SFIA Skills: Information assurance (INAS)

Accountable for establishing and managing information assurance strategy and policies in accordance with the ISO/IEC 27000 series of standards and/or other external and internal guidance relevant to own organisation.

Influences key partner organisations to maintain information assurance policies and practices in line with those of own organisation.

Ensures that the organisation implements processes to take forward the information assurance strategy and policies, and improve information security maturity.

Obtains organisational commitment to data information security at the highest level. Establishes a culture where data and information security is the responsibility of every employee.

Has significant input to development of business plans, ensuring that information assurance is integrated into business strategy and policies.

Leads and guides provision of information assurance requirements across all the organisation’s information and information systems.

Develops strategies for information assurance, as part of corporate IT governance, including guidelines for information and network users and alignment to standard security frameworks. Defines target thresholds for information assurance maturity and oversees activities to achieve these.

Identifies and develops metrics and measures for information assurance such as key risk indicators (KRIs) and key performance indicators (KPIs). Determines appropriate and practical performance measures, to ensure that information assurance priorities set by the business can be effectively monitored.

Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.

Contributes to the development, implementation and monitoring of organisational policies and processes intended to maintain the availability, integrity and confidentiality of the organisation’s information assets.

Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and takes responsibility for actioning these.

In the context of business continuity, assesses protection, detection and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.

Ensures architectural principles are applied during design to reduce risk, and advances assurance standards through ensuring rigorous security testing.

Guides, encourages, leads and develops colleagues, in the disciplines of Information assurance. Supports employees to understand their role in the security of data and information.

Carries out risk assessments of complex information systems and infrastructure components control effectiveness. Contributes to classification of data types held and audits of information systems. Contributes to data breach planning.

Interprets security and assurance policies and contributes to development of policies, standards and guidelines that comply with these, to enable effective assessment of risks to information availability, integrity, authentication and confidentiality.

Ensures effective reporting of information assurance metrics. Undertakes activities pertaining to improvements in information security maturity.

Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.

Implements effective information security processes to support the organisation’s information assurance strategy and policies.

Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and delivers awareness training where appropriate.

In the context of business continuity, supports the assessment of the protection, detection, and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.

Advises information and network users on information assurance architecture and strategies to manage identified risk, and promotes awareness of policies and procedures. Acts to ensure that they are aware of obligations such as protecting the secrecy of passwords and accounts access details.

Carries out risk assessment as directed, using standard processes for identifying potential risks to information systems and infrastructure components.

Contributes to the development of, and implements, security and assurance policies relating to assessment of risks to information availability, integrity, authentication and confidentiality.

Produces information assurance management reports.

Influences internal and external partners to ensure compliance with the organisation’s information security requirements.

Contributes to the effective implementation of information security processes to support the organisation’s information assurance strategy and policies.

Champions organisational commitment to data privacy and information security in their areas of influence. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Delivers awareness training to improve the security culture.

Provides advice and guidance to support and encourage adherence to information security principles.

Assesses legal and best practice issues, and promotes awareness of national and international laws, including those relating to confidentiality, privacy and copyright.