
JOB TASK ANALYSIS

Document Number: ISD57

XYZ Company

Job / Task Analysis:


Information Assurance Specialist

Creation Date: 19 October 2009


Last Update: 27 October 2009

Participant:
Travis Grant
tag09@fsu.edu

Introduction to Instructional Systems


EME5601
Professor Keller

This document is the work of ABC IDS Contractors of Surrey, U.K., and is the sole property of XYZ Company of London, U.K.

Page 1 of 20 Confidential – Internal Use Only Version 1.0



Table of Contents

1.0 Introduction
   1.1 Background
   1.2 Setting
      1.1.1 Department Structure
      1.1.2 Statements of Commitment
2.0 Procedure
   2.1 Preparation
   2.2 Interviews and Observations
   2.3 Analysis
3.0 Results of Job / Task Analysis
   3.1 Description of job position (in brief)
   3.2 Task Listing
   3.3 Requisite Skills and Knowledge
   3.4 Requisite Qualifications
   3.5 Summary Finding
Appendix 1


1.0 Introduction
1.1 Background

This document outlines a Job / Task Analysis performed for XYZ Company of London, UK. This analysis
has been performed on the Information Assurance Specialist (IA Specialist) position within the
Information Security Department (IS). The analysis was conducted on location at XYZ Company’s
headquarters, located at 8596 Tally Road, London, UK SW1P 1AE.

There are currently three occupied Information Assurance Specialist positions within the Information
Security Department.

• John Locke, IA SPECIALIST
• Cathy Booker, IA SPECIALIST
• Terry Chatworth, IA SPECIALIST

The immediate supervisor to all three IA Specialist employees is the Information Systems Security Officer
(ISSO).

• Kevin Tanner, ISSO

The three Information Assurance Specialists were interviewed and observed during the week of 12
October 2009. The ISSO was interviewed on 16 October 2009. This document represents an analysis of
the results of the four interviews and three observations, and it defines and classifies the major
functions, duties, and tasks the IA Specialists perform. In addition, the analysis was performed to
determine if reclassification of the position and its duties is necessary.

Note: Please see Chart 1 on the next page (p.4) for an organizational chart identifying the present
positioning of the IA Specialist position.

XYZ Company is in the process of developing an Information Security Program to provide a foundational
security direction for the company. Established in 1985, XYZ Company is a highly respected international
leader within the financial services industry. The company has a strong and well-developed customer
base that expects high-quality, secure financial services. A well-developed and maintained security
program will ensure that XYZ Company is successful in providing a foundation from which to build its
security infrastructure and maintain the security that its customers expect. In the process of developing
the Information Security Program, it was determined that a job / task analysis was required to define and
classify the major functions, duties, and tasks of the IA Specialist position, and identify whether
reclassification of the position and its duties is necessary.

Note: Please see Appendix 1 for a current (as of 20 October 2009) job description of the Information
Assurance Specialist position.


1.2 Setting

1.1.1 Department Structure

The Information Security (IS) Department is composed of four personnel. The Information Systems
Security Officer is the head of the IS Department and reports to the Chief Executive Officer. The ISSO
oversees a total of three personnel. These three personnel all go by the same title, Information Assurance
Specialist. The Information Assurance Specialists report directly to the ISSO, and work closely with
leaders from each business department.

Chart 1: Organizational chart identifying present positioning of the ISA position.

1.1.2 Statements of Commitment

The Information Security Department of XYZ Company is dedicated to maintaining the confidentiality,
integrity, and availability of corporate assets and customer information. This is accomplished in line with
the company’s Statements of Commitment. The following guiding principles reflect the commitments of
XYZ Company employees to all of the company’s stakeholders (customers, suppliers, employees,
shareholders, governments and society).


Vision Statement (Global)

XYZ Company’s vision is to maintain its competitive advantage in the domestic and international
financial services industry by providing secure, valuable, and high quality services with expert employee
knowledge to our customers when they want them and where they want them.

Quality Statement (Global)

XYZ Company understands the value of continuous improvement. Our unwavering focus and steadfast
passion is to provide the highest quality customer service and financial products while consistently
exceeding customer expectations. Our employees are committed to understanding and meeting customers'
evolving needs, and our company and service offerings are able to adapt quickly to changing
environments and competitive pressures.

Mission Statement (Global)

XYZ Company’s mission is to serve consumers and institutions with its well-established and unique
financial products and services.

Technology Statement (IS Department Specific)

XYZ Company’s use of technology is vital to its continued success. The technology mission of XYZ
Company’s security department is to maintain the confidentiality, integrity, and availability of
information assets and systems while delivering high quality, timely, and effective responses to
customer requirements (both internal and external) through technology and connectivity.


2.0 Procedure

The procedure used in this Job / Task Analysis proceeds from preparation to interviewing to analysis.

2.1 Preparation

1) Collect Information:
   a) Corporate-wide
      i) Statements of Commitment
      ii) Business goals
      iii) Organizational structure
   b) Departmental (Information Security Department)
      i) Statements of Commitment
      ii) Business goals
      iii) Organizational structure
   c) Position under analysis (Information Assurance Specialist)
      i) Job description on file (current and past)
      ii) Expectations from supervisors
      iii) Entry qualifications
      iv) Responsibilities
      v) Certifications
      vi) Compensation

2) Select the Sample for Interview
   a) Sample Size
      i) Four persons (more than one person must always be included in the sample)
         (1) 3 IA SPECIALIST employees
         (2) 1 supervisor (ISSO)
   b) Sample Information:
      i) Designation IA SPECIALIST #1
         (1) Name: John Locke
         (2) Gender: Male
         (3) Current job title: Information Assurance Specialist
         (4) Department/Company: Information Security / XYZ Company
         (5) Job Location: London Office. London, UK
         (6) Length of time in current position: 4 years

         (7) Education: B.S. in IT, Stanford University, Stanford, CA, USA
            (a) M.S. in IA, Rockfurn University, UK
         (8) Certifications: CISSP
      ii) Designation IA SPECIALIST #2
         (1) Name: Cathy Booker
         (2) Gender: Female
         (3) Current job title: Information Assurance Specialist
         (4) Department/Company: Information Security / XYZ Company
         (5) Job Location: London Office. London, UK
         (6) Length of time in current position: 2 years
         (7) Education: B.S. in IM, Stopwidth University, UK
            (a) M.S. in IS, Blackburn University, UK
         (8) Certifications: CISSP
      iii) Designation IA SPECIALIST #3
         (1) Name: Terry Chatworth
         (2) Gender: Male
         (3) Current job title: Information Assurance Specialist
         (4) Department/Company: Information Security / XYZ Company
         (5) Job Location: London Office. London, UK
         (6) Length of time in current position: 1.5 years
         (7) Education: B.S. in IT, Warick University, UK
            (a) M.S. in IS, Blackburn University, UK
         (8) Certifications: CISSP
      iv) Designation ISSO #1
         (1) Name: Kevin Tanner
         (2) Gender: Male
         (3) Current job title: Information Systems Security Officer
         (4) Department/Company: Information Security / XYZ Company
         (5) Job Location: London Office. London, UK
         (6) Length of time in current position: 5 years
         (7) Education: B.S. in IT, Stanford University, Stanford, CA
            (a) M.S. in IS, Cambridge, UK
         (8) Certifications: CISSP

3) Ensure appropriate permissions
   a) Ensure that supervisor also contacts the interviewees
   b) Ensure appropriate documentation (signed letter on company letterhead) in hard and soft copy
      notifying employees that you have been given permission to conduct the interviews and
      observations


4) Contact personnel to interview and observe
   a) John Locke (IA SPECIALIST #1) – Contacted by phone call. Purpose of analysis explained during
      call. Introduction to plan of analysis explained. Requested assistance by means of interview and
      observation. Approval given. Scheduled interview and observation.
      i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
         notification that approval was given, interview and observation times.
   b) Cathy Booker (IA SPECIALIST #2) – Contacted by phone call. Purpose of analysis explained during
      call. Introduction to plan of analysis explained. Requested assistance by means of interview and
      observation. Approval given. Scheduled interview and observation.
      i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
         notification that approval was given, interview and observation times.
   c) Terry Chatworth (IA SPECIALIST #3) – Contacted by phone call. Purpose of analysis explained
      during call. Introduction to plan of analysis explained. Requested assistance by means of
      interview and observation. Approval given. Scheduled interview and observation.
      i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
         notification that approval was given, interview and observation times.
   d) Kevin Tanner (ISSO #1) – Contacted in person. ISSO provided hard and soft copy of signed
      permissions letter. Introduction to plan of analysis explained. Requested interview. Scheduled
      interview.
      i) Follow up: Sent email providing purpose of analysis, introduction to plan of analysis,
         notification that approval was given, interview time.

Note: Please see Item 1 on the following page (p.9) for an outline of the email sent to the IA
Specialist interviewees.


Item 1: Outline of email sent to IA Specialist interviewees

1. The goal of the Job / Task Analysis
2. The purpose of the interview
3. The expected results of the analysis
   a. Functions, duties, tasks, and subtasks (if necessary)
   b. Knowledge and skills required to conduct certain complex tasks
   c. List of qualifications necessary to perform well in the position
4. The scheduled time and date of the interview
5. Sample of questions that shall be asked during the interview
   a. Questions about the work setting:
      i. The mission, business goals and organizational structure of XYZ Company
      ii. The mission, business goals and organizational structure of XYZ Company
      iii. What business are you in? Yes, a financial services business, but please be more specific.
   b. Questions about your job
      i. Would you please provide a general introduction to your current job?
      ii. What functions are required to perform your job?
      iii. What duties are necessary to perform each function?
      iv. Would you kindly break down complicated duties into a series of tasks?
      v. What is the most frequently performed function/duty/task?
      vi. At what frequency are the remainder of the functions/duties/tasks performed?
      vii. What are the difficulties you encounter on your job?
      viii. What kind of knowledge and skills are needed to perform these tasks?
      ix. What inputs are available to perform the job?
      x. What results are being achieved by performing your job?
      xi. Do you have any job performance standards?


2.2 Interviews and Observations

The three Information Assurance Specialists were interviewed and observed during the week of 12
October 2009. The ISSO was interviewed on 16 October 2009. The Job / Task Analysis was developed
during the week of 19 October 2009.

• John Locke (IA SPECIALIST) – Interviewed on 12 October 2009 at 10:25. Observed on 12 October
  2009 from 12:00 – 17:00.
• Cathy Booker (IA SPECIALIST) – Interviewed on 13 October 2009 at 08:25. Observed on 12
  October 2009 from 10:00 – 17:45.
• Terry Chatworth (IA SPECIALIST) – Interviewed on 14 October 2009 at 09:00. Observed on 15
  October 2009 from 8:00 – 17:00 and 16 October 2009 from 8:00 – 14:25.
• Kevin Tanner (ISSO) – Interviewed on 16 October 2009 at 14:45.

2.3 Analysis

Extensive notes were taken during the four interviews and three observation sessions. The notes were
first checked for potential inaccuracies and then consolidated. The consolidated notes were translated
into a hierarchical list of functions, duties, and tasks as deemed necessary to perform the job. Required
skills and knowledge for some frequently performed tasks were also identified.


3.0 Results of Job / Task Analysis

The results of the analysis are a short description of the Information Assurance Specialist job position as
it was described, the prerequisites that an IA Specialist should possess at XYZ Company, a list of
functions, duties, and tasks that are necessary to perform the job, and the required skills and knowledge
for frequently performed tasks.

3.1 Description of job position (in brief)

The IA Specialists work both independently and as part of the Information Security Department team
under the leadership of the ISSO. The IA Specialists report directly to the ISSO as seen in Chart 1 (p.4). In
addition, IA Specialists work closely with leaders in other key business departments to ensure the
confidentiality, integrity, and availability of information assets and systems. IA Specialists are expected
to deliver high-quality, timely and effective responses to customer requirements (both internal and
external) through technology, connectivity, and communication.

Of note, the current job description on file matched with a high degree of accuracy the job
responsibilities and qualifications detailed by the ISSO and the IA Specialists.

To be successful as an IA Specialist, the following knowledge elements and capabilities have been
identified:

• Ability to develop and maintain security policies, standards, procedures and guidelines where
  appropriate.
• Ability to develop security assessments, and develop and maintain security plans.
• Ability to participate in security investigations, incident response, and disaster recovery.
• Ability to develop and analyze the systems security.
• Knowledge of how to develop additional systems security documentation.
• Knowledge of how to develop and implement security policies, standards, procedures and
  guidelines.
• Knowledge of security regulations and standards.
• Knowledge of technical and administrative information assurance issues.
• Technical and administrative skills for implementing security mechanisms and controls.


3.2 Task Listing

There are five major functions for the IA Specialist position at XYZ Company: protect; monitor; analyze;
detect; and respond. Functions provide a means of distinguishing between different levels of work. The
functional level indicates the roles that employees perform.

| Functions | Duties | Tasks | Criticality (1 = Low / 5 = High) | Frequency (Low / Moderate / High) |
|---|---|---|---|---|
| 1.0 Protect | 1.1 Develop security policies, standards, procedures and guidelines | 1.1.1 Identify security requirements, goals, and functions; 1.1.2 Identify relevant security regulations and standards; 1.1.3 Write security documentation | 3 | Low |
| 1.0 Protect | 1.2 Maintain security policies, standards, procedures and guidelines | 1.2.1 Identify changes to security environment; 1.2.2 Update security documentation | 3 | Low |
| 1.0 Protect | 1.3 Develop systems security documentation | 1.3.1 Identify security practices of systems; 1.3.2 Write security documentation | 3 | Low |
| 1.0 Protect | 1.4 Maintain systems security documentation | 1.4.1 Identify changes to systems; 1.4.2 Update security documentation | 4 | Moderate |
| 1.0 Protect | 1.5 Implement security mechanisms and controls | 1.5.1 Show knowledge of security mechanisms and controls; 1.5.2 Deploy security mechanisms and controls; 1.5.3 Configure security mechanisms and controls | 4 | Moderate |
| 1.0 Protect | 1.6 Maintain security mechanisms and controls | 1.6.1 Identify changes to environment; 1.6.2 Identify updates to mechanisms and controls; 1.6.3 Apply updates; 1.6.4 Reconfigure | 4 | High |
| 2.0 Monitor | 2.1 Monitor security mechanisms and controls | 2.1.1 Identify suspicious information asset activities | 5 | High |
| 3.0 Analyze | 3.1 Analyze information security requirements | 3.1.1 Show knowledge of organization; 3.1.2 Show knowledge of security best practices, standards, and regulations | 3 | Low |
| 3.0 Analyze | 3.2 Analyze security mechanism and control reports | 3.2.1 Show knowledge of analysis procedures; 3.2.2 Show knowledge of alarms and alerts | 5 | High |
| 4.0 Detect | 4.1 Identify information security threats | 4.1.1 Show knowledge of security mechanism and control alerts; 4.1.2 Identify suspicious IT and network systems activity | 5 | Moderate |
| 4.0 Detect | 4.2 Identify physical security threats | 4.2.1 Show knowledge of alarm and surveillance systems; 4.2.2 Identify suspicious people and activities | 4 | Low |
| 5.0 Respond | 5.1 Participate in security investigations | 5.1.1 Respond to incident; 5.1.2 Aid in recovery from incident; 5.1.3 Restore systems after incident; 5.1.4 Prepare systems in case of incident; 5.1.5 Conduct exercises to ensure preparation | 5 | Low |
| 5.0 Respond | 5.2 Participate in incident response | 5.2.1 Respond to incident; 5.2.2 Aid in recovery from incident; 5.2.3 Restore systems after incident; 5.2.4 Prepare systems in case of incident; 5.2.5 Conduct exercises to ensure preparation | 5 | Moderate |
| 5.0 Respond | 5.3 Participate in disaster recovery | 5.3.1 Respond to incident; 5.3.2 Aid in recovery from incident; 5.3.3 Restore systems after incident; 5.3.4 Prepare systems in case of incident; 5.3.5 Conduct exercises to ensure preparation | 5 | Low |


3.3 Requisite Skills and Knowledge

This section identifies some of the requisite skills and knowledge required to perform the tasks
identified as “High Frequency” in the Task Listing.

Function: 1.0 Protect

Duty: 1.6 Maintain security mechanisms and controls

Task(s): 1.6.1 – 1.6.4

• 1.6.1 Identify changes to environment
• 1.6.2 Identify updates to mechanisms and controls
• 1.6.3 Apply updates
• 1.6.4 Reconfigure

| Task(s) | Skills and Knowledge |
|---|---|
| 1.6.1 Identify changes to environment | a) Ability to gather data about Internet-wide security environment; b) Ability to gather data about corporate-wide security environment |
| 1.6.2 Identify updates to mechanisms and controls | a) Ability to gather data about updates to mechanisms and controls; b) Knowledge of best practices of mechanisms and controls |
| 1.6.3 Apply updates | a) Working knowledge of mechanisms and controls; b) Ability to apply updates |
| 1.6.4 Reconfigure | a) Ability to configure mechanisms and controls; b) Ability to test configurations of mechanisms and controls; c) Configuration knowledge of mechanisms and controls |


Function: 2.0 Monitor

Duty: 2.1 Monitor security mechanisms and controls

Task(s): 2.1.1 Identify suspicious activity

| Task(s) | Skills and Knowledge |
|---|---|
| 2.1.1 Identify suspicious information asset activities | a) Ability to gather data on information assets; b) Ability to read and comprehend gathered data; c) Knowledge of what constitutes suspicious activity; d) Knowledge of intrusion techniques and defenses |

Function: 3.0 Analyze

Duty: 3.2 Analyze security mechanism and control reports

Task(s): 3.2.1 – 3.2.2

• 3.2.1 Show knowledge of analysis procedures
• 3.2.2 Show knowledge of alarms and alerts

| Task(s) | Skills and Knowledge |
|---|---|
| 3.2.1 Show knowledge of analysis procedures | a) Knowledge of application specific analysis procedures; b) Knowledge of corporate security analysis procedures |
| 3.2.2 Show knowledge of alarms and alerts | a) Knowledge of information alarm sensor locations; b) Knowledge of alarm triggers; c) Knowledge of how to activate an alarm; d) Knowledge of how to deactivate an alarm; e) Knowledge of what constitutes a false positive; f) Knowledge of what constitutes a false negative; g) Knowledge of how to verify an incident |


3.4 Requisite Qualifications

This section identifies the qualifications needed to perform the functions, duties, and tasks
identified in the Task Listing.

• A thorough knowledge of IA processes to include but not limited to certification and
  accreditation, computer network defense, and vulnerability assessments. Must be able to work
  with changing and evolving requirements.
• A high-level security certification (CISSP, GSE, SCNA, or CISA) is required.
• Strong research and analysis skills as well as strong verbal/written communication skills.

3.5 Summary Finding

At this time it is not believed that a reclassification of the ISSO position and its duties is necessary.


Appendix 1

Job Description: Information Assurance Specialist

Last revised: 07 September 2009

XYZ Company is seeking an Information Assurance Specialist (IA SPECIALIST) to work in London, UK. The
IA SPECIALIST will work closely with other IA SPECIALIST employees, the ISSO, and leaders in Information
Technology, Human Resources and other departments to oversee and coordinate corporate information
security operations across 1 UK and 1 overseas office. The IA SPECIALIST will report directly to the CSO.
Aside from the qualifications listed below, the IA SPECIALIST must also have an in-depth understanding of
XYZ Company's business environment and have a strong background in information assurance. The
responsibilities of this position include but are not limited to the following:

Responsibilities:

• Develop and maintain security policies, standards, procedures and guidelines where
  appropriate. Enforce established security policies, standards, procedures and guidelines.
• Perform IT security assessments, and develop and maintain security plans.
• Develop additional systems security documentation.
• Participate in secure systems development and analysis.
• Provide technical and administrative direction on information assurance issues.
• Provide technical and administrative guidance on implementing and monitoring security
  mechanisms and controls.
• Identify regulations and standards and support company compliance.
• Support a security awareness-training program.
• Participate in security investigations, incident response, and disaster recovery.
• Other duties as assigned.

Qualifications:

• A bachelor’s degree is required in a related field. A master’s degree in a related field is
  preferable.
• 5+ years of experience in IT, IT Audit, or combined Information Assurance.
• Must have a thorough knowledge of IA processes to include but not limited to certification and
  accreditation, computer network defense, and vulnerability assessments. Must be able to work
  with changing and evolving requirements.
• A high-level security certification (CISSP or equivalent) is required.
• Must have strong research and analysis skills as well as verbal/written communication skills.
• Excellent oral and written communication skills.
• Project management skills preferred.


Compensation:

• Annual salary of $80,000 US dollars.
• Full health care package.
• Starting 20 days of accrued vacation time.
• 401k Plan.
