Project report, knowledge test, scenarios, professional discussion.
Assessment Method 4: Combined Professional Discussion (underpinned by portfolio) & Questioning part of the Scenarios
Your professional discussion is a 90-minute long professional discussion which is underpinned by the portfolio.
The professional discussion will consist of a minimum of 12 questions with 2 questions focusing on ‘Law & Regulation’ (K8) & 1 question on ‘Ethics’ (K9)
The questioning part of the scenario & demonstration assessment will follow on from the professional discussion so that you only meet with the IEPA (Independent End Point Assessor) once.
Below is a typical questions in a question bank you may get during your professional discussion/questioning. This is not a definitive list, but gives you enough preparation to be able to show your understanding and competency within the discussion with the EPAO.
Professional Discussion Questions:
Professional Discussion which is underpinned by the portfolio.
| KSB’S | Questions |
| K3 Section 1 | Explain what security assurance is and how it can be achieved. Explain What Penetration Testing / Horizon Scanning is – Are these areas which are used in your workplace? Explain the impact of Risks/Threats to your workplace should you not keep up to date with threat/vulnerability/risk management or intelligence? Give an example of work that you performed to achieve security assurance. |
| K6 Section 5 / research | What is a cryptographic key life cycle and management of this. What encryption do you use in the workplace. What service management lifecycle do you use? Where do you and your team fit into the lifecycle? How does this impact the next stage with the work that you do? |
| K7 Section 6 | Explain how you advised others on cyber security incident processes to support incident investigation. Give an example of an incident given to you where you have had to investigate or assist as part of the process? |
| K8 Section 3 | Tell me which cyber security standard you adhere to in the workplace and how it is applied. What other cyber legislations and laws are you aware of? Explain the types of information that are governed by GDPR and Data Protection Act 2018 and give some examples. |
| K9 Section 3 | Explain the codes of good practice of a cyber security professional body which you follow in your workplace. Describe the ethical responsibilities of a cyber security professional and how you apply this in your job role? |
| K15 Section 6 | Explain the concept of a Cyber Security Management system within your workplace and how it achieves the intended security outcome. How does the function of the cyber security management system enable the team to provide the best result/resolution? |
| S6 Section 2 | Explain the approach you took when you independently explored and investigated a security case analysis. Were there other solutions that you found with regards to the risk and issue you looked into? If so, what were they? Why didn’t these go ahead and the end solution was chosen? |
| S7 Section 5 | Tell me about a situation where you delivered a task to meet a Service Level Agreement (SLA) or performance target. How did you ensure that you met the SLA or performance target? What tasks do you carry out daily as part of your role? What is the impact that these have if you don’t carry these out? |
| S9 Section 4 | Tell me about work you have done to recommend security improvements to the organisation, including the potential impact of your recommendations. (Future Technologies / Think about additional technologies as well as the ones in your portfolio piece) How could future technologies improve the business further? What could be implemented and why would this benefit your workplace? |
| S15 Section 4 | Explain the steps you have taken to prevent a breach to digital system security. Who was involved? How did you approach it? What was the outcome of the investigation? What tools do you use to prevent breaches? Explain how they are used and what information they are used for? When would be the best time to use these tools? |
| B3 Any examples | How have you demonstrated your ability to work independently in your role whilst complying with the organisation’s policies and procedures? Give an example of when you have worked independently in your role to complete a project/task given? |
| B4 Any examples | Tell me about a time when you demonstrated problem solving skills to complete a task. Give an example of using logical thinking to resolve a problem? (Straight forward open and closed issue – step by step) Give an example of using creative thinking to resolve a problem? (A more complex problem, may have had to escalate the issue, look at alternative solutions) |
| B5 Any examples | How have you planned your work tasks in order to comply with your employer’s timeline requirements? What tools/applications/trackers do you use to plan your work tasks in a timely manner? |
| B6 Any examples | How have you demonstrated the principles of inclusion and diversity in your working relationships? How do you ensure that your team feels included and can work together? |
| B7 Any examples | Explain how you would adapt your communication with others to meet the needs of different audience types. What types of communication do you use in the workplace? How do you change the method of communication dependent on situation? Give an example. |
| B8 Any examples | How do you keep track of work in progress, in order to meet the requirements of your role? How do you plan your time? What time management techniques do you use? Pomodoro Technique? In carrying out your role, how would you ensure that the working environment is secure and complies with the organisation’s policies and procedures? |
| K3 Section 1 | Explain what constitutes “risks” and the benefits of mitigating risks. Give an example of a risk within the workplace and how you have helped/recommended mitigation for this. Explain what a threat is? What threat intelligence sources can be used? Given a threat (of your choice) what would the impact of that threat being exploited in the workplace? Explain the steps you would take to implement security assurance in a specific situation. |
| K6 Section 5 | Explain an example of a security incident life cycle – Which security management lifecycle do you adhere to in the workplace? What are the different stages of the life cycles? How does this align with the teams/processes in your workplace? |
| K7 Section 6 | Tell me about a time when you advised others involved in a security incident. What was your role? What steps did you take? What actions did you take when investigating an incident? |
| K8 Section 3 | Explain the main cyber security laws and regulation and why they are required. Give examples of the type of information covered by GDPR and Data Protection Act 2018. |
| K9 Section 3 | Considering the work of a cyber security professional body, tell me about their code of good practice. What are the main ethical responsibilities of a cyber security professional? Why is it important to follow cyber security principles and good practice as a cyber security professional? |
| K15 Section 6 | Describe the features of a cyber security management system and how they work together to achieve the intended security outcome. What security management system is used in your workplace? How does this help to enforce the processes/procedures in place to help achieve the security outcome and prevent/mitigate incidents? |
| S6 Section 2 | Explain how you worked, without supervision, to analyse a security case. What security objectives did you need to consider when building your security case? |
| S7 Section 5 | Describe your organisation’s Service Level Agreement (SLA) or performance targets and give an example of how you have followed the requirements/met these. Explain a time when SLA/Deadlines/Timeframe may not have been met? What is the impact/implications of this? What was the reason for the failure to meet the target? |
| S9 Section 4 | Thinking about a time when you examined a cyber security posture, explain any relevant future trends that you identified or recommendations you made. (Future Technologies) How are cyber security technologies used within your workplace? What are the risks with those technologies? What other cyber security technologies could be used within your workplace to benefit/improve it? |
| S15 Section 4 | Explain the tools and methods you have used to prevent a breach to digital system security – Give an example of a breach/investigation/check you dealt with. What were the steps you had to carry out to come to a resolution/conclusion for this? |
| B3 Any examples | Describe a situation where you independently completed a task in line with your employer’s policies and procedures. Explain a task you have been given to work on independently as part of a bigger supporting project? |
| B4 Any examples | Give an example of when you used your own initiative to solve a problem. When have you noticed an issue and had to raise this & then follow up with an investigation? |
| B5 Any examples | What approach have you taken to ensure that your work is done effectively and meets timelines set by your employer? How do you manage your time to ensure timelines/deadlines are met by your employer? |
| B6 Any examples | How have you demonstrated the principles of inclusion and diversity when interacting with others? Does your workplace have anything in place to include different cultures / religions etc to bring everyone together for support/celebration? For example: Eid, Ramadan, Christmas etc? |
| B7 Any examples | Give an example of how you adapted your language when communicating an issue to a technical and non-technical stakeholder. Give an example of when you have been part of a team meeting and you have offered advice/opinion as part of the discussion? |
| B8 Any examples | Thinking about working productively and professionally in your role, what approach would you take to achieve this? How would you ensure that the working environment is secure and reflects the organisation’s policies and procedures? |
Scenario & Demonstration Questioning
These are all based on the 4 scenarios which will be carried out within EPA –
- Attack and Threat Research 1hour 45 minutes
- Risk Assessment 2 hours
- Set up and configure a system with security features 3 hours
- Computer programme/script writing 1 hour
| KSB’S | Questions |
| K2 | Explain how the security features built into Operating Systems are used in your organisation. Explain the how the functionality of Operating Systems can be used to ensure the integrity and confidentiality of data. |
| K4 | Explain how human behaviour can impact on the security of data. Explain how an insider threat can impact on an organisation. Explain what a DDoS attack is. Describe the measures that can be used to mitigate against a DDoS attack. |
| K5 | Explain why it is important to identify trends in Cyber security threats. Describe the benefits of undertaking an analysis of information to identify emerging threats. Explain how you would identify trends in Cyber security threats. |
| K10 | Describe how you gather and analyse information to allow security objectives to be set. Explain the considerations that you take into account when developing security objectives. |
| K11 | Explain how horizon scanning can be used by organisations. Describe the sources of threat intelligence and vulnerabilities that are used in your organisation. |
| K12 | Describe how access control lists (ACLs) can be used to enhance security. Explain how you would reduce the attack surface of a server. Explain why security architecture patterns should be used. |
| K14 | Describe two audit methodologies that can be used by organisations. Describe how the threat intelligence lifecycle is used in your organisation. Explain the role of the risk owner in contrast with other stakeholders. |
| K16 | Explain how SQL injection can be used to compromise security. Describe how a process vulnerability can impact on security. |
| K17 | Explain why you chose to develop the application using this programming language. |