
Competencies:
  a. Establishes standards for cyber security detection, monitoring and threat management software. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  b. Coordinates with network administrators to administer the updating of rules and signatures for the intrusion detection/protection system. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  c. Manages IP addresses based on the current threat environment. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  d. Ensures application of security patches for commercial products integrated into the system design. (BASIC; OPERATIONS)
  e. Uses computer network defense tools for continual monitoring and analysis of system activity to identify malicious activity. (ADVANCED; SECURITY OPERATIONS CENTER)
Assesses IT systems, software, business continuity and related security risks and vulnerabilities; assists in the development of mitigation strategies to reduce departmental risk
On the Job Training: minimum 0 hours, maximum 550 hours
Competencies:
  a. Applies security policies to meet the security objectives of the system. (INTERMEDIATE; OPERATIONS)
  b. Performs scanning to ensure current defense applications are in place, including on Virtual Private Network devices. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  c. Validates that data backup and restoration systems are functional and consistent with the company's document retention policy and business continuity needs. (INTERMEDIATE; OPERATIONS)
  d. Identifies potential conflicts with the implementation of any computer network defense tools. Performs tool signature testing and optimization. (ADVANCED; OPERATIONS)
  e. Installs, manages and updates the intrusion detection system. (ADVANCED; SECURITY OPERATIONS CENTER)
  f. Performs technical and non-technical risk and vulnerability assessments of relevant technology focus areas. (ADVANCED; CORE)
  g. Conducts authorized penetration testing (Wi-Fi, network perimeter, application security, cloud, mobile devices) and assesses results. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  h. Documents systems security operations and maintenance activities. (INTERMEDIATE; CORE)
  i. Communicates potential risks or vulnerabilities to manager. Collaborates with others to recommend vulnerability corrections. (ADVANCED; CORE)
  j. Identifies information technology security program implications of new technologies or technology upgrades. (ADVANCED; CORE)
  k. Approves System Security Plans. (INTERMEDIATE; CORE)
  l. Collaborates on the categorization and classification of data systems. (BASIC; CORE)
Communicates potential risks or vulnerabilities to manager; collaborates with others to recommend vulnerability corrections
On the Job Training: minimum 0 hours, maximum 550 hours
Competencies:
  a. Identifies organizational trends with regard to the security posture of systems; identifies unusual patterns or activities. (BASIC; SECURITY OPERATIONS CENTER)
  b. Characterizes and analyzes network traffic to identify anomalous activity and potential threats; performs computer network defense trend analysis and reporting. (ADVANCED; SECURITY OPERATIONS CENTER)
  c. Receives and analyzes network alerts from various sources within the enterprise and determines possible causes of such alerts. (ADVANCED; SECURITY OPERATIONS CENTER)
  d. Runs tests to detect real or potential threats, viruses, malware, etc. (ADVANCED; SECURITY OPERATIONS CENTER)
  e. Assists in researching cost-effective security controls to mitigate risks. (INTERMEDIATE; CORE)
  f. Helps perform damage assessments in the event of an attack. (ADVANCED; CORE)
  g. Monitors network data to identify unusual activity, trends, unauthorized devices or other potential vulnerabilities. (ADVANCED; SECURITY OPERATIONS CENTER)
  h. Documents and escalates incidents that may cause immediate or long-term impact to the environment. (INTERMEDIATE; CORE)
  i. Provides timely detection, identification and alerting of possible attacks, intrusions and anomalous activities, and distinguishes these incidents and events from normal baseline activity. (ADVANCED; SECURITY OPERATIONS CENTER)
  j. Uses network monitoring tools to capture and analyze network traffic associated with malicious activity. (ADVANCED; SECURITY OPERATIONS CENTER)
  k. Performs intrusion analysis. (ADVANCED; SECURITY OPERATIONS CENTER)
  l. Sets containment blockers to align with company policy regarding computer use and web access. (ADVANCED; SECURITY OPERATIONS CENTER)
Responds to cyber intrusions and attacks and provides defensive strategies
On the Job Training: minimum 0 hours, maximum 380 hours
Competencies:
  a. Assists in the development of appropriate courses of action in response to identified anomalous network activity. (ADVANCED; SECURITY OPERATIONS CENTER)
  b. Triages systems operations impact: malware, worms, man-in-the-middle attacks, denial of service, rootkits, keystroke loggers, SQL injection and cross-site scripting. (ADVANCED; SECURITY OPERATIONS CENTER)
  c. Reconstructs a malicious attack or activity based on network traffic. (ADVANCED; SECURITY OPERATIONS CENTER)
  d. Correlates incident data to identify specific vulnerabilities and makes recommendations that enable expeditious remediation. (ADVANCED; SECURITY OPERATIONS CENTER)
  e. Monitors external data sources to maintain currency of the Computer Network Defense threat condition and determines which security issues may have an impact on the enterprise. Performs file signature analysis. (ADVANCED; SECURITY OPERATIONS CENTER)
  f. Performs analysis of log files from a variety of sources to identify threats to network security; performs file signature analysis. (ADVANCED; SECURITY OPERATIONS CENTER)
  g. Performs computer network defense incident triage, including determining scope, urgency and potential impact; identifies the specific vulnerability; provides training recommendations; and makes recommendations that enable expeditious remediation. (ADVANCED; SECURITY OPERATIONS CENTER)
  h. Receives and analyzes network alerts from various sources within the enterprise and determines possible causes of such alerts. (ADVANCED; SECURITY OPERATIONS CENTER)
  i. Tracks and documents computer network defense incidents from initial detection through final resolution. (INTERMEDIATE; SECURITY OPERATIONS CENTER)
  j. Collects intrusion artifacts and uses the discovered data to enable mitigation of potential computer network defense (CND) incidents. (ADVANCED; SECURITY OPERATIONS CENTER)
  k. Performs virus scanning on digital media. (BASIC; CORE)
Related Instruction Content
Training Provider(s):