
Application Guidance – CCP Security and Information Risk Advisor Role, Practitioner Level

Issue No: 1.1, October 2015

This document is for the purposes of issuing advice to UK Government, public sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.

The copyright of this document is reserved and vested in the Crown.

Document History

Version   Date           Comment
1.0       April 2015     First issue
1.1       October 2015   First public release


Application Guidance - CCP S&IRA Role, Practitioner Level

Purpose & Intended Readership

This document is intended as a guide on how to structure evidence when applying for certification under the CESG Guidance for IA Professionals (CCP) scheme as a Security & Information Risk Advisor (S&IRA) at Practitioner level. It includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications.

Executive Summary

CESG has developed a framework for certifying Information Assurance (IA) Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Advisor Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Security & Information Risk Advisor (S&IRA) at Practitioner level.

Feedback

CESG welcomes feedback and encourages readers to inform CESG of their experience, good or bad, with this document. Please email: [email protected]


Contents:

Overall Requirements for the S&IRA Role at Practitioner level
  Key Principles
  Security and information risk advice
  Headline statement for the S&IRA role at Practitioner Level, SFIA Responsibility Level 2
  Applying for CCP Scheme Certification
Further information on the requirements for the S&IRA Role at Practitioner Level
  Knowledge
  Skills
  Experience
The Certification Process
  Next Steps
The CCP Scheme Certification Learning Cycle
References


Overall Requirements for the S&IRA Role at Practitioner level

Key Principles

This document is intended as a guide on how to structure evidence when applying for certification as a Security and Information Risk Advisor (S&IRA) at Practitioner level in the CESG Certification for IA Professionals (CCP) scheme. It includes suggestions of what you need to learn and know before applying and complements the ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications. Learning comes through acquiring skills and knowledge (from training, experience and learning from others doing the same job) and then putting these into practice. Most people will need a few years to acquire these, although in some cases this period may be longer or shorter. The section on skills provides prompts for the type of evidence which could demonstrate that you meet the required standards. You are encouraged to follow the advice in this section when completing your written submission of evidence.

Security and information risk advice

The S&IRA role is to provide business-driven advice on the management of security and information risk consistent with HMG IA policy or other sector specific guidance. In particular a S&IRA should:

• provide a focal point for resolution of security and information risk matters
• identify, analyse and evaluate information risks
• explain to risk owners and other stakeholders the causes, likelihood and potential business impacts of information risks throughout the information system lifecycle
• assist checking compliance with applicable regulations, standards, policies and guidance on information risk management
• present risk management options to the business
• support the development of appropriate and proportionate documentation to inform risk management decisions, ensuring these are expressed in terms meaningful to the business
• investigate security incidents
• promote security awareness
• provide threat guidance

Headline statement for the S&IRA role at Practitioner Level, SFIA Responsibility Level 2

Assists customers in the routine application and interpretation of security or IA policies and practices

Applying for CCP Scheme Certification

If you don’t feel that you can demonstrate all of the following required skills, knowledge and experience, agree a plan with your manager so that you can address any gaps – e.g. through placements, projects, training, mentoring – before you apply for CCP certification. You also need to check the website of the Certification Body (CB)[1] you wish to use, to see if it specifies any additional requirements, for example an exam qualification. The following are examples consistent with the standards required to meet the role headline statement above. Other examples might also meet the same standard. Your evidence should show that you:

• use a repeatable and consistent risk assessment technique to identify emerging information risks throughout the lifecycle of assigned information systems, services or business solutions
• co-ordinate the identification of suitable risk treatment options in the context of the business and ensure these are traceable to risks
• develop security evidence as required and specified by the business to enable the effective and consistent application of an organisation’s risk management process, ensuring this evidence is necessary, proportionate and matches the business requirement. Avoid producing unnecessary documentation
• liaise with an Accreditor[2] and/or Risk Owner to gain timely accreditation
• undertake preliminary or fact-finding enquiries into security incidents
• check or report compliance with applicable security standards and procedures
• present security briefings to users and/or local management
• contribute to security communications
• draft requirements for IT Health Checks or audits
• can provide examples showing that you are competent in the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework (see skills section). For skills at level 1 (awareness), this could be your contributions to teamwork. For level 2 (application) skills, wherever possible you should show personal ownership in your work
• demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA)[3] at level 2. Alternatively you can show evidence of at least level 1.5 for the IISP J skills - see the publication ‘Guidance to CESG Certification for IA Professionals’ (reference [b])

[1] The three Certification Bodies are APM Group – www.apmg-ia.com; BCS, The Chartered Institute for IT Professionals – www.bcs.org; and the IISP, RHUL & CREST consortium – www.iisp.org.

[2] Accreditor is a term which is mostly used within government organisations, for example if operating within an HMG accreditation framework. It denotes the person who impartially and independently assesses that the risks associated with an information system are acceptable to the organisation and who accredits that system on behalf of a Board.

[3] See ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) and the SFIA Foundation at www.sfia.org.uk.


This diagram gives an overall picture of the different elements of Information Assurance and their interdependence. Within the overall context of Information Assurance, the S&IRA’s focus is to obtain the necessary information from others (e.g. architects, accreditors etc.) of how systems work, the organisation’s environment and risk appetite and to then present advice in a way that clients can understand, in order to achieve a proportionate level of information risk management.


You need to understand the organisation’s business objectives, strategy and risk appetite. You will also need information from knowledgeable technical specialists who can explain at an appropriate level what the information systems do. You need people skills to ensure that you can explain security options in a way that non-specialists understand so that they implement your advice with the outcome that risks are managed appropriately and proportionately. In no priority order, you need:

Skills in:

• Negotiating
• Influencing
• Communication – able to talk to non-specialists and specialists alike
• Business writing (all the information needed for a decision, on 1 side of A4)
• Working within business areas to personally build and then give tailored presentations
• Stakeholder management

Familiarity with:

• Risk assessment and risk management methodologies
• Security and information risk advice standards and policies
• The ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications
• Technical IA controls

And understanding of:

• Business risk appetite and how to apply proportionate risk management controls
• Business strategy and the local business environment
• How security incidents can occur
• How to perform Protective Monitoring (PM), understand PM reports and carry out incident management


Further information on the requirements for the S&IRA Role at Practitioner Level

Knowledge

The following gives more detail of the knowledge you need to acquire.

You need evidence that you understand and have appropriately applied your knowledge of, for example:

• if carrying out IA work for Government or Government suppliers – the relevant elements of the HMG Security Policy Framework (SPF) and CESG guidance
• the information security policies and standards relevant to your industry sector
• your organisation’s information security policies and standards
• best practice in producing appropriate and proportionate risk management controls
• relevant legal issues – e.g. protection of personal and financial data
• what information governance is, why it matters, who is responsible for it locally and how it works in practice
• the strategic goals, threats and opportunities of the businesses you work in
• what good and bad security in IA architecture looks like – e.g. protecting one layer but leaving an interface with another system vulnerable
• how to develop IT systems with good IA – e.g. how to advise on the appropriate level of controls, taking into account governance and risk appetite


Skills

• When presenting your skills evidence, you are advised to use the ‘STAR’ format: ‘Situation, Task, Action, Result’
• Use a narrative form, e.g. ‘I produced ... My decision was ...’
• Explain what security and information risk advice you gave and why, and how it was proportionate and effective
• You must meet the required levels for 4 core skills from the following: A2, A3, A4, A6, B1, B2, F1, F2. The inclusion of at least one of the B Group skills is compulsory.
• In addition, you must meet 75% of the non-core skills
• A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one environment

The following table provides suggestions for starting points in evidence.

Technical Skills

A1 – Governance, Level 1
Understands local arrangements for Information Governance (IG)
Evidence of skill: Give examples of work you’ve done which took into account local information governance. What did your work achieve?

A2 – Policy & Standards, Level 2 (core skill)
With supervision and aligned with business objectives, authors or provides advice on Information Security (IS) policy or standards
Evidence of skill: Give examples of how you’ve applied IS policies or standards. What impact did your work have? Were there occasions when you influenced policies/standards, e.g. by providing feedback?

A3 – IS Strategy, Level 1 (core skill)
Understands the purpose of IS strategy to realise business benefits
Evidence of skill: Give examples of how you’ve applied your organisation’s IS strategy to your work in a way which enabled business benefit (e.g. by saving time, improving quality, reducing costs etc.).

A4 – Innovation & Business Improvement, Level 1 (core skill)
Is aware of the business benefits of good IS
Evidence of skill: Give examples of innovative security and information risk advice and how that enabled a significant business improvement (e.g. by reducing reputational risk).

A5 – IS Awareness and Training, Level 1
Understands the role of security awareness and training in maintaining IS
Evidence of skill: Give examples which show how you used your understanding of the importance of IS awareness and training.

A6 – Legal & Regulatory Environment, Level 1 (core skill)
Is aware of major pieces of legislation relevant to IS and of regulatory bodies relevant to the sector in which they work
Evidence of skill: Explain how your advice on information risk complied with relevant statutes or regulations.

A7 – Third Party Management[4], Level 1
Is aware of the need for organisations to manage the information security of third parties
Evidence of skill: Give examples of how the scope of your information risk advice has included 3rd party information systems.

[4] Skill only required if information systems or services are provided by a third party, for example if the design or development of an information system, or part of an information system, is outsourced to a 3rd party.

B1 – Risk Assessment, Level 2 (core skill)
Understands how to produce information risk assessments
Evidence of skill: Give examples from different environments of risk assessments you’ve written. How did you decide which assets and threats were significant and what the threat levels were? How did you communicate your reports and what were the results of your work?

B2 – Risk Management, Level 2 (core skill)
Contributes to management of risks to information systems with supervision
Evidence of skill: Give examples of advising organisations on how to manage risks. How did you address organisational requirements and risk appetite? What were the results of your work?

C1 – Security Architecture, Level 1
Is aware of the concept of architecture to reduce information risk
Evidence of skill: Give examples of how you’ve taken a system architecture into account in your information risk advice.

C2 – Secure Development, Level 1
Is aware of the benefits of addressing security during system development
Evidence of skill: Give examples of advice you’ve given on secure development in building IT systems. What were the results?

D1 – IA Methodologies, Level 1
Is aware of the existence of methodologies, processes and standards for providing IA
Evidence of skill: Give examples of how you’ve applied your understanding of IA methodologies.

D2 – Security Testing, Level 1
Is aware of the role of testing to support IA
Evidence of skill: How has your advice influenced the scope of security testing?

E1 – Secure Operations Management, Level 1
Is aware of the need for secure management of information systems
Evidence of skill: Give examples of advice you’ve given on secure operations management. What were the results?

E2 – Secure Ops & Service Delivery, Level 1
Is aware of the need for information systems and services to be operated securely
Evidence of skill: How have you used your understanding of secure information system management in your advice on service delivery?

E3 – Vulnerability Assessment, Level 1
Is aware of the need for vulnerability assessments to maintain IS
Evidence of skill: Give examples from different work environments of advice you’ve given which has influenced the scope of vulnerability assessments or the interpretation of their results.

F1 – Incident Management, Level 2 (core skill)
Contributes to security incident management
Evidence of skill: Provide examples of reports or advice you’ve provided after a security incident, to enable a proportionate and effective response. What impact has your work made?

F2 – Investigation, Level 2 (core skill)
Contributes to investigations into security incidents
Evidence of skill: Give examples of how your advice has taken into account the requirements for investigations, or give examples of investigations you’ve influenced, carried out or contributed to.

F3 – Forensics, Level 1
Is aware of the capability of forensics to support investigations
Evidence of skill: Give examples of information risk advice you’ve given which has taken into account the requirements for forensic evidence.

G1 – Audit and Review, Level 1
Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements)
Evidence of skill: Give examples to show how you’ve used your understanding of techniques for testing compliance with security criteria in your information risk advice.

H1 – Business Continuity Planning and H2 – Business Continuity Management, Level 1
Understands how Business Continuity Planning & Management contributes to Information Security
Evidence of skill: Give examples from different work environments of how you considered business continuity in your information risk advice. How did your advice on information risk contribute to business continuity management? What were the outcomes of your work?

I1 – Research, Level 1
Evidence of skill: Give examples of research you’ve used in the information risk advice you’ve provided or how you’ve researched whether your advice would be appropriate for an information system.

People Skills – ‘J skills’ (instead of SFIA levels)

J1 – Teamwork and Leadership, Level 2
Is encouraging and supportive and provides a lead within the local area. Task-based team working
Evidence of skill: Give examples of ways in which you’ve encouraged others to develop their own competence and abilities.

J2 – Delivering, Level 2
Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
Evidence of skill: Give examples of prioritising tasks to ensure that local and organisational objectives were met.

J3 – Managing Customer Relationships, Level 2
Negotiates with customers to improve the service to them and to manage their expectations
Evidence of skill: Describe occasions when you’ve negotiated different solutions from those originally requested.

J4 – Corporate Behaviour, Level 2
Understands the aims of own and related areas across an organisation
Evidence of skill: Give examples of information risk advice which saved money or other resources and met the security requirements for a system.

J5 – Change and Innovation, Level 2
Generates creative ideas and demonstrates sensitivity in implementing local change
Evidence of skill: Give examples of changes you’ve introduced – what did you do? How did you consider the impact on other people and processes?

J6 – Analysis and Decision Making, Level 2
Makes effective decisions in consultation with others and/or solves complex problems in immediate area
Evidence of skill: Give examples of breaking down (complex) problems. What was the outcome?

J7 – Communication and Knowledge Sharing, Level 2
Encourages and contributes to discussion. Is proactive in sharing information in own work area
Evidence of skill: Give examples of how you’ve adapted your communication to suit different media, e.g. face to face, over the phone, emails, presentations and meetings. What outcomes have you achieved?


Experience

Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below. If you are successful in your application, your CCP certification will assure employers that you are competent to advise on information risk. In order to provide sufficient evidence for your assessment, you will need to demonstrate experience of information risk advice, typically for at least 12 months. You may also have had previous experience in related areas, e.g. work in an Information Technology support team or IT Help Desk. Your evidence should show that you have some experience of, and can give examples of, some of the following:

• providing a focal point for resolution of security and information risk matters
• identifying, analysing and evaluating information risks
• explaining to risk owners and other stakeholders the causes, likelihood and potential business impacts of information risks throughout the information system lifecycle
• assisting and checking compliance with applicable regulations, standards, policies and guidance on information risk management
• presenting risk management options to the business
• supporting the development of appropriate and proportionate documentation to inform risk management decisions, ensuring that these are expressed in terms that are meaningful to the business
• investigating security incidents
• promoting security awareness
• providing threat guidance


The Certification Process

Next Steps

This Application Guidance contains material designed to help individuals applying for CCP S&IRA at Practitioner level. The CB certification processes for the Practitioner level follow below.

Note:

1. If you are considering applying for CCP S&IRA at Senior level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels as detailed in the ‘CESG Certification for IA Professionals’ (reference [a]) publication. Supervisory experience to show evidence of coaching and developing other S&IRAs would also be helpful.

2. If you are applying for CCP S&IRA at Lead level, you will need to show that you influence and direct security and information risk advice strategy at an organisational or inter-organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise the Board with regard to security and information risk advice.

3. There are 3 CBs: the APM Group (www.apmg-ia.com), BCS (www.bcs.org) and the IISP, RHUL and CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.


The CCP Scheme Certification Learning Cycle

If there is a gap against CCP requirements, make a time-bounded plan to develop skills and knowledge and how to make or find suitable opportunities to apply these.


References

[a] CESG Certification for IA Professionals – www.beta.cesg.gov.uk/articles/cesg-certified-professional-scheme

[b] Guidance to CESG Certification for IA Professionals – www.beta.cesg.gov.uk/articles/cesg-certified-professional-scheme

CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.

CESG Enquiries
Hubble Road
Cheltenham
Gloucestershire GL51 0EX
Tel: +44 (0)1242 709141
Email: [email protected]

© Crown Copyright 2015