Application Guidance – CCP Security and Information Risk Advisor Role, Practitioner Level
Issue No: 1.1, October 2015
This document is for the purposes of issuing advice to UK Government, public sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.
The copyright of this document is reserved and vested in the Crown.
Document History
Version   Date           Comment
1.0       April 2015     First issue
1.1       October 2015   First public release
Application Guidance - CCP S&IRA Role, Practitioner Level
Purpose & Intended Readership
This document is intended as a guide on how to structure evidence when applying for certification under the CESG Guidance for IA Professionals (CCP) scheme as a Security & Information Risk Advisor (S&IRA) at Practitioner level. It includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications.
Executive Summary
CESG has developed a framework for certifying Information Assurance (IA) Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Advisor Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Security & Information Risk Advisor (S&IRA) at Practitioner level.
Feedback
CESG welcomes feedback and encourages readers to inform CESG of their experience, good or bad, of this document. Please email: [email protected]
Contents:
Overall Requirements for the S&IRA Role at Practitioner level
    Key Principles
    Security and information risk advice
    Headline statement for the S&IRA role at Practitioner Level, SFIA Responsibility Level 2
    Applying for CCP Scheme Certification
Further information on the requirements for the S&IRA Role at Practitioner Level
    Knowledge
    Skills
    Experience
The Certification Process
    Next Steps
The CCP Scheme Certification Learning Cycle
References
Overall Requirements for the S&IRA Role at Practitioner level
Key Principles
This document is intended as a guide on how to structure evidence when applying for certification as a Security and Information Risk Advisor (S&IRA) at Practitioner level in the CESG Certification for IA Professionals (CCP) scheme. It includes suggestions of what you need to learn and know before applying and complements the ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications. Learning comes through acquiring skills and knowledge (from training, experience and learning from others doing the same job) and then putting these into practice. Most people will need a few years to acquire these, although in some cases this period may be longer or shorter. The section on skills provides prompts for the type of evidence which could demonstrate that you meet the required standards. You are encouraged to follow the advice in this section when completing your written submission of evidence.
Security and information risk advice
The S&IRA role is to provide business–driven advice on the management of security and information risk consistent with HMG IA policy or other sector specific guidance. In particular a S&IRA should:
provide a focal point for resolution of security and information risk matters
identify, analyse and evaluate information risks
explain to risk owners and other stakeholders the causes, likelihood and potential business impacts of information risks throughout the information system lifecycle
assist checking compliance with applicable regulations, standards, policies and guidance on information risk management
present risk management options to the business
support the development of appropriate and proportionate documentation to inform risk management decisions, ensuring these are expressed in terms meaningful to the business
investigate security incidents
promote security awareness
provide threat guidance
Headline statement for the S&IRA role at Practitioner Level, SFIA Responsibility Level 2
Assists customers in the routine application and interpretation of security or IA policies and practices
Applying for CCP Scheme Certification
If you don’t feel that you can demonstrate all of the following required skills, knowledge and experience, agree a plan with your manager so that you can address any gaps – e.g. through placements, projects, training, mentoring – before you apply for CCP certification. You also need to check the website of the Certification Body (CB) (1) you wish to use, to see if it specifies any additional requirements, for example an exam qualification. The following are examples consistent with the standards required to meet the role headline statement above. Other examples might also meet the same standard. Your evidence should show that you:
use a repeatable and consistent risk assessment technique to identify emerging information risks throughout the lifecycle of assigned information systems, services or business solutions
co–ordinate the identification of suitable risk treatment options in the context of the business and ensure these are traceable to risks
develop security evidence as required and specified by the business to enable the effective and consistent application of an organisation’s risk management process: ensuring these are necessary, proportionate and match the business requirement. Avoid producing unnecessary documentation
liaise with an Accreditor (2) and/or Risk Owner to gain timely accreditation
(1) The three Certification Bodies are APM Group – www.apmg-ia.com; BCS, The Chartered Institute for IT Professionals – www.bcs.org; and the IISP, RHUL & CREST consortium – www.iisp.org.
(2) Accreditor is a term which is mostly used within government organisations, for example if operating within an HMG accreditation framework. It denotes the person who impartially and independently assesses that the risks associated with an information system are acceptable to the organisation and who accredits that system on behalf of a Board.
undertake preliminary or fact finding enquiries into security incidents
check or report compliance with applicable security standards and procedures
present security briefings to users and/or local management
contribute to security communications
draft requirements for IT Health Checks or audits
can provide examples showing that you are competent in the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework (see skills section). For skills at level 1 (awareness), this could be your contributions to teamwork. For level 2 (application) skills, wherever possible you should show personal ownership in your work
demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA) (3) at level 2. Alternatively you can show evidence of at least level 1.5 for the IISP J skills – see the publication ‘Guidance to CESG Certification for IA Professionals’ (reference [b])
(3) See ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) and the SFIA Foundation at www.sfia.org.uk.
This diagram gives an overall picture of the different elements of Information Assurance and their interdependence. Within the overall context of Information Assurance, the S&IRA’s focus is to obtain the necessary information from others (e.g. architects, accreditors etc.) of how systems work, the organisation’s environment and risk appetite and to then present advice in a way that clients can understand, in order to achieve a proportionate level of information risk management.
You need to understand the organisation’s business objectives, strategy and risk appetite. You will also need information from knowledgeable technical specialists who can explain at an appropriate level what the information systems do. You need people skills to ensure that you can explain security options in a way that non–specialists understand so that they implement your advice with the outcome that risks are managed appropriately and proportionately. In no priority order, you need:
Skills in:
Negotiating
Influencing
Communication – able to talk to non–specialists and specialists alike
Business writing (all the information needed for a decision, on 1 side of A4)
Working within business areas to personally build and then give tailored presentations
Stakeholder management
Familiarity with:
Risk assessment and risk management methodologies
Security and information risk advice standards and policies
The ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications
Technical IA controls
An understanding of:
Business risk appetite and how to apply proportionate risk management controls
Business strategy and the local business environment
How security incidents can occur
How to perform Protective Monitoring (PM), understand PM reports and carry out incident management
Further information on the requirements for the S&IRA Role at Practitioner Level
Knowledge
The following gives more detail of the knowledge you need to acquire.
You need evidence that you understand and have appropriately applied your knowledge of, for example:
if carrying out IA work for Government or Government suppliers – the relevant elements of the HMG Security Policy Framework (SPF) and CESG guidance
the information security policies and standards relevant to your industry sector
your organisation’s information security policies and standards
best practice in producing appropriate and proportionate risk management controls
relevant legal issues – e.g. protection of personal and financial data
what information governance is, why it matters, who is responsible for it locally and how it works in practice
the strategic goals, threats and opportunities of the businesses you work in
what good and bad security in IA architecture looks like – e.g. protecting one layer but leaving an interface with another system vulnerable
how to develop IT systems with good IA – e.g. how to advise on the appropriate level of controls, taking into account governance and risk appetite
Skills
When presenting your skills evidence, you are advised to use the ‘STAR’ format: ‘Situation, Task, Action, Result’
Use a narrative form, e.g. ‘I produced ...My decision was...’
Explain what security and information risk advice you gave and why, and how it was proportionate and effective
You must meet the required levels for 4 core skills from the following: A2, A3, A4, A6, B1, B2, F1, F2. The inclusion of at least one of the B Group skills is compulsory.
In addition, you must meet 75% of the non–core skills
A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one environment
The following table provides suggestions for starting points in evidence.
Technical Skills

A1 – Governance, Level 1: Understands local arrangements for Information Governance (IG)
Evidence of skill: Give examples of work you’ve done which took into account local information governance. What did your work achieve?

A2 – Policy & Standards, Level 2 (core skill): With supervision and aligned with business objectives, authors or provides advice on Information Security (IS) policy or standards
Evidence of skill: Give examples of how you’ve applied IS policies or standards. What impact did your work have? Were there occasions when you influenced policies/standards, e.g. by providing feedback?

A3 – IS Strategy, Level 1 (core skill): Understands the purpose of IS strategy to realise business benefits
Evidence of skill: Give examples of how you’ve applied your organisation’s IS strategy to your work in a way which enabled business benefit (e.g. by saving time, improving quality, reducing costs etc).

A4 – Innovation & Business Improvement, Level 1 (core skill): Is aware of the business benefits of good IS
Evidence of skill: Give examples of innovative security and information risk advice and how that enabled a significant business improvement (e.g. by reducing reputational risk).

A5 – IS Awareness and Training, Level 1: Understands the role of security awareness and training in maintaining IS
Evidence of skill: Give examples which show how you used your understanding of the importance of IS awareness and training.

A6 – Legal & Regulatory Environment, Level 1 (core skill): Is aware of major pieces of legislation relevant to IS and of regulatory bodies relevant to the sector in which they work
Evidence of skill: Explain how your advice on information risk complied with relevant statutes or regulations.

A7 – Third Party Management (4), Level 1: Is aware of the need for organisations to manage the information security of third parties
Evidence of skill: Give examples of how the scope of your information risk advice has included 3rd party information systems.

(4) Skill only required if information systems or services are provided by a third party, for example if the design or development of an information system, or part of an information system, is outsourced to a 3rd party.

B1 – Risk Assessment, Level 2 (core skill): Understands how to produce information risk assessments
Evidence of skill: Give examples from different environments of risk assessments you’ve written. How did you decide which assets and threats were significant and what the threat levels were? How did you communicate your reports and what were the results of your work?

B2 – Risk Management, Level 2 (core skill): Contributes to management of risks to information systems with supervision
Evidence of skill: Give examples of advising organisations on how to manage risks. How did you address organisational requirements and risk appetite? What were the results of your work?

C1 – Security Architecture, Level 1: Is aware of the concept of architecture to reduce information risk
Evidence of skill: Give examples of how you’ve taken a system architecture into account in your information risk advice.

C2 – Secure Development, Level 1: Is aware of the benefits of addressing security during system development
Evidence of skill: Give examples of advice you’ve given on secure development in building IT systems. What were the results?

D1 – IA Methodologies, Level 1: Is aware of the existence of methodologies, processes and standards for providing IA
Evidence of skill: Give examples of how you’ve applied your understanding of IA methodologies.

D2 – Security Testing, Level 1: Is aware of the role of testing to support IA
Evidence of skill: How has your advice influenced the scope of security testing?

E1 – Secure Operations Management, Level 1: Is aware of the need for secure management of information systems
Evidence of skill: Give examples of advice you’ve given on secure operations management. What were the results?

E2 – Secure Ops & Service Delivery, Level 1: Is aware of the need for information systems and services to be operated securely
Evidence of skill: How have you used your understanding of secure information system management in your advice on service delivery?

E3 – Vulnerability Assessment, Level 1: Is aware of the need for vulnerability assessments to maintain IS
Evidence of skill: Give examples from different work environments of advice you’ve given which has influenced the scope of vulnerability assessments or the interpretation of their results.

F1 – Incident Management, Level 2 (core skill): Contributes to security incident management
Evidence of skill: Provide examples of reports or advice you’ve provided after a security incident, to enable a proportionate and effective response. What impact has your work made?

F2 – Investigation, Level 2 (core skill): Contributes to investigations into security incidents
Evidence of skill: Give examples of how your advice has taken into account the requirements for investigations, or give examples of investigations you’ve influenced, carried out or contributed to.

F3 – Forensics, Level 1: Is aware of the capability of forensics to support investigations
Evidence of skill: Give examples of information risk advice you’ve given which has taken into account the requirements for forensic evidence.

G1 – Audit and Review, Level 1: Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements)
Evidence of skill: Give examples to show how you’ve used your understanding of techniques for testing compliance with security criteria in your information risk advice.

H1 – Business Continuity Planning and H2 – Business Continuity Management, Level 1: Understands how Business Continuity Planning & Management contributes to Information Security
Evidence of skill: Give examples from different work environments of how you considered business continuity in your information risk advice. How did your advice on information risk contribute to business continuity management? What were the outcomes of your work?

I1 – Research, Level 1
Evidence of skill: Give examples of research you’ve used in the information risk advice you’ve provided or how you’ve researched whether your advice would be appropriate for an information system.

People Skills – ‘J skills’ (instead of SFIA levels)

J1 – Teamwork and Leadership, Level 2: Is encouraging and supportive and provides a lead within the local area. Task–based team working
Evidence of skill: Give examples of ways in which you’ve encouraged others to develop their own competence and abilities.

J2 – Delivering, Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
Evidence of skill: Give examples of prioritising tasks to ensure that local and organisational objectives were met.

J3 – Managing Customer Relationships, Level 2: Negotiates with customers to improve the service to them and to manage their expectations
Evidence of skill: Describe occasions when you’ve negotiated different solutions from those originally requested.

J4 – Corporate Behaviour, Level 2: Understands the aims of own and related areas across an organisation
Evidence of skill: Give examples of information risk advice which saved money or other resources and met the security requirements for a system.

J5 – Change and Innovation, Level 2: Generates creative ideas and demonstrates sensitivity in implementing local change
Evidence of skill: Give examples of changes you’ve introduced – what did you do? How did you consider the impact on other people and processes?

J6 – Analysis and Decision Making, Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area
Evidence of skill: Give examples of breaking down (complex) problems. What was the outcome?

J7 – Communication and Knowledge Sharing, Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work area
Evidence of skill: Give examples of how you’ve adapted your communication to suit different media, e.g. face to face, over the phone, emails, presentations and meetings. What outcomes have you achieved?
Experience
Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below. If you are successful in your application, your CCP certification will assure employers that you are competent to advise on information risk. In order to provide sufficient evidence for your assessment, you will need to demonstrate experience of information risk advice, typically for at least 12 months. You may also have had previous experience in related areas, e.g. work in an Information Technology support team or IT Help Desk. Your evidence should show that you have some experience of, and can give examples of, some of the following:
providing a focal point for resolution of security and information risk matters
identifying, analysing and evaluating information risks
explaining to risk owners and other stakeholders the causes, likelihood and potential business impacts of information risks throughout the information system lifecycle
assisting and checking compliance with applicable regulations, standards, policies and guidance on information risk management
presenting risk management options to the business
supporting the development of appropriate and proportionate documentation to inform risk management decisions, ensuring that these are expressed in terms that are meaningful to the business
investigating security incidents
promoting security awareness
providing threat guidance
The Certification Process
Next Steps
This Application Guidance contains material designed to help individuals applying for CCP S&IRA at Practitioner level. The CB certification processes for the Practitioner level follow below.
Note:
1. If you are considering applying for CCP S&IRA at Senior level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels as detailed in the ‘CESG Certification for IA Professionals’ (reference [a]) publication. Supervisory experience to show evidence of coaching and developing other S&IRAs would also be helpful.
2. If you are applying for CCP S&IRA at Lead level, you will need to show that you influence and direct security and information risk advice strategy at an organisational or inter–organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise the Board with regard to security and information risk advice.
3. There are 3 CBs: the APM Group (www.apmg-ia.com), BCS (www.bcs.org) and the IISP, RHUL and CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.
The CCP Scheme Certification Learning Cycle
If there is a gap against CCP requirements, make a time-bounded plan to develop the missing skills and knowledge and to make or find suitable opportunities to apply them.
References
[a] CESG Certification for IA Professionals – www.beta.cesg.gov.uk/articles/cesg-certified-professional-scheme
[b] Guidance to CESG Certification for IA Professionals – www.beta.cesg.gov.uk/articles/cesg-certified-professional-scheme
CESG provides advice and assistance on information security in support of UK Government. Unless otherwise stated, all material published on this website has been produced by CESG and is considered general guidance only. It is not intended to cover all scenarios or to be tailored to particular organisations or individuals. It is not a substitute for seeking appropriate tailored advice.
CESG Enquiries, Hubble Road, Cheltenham, Gloucestershire GL51 0EX
Tel: +44 (0)1242 709141
Email: [email protected]
© Crown Copyright 2015