FEDIP Job Profiles

SFIA Skills: Strategy and architecture

Assignments (TECH) (Level 5)

Takes responsibility for specific assignments related to data quality as the leader of the team.

Knowledge transfer (TECH) (Level 4)

Promotes transfer of knowledge and awareness of the importance of data quality to those in related areas.

Assignments (TECH) (Level 4)

Carries out specific assignments related to data quality, either alone or as part of a team or project.

Knowledge research (TECH) (Level 5)

Develops and maintains knowledge of current legislation, guidance and best practice in information governance and Caldicott Guardian matters at a high level by, for example, reading relevant literature, attending conferences and seminars, meeting and maintaining contact with others involved in the specialism, and through taking an active part in appropriate professional and trade bodies.

Personal information (PEDP) (Level 6)

Agrees and reviews protocols governing the disclosure of personal information across organisational boundaries, e.g. with social services and other partner organisations contributing to the local provision of care.

Incident response (PEDP) (Level 6)

Raises concerns about any inappropriate uses made of patient / service user information with the DPO where necessary.

Improvement plans (PEDP) (Level 6)

Agrees and presents annual outcome reports relating to issues of confidentiality and information sharing. Advises on annual improvement plans relating to issues of confidentiality and information protection.

Policies (INAS) (Level 6)

Reviews and agrees internal policies and protocols governing the protection and use of person-identifiable information by the organisation’s staff, ensuring that these address the requirements of national policy, guidance and the law, and that their operation is monitored. Ensures they are in an understandable format and available to staff.

Caldicott Guardian/SIRO and DPO advice and support (INAS) (Level 6)

Provides highly complex and strategic advice and support to the board, the senior management team and Senior Information Risk Owners. Provides support to the DPO.

Security consultancy (SCTY) (Level 7)

Manages a significant security consultancy practice, either stand-alone or within a larger business organisation.

Risk management of software as a medical device (BURM) (Level 6)

Assesses software products to determine whether they meet the criteria for classification as Software as a Medical Device (SaMD). Conducts hazard identification and risk assessments in accordance with ISO 14971. Produces and maintains documentation to demonstrate compliance with the UK Medical Device Regulation (MDR), including the creation and maintenance of the Risk Management File, and supports the regulatory lead in the production and ongoing integrity of the technical file and Quality Management System. Manages updates to documentation and safety cases throughout the device lifecycle, ensuring that post-market surveillance, incident reporting and change control processes are embedded to maintain ongoing regulatory compliance.

Risk management (BURM) (Level 6)

Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for clinical risk management associated with digital systems. Manages clinical safety risk assessment activities within the organisation. Develops clinical risk management processes and procedures, and identifies and deploys appropriate tools and techniques (e.g. SWIFT, FMEA).

Patient safety risk (BURM) (Level 6)

Appraises patient safety risk in the procurement, design, development, deployment and decommissioning of information systems and technologies and ensures that all risk is assessed and managed appropriately to minimise or avoid harm.

Implementation and resources (BURM) (Level 6)

Plans and manages the implementation of organisation-wide processes and procedures, tools and techniques for the identification, assessment, and management of clinical risk inherent in the operation of processes and of potential risks arising from planned IT-enabled change.

Guidance (BURM) (Level 6)

Provides clinical safety leadership across the organisation, guiding the development and implementation of clinical risk management strategies. Advises on the design and operation of the organisation-wide clinical risk management system.

Audit roadmap (AUDT) (Level 4)

Contributes to the development of the audit roadmap.

Stakeholder engagement (AUDT) (Level 4)

Engages with stakeholders to issue and review plans, reports, progress statements and approvals.

Risk assessment (AUDT) (Level 4)

Contributes to risk assessments and participates in risk reviews. Identifies, documents and communicates the root cause of issues found.

Audit scope and requirements (AUDT) (Level 4)

Contributes to, and/or leads, audit requirements definition on audits or conformance reviews. Confirms the scope and objectives of specific audit activity with management.

Audit prioritisation (AUDT) (Level 4)

Participates in, or facilitates, stakeholder workshops to review requirements for planned audits, agree priorities, timescales, information disclosure approach and audit frequency. Documents agreements made.

Audit point resolution (AUDT) (Level 4)

Runs the action plan following a completed audit. Prepares response within agreed timescales. Tracks all actions until completed.

Audit planning (AUDT) (Level 4)

Takes responsibility for the planning and resourcing of audits and/or conformance reviews of existing and planned clinical coding processes, systems and services.

Audit execution (AUDT) (Level 4)

As part of an audit team, or as the lead, coordinates all stakeholders and conducts audits within planned timescales.

Resources (AIDE) (Level 6)

Allocates resources to support the organisation’s commitment to ethical practices. Ensures the organisation has resources and skills for ethical assurance.

Governance (AIDE) (Level 6)

Defines governance processes to ensure compliance with ethical standards.

Impact assessment (AIDE) (Level 5)

Reviews and approves impact assessments and audits carried out by others.

Governance (AIDE) (Level 5)

Oversees governance and assurance activities.

Risk strategy, processes and monitoring (BURM) (Level 6)

Identifies and categorises organisation-wide strategic and operational risks. Breaks down risks by sub-categories, such as compliance, architecture, environment, financial etc. and considers mitigation activities in the context of organisational risk appetite.

Risk countermeasures and response (BURM) (Level 6)

Advises on the evaluation of identified risks (including probability/frequency of occurrence, impact and severity). Advises on appropriate action, including contingency planning, and countermeasures.

Governance (GOVN) (Level 6)

Leads reviews of governance practices with appropriate and sufficient independence from management activity. Within a defined area of accountability, determines the requirements for the appropriate governance of the specific domains, ensuring clarity of responsibilities and authority, goals and objectives.

Threat modelling (THIN) (Level 6)

Uses threat intelligence to develop attack trees.

Threat intelligence gathering (THIN) (Level 6)

Reviews threat intelligence capabilities. Sets direction, plans and leads the organisation’s approach for threat intelligence, including use of suppliers.

Tools and techniques (VURE) (Level 6)

Develops techniques and tools to analyse and expose vulnerabilities, designing new vulnerability discovery techniques.

Research activities (VURE) (Level 6)

Plans and leads the organisation’s approach for vulnerability research. Identifies new and emerging threats and vulnerabilities.

Reporting (VURE) (Level 6)

Engages with, and influences, relevant stakeholders to communicate results of research and the required response.

Networking and communities (VURE) (Level 6)

Maintains a strong external network. Takes a leading part in external-facing professional activities to facilitate information gathering.

Body of knowledge (VURE) (Level 6)

Takes a leading role in the development of the security vulnerability research body of knowledge. Initiates frequent communications with peers in other organisations and in other countries, presents keynote papers at conferences, writes for high impact journals and major clients.

Strategy (INAS) (Level 7)

Accountable for establishing and managing information assurance strategy and policies in accordance with the ISO/IEC 27000 series of standards and/or other external and internal guidance relevant to own organisation.

Influencing partners (INAS) (Level 7)

Influences key partner organisations to maintain information assurance policies and practices in line with those of own organisation.

Implementation and processes (INAS) (Level 7)

Ensures that the organisation implements processes to take forward the information assurance strategy and policies, and improve information security maturity.

Data privacy and information security culture (INAS) (Level 7)

Obtains organisational commitment to data and information security at the highest level. Establishes a culture where data and information security is the responsibility of every employee.

Business plans (INAS) (Level 7)

Has significant input to development of business plans, ensuring that information assurance is integrated into business strategy and policies.

Advice and guidance (INAS) (Level 7)

Leads and guides provision of information assurance requirements across all the organisation’s information and information systems.

Threats and breaches (SCTY) (Level 7)

Leads the provision of information security resources, expertise, guidance and systems necessary to execute strategic and operational plans across all the organisation’s information systems. This includes executive responsibility and accountability for the management of threats to confidentiality, integrity, availability, accountability and relevant compliance, and for security control reviews, business risk assessments and reviews that follow significant breaches of security controls. In the case of a breach, undertakes the duties of data protection officer to ensure that registration and notification of the breach are done in accordance with GDPR legislation.

Security expertise (SCTY) (Level 7)

Takes responsibility for the delivery of IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law. Acts as the organisation’s data protection officer for the purposes of GDPR legislation.

Security architecture (SCTY) (Level 7)

Leads the development of the corporate security architecture, securing business leadership support and commitment to deliver, maintain and continuously improve security practices to provide effective protection of corporate information and systems assets.

Policy and strategy (SCTY) (Level 7)

Directs the development, implementation, delivery and support of an enterprise information security strategy aligned to the strategic requirements of the business, and consistent with relevant IT and business plans, budgets, strategies etc.

Compliance (SCTY) (Level 7)

Accountable for business strategy compliance with information security policies. Takes steps to ensure the organisation complies with all relevant security regulations including GDPR.

Risk strategy, processes and monitoring (BURM) (Level 5)

Monitors status of risks, and reports status and need for action to key stakeholders.

Risk countermeasures and response (BURM) (Level 5)

Coordinates response to quantified risks, which may involve acceptance/retention, transfer, reduction or avoidance/elimination. Coordinates the development of countermeasures and contingency plans.

Financial awareness (BURM) (Level 5)

Demonstrates financial awareness as a part of risk management (e.g. cost-effectiveness analysis of proposed countermeasures).

Assurance (GOVN) (Level 6)

Implements the governance framework to enable governance activity to be conducted. Undertakes and/or directs reviews as necessary to ensure management decision-making is transparent, and that an appropriate balance between benefits, opportunities, costs and risks can be demonstrated to principal stakeholders.

Tools and techniques (VURE) (Level 5)

Adopts and adapts vulnerability assessment techniques and tools to be used by others.

Research activities (VURE) (Level 5)

Plans and manages vulnerability research activities into new threats, attack vectors, risks and potential solutions.

Reporting (VURE) (Level 5)

Assesses and documents the impacts and threats to the organisation. Creates reports and shares knowledge and insights with others.

Networking and communities (VURE) (Level 5)

Maintains a strong external network within own area of specialism.

Body of knowledge (VURE) (Level 5)

Gathers information on new and emerging threats and vulnerabilities. Contributes research findings on security vulnerabilities, countermeasures, and mitigations to national and international vulnerability databases.

Strategy (INAS) (Level 6)

Develops strategies for information assurance, as part of corporate IT governance, including guidelines for information and network users and alignment to standard security frameworks. Defines target thresholds for information assurance maturity and oversees activities to achieve these.

Performance measures (INAS) (Level 6)

Identifies and develops metrics and measures for information assurance such as key risk indicators (KRIs) and key performance indicators (KPIs). Determines appropriate and practical performance measures, to ensure that information assurance priorities set by the business can be effectively monitored.

Influencing partners (INAS) (Level 6)

Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.

Implementation and processes (INAS) (Level 6)

Contributes to the development, implementation and monitoring of organisational policies and processes intended to maintain the availability, integrity and confidentiality of the organisation’s information assets.

Data privacy and information security culture (INAS) (Level 6)

Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and takes responsibility for actioning these.

Business continuity and resilience (INAS) (Level 6)

In the context of business continuity, assesses protection, detection and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.

Architectural principles (INAS) (Level 6)

Ensures architectural principles are applied during design to reduce risk, and advances assurance standards through ensuring rigorous security testing.

Advice and guidance (INAS) (Level 6)

Guides, encourages, leads and develops colleagues in the disciplines of information assurance. Supports employees to understand their role in the security of data and information.

Threats and breaches (SCTY) (Level 6)

Identifies and monitors environmental and market trends and proactively assesses impact on business strategies, benefits and risks. Manages assessment of threats to confidentiality, integrity, availability, accountability and relevant compliance. Takes ownership of security control reviews, business risk assessments, and reviews that follow significant breaches of security controls.

Security control service (SCTY) (Level 6)

Leads the operation of appropriate security controls as a production service to business system users.

Security architecture (SCTY) (Level 6)

Develops and communicates the corporate security architecture.

Security expertise (SCTY) (Level 6)

Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions such as legal and technical support. Operates as a focus for IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.

Risks and vulnerability (SCTY) (Level 6)

Contributes to the development of organisational strategies that address information control requirements. Prepares and maintains a business strategy and plan for information security activities which addresses the evolving business risk and information control requirements, and is consistent with relevant IT and business plans, budgets, strategies etc.

Leadership and management (SCTY) (Level 6)

Manages IT security specialist staff, including approval of project and task definition and prioritisation, quality management and budgetary control, and management tasks such as recruitment and training when required.

Compliance (SCTY) (Level 6)

Ensures compliance between business strategies and information security. Takes steps to ensure the organisation complies with GDPR regulations.

Risk strategy, processes and monitoring (BURM) (Level 4)

Monitors status of risks, and reports status and need for action to senior colleagues.

Risk countermeasures and response (BURM) (Level 4)

Assists with development of agreed countermeasures and contingency plans.

Financial awareness (BURM) (Level 4)

Demonstrates financial awareness as a part of risk management (e.g. cost-effectiveness analysis of proposed countermeasures).

Tools and techniques (VURE) (Level 4)

Specifies requirements for environment, data, resources, techniques and tools to perform vulnerability assessments.

Research activities (VURE) (Level 4)

Designs and executes complex vulnerability research activities into new threats, attack vectors, risks and potential solutions.

Reporting (VURE) (Level 4)

Reviews test results and modifies tests if necessary. Creates reports to communicate methodology, findings and conclusions.

Networking and communities (VURE) (Level 4)

Makes an active contribution to research communities.

Risk assessment (INAS) (Level 5)

Carries out risk assessments of the control effectiveness of complex information systems and infrastructure components. Contributes to classification of data types held and to audits of information systems. Contributes to data breach planning.

Policies (INAS) (Level 5)

Interprets security and assurance policies and contributes to development of policies, standards and guidelines that comply with these, to enable effective assessment of risks to information availability, integrity, authentication and confidentiality.

Performance measures (INAS) (Level 5)

Ensures effective reporting of information assurance metrics. Undertakes activities pertaining to improvements in information security maturity.

Influencing partners (INAS) (Level 5)

Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.

Implementation and processes (INAS) (Level 5)

Implements effective information security processes to support the organisation’s information assurance strategy and policies.

Data privacy and information security culture (INAS) (Level 5)

Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and delivers awareness training where appropriate.

Business continuity and resilience (INAS) (Level 5)

In the context of business continuity, supports the assessment of the protection, detection, and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.

Advice and guidance (INAS) (Level 5)

Advises information and network users on information assurance architecture and strategies to manage identified risk, and promotes awareness of policies and procedures. Acts to ensure that they are aware of obligations such as protecting the secrecy of passwords and account access details.

Threats and breaches (SCTY) (Level 5)

Investigates major breaches of security and recommends appropriate control improvements. Conducts investigation, analysis and review following breaches, and manages the investigation and resolution of security incidents, in accordance with established procedures including incident management procedures. Prepares recommendations for appropriate control improvements, involving other professionals as required.

Security expertise (SCTY) (Level 5)

Provides authoritative advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. This includes advice on the application and operation of all types of security controls, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.

Security control service (SCTY) (Level 5)

Manages the operation of appropriate security controls as a production service to business system users.

Security architecture (SCTY) (Level 5)

Designs the security components of systems architectures. Develops new architectures that manage the risks posed by new technologies and business practices.

Risks and vulnerability (SCTY) (Level 5)

Identifies threats to the confidentiality, integrity, availability, accountability and relevant compliance of information systems. Conducts risk, vulnerability and business impact assessments of business applications and computer installations and recommends appropriate action to management.

Policy and strategy (SCTY) (Level 5)

Contributes to development of information security policy, standards and guidelines.

Learning development (SCTY) (Level 5)

Delivers and contributes to the design and development of specialist IT security education and training to IT and system user management and staff.

Leadership and management (SCTY) (Level 5)

Plans and leads the work of small teams of security staff, and acts as project manager on complex IT security specialism projects.

Controls and reviews (SCTY) (Level 5)

Conducts security control reviews across a full range of control types and techniques, for business applications and computer installations. Seeks guidance from more experienced or specialised practitioners as required. Recommends appropriate action to management.

Compliance (SCTY) (Level 5)

Reviews compliance with information security policies and standards. Assesses configurations and security procedures for adherence to legal and regulatory requirements.

Risk strategy, processes and monitoring (BURM) (Level 3)

Maintains documentation of risks, threats, vulnerabilities and mitigation actions.

Tools and techniques (VURE) (Level 3)

Applies tools, such as disassemblers, debuggers and fuzzers, to the analysis of embedded devices and/or the reverse engineering of hardware or software.

Research activities (VURE) (Level 3)

Applies standard techniques and tools for vulnerability research into new threats, attack vectors, risks and potential solutions.

The Federation for Informatics Professionals in Health and Care

Registered in England and Wales No. 10639143

email: info@fedip.org

Copyright © 2026 All Rights Reserved FEDIP