Leads the provision of information security resources, expertise, guidance and systems necessary to execute strategic and operational plans across all the organisation’s information systems. This includes executive responsibility and accountability for the management of threats to confidentiality, integrity, availability, accountability and relevant compliance, and for security control reviews, business risk assessments and reviews that follow significant breaches of security controls. In the case of a breach, undertakes the duties of data protection officer to ensure that registration and notification of the breach are done in accordance with GDPR legislation.
SFIA Skills: Information security (SCTY)
Security expertise (SCTY) (Level Seven)
Takes responsibility for the delivery of IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law. Acts as the organisation’s data protection officer for the purposes of GDPR legislation.
Security architecture (SCTY) (Level Seven)
Leads the development of the corporate security architecture, securing business leadership support and commitment to deliver, maintain and continuously improve security practices to provide effective protection of corporate information and systems assets.
Policy and strategy (SCTY) (Level Seven)
Directs the development, implementation, delivery and support of an enterprise information security strategy aligned to the strategic requirements of the business, and consistent with relevant IT and business plans, budgets and strategies.
Compliance (SCTY) (Level Seven)
Accountable for business strategy compliance with information security policies. Takes steps to ensure the organisation complies with all relevant security regulations including GDPR.
Threats and breaches (SCTY) (Level Six)
Identifies and monitors environmental and market trends and proactively assesses impact on business strategies, benefits and risks. Manages assessment of threats to confidentiality, integrity, availability, accountability and relevant compliance. Takes ownership of security control reviews, business risk assessments, and reviews that follow significant breaches of security controls.
Security control service (SCTY) (Level Six)
Leads the operation of appropriate security controls as a production service to business system users.
Security architecture (SCTY) (Level Six)
Develops and communicates the corporate security architecture.
Security expertise (SCTY) (Level Six)
Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions such as legal and technical support. Operates as a focus for IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.
Risks and vulnerability (SCTY) (Level Six)
Contributes to the development of organisational strategies that address information control requirements. Prepares and maintains a business strategy and plan for information security activities which addresses the evolving business risk and information control requirements, and is consistent with relevant IT and business plans, budgets and strategies.
Leadership and management (SCTY) (Level Six)
Manages IT security specialist staff, including approval of project and task definition and prioritisation, quality management and budgetary control, and management tasks such as recruitment and training when required.
Compliance (SCTY) (Level Six)
Ensures compliance between business strategies and information security. Takes steps to ensure the organisation complies with GDPR regulations.
Threats and breaches (SCTY) (Level Five)
Investigates major breaches of security and recommends appropriate control improvements. Conducts investigation, analysis and review following breaches, and manages the investigation and resolution of security incidents, in accordance with established procedures including incident management procedures. Prepares recommendations for appropriate control improvements, involving other professionals as required.
Security expertise (SCTY) (Level Five)
Provides authoritative advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. This includes advice on the application and operation of all types of security controls, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.
Security control service (SCTY) (Level Five)
Manages the operation of appropriate security controls as a production service to business system users.
Security architecture (SCTY) (Level Five)
Designs the security components of systems architectures. Develops new architectures that manage the risks posed by new technologies and business practices.
Risks and vulnerability (SCTY) (Level Five)
Identifies threats to the confidentiality, integrity, availability, accountability and relevant compliance of information systems. Conducts risk, vulnerability and business impact assessments of business applications and computer installations and recommends appropriate action to management.
Policy and strategy (SCTY) (Level Five)
Contributes to development of information security policy, standards and guidelines.
Learning development (SCTY) (Level Five)
Delivers and contributes to the design and development of specialist IT security education and training to IT and system user management and staff.
Leadership and management (SCTY) (Level Five)
Plans and leads the work of small teams of security staff, and acts as project manager on complex IT security specialism projects.
Controls and reviews (SCTY) (Level Five)
Conducts security control reviews across a full range of control types and techniques, for business applications and computer installations. Seeks guidance from more experienced or specialised practitioners as required. Recommends appropriate action to management.
Compliance (SCTY) (Level Five)
Reviews compliance with information security policies and standards. Assesses configurations and security procedures for adherence to legal and regulatory requirements.
Threats and breaches (SCTY) (Level Four)
Investigates suspected attacks and undertakes the investigation and resolution of security incidents, in accordance with established procedures including incident management procedures. Uses forensics where appropriate. Reports on findings and lessons learnt/improvement actions.
Security expertise (SCTY) (Level Four)
Explains the purpose of, and provides advice and guidance on, the application and operation of elementary physical, procedural and technical security controls (for example, the key controls defined in ISO/IEC 27002). Communicates information assurance risks and requirements effectively to users of systems and networks.
Security architecture (SCTY) (Level Four)
Delivers elements of the security components of system architectures.
Risks and vulnerability (SCTY) (Level Four)
Conducts business risk and vulnerability assessments and business impact analysis for medium-complexity information systems.
Network usage (SCTY) (Level Four)
Reviews network usage. Assesses the implications of any unacceptable usage and breaches of privileges or corporate policy. Recommends appropriate action.
Controls and reviews (SCTY) (Level Four)
Conducts security control reviews in well-defined areas. Assesses security of information and infrastructure components. Investigates and assesses risks of network attacks and recommends remedial action.
Compliance (SCTY) (Level Four)
Contributes to compliance reviews. Assists in the assessment of configuration and security procedures for adherence to legal and regulatory requirements.
Threats and breaches (SCTY) (Level Three)
Investigates suspected attacks. Recognises when an IT network/system has been attacked, e.g. by a remote host or by malicious code such as a virus, worm or Trojan, or when a breach of security has occurred. Responds to security breaches in line with the organisation’s security policy, taking immediate action to categorise and limit damage, which may include escalation to the next level, and records the incident and the action taken.
Security expertise (SCTY) (Level Three)
Communicates information security issues effectively to business managers and users of systems and networks.
Risks and vulnerability (SCTY) (Level Three)
Performs basic risk and vulnerability assessments for small information systems and may contribute to vulnerability assessments of medium-complexity information systems. Determines when potential security issues should be escalated.
Controls and reviews (SCTY) (Level Three)
Applies and maintains specific procedures and security controls as required by organisational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and infrastructure components.
Compliance (SCTY) (Level Three)
Applies procedures to assess compliance with information security policies and standards. For example, assesses compliance of hardware and software configurations to policies, standards, and legal and regulatory requirements.