IT Professional Standards. Information Security Discipline. Sub-discipline 605 Information Security Testing and Information Assurance Methodologies


IT Professional Standards
Information Security Discipline
Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
December 2012
Draft Version 0.6

DOCUMENT REVIEW

Document Information
Document Title: Sub-discipline 605 Information Security Testing and Information Assurance Methodologies
Document Reference:
Document Version: Draft Version 0.6
Document Date: /12/
Last updated: /01/2013

Sub-discipline 605 Information Security Testing and Information Assurance Methodologies

Information Security Testing
  Level 3 (assist): Assist information security testing, under supervision
  Level 4 (perform): Conduct information security testing, under supervision
  Level 5 (manage): Manage information security testing
  Level 6 (set strategy): Direct information security testing

Information Assurance Methodologies
  Level 3 (assist): Assist information assurance, under supervision
  Level 4 (perform): Implement information assurance, under supervision
  Level 5 (manage): Manage information assurance methodologies
  Level 6 (set strategy): Direct information assurance methodologies

Information Security Testing

Level 3 Competence: Assist information security testing, under supervision

This competence will be demonstrated by the following Performance Criteria (PC):
a) Able to assist in determining responses to a range of standard security scans and tests on network devices and information systems and components
b) Use a range of appropriate methods, tools and techniques, as directed by superiors, to conduct information security testing
c) Undertake a range of basic penetration tests, under controlled conditions, to assess vulnerabilities and compliance against information assurance criteria and standards
d) Assist with the development of accurate and clear security test scripts to ensure that information assurance requirements can be tested against relevant standards
e) Objectively assess the results of information security testing and vulnerability assessment against the acceptance criteria
f) Accurately collate and clearly document the outcomes from information security tests and vulnerability assessment, providing prioritised rudimentary mitigation information and advice
g) Report potential issues and risks arising from information security testing to superiors

Competent performance requires Knowledge (K) of:
a) The range of threats and vulnerabilities that need to be considered within information security testing design and development activities
b) When and how to schedule information security testing
c) The range of formal testing methods/standards that are available
d) What are acceptable results from information security testing
e) How to use and apply specified penetration testing techniques under supervision
f) How to develop information security test plans and schedules
g) How to design and apply a range of tests to ensure compliance with the information assurance standards used by the organisation
h) The need to ensure that information security tests are carried out under controlled conditions
i) How to assess the results from information security testing objectively
j) The need to accurately record and store relevant information and data relating to the results of information security tests

Competent performance requires Understanding (U) of:
a) What is meant by information security testing
b) What are the different types of information security testing that can be conducted and their purpose
c) What is the role of penetration testing in information security testing
d) That the purpose of information security testing is about attaining levels of confidence in the resilience properties of information systems
e) How to apply a few conventional, accepted penetration testing techniques
f) That information security testing does not guarantee information security, simply that a device, information system or component meets a minimum threshold of security robustness
g) That there are a range of different testing methods and standards that can be associated with and applied to each stage of the software or hardware life cycle
h) How to apply an established testing method to assure information systems
i) The need to ensure that compliance with information security standards is tested prior to the launch of any developed information system or solution
j) The importance of conducting information security tests routinely on existing services within the organisation

Level 4 Competence: Conduct information security testing, under supervision

This competence will be demonstrated by the following Performance Criteria (PC):
a) Undertake information security tests, under controlled conditions, to assess vulnerabilities and compliance against relevant internal and/or external standards
b) Use a range of appropriate methods, tools and techniques to conduct penetration testing
c) Clearly and accurately scope and plan the information security test approach, prioritising testing activity to proactively target the most significant threats and vulnerabilities first
d) Interpret information assurance requirements to produce information security test acceptance criteria
e) Carefully plan a context-driven test approach to systematically test a system in order to validate its information security status
f) Design and develop accurate and clear test scripts, plans and acceptance criteria to ensure that information assurance requirements can be tested against relevant internal and/or external standards
g) Critically review the results of penetration testing and accurately identify specific vulnerabilities within any information system
h) Prioritise outcomes and recommend specific and timely action to address vulnerabilities identified as a result of information security testing
i) Clearly report on and communicate the results of information security testing, recommending mitigation actions
j) Ensure information security testing reports are high quality and relevant to the audience

Competent performance requires Knowledge (K) of:
a) The specific threats that may be of particular importance to any particular information system
b) How to organise an information security testing approach following standard procedures
c) How to use the range of tools and techniques that can be applied for penetration testing
d) Relevant UK legislation and its impact on penetration testing, including but not limited to:
   - Computer Misuse Act 1990
   - Human Rights Act 1998
   - Data Protection Act 1998
   - Police and Justice Act 2006
e) The latest information and data on a wide range of information security vulnerabilities

Competent performance requires Understanding (U) of:
a) The importance of ensuring that security testing is designed to ensure testing of all aspects of information systems across the core principles:
   - confidentiality
   - integrity
   - availability
   - authorisation
   - authentication
   - non-repudiation
b) The potential impact of the vulnerabilities identified on any information system and on the organisation
c) What are the different types of information security testing that can be conducted and their purpose
d) What are the benefits of penetration testing
e) The detailed steps involved in undertaking a full penetration testing assessment
f) How to analyse detailed penetration testing results and assess vulnerabilities in order to provide advice on how to respond
g) The interests of relevant stakeholders for information security testing
h) The need to ensure that the design of tests incorporates the range of threats that may present themselves to the organisation
i) How to scope, plan and manage the security testing activities conducted on any particular information system or solution
j) The need to identify and prioritise specific vulnerabilities for an information system or solution
k) The need to communicate the business implications of the limitations of information security testing programmes effectively

l) How to develop and implement test programmes to assess information effectiveness through the life of a system

Level 5 Competence: Manage information security testing

This competence will be demonstrated by the following Performance Criteria (PC):
a) Be responsible for penetration testing in own area of work
b) Design, implement and maintain the standards, processes, procedures, methods, tools and techniques to conduct information security assessments
c) Design, simulate and execute controlled attacks on networks and systems as part of a comprehensive penetration testing approach
d) Apply existing and emerging methods to test and identify vulnerabilities to network and information systems
e) Select and specify the most appropriate tools to be used during penetration testing
f) Clearly and accurately define the scope of any penetration testing assignment, aligned to the context of the test scenario
g) Lead and manage a penetration testing team, prioritising resource allocation and capability management and ensuring that appropriate ongoing training and development is in place
h) Source, gather and collate information and data about the vulnerabilities identified as a result of penetration testing and the potential impact on the organisation's information systems and assets
i) Critically review the results of penetration testing, identifying priorities for action where appropriate
j) Communicate the results of information security testing to a range of audiences, justifying and evidencing any recommendations on security failures and non-compliance
k) Review and update information security testing processes and standards where appropriate to reflect the changing nature of security threats and risks
l) Make decisions to implement improvements to the organisation's information systems and assets to reduce the risks associated with identified vulnerabilities

Competent performance requires Understanding (U) of:
a) What information security testing can test for and the limitations
b) How to use the range of tools and techniques that can be applied for information security testing
c) The role and importance of proactive activities, such as penetration testing, to identify vulnerabilities within the organisation's network and information systems infrastructure and assets
d) How to translate the target vulnerabilities into test plans and scripts
e) The results and outcomes of information security testing activities in identifying security issues and informing and directing
f) The importance of ensuring that information security testing is conducted proactively and routinely/regularly through the lifecycle and lifetime of network and information systems

Competent performance requires Knowledge (K) of:
How to:
a) The range of scanning and testing activities that can be used to identify vulnerabilities in an organisation's network and information system
b) The range of current, identified vulnerabilities that exist and need to be tested for
c) The external standards, best practice frameworks and codes of conduct that an organisation's information systems infrastructure assets should comply with
d) Ensure that processes and procedures are implemented and followed to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available
e) Distribute warning material relating to information security vulnerabilities in a timely manner and suitable for the target audience
f) Design, develop and implement metrics for monitoring the level of vulnerabilities through penetration testing
g) Identify the potential business impacts if vulnerabilities are exploited
h) Maintain lists of authorised or banned applications or devices for use on protective monitoring systems

Level 6 Competence: Direct information security testing

This competence will be demonstrated by the following Performance Criteria (PC):
a) Be fully accountable for all penetration and information security testing activities, results and recommendations for mitigation
b) Design, develop, implement and maintain the policy and standards to provide a detailed information security testing framework for use within the organisation
c) Review, improve and update penetration testing methods and tools to continue to provide effective testing services
d) Ensure penetration testing activities and reports are clearly documented
e) Design, develop, implement and maintain resourcing and training strategy and plans to retain and develop appropriate penetration and information security testing expertise within the organisation
f) Continually monitor information security threat trends and keep aware of the latest information, providing informed guidance to penetration testing activities
g) Monitor the quality and effectiveness of penetration testing activities, critically reviewing the approach and process and making recommendations for improvement where appropriate
h) Provide timely and objective advice and guidance to others on all aspects of information security testing activities, including penetration testing best practice and the application of lessons learned
i) Maintain an authoritative position on proactive information security testing to identify and disseminate new threats to contribute to the body of knowledge
j) Develop communication processes for internal and external parties (e.g. customers) relating to penetration testing activities and results
k) Authorise the issue of formal reports to management on the effectiveness and efficiency of information security testing
l) Provide thought leadership on the discipline of information security testing, contributing to internal best practice and to externally recognised publications, white papers etc.
m) Take timely and decisive action in the event of information security testing activities and their deliverables not complying with relevant legislation, regulations, and internal and external standards

Competent performance requires Understanding (U) of:
a) The scope of information assurance governance within the organisation
b) The importance of establishing effective capabilities for the assurance of information assets within the organisation
c) The need to have effective and coordinated governance of a range of activities, including risk management, information security, vulnerability assessments, security education and awareness training
d) The need to ensure that timely and effective independent review of information security testing activities takes place
e) How to objectively analyse the findings from independent review of information security testing activities and report recommendations to sponsors and stakeholders
f) How to design and develop strategy, policies, plans and standards to ensure alignment with all relevant legislation, regulations and external standards
g) The importance of using lessons learned in order to inform future information security testing

Competent performance requires Knowledge (K) of:
a) Who are the executive sponsors and stakeholders of information security testing activities within the organisation
b) The need to advise and guide others on all aspects of information security testing activities
c) How to manage the implications and consequences:
   - of failure to identify and mitigate/control risks that arise
   - of information security testing activities failing to meet the expectations of the business
d) Sources of best practice in information security testing activities
e) The importance of analysing the results gained from monitoring the alignment of information security testing activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards

Information Assurance Methodologies

Level 3 Competence: Assist information assurance, under supervision

This competence will be demonstrated by the following Performance Criteria (PC):
a) Correctly follow the strategy, policies, plans and standards relating to information assurance activities
b) Follow an appropriate information assurance methodology under supervision
c) Use a range of appropriate tools and techniques, as directed by superiors, to conduct information assurance activities
d) Operate with integrity and confidentiality during information assurance activities
e) Identify when and how to seek advice and guidance from other individuals during information assurance activities
f) Complete, to defined standards and timelines, own assigned tasks and activities during information assurance activities

Competent performance requires Knowledge (K) of:
a) The processes, tools and techniques relating to information assurance and their deliverables
b) The legislation, regulations, strategy, policies and internal and external standards that are relevant to information assurance activities
c) The fact that information assurance includes the following core information security principles:
   - confidentiality
   - integrity
   - availability
   - authorisation
   - authentication
   - non-repudiation
d) The range of information assurance methodologies that are available
e) How to interpret policy and standards that apply to information assurance activities

Competent performance requires Understanding (U) of:
a) What is meant by information assurance
b) Why the assurance and security of information assets is critical for the organisation
c) How an information assurance methodology can be applied to assure information systems
d) What are the roles and responsibilities of the information assurance and information security functions within the organisation
e) How information assurance activities fit within the development lifecycle
f) How information assurance activities fit within the service lifecycle
g) What are the processes, procedures, methods, tools and techniques used to conduct information assurance activities within the organisation
h) The need for information assurance activities to be carried out in accordance with any codes of conduct and organisational standards

Level 4 Competence: Implement information assurance, under supervision

This competence will be demonstrated by the following Performance Criteria (PC):
a) Clearly identify and accurately document the organisation's requirements with respect to information assurance methodology implementation
b) Clearly scope and plan the approach for introducing an information assurance methodology, including any impacts internally and on third parties
c) Accurately source, gather and collate information and data relating to the implementation of information assurance methodologies
d) Implement and apply an information assurance methodology to own and extended business enterprise assurance under direction
e) Critically assess the implementation of information assurance methodologies and/or approaches against the requirements of the organisation
f) Communicate effectively the outcomes and deliverables of information assurance methodologies
g) Ensure that all necessary processes, procedures, tools and techniques supporting the methodology are documented

Competent performance requires Understanding (U) of:
a) The importance of having clear and understandable methodologies for information assurance
b) The importance of ensuring that methodologies for information assurance are aligned with the development lifecycle and service lifecycle
c) The internal and external factors that may impact on the effectiveness of any information assurance methodology

Competent performance requires Knowledge (K) of:
a) The range of information assurance approaches and methodologies that may be available and their suitability to the needs of the organisation
b) What is contained within any information assurance methodology
c) What the advantages and limitations are of adopting an information assurance methodology within an organisation
d) How to identify and select the most appropriate information assurance methodology for any particular organisation to verify that information assurance risks are mitigated to acceptable levels

Level 5 Competence: Manage information assurance methodologies

This competence will be demonstrated by the following Performance Criteria (PC):
a) Be responsible for information assurance on all types of information systems
b) Provide leadership on information assurance for the organisation, working effectively with strategic organisational functions to provide authoritative advice and guidance
c) Clearly align the scope of information assurance to the context of the business
d) Plan, schedule and manage information assurance of the organisation's information systems and assets
e) Select and apply the most appropriate methodology for information assurance
f) Accurately identify, document and communicate the selection of the most appropriate information assurance methodology to verify that information assurance risks are mitigated to acceptable levels
g) Clearly identify and accurately document roles and responsibilities for information assurance
h) Rigorously monitor the implementation and adoption of the information assurance methodology within the organisation
i) Monitor the quality and effectiveness of information assurance activities, making recommendations for improvement where appropriate
m) Identify, source and secure the most appropriate resources and skills from within the organisation to conduct information assurance activities

Competent performance requires Understanding (U) of:
a) Why the quality and effectiveness of information assurance activities need to be managed and monitored
b) What are the limitations of information assurance and the capabilities of an information assurance methodology
c) What the results and outcomes of information assurance mean to the organisation in terms of the confidence in information security
d) The latest external standards, best practice frameworks and codes of conduct for information assurance that an organisation's IT/Technology infrastructure assets should comply with

Competent performance requires Knowledge (K) of:
a) The range of information assurance methodologies and their strengths and weaknesses
b) The latest information on and developments in information assurance methodologies
c) How to analyse and assess internal problem reports for signs of anomalous information security issues that impact information assurance
d) The need to monitor and assess information in external reports for relevance to the organisation, ensuring that information assurance activities are updated through formal change processes
e) How to conduct reviews of information assurance policies and procedures

Level 6 Competence: Direct information assurance methodologies

This competence will be demonstrated by the following Performance Criteria (PC):
a) Be fully accountable for the information assurance methodology
b) Design, implement and maintain the information assurance governance mechanisms for the organisation
c) Design and develop improved information assurance methodologies to reflect changing requirements
d) Design, develop, implement and maintain the policy and standards for information assurance within the organisation
e) Monitor the alignment of information assurance activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards
f) Take timely and decisive action in the event of information assurance activities and their deliverables not complying with relevant legislation, regulations, and internal and external standards
g) Create and maintain an information risk awareness culture within the organisation, ensuring everyone understands their role and responsibilities in maintaining information assurance throughout the organisation
h) Advise and support others on all aspects of information assurance methodology, including best practice and the application of lessons learned
i) Provide thought leadership on the discipline of information assurance, contributing to internal best practice and to externally recognised publications, white papers etc.

Competent performance requires Understanding (U) of:
a) The scope of information assurance governance within the organisation
b) The importance of establishing effective governance bodies for the assurance of information assets within the organisation

Competent performance requires Knowledge (K) of:
a) The role and responsibilities of information assurance governance bodies
b) The executive sponsors and stakeholders of information assurance activities within the organisation
c) How to analyse the results gained from monitoring the alignment of information assurance activities and their deliverables with all relevant legislation, regulation, internal and external standards, in line with organisational strategy, policies and standards


ESKITP714401 Implement procedures and standards relating to metrics for IT service delivery Overview This sub-discipline covers the competencies required to perform performance metrics. Monitoring service level performance is a complex task requiring collection of data, detailed analysis, and

More information

{Add company name} {Add geographical location} {Add/edit as required} Enterprise Architect. {Add local information}

{Add company name} {Add geographical location} {Add/edit as required} Enterprise Architect. {Add local information} Job Description Business Analyst Organisation: Location: Reports to: Supervises: Working conditions: Last updated: {Add company name} {Add geographical location} {Add/edit as required} Enterprise Architect

More information

ESKITP6032 IT Disaster Recovery Level 2 Role

ESKITP6032 IT Disaster Recovery Level 2 Role Overview This sub-discipline is about the competencies required in order to manage all aspect of Disaster Recovery (DR), as it applies to IT within an. ESKITP6032 1 Performance criteria You must be able

More information

Aberdeen City Council IT Security (Network and perimeter)

Aberdeen City Council IT Security (Network and perimeter) Aberdeen City Council IT Security (Network and perimeter) Internal Audit Report 2014/2015 for Aberdeen City Council August 2014 Internal Audit KPIs Target Dates Actual Dates Red/Amber/Green Commentary

More information

Committees Date: Subject: Public Report of: For Information Summary

Committees Date: Subject: Public Report of: For Information Summary Committees Audit & Risk Management Committee Finance Committee Subject: Cyber Security Risks Report of: Chamberlain Date: 17 September 2015 22 September 2015 Public For Information Summary Cyber security

More information

ESKITP7022 IT/Technology Service Help Desk and Incident Management Level 2 Role

ESKITP7022 IT/Technology Service Help Desk and Incident Management Level 2 Role IT/Technology Service Help Desk and Incident Management Level 2 Role Overview This sub-discipline is about the competencies required to manage the contacts made by customers of IT/technology systems, services

More information

Government Communication Professional Competency Framework

Government Communication Professional Competency Framework Government Communication Professional Competency Framework April 2013 Introduction Every day, government communicators deliver great work which supports communities and helps citizens understand their

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

ESKITP5022 Software Development Level 2 Role

ESKITP5022 Software Development Level 2 Role Overview This sub discipline covers the core competencies required to create software to address the needs of business problems and opportunities, resulting in a variety of software solutions, ranging

More information

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1

GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY. 1. Occupational Health and Safety Policy Statement 1 GLASGOW SCHOOL OF ART OCCUPATIONAL HEALTH AND SAFETY POLICY CONTENTS PAGE 1. Occupational Health and Safety Policy Statement 1 2. Occupational Health and Safety Management System 2 3. Organisational Management

More information

ESKITP5065 Software Development Process Improvement Level 5 Role

ESKITP5065 Software Development Process Improvement Level 5 Role Software Development Process Improvement Level 5 Role Overview This sub-discipline covers the competencies required by an information technology and/or telecoms organisation to ensure that appropriate

More information

NOS for Data Management (801) September 2014 V1.3

NOS for Data Management (801) September 2014 V1.3 NOS for Data Management (801) September 2014 V1.3 NOS Reference ESKITP801301 ESKITP801401 ESKITP801501 ESKITP801601 NOS Title Assist in Delivering the Data Management Infrastructure to Support Data Analysis

More information

The ICMCI CMC Competence Framework - Overview

The ICMCI CMC Competence Framework - Overview This CMC Competence Framework specifies the cluster of related abilities, commitments, knowledge, and skills that a management consultant should demonstrate in practice in order to successfully complete

More information

JOB DESCRIPTION CONTRACTUAL POSITION

JOB DESCRIPTION CONTRACTUAL POSITION Ref #: IT/P /01 JOB DESCRIPTION CONTRACTUAL POSITION JOB TITLE: INFORMATION AND COMMUNICATIONS TECHNOLOGY (ICT) SECURITY SPECIALIST JOB SUMMARY: The incumbent is required to provide specialized technical

More information

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager

Digital Asset Manager, Digital Curator. Cultural Informatics, Cultural/ Art ICT Manager Role title Digital Cultural Asset Manager Also known as Relevant professions Summary statement Mission Digital Asset Manager, Digital Curator Cultural Informatics, Cultural/ Art ICT Manager Deals with

More information

NOS for Network Support (903)

NOS for Network Support (903) NOS for Network Support (903) November 2014 V1.1 NOS Reference ESKITP903301 ESKITP903401 ESKITP903501 ESKITP903601 NOS Title Assist with Installation, Implementation and Handover of Network Infrastructure

More information

ESKITP7082 Change and Release Management Level 2 role

ESKITP7082 Change and Release Management Level 2 role Overview This sub-discipline is about the competencies required for the management of changes required to the operational IT/technology configuration and environment in which it operates. The competencies

More information

ESKITP7042 IT Application Management / Support Level 2 Role

ESKITP7042 IT Application Management / Support Level 2 Role Overview This sub-discipline is about the competencies required to ensure that application systems/services that support specific business functions and processes for an organisation remain available,

More information

The purpose of this Unit is to develop an awareness of the knowledge and skills used by ethical and malicious hackers.

The purpose of this Unit is to develop an awareness of the knowledge and skills used by ethical and malicious hackers. National Unit specification General information Unit code: H9HY 45 Superclass: CC Publication date: September 2015 Source: Scottish Qualifications Authority Version: 02 Unit purpose The purpose of this

More information

ESKITP714601 Authorise strategy, policies and standards relating to IT service delivery performance metrics management

ESKITP714601 Authorise strategy, policies and standards relating to IT service delivery performance metrics management service delivery performance metrics Overview This sub-discipline covers the competencies required to direct the monitoring, analysis and communication of IT service delivery performance metrics. Monitoring

More information

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager

Middlesbrough Manager Competency Framework. Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework + = Behaviours Business Skills Middlesbrough Manager Middlesbrough Manager Competency Framework Background Middlesbrough Council is going through significant

More information

Achieve. Performance objectives

Achieve. Performance objectives Achieve Performance objectives Performance objectives are benchmarks of effective performance that describe the types of work activities students and affiliates will be involved in as trainee accountants.

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Review Policy Reference Number Title CSD-014 Information Security Review Policy Version Number 1.2 Document Status Document Classification Active Open Effective

More information

ESKITP7146.01 Authorise strategy, policies and standards relating to IT service delivery performance metrics management

ESKITP7146.01 Authorise strategy, policies and standards relating to IT service delivery performance metrics management service delivery performance metrics Overview This sub-discipline covers the competencies required to direct the monitoring, analysis and communication of IT service delivery performance metrics. Monitoring

More information

G-Cloud III Services Service Definition Accenture Cloud Security Services

G-Cloud III Services Service Definition Accenture Cloud Security Services G-Cloud III Services Service Definition Accenture Cloud Security Services 1 Table of contents 1. Scope of our services... 3 2. Approach... 3 3. Assets and tools... 4 4. Outcomes... 5 5. Pricing... 5 6.

More information

IT Governance Charter

IT Governance Charter Version : 1.01 Date : 16 September 2009 IT Governance Network South Africa USA UK Switzerland www.itgovernance.co.za info@itgovernance.co.za 0825588732 IT Governance Network, Copyright 2009 Page 1 1 Terms

More information

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid.

All CCG staff. This policy is due for review on the latest date shown above. After this date, policy and process documents may become invalid. Policy Type Information Governance Corporate Standing Operating Procedure Human Resources X Policy Name CCG IG03 Information Governance & Information Risk Policy Status Committee approved by Final Governance,

More information

STAGE 1 COMPETENCY STANDARD FOR ENGINEERING ASSOCIATE

STAGE 1 COMPETENCY STANDARD FOR ENGINEERING ASSOCIATE STAGE 1 STANDARD FOR ENGINEERING ASSOCIATE ROLE DESCRIPTION THE MATURE ENGINEERING ASSOCIATE The following characterises the senior practice role that the mature, Engineering Associate may be expected

More information

Gateway review guidebook. for project owners and review teams

Gateway review guidebook. for project owners and review teams Gateway review guidebook for project owners and review teams The State of Queensland (Queensland Treasury and Trade) 2013. First published by the Queensland Government, Department of Infrastructure and

More information

National Approach to Information Assurance 2014-2017

National Approach to Information Assurance 2014-2017 Document Name File Name National Approach to Information Assurance 2014-2017 National Approach to Information Assurance v1.doc Author David Critchley, Dave Jamieson Authorisation PIAB and IMBA Signed version

More information

Assessment Strategy for. Audit Practice, Tax Practice, Management Consulting Practice and Business Accounting Practice.

Assessment Strategy for. Audit Practice, Tax Practice, Management Consulting Practice and Business Accounting Practice. Assessment Strategy for Audit Practice, Tax Practice, Management Consulting Practice and Business Accounting Practice December 2013 Introduction This Assessment Strategy has been designed to apply to qualifications

More information

Risk Management Policy

Risk Management Policy 1 Purpose Risk management relates to the culture, processes and structures directed towards the effective management of potential opportunities and adverse effects within the University s environment.

More information

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions

Committee on Payments and Market Infrastructures. Board of the International Organization of Securities Commissions Committee on Payments and Market Infrastructures Board of the International Organization of Securities Commissions Principles for financial market infrastructures: Assessment methodology for the oversight

More information

Overview TECHIS60851. Manage information security business resilience activities

Overview TECHIS60851. Manage information security business resilience activities Overview Information security business resilience encompasses business continuity and disaster recovery from information security threats. As well as addressing the consequences of a major security incident,

More information

Business Analyst Position Description

Business Analyst Position Description Analyst Position Description September 4, 2015 Analysis Position Description September 4, 2015 Page i Table of Contents General Characteristics... 1 Career Path... 2 Explanation of Proficiency Level Definitions...

More information

JOB DESCRIPTION. Contract Management and Business Intelligence

JOB DESCRIPTION. Contract Management and Business Intelligence JOB DESCRIPTION DIRECTORATE: DEPARTMENT: JOB TITLE: Contract Management and Business Intelligence Business Intelligence Business Insight Manager BAND: 7 BASE: REPORTS TO: Various Business Intelligence

More information

Corporate Risk Management Policy

Corporate Risk Management Policy Corporate Risk Management Policy Managing the Risk and Realising the Opportunity www.reading.gov.uk Risk Management is Good Management Page 1 of 19 Contents 1. Our Risk Management Vision 3 2. Introduction

More information

Career proposition for software developers and web operations engineers

Career proposition for software developers and web operations engineers Career proposition for software developers and web operations engineers Introduction The Government Digital Service is at the centre of the digital transformation of government, making information and

More information

Vale of Glamorgan. Overview Report: Review of HR and Workforce Planning. November 2011

Vale of Glamorgan. Overview Report: Review of HR and Workforce Planning. November 2011 Vale of Glamorgan Overview Report: Review of HR and Workforce Planning November 2011 Content 1 Introduction 1 2. Review Findings 3 3. The Way Forward 17 2012 Grant Thornton UK LLP. All rights reserved.

More information

ESKITP2035.01 Identify change management opportunities and options for IT enabled systems 1

ESKITP2035.01 Identify change management opportunities and options for IT enabled systems 1 Identify change management opportunities and options for IT enabled Overview This sub-discipline, Change Management (203) is concerned with the competencies required to manage the introduction of business

More information

Procuring Penetration Testing Services

Procuring Penetration Testing Services Procuring Penetration Testing Services Introduction Organisations like yours have the evolving task of securing complex IT environments whilst delivering their business and brand objectives. The threat

More information

SFJCCAD2 Promote business continuity management

SFJCCAD2 Promote business continuity management Overview This unit is about providing advice and assistance on business continuity management, including general advice for the business and voluntary sectors, and specific advice and assistance to individual

More information

Change Management Office Benefits and Structure

Change Management Office Benefits and Structure Change Management Office Benefits and Structure Author Melanie Franklin Director Agile Change Management Limited Contents Introduction 3 The Purpose of a Change Management Office 3 The Authority of a Change

More information

Security Testing for Web Applications and Network Resources. (Banking).

Security Testing for Web Applications and Network Resources. (Banking). 2011 Security Testing for Web Applications and Network Resources (Banking). The Client, a UK based bank offering secure, online payment and banking services to its customers. The client wanted to assess

More information

Job description - Business Improvement Manager

Job description - Business Improvement Manager Job description - Business Improvement Manager Main Purpose of job The post has lead responsibility for optimising operational performance within the Operations directorate, and across the Society for

More information

SCHOOL ONLINE SAFETY SELF REVIEW TOOL

SCHOOL ONLINE SAFETY SELF REVIEW TOOL SCHOOL ONLINE SAFETY SELF REVIEW TOOL UPDATED February 2016 The South West Grid for Learning, Belvedere House, Woodwater Park, Pynes Hill, Exeter, EX2 5WS. Tel: 0844 381 4772 Email: esafety@swgfl.org.uk

More information

Northern Ireland Social Care Council. Job Description

Northern Ireland Social Care Council. Job Description Northern Ireland Social Care Council Job Description Post: Location: Band: Reporting to: Responsible to: Head of Workforce Development Northern Ireland Social Care Council, 7 th Floor, Millennium House,

More information

Reputation, Brand & Communications

Reputation, Brand & Communications Group Standard Reputation, Brand & Communications Serco is committed to building a positive reputation with its stakeholders, wherever we operate SMS-GS-BC4 Reputation, Brand and Communication December

More information

Business Plan 2012/13

Business Plan 2012/13 Business Plan 2012/13 Contents Introduction 3 About the NFA..4 Priorities for 2012/13 4 Resources.6 Reporting Arrangements.6 Objective 1 7 To raise the profile and awareness of fraud among individuals,

More information

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012

LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 106 LEICESTERSHIRE COUNTY COUNCIL RISK MANAGEMENT POLICY STATEMENT 2011-2012 Leicestershire County Council believes that managing current and future risk, both opportunity and threat, is increasingly vital

More information

2 Gabi Siboni, 1 Senior Research Fellow and Director,

2 Gabi Siboni, 1 Senior Research Fellow and Director, Cyber Security Build-up of India s National Force 2 Gabi Siboni, 1 Senior Research Fellow and Director, Military and Strategic Affairs and Cyber Security Programs, Institute for National Security Studies,

More information

Department of Health & Human Services

Department of Health & Human Services Department of Health & Human Services Position Description Senior Project Officer Data, Quality and Funding (Clinical Supervision / Simulation portfolio) The Senior Project Officer, Data, Quality and Funding

More information

PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3)

PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3) PORTFOLIO, PROGRAMME & PROJECT MANAGEMENT MATURITY MODEL (P3M3) 1st February 2006 Version 1.0 1 P3M3 Version 1.0 The OGC logo is a Registered Trade Mark of the Office of Government Commerce This is a Value

More information

CENTRAL LINCOLNSHIRE LOCAL PLAN HIGHLIGHT REPORT

CENTRAL LINCOLNSHIRE LOCAL PLAN HIGHLIGHT REPORT Public Sector Auditing.. Private Sector Thinking CENTRAL LINCOLNSHIRE LOCAL PLAN HIGHLIGHT REPORT Date: 7 th November 2014 Author: Rachel Abbott Principal Auditor Introduction & Scope The National Planning

More information

IPDS. Green Book Employees. An Integrated Performance Management, Pay and Grading System. Technical 2. Making West Midlands Safer. www.wmfs.

IPDS. Green Book Employees. An Integrated Performance Management, Pay and Grading System. Technical 2. Making West Midlands Safer. www.wmfs. An Integrated Performance Management, Pay and Grading System Technical 2 Making West Midlands Safer Prevention Protection Response www.wmfs.net Role Profile Role Title Technical 2 Role Ref T2 Overall Purpose

More information

ESKITP5022v2 Perform software development activities under direction

ESKITP5022v2 Perform software development activities under direction Perform development activities under direction Overview This sub discipline covers the core competencies required to create to address business problems and realise opportunities, resulting in a variety

More information

Guideline on Vulnerability and Patch Management

Guideline on Vulnerability and Patch Management CMSGu2014-03 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Vulnerability and Patch Management National Computer Board

More information

Guide to the National Safety and Quality Health Service Standards for health service organisation boards

Guide to the National Safety and Quality Health Service Standards for health service organisation boards Guide to the National Safety and Quality Health Service Standards for health service organisation boards April 2015 ISBN Print: 978-1-925224-10-8 Electronic: 978-1-925224-11-5 Suggested citation: Australian

More information

Job Description and Person Specification. Post Number: HCI.C24 JE Ref: JE028

Job Description and Person Specification. Post Number: HCI.C24 JE Ref: JE028 Job Description and Person Specification Job Title: Business Analyst Post Number: HCI.C24 JE Ref: JE028 Grade: PO1 (SCP 35 39) Other payments: Service: Progression: Hours per week: Accountable to: N/A

More information

JOB PROFILE. Collaborate and work effectively with team members within the section and the rest of the Transformation Service.

JOB PROFILE. Collaborate and work effectively with team members within the section and the rest of the Transformation Service. JOB PROFILE Job Title: Principal Commissioning Officer Consultant 3 Department: Corporate Resources Ref: DCC/14/0344 Section: Transformation Service Job Family: Transformation Job grade: 12 Purpose of

More information

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13

Cyber Security Consultancy Standard. Version 0.2 Crown Copyright 2015 All Rights Reserved. Page 1 of 13 Cyber Security Consultancy Standard Version 0.2 Crown Copyright 2015 All Rights Reserved Page 1 of 13 Contents 1. Overview... 3 2. Assessment approach... 4 3. Requirements... 5 3.1 Service description...

More information

Job Description. Industry business analyst. Salary Band: Purpose of Job

Job Description. Industry business analyst. Salary Band: Purpose of Job Job Description Job Title: Industry business analyst Division/Company: Industry Policy/Payments UK Reporting To: Director of Industry Policy Salary and: C Purpose of Job To provide thought leadership and

More information

SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE

SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE SABPP IT GOVERNANCE COMMITTEE TERMS OF REFERENCE PREAMBLE The purpose of the IT Governance Committee is to ensure that IT is effectively governed at SABPP in accordance with the King III Code of Governance

More information

Business Continuity Business Continuity Management Policy

Business Continuity Business Continuity Management Policy Business Continuity Business Continuity Management Policy : Date of Issue: 28 January 2009 Version no: 1.1 Review Date: January 2010 Document Owner: Patricia Hughes Document Authoriser: Tony Curtis 1 Version

More information

Role Activity Grade 5 PAS Professional Officer

Role Activity Grade 5 PAS Professional Officer Role Activity Grade 5 PAS Generic Post Job Title: Market Insight Officer Title: Reporting to: Head of Market Insight School/ External & Community Relations Department: Job Family: Professional and Administrative

More information

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers

7 Directorate Performance Managers. 7 Performance Reporting and Data Quality Officer. 8 Responsible Officers Contents Page 1 Introduction 2 2 Objectives of the Strategy 2 3 Data Quality Standards 3 4 The National Indicator Set 3 5 Structure of this Strategy 3 5.1 Awareness 4 5.2 Definitions 4 5.3 Recording 4

More information

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions

Consultative report. Committee on Payment and Settlement Systems. Board of the International Organization of Securities Commissions Committee on Payment and Settlement Systems Board of the International Organization of Securities Commissions Consultative report Principles for financial market infrastructures: Assessment methodology

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

Qualification details

Qualification details Outcome Statement Qualification details Title New Zealand Certificate in Organisational Risk and Compliance (Level 4) Version 1 Qualification type Certificate Level 4 Credits 60 NZSCED 080317 Quality Management

More information

Information governance strategy 2014-16

Information governance strategy 2014-16 Information Commissioner s Office Information governance strategy 2014-16 Page 1 of 16 Contents 1.0 Executive summary 2.0 Introduction 3.0 ICO s corporate plan 2014-17 4.0 Regulatory environment 5.0 Scope

More information

Cisco Security Optimization Service

Cisco Security Optimization Service Cisco Security Optimization Service Proactively strengthen your network to better respond to evolving security threats and planned and unplanned events. Service Overview Optimize Your Network for Borderless

More information

ISO 27001 Information Security Management Services (Lot 4)

ISO 27001 Information Security Management Services (Lot 4) ISO 27001 Information Security Management Services (Lot 4) CONTENTS 1. WHY LEICESTERSHIRE HEALTH INFORMATICS SERVICE?... 3 2. LHIS TECHNICAL ASSURANCE SERVICES... 3 3. SERVICE OVERVIEW... 4 4. EXPERIENCE...

More information

ICAICT704A Direct ICT in a supply chain

ICAICT704A Direct ICT in a supply chain ICAICT704A Direct ICT in a supply chain Release: 1 ICAICT704A Direct ICT in a supply chain Modification History Release Release 1 Comments This Unit first released with ICA11 Information and Communications

More information

Software Application Control and SDLC

Software Application Control and SDLC Software Application Control and SDLC Albert J. Marcella, Jr., Ph.D., CISA, CISM 1 The most effective way to achieve secure software is for its development life cycle processes to rigorously conform to

More information