Summary
A security architect creates and designs security for a system or service, maintains security documentation and develops architecture patterns and security approaches to new technologies.
At this role level, you will:
-
recommend security controls and identify solutions that support a business objective
-
provide specialist advice and recommend approaches across teams and various stakeholders
-
communicate widely with other stakeholders
-
advise on important security-related technologies and assess the risk associated with proposed changes
-
inspire and influence others to execute security principles
-
help review other people’s work
Background
Background Components
Description | Background |
---|---|
Is familiar with the principles and practices involved in development and maintenance and in service delivery. Has good technical understanding and the aptitude to remain up to date with IT security and developments. Possesses a general understanding of the business applications of IT. Is effective and persuasive in both written and oral communication. |
Prior Knowledge and Skills |
Work Activity Components
Title | Details |
---|---|
Evaluation and selection |
Identifies and evaluates alternative architectures and the trade-offs in cost, performance and scalability. |
Compliance |
Contributes to compliance reviews. Assists in the assessment of configuration and security procedures for adherence to legal and regulatory requirements |
Risks and vulnerability |
Conducts business risk and vulnerability assessments and business impact analysis for medium- complexity information systems. |
Security architecture development |
Contributes to the development of security architectures in specific business or functional areas, using appropriate tools and methods. |
Security assurance |
Participates in quality reviews (e.g. fitness for purpose, quality attributes, non-functional requirements, risk) of security architecture components. |
Knowledge/Skills
Knowledge/Skills Components
Title | Depth | Details | Type |
---|---|---|---|
Analytical Thinking |
Acquiring a proper understanding of a problem or situation by breaking it down systematically into its component parts and identifying the relationships between these parts. Selecting the appropriate method/tool to resolve the problem and reflecting critically on the result, so that what is learnt is identified and assimilated. |
Behavioural Skills |
|
Attention to Detail |
Applying specific quality standards to all tasks undertaken to ensure that deliverables are accurate and complete. |
Behavioural Skills |
|
Cross-Functional and Inter-Disciplinary Awareness |
Understanding the needs, objectives and constraints of those in other disciplines and functions. |
Behavioural Skills |
|
Interacting with People |
Establishing relationships, contributing to an open culture and maintaining contacts with people from a variety of backgrounds and disciplines. Effective, approachable and sensitive communicator in different communities and cultures. Ability to adapt style and approach to meet the needs of different audiences. |
Behavioural Skills |
|
Teamwork |
Working collaboratively with others to achieve a common goal. |
Behavioural |
|
Application Systems |
Aware of |
Technical or functional understanding of Commercial Off-the-Shelf (COTS) applications and/or other bespoke software deployed within the organisation in order to provide system configuration, audit, technical, and/or functional support. |
Technical Knowledge and Skills |
National/International Standards |
Familiar with |
Current and emerging standards associated with IT practice nationally and internationally, published by authorities such as IEEE, IEC, BSI, ISO. |
Technical Knowledge and Skills |
Networking and Communications |
Familiar with |
The planning and management of the interaction between two or more networking systems, computers or other intelligent devices. |
Technical Knowledge and Skills |
Operational/Service Architecture |
Familiar with |
Knowledge of the IT/IS infrastructure and the IT applications and service processes used within own organisation, including those associated with sustainability and efficiency. |
Technical Knowledge and Skills |
IT Audit |
Aware of |
Principles, practices, tools and techniques of IT auditing. |
Technical Knowledge and Skills |
Access Control Systems |
Proficient in |
Any tool or system which provides security access control (i.e. prevents unauthorised access to systems). |
Technical Knowledge and Skills |
Business Environment |
Familiar with |
The business environment relating to own sphere of work (own organisation and/or closely associated organisations, such as customers, suppliers, partners and competitors), in particular those aspects of the business that the specialism is to support (i.e. localised organisational awareness from a technical perspective). |
Technical Knowledge and Skills |
Big Data |
Aware of |
The discipline associated with data sets so large and/or complex that traditional data processing applications are inadequate. The data files may include structured, unstructured and/or semi-structured data, such as unstructured text, audio, video, etc. Challenges include analysis, capture, curation, search, sharing, storage, transfer, manipulation, analysis, visualization and information privacy. |
Technical Knowledge and Skills |
Cloud/Virtualisation |
Familiar with |
The principles and application of cloud/ virtualisation (including ownership, responsibilities and security implications). Use of tools and systems to manage virtualised environments. |
Technical Knowledge and Skills |
BYOD |
Familiar with |
The policy of permitting employees to bring personally owned mobile devices (laptops, tablets, smart phones etc) to their workplace, and the implications of using those devices to access privileged company information and applications consistent with safeguarding corporate systems and data taking account of security and confidentiality requirements. Also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC). |
Technical Knowledge and Skills |
Network Data Security |
Proficient in |
Network security and threat mitigation, including physical, electronic, firewalling, encryption, access, and authorisation; protecting data at rest and in transit; defending against viruses and malware; the impact of Big Data; and the integration of robust security controls into enterprise services and policies. |
Technical Knowledge and Skills |
Infrastructure/System Security |
Proficient in |
The security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components, and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents affecting system hardware, software and other infrastructure components. |
Technical Knowledge and Skills |
Techniques for Effective Meetings |
Aware of |
Methods and techniques for running effective meetings and for understanding and influencing the roles played by participants. |
Other Knowledge and Skills |
Standards Writing Techniques |
Aware of |
Principles, methods and techniques for establishing, documenting, and maintaining standards. |
Other Knowledge and Skills |
Training Activities
Training Components
Title | Details |
---|---|
Project Planning and Control |
Project planning and control methods and techniques including budgeting and financial control. |
Software Configuration |
Installation, configuration and tuning of applications or systems software. |
Security Software |
Understanding the security threats and vulnerabilities that impact and/or emanate from system hardware, software and other infrastructure components and relevant strategies, controls and activities to prevent, mitigate, detect and resolve security incidents. For example access control software like Active Directory (AD). |
Solution Architecture |
Methods, tools and techniques for architecture design and development to provide an understanding of the critical architecture terms and concepts and how to apply them across typical architecture domains — business, applications, data and infrastructure. |
PDAs
PDA Components
Title | Details |
---|---|
Deputising |
Standing in for supervisor or manager on a temporary basis during periods of absence. |
Job Shadowing and Special Assignments |
Undertaking temporary periods or secondments in other roles, inside or outside IT, particularly those that offer a new perspective on own function or exposure to other environments and cultures. |
Research Assignments |
Exploring a topic which is not part of own normal responsibilities and presenting findings to colleagues and/or management |
Gaining Knowledge of Activities of Employing Organisation |
Developing an understanding of the potentially diverse range of activities (service, governance, administrative, regulatory, commercial, charitable, industrial, etc.) undertaken by the employing organisation. |
Gaining Knowledge of IT Concepts and Techniques |
Undertaking study, learning and, where possible, practice in IT concepts and techniques external to own function. |
Participation in Professional Body Affairs |
Taking an active part in professional body affairs at branch, specialist group, committee or board level. |
Negotiating and Influencing |
Undertaking learning and practice of negotiating with and influencing others. |
Qualifications
Qualification Components
Title | Awarding Body |
---|---|
CISSP Certified Information Systems Security Professional |
(ISC)2 International Information Systems Security Certification Consortium |
Registered IT Technician (RITTech) |
BCS – The Chartered Institute for IT |
FEDIP Practitioner |
FEDIP |
Organisation Skills
Framework » Organisation Category » Subcategory |
Skill Name and Description | Level |
---|---|---|
DDaT » Security Architect |
Security Architect – Analysis You can visualise and articulate complex problems and concepts by interrogating and using data or intelligence, formulating and influencing solutions and plans. You can interpret complex business and technical issues and identify a viable solution or control. You can understand and link complex and diverse sets of information to inform the response and approach (for example, identifying vulnerabilities and their impact). |
2 – Working You can apply the approach to real problems and consider all relevant information. You can apply appropriate rigour to ensure a full solution is designed and achieves the business outcome. |
DDaT » Security Architect |
Security Architect – Communication (security architect) You can understand security concepts deeply enough to engage with security technologists and communicate in language that’s appropriate to your audience. You can successfully respond to challenges. |
3 – Practitioner You can demonstrate a deep understanding of security concepts and can apply them to a technical level. You can effectively translate and accurately communicate security and risk implications to technical and non-technical stakeholders. You can successfully respond to challenges. You can manage stakeholder expectations and be flexible, adapting to stakeholder reactions to reach consensus. |
DDaT » Security Architect |
Security Architect – Designing secure systems You can design secure system architectures through the application of patterns and principles, to meet user needs while managing risks. You can identify security issues in system architectures. |
2 – Working You can design and review system architectures through the application of patterns and principles. |
DDaT » Security Architect |
Security Architect – Enabling and informing risk-based decisions You can make and guide effective decisions on risk, explaining clearly how the decision has been reached. You can make decisions proportionate to the level of technical complexity and risk. |
2 – Working You can work with risk owners to advise and give feedback. You can advise on risk impact and whether this is within risk tolerance. You can describe different risk methodologies and how these are applied, as well as the proportionality of risk. |
DDaT » Security Architect |
Security Architect – Research and innovation You can understand and correctly apply a range of user research methods. You can choose appropriate methods for different situations or phases of a product life cycle. |
2 – Working You can advise on developments to security properties in technology. You can identify new technologies and design their use in a business context. |
DDaT » Security Architect |
Security Architect – Security technology You can demonstrate knowledge of system architectures. You can understand the risk impact of vulnerabilities on existing and future designs and systems. You can identify how easy or difficult it will be to exploit these vulnerabilities. |
2 – Working You can demonstrate knowledge of system architectures. You can understand and articulate the impact of vulnerabilities on existing and future designs and systems, and can articulate a response. You can demonstrate broad knowledge of a range of systems, but may |
DDaT » Security Architect |
Security Architect – Understanding security implications of transformations You can work with business and technology stakeholders to understand the security implications of business change. You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist in the development of technical solutions or controls. |
2 – Working You can interpret and apply an understanding of policy and process, business architecture, and legal and political implications to assist the development of technical solutions or controls. |
This job role profile was created in collaboration with BCS, using Role Model Plus. BCS is the professional body that has the responsibility of updating this job family.