Identifies and categorises organisation-wide strategic and operational risks. Breaks down risks by sub-categories, such as compliance, architecture, environment, financial, etc., and considers mitigation activities in the context of organisational risk appetite.
SFIA Skills: Strategy and architecture
Risk countermeasures and response (BURM) (Level Six)
Advises on the evaluation of identified risks (including probability/frequency of occurrence, impact and severity). Advises on appropriate action, including contingency planning, and countermeasures.
Governance (GOVN) (Level Six)
Leads reviews of governance practices with appropriate and sufficient independence from management activity. Within a defined area of accountability, determines the requirements for the appropriate governance of the specific domains, ensuring clarity of responsibilities and authority, goals and objectives.
Threat modelling (THIN) (Level 6)
Uses threat intelligence to develop attack trees.
Threat intelligence gathering (THIN) (Level 6)
Reviews threat intelligence capabilities. Sets direction, plans and leads the organisation’s approach for threat intelligence, including use of suppliers.
Tools and techniques (VURE) (Level Six)
Develops techniques and tools to analyse and expose vulnerabilities, designing new vulnerability discovery techniques.
Research activities (VURE) (Level Six)
Plans and leads the organisation’s approach for vulnerability research. Identifies new and emerging threats and vulnerabilities.
Reporting (VURE) (Level Six)
Engages with, and influences, relevant stakeholders to communicate results of research and the required response.
Networking and communities (VURE) (Level Six)
Maintains a strong external network. Takes a leading part in external-facing professional activities to facilitate information gathering.
Body of knowledge (VURE) (Level Six)
Takes a leading role in the development of the security vulnerability research body of knowledge. Initiates frequent communications with peers in other organisations and in other countries, presents keynote papers at conferences, writes for high impact journals and major clients.
Strategy (INAS) (Level Seven)
Accountable for establishing and managing information assurance strategy and policies in accordance with the ISO/IEC 27000 series of standards and/or other external and internal guidance relevant to own organisation.
Influencing partners (INAS) (Level Seven)
Influences key partner organisations to maintain information assurance policies and practices in line with those of own organisation.
Implementation and processes (INAS) (Level Seven)
Ensures that the organisation implements processes to take forward the information assurance strategy and policies, and improve information security maturity.
Data privacy and information security culture (INAS) (Level Seven)
Obtains organisational commitment to data and information security at the highest level. Establishes a culture where data and information security is the responsibility of every employee.
Business plans (INAS) (Level Seven)
Has significant input to development of business plans, ensuring that information assurance is integrated into business strategy and policies.
Advice and guidance (INAS) (Level Seven)
Leads and guides provision of information assurance requirements across all the organisation’s information and information systems.
Threats and breaches (SCTY) (Level Seven)
Leads the provision of information security resources, expertise, guidance and systems necessary to execute strategic and operational plans across all the organisation’s information systems. This includes executive responsibility and accountability for the management of threats to confidentiality, integrity, availability, accountability and relevant compliance, and for security control reviews, business risk assessments and reviews that follow significant breaches of security controls. In the case of a breach, undertakes the duties of data protection officer to ensure that registration and notification of the breach are done in accordance with GDPR legislation.
Security expertise (SCTY) (Level Seven)
Takes responsibility for the delivery of IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law. Acts as the organisation’s data protection officer for the purposes of GDPR legislation.
Security architecture (SCTY) (Level Seven)
Leads the development of the corporate security architecture, securing business leadership support and commitment to deliver, maintain and continuously improve security practices to provide effective protection of corporate information and systems assets.
Policy and strategy (SCTY) (Level Seven)
Directs the development, implementation, delivery and support of an enterprise information security strategy aligned to the strategic requirements of the business, and consistent with relevant IT and business plans, budgets, strategies etc.
Compliance (SCTY) (Level Seven)
Accountable for business strategy compliance with information security policies. Takes steps to ensure the organisation complies with all relevant security regulations including GDPR.
Risk strategy, processes and monitoring (BURM) (Level 5)
Monitors status of risks, and reports status and need for action to key stakeholders.
Risk countermeasures and response (BURM) (Level 5)
Coordinates response to quantified risks, which may involve acceptance/retention, transfer, reduction or avoidance/elimination. Coordinates the development of countermeasures and contingency plans.
Financial awareness (BURM) (Level 5)
Demonstrates financial awareness as a part of risk management (e.g. cost-effectiveness analysis of proposed countermeasures).
Assurance (GOVN) (Level Six)
Implements the governance framework to enable governance activity to be conducted. Undertakes and/or directs reviews as necessary to ensure management decision-making is transparent, and that an appropriate balance between benefits, opportunities, costs and risks can be demonstrated to principal stakeholders.
Tools and techniques (VURE) (Level Five)
Adopts and adapts vulnerability assessment techniques and tools to be used by others.
Research activities (VURE) (Level Five)
Plans and manages vulnerability research activities into new threats, attack vectors, risks and potential solutions.
Reporting (VURE) (Level Five)
Assesses and documents the impacts and threats to the organisation. Creates reports and shares knowledge and insights with others.
Networking and communities (VURE) (Level Five)
Maintains a strong external network within own area of specialism.
Body of knowledge (VURE) (Level Five)
Gathers information on new and emerging threats and vulnerabilities. Contributes research findings on security vulnerabilities, countermeasures, and mitigations to national and international vulnerability databases.
Strategy (INAS) (Level Six)
Develops strategies for information assurance, as part of corporate IT governance, including guidelines for information and network users and alignment to standard security frameworks. Defines target thresholds for information assurance maturity and oversees activities to achieve these.
Performance measures (INAS) (Level Six)
Identifies and develops metrics and measures for information assurance such as key risk indicators (KRIs) and key performance indicators (KPIs). Determines appropriate and practical performance measures, to ensure that information assurance priorities set by the business can be effectively monitored.
Influencing partners (INAS) (Level Six)
Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.
Implementation and processes (INAS) (Level Six)
Contributes to the development, implementation and monitoring of organisational policies and processes intended to maintain the availability, integrity and confidentiality of the organisation’s information assets.
Data privacy and information security culture (INAS) (Level Six)
Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and takes responsibility for actioning these.
Business continuity and resilience (INAS) (Level Six)
In the context of business continuity, assesses protection, detection and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.
Architectural principles (INAS) (Level Six)
Ensures architectural principles are applied during design to reduce risk, and advances assurance standards through ensuring rigorous security testing.
Advice and guidance (INAS) (Level Six)
Guides, encourages, leads and develops colleagues in the disciplines of information assurance. Supports employees to understand their role in the security of data and information.
Threats and breaches (SCTY) (Level Six)
Identifies and monitors environmental and market trends and proactively assesses impact on business strategies, benefits and risks. Manages assessment of threats to confidentiality, integrity, availability, accountability and relevant compliance. Takes ownership of security control reviews, business risk assessments, and reviews that follow significant breaches of security controls.
Security control service (SCTY) (Level Six)
Leads the operation of appropriate security controls as a production service to business system users.
Security architecture (SCTY) (Level Six)
Develops and communicates the corporate security architecture.
Security expertise (SCTY) (Level Six)
Leads the provision of authoritative advice and guidance on the requirements for security controls in collaboration with experts in other functions such as legal and technical support. Operates as a focus for IT security expertise for the organisation, providing authoritative advice and guidance on the application and operation of all types of security control, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.
Risks and vulnerability (SCTY) (Level Six)
Contributes to the development of organisational strategies that address information control requirements. Prepares and maintains a business strategy and plan for information security activities which addresses the evolving business risk and information control requirements, and is consistent with relevant IT and business plans, budgets, strategies etc.
Leadership and management (SCTY) (Level Six)
Manages IT security specialist staff, including approval of project and task definition and prioritisation, quality management and budgetary control, and management tasks such as recruitment and training when required.
Compliance (SCTY) (Level Six)
Ensures compliance between business strategies and information security. Takes steps to ensure the organisation complies with GDPR regulations.
Risk strategy, processes and monitoring (BURM) (Level 4)
Monitors status of risks, and reports status and need for action to senior colleagues.
Risk countermeasures and response (BURM) (Level 4)
Assists with development of agreed countermeasures and contingency plans.
Financial awareness (BURM) (Level 4)
Demonstrates financial awareness as a part of risk management (e.g. cost-effectiveness analysis of proposed countermeasures).
Tools and techniques (VURE) (Level 4)
Specifies requirements for environment, data, resources, techniques and tools to perform vulnerability assessments.
Research activities (VURE) (Level 4)
Designs and executes complex vulnerability research activities into new threats, attack vectors, risks and potential solutions.
Reporting (VURE) (Level 4)
Reviews test results and modifies tests if necessary. Creates reports to communicate methodology, findings and conclusions.
Networking and communities (VURE) (Level 4)
Makes an active contribution to research communities.
Risk assessment (INAS) (Level Five)
Carries out risk assessments of complex information systems and of the control effectiveness of infrastructure components. Contributes to classification of data types held and audits of information systems. Contributes to data breach planning.
Policies (INAS) (Level Five)
Interprets security and assurance policies and contributes to development of policies, standards and guidelines that comply with these, to enable effective assessment of risks to information availability, integrity, authentication and confidentiality.
Performance measures (INAS) (Level Five)
Ensures effective reporting of information assurance metrics. Undertakes activities pertaining to improvements in information security maturity.
Influencing partners (INAS) (Level Five)
Influences internal and external partners, including the supply chain, to ensure compliance with the organisation’s information security requirements.
Implementation and processes (INAS) (Level Five)
Implements effective information security processes to support the organisation’s information assurance strategy and policies.
Data privacy and information security culture (INAS) (Level Five)
Champions organisational commitment to data privacy and information security. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Identifies opportunities for improving the security culture and delivers awareness training where appropriate.
Business continuity and resilience (INAS) (Level Five)
In the context of business continuity, supports the assessment of the protection, detection, and reaction capabilities, to determine whether they are sufficient to support restoration of information systems in a secure manner.
Advice and guidance (INAS) (Level Five)
Advises information and network users on information assurance architecture and strategies to manage identified risk, and promotes awareness of policies and procedures. Acts to ensure that they are aware of obligations such as protecting the secrecy of passwords and account access details.
Threats and breaches (SCTY) (Level Five)
Investigates major breaches of security and recommends appropriate control improvements. Conducts investigation, analysis and review following breaches, and manages the investigation and resolution of security incidents, in accordance with established procedures including incident management procedures. Prepares recommendations for appropriate control improvements, involving other professionals as required.
Security expertise (SCTY) (Level Five)
Provides authoritative advice and guidance on security strategies to manage identified risks and ensure adoption and adherence to standards. This includes advice on the application and operation of all types of security controls, including legislative or regulatory requirements such as data protection/GDPR and software copyright law.
Security control service (SCTY) (Level Five)
Manages the operation of appropriate security controls as a production service to business system users.
Security architecture (SCTY) (Level Five)
Designs the security components of systems architectures. Develops new architectures that manage the risks posed by new technologies and business practices.
Risks and vulnerability (SCTY) (Level Five)
Identifies threats to the confidentiality, integrity, availability, accountability and relevant compliance of information systems. Conducts risk, vulnerability and business impact assessments of business applications and computer installations and recommends appropriate action to management.
Policy and strategy (SCTY) (Level Five)
Contributes to development of information security policy, standards and guidelines.
Learning development (SCTY) (Level Five)
Delivers and contributes to the design and development of specialist IT security education and training to IT and system user management and staff.
Leadership and management (SCTY) (Level Five)
Plans and leads the work of small teams of security staff, and acts as project manager on complex IT security specialism projects.
Controls and reviews (SCTY) (Level Five)
Conducts security control reviews across a full range of control types and techniques, for business applications and computer installations. Seeks guidance from more experienced or specialised practitioners as required. Recommends appropriate action to management.
Compliance (SCTY) (Level Five)
Reviews compliance with information security policies and standards. Assesses configurations and security procedures for adherence to legal and regulatory requirements.
Risk strategy, processes and monitoring (BURM) (Level 3)
Maintains documentation of risks, threats, vulnerabilities and mitigation actions.
Tools and techniques (VURE) (Level 3)
Applies tools, such as disassemblers, debuggers and fuzzers, to the analysis of embedded devices and/or the reverse engineering of hardware or software.
Research activities (VURE) (Level 3)
Applies standard techniques and tools for vulnerability research into new threats, attack vectors, risks and potential solutions.
Reporting (VURE) (Level 3)
Analyses and reports on research activities and results.
Networking and communities (VURE) (Level 3)
Participates in research communities and uses available resources to maintain current knowledge of malware attacks and other cyber security threats.
Risk assessment (INAS) (Level Four)
Carries out risk assessment as directed, using standard processes for identifying potential risks to information systems and infrastructure components.
Policies (INAS) (Level Four)
Contributes to the development of, and implements, security and assurance policies relating to assessment of risks to information availability, integrity, authentication and confidentiality.
Performance measures (INAS) (Level Four)
Produces information assurance management reports.
Influencing partners (INAS) (Level Four)
Influences internal and external partners to ensure compliance with the organisation’s information security requirements.
Implementation and processes (INAS) (Level Four)
Contributes to the effective implementation of information security processes to support the organisation’s information assurance strategy and policies.
Data privacy and information security culture (INAS) (Level Four)
Champions organisational commitment to data privacy and information security in their areas of influence. Promotes and supports a culture where data privacy and information security are the responsibility of every employee. Delivers awareness training to improve the security culture.
Advice and guidance (INAS) (Level Four)
Provides advice and guidance to support and encourage adherence to information security principles.
Threats and breaches (SCTY) (Level Four)
Investigates suspected attacks and undertakes the investigation and resolution of security incidents, in accordance with established procedures including incident management procedures. Uses forensics where appropriate. Reports on findings and lessons learnt/improvement actions.
Security expertise (SCTY) (Level Four)
Explains the purpose of, and provides advice and guidance on, the application and operation of elementary physical, procedural and technical security controls (for example, the key controls defined in ISO/IEC 27002). Communicates information assurance risks and requirements effectively to users of systems and networks.
Security architecture (SCTY) (Level Four)
Delivers elements of the security components of system architectures.
Risks and vulnerability (SCTY) (Level Four)
Conducts business risk and vulnerability assessments and business impact analysis for medium-complexity information systems.
Network usage (SCTY) (Level Four)
Reviews network usage. Assesses the implications of any unacceptable usage and breaches of privileges or corporate policy. Recommends appropriate action.
Controls and reviews (SCTY) (Level Four)
Conducts security control reviews in well-defined areas. Assesses security of information and infrastructure components. Investigates and assesses risks of network attacks and recommends remedial action.
Compliance (SCTY) (Level Four)
Contributes to compliance reviews. Assists in the assessment of configuration and security procedures for adherence to legal and regulatory requirements.
Threat modelling (THIN) (Level 4)
Undertakes routine threat modelling tasks. Analyses the significance and implication of processed intelligence to identify trends, potential threat sources and their capabilities.
Threat intelligence gathering (THIN) (Level 4)
Performs threat intelligence gathering tasks. Collates and analyses information for threat intelligence requirements from a variety of sources.
Source evaluation (THIN) (Level 4)
Evaluates the value, usefulness and impact of threat intelligence sources.
Reporting (THIN) (Level 4)
Creates threat intelligence reports.
Information review (THIN) (Level 4)
Contributes to reviewing, ranking and categorising qualitative threat intelligence information.
Advice (THIN) (Level 4)
Provides advice on threat intelligence activities to help others understand and mitigate vulnerabilities or to respond to security incidents.
Threat modelling (THIN) (Level 5)
Conducts complex threat modelling tasks. Predicts and prioritises threats to an organisation and their methods of attack.
Threat intelligence gathering (THIN) (Level 5)
Plans and manages threat intelligence activities. Identifies which are the most impactful threat categories and the types of information that can help defend against them.
Source evaluation (THIN) (Level 5)
Distributes information and obtains feedback about the value, usefulness and impact of the data.
Reporting (THIN) (Level 5)
Leads production and editing of threat intelligence reports that enhance the intelligence production workflow.
Information review (THIN) (Level 5)
Reviews, ranks and categorises qualitative threat intelligence information.