Overview

Information in all its forms is a vital component of the digital environment in which we live and work. The protection of information in its physical form is well understood, but the protection of digital information within systems and devices, and what needs to be protected, is less so. Information risk is concerned with the importance of information to the organisation and the harm that can be caused by a failure to manage, use or protect information in all its forms. Risk management allows an organisation to prioritise risks, deploy resources efficiently and treat risks using a consistent and documented approach that takes into account threats, vulnerabilities, assets and harm. System risk needs to be understood, actively foreseen and managed within this context.

This role involves following the steps in the information risk assessment and management process, ensuring that information risks are identified and assessed, that an impact assessment is undertaken, that risk treatment options are specified, that appropriate controls are selected and that there is ongoing monitoring and review.

TECHIS60241 1
Performance criteria

You must be able to:

1. correctly identify the range of response actions that may be used to mitigate/control risks in line with organisational
2. take decisive and timely action in the event of risks being realised and impacting the integrity of information systems in line with organisational
3. perform risk assessments that clearly identify and assess potential risks in terms of their probability of occurrence
4. analyse the identified risks to assess their potential impact on information assets and to determine whether they are within specified risk tolerance levels
5. contribute to the development and maintenance of risk management plans used to mitigate risks in accordance with relevant internal and external
6. assess and validate information on current and potential threats to the business, analysing trends and highlighting information security issues relevant to the organisation
7. predict and prioritise threats to an organisation and their methods of attack in line with organisational
8. analyse the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities
9. use human factor analysis in the assessment of threats in line with organisational
10. use threat intelligence to develop attack trees in line with organisational
11. prepare and disseminate intelligence reports providing threat indicators and warnings in line with organisational
12. scan information systems and networks for public domain vulnerabilities, reporting potential issues and mitigation options in line with organisational
13. make recommendations as to the specific actions that should be applied to mitigate risks and escalate risks that are outside agreed risk tolerance levels
14. review and apply the strategy, policies, procedures, tools and techniques relating to security risk assessment and
15. correctly identify and assist in the development of a risk contingency plan for a non-complex system, based upon analysis of the probability and impact of potential risks to a specific information system
16. objectively analyse and clearly present the findings from risk assessment and to sponsors, stakeholders and external bodies
Knowledge and understanding

You need to know and understand:

1. information is an organisational asset that has a value, which may be relative depending on the perspective taken, and therefore can be classified to reflect its importance to an organisation or individual
2. information is vulnerable to threats in systems
3. information has attributes relating to confidentiality, possession or control, integrity, authenticity, availability, and utility, any of which can make it vulnerable to attack
4. information may need to be protected, and some of the reasons why that protection must occur, including legal and regulatory drivers, customer rights or organisational objectives
5. information has a lifecycle, from creation through to deletion, and protection may be required and may change throughout that lifecycle
6. that information risk assessment and management is a term referring to the process of documenting what information is at risk, the type and level of risk, and the impact of realisation
7. the value and role of risk management within a business information security strategy
8. the range of issues associated with information security risk assessment and
9. the range of approaches that can be taken to risk assessment and and their appropriateness in a range of business contexts
10. the internal and external factors that may impact on security risk
11. the regulations, legislation, internal and external that may apply to information security risk assessment and
12. who is responsible for leading/managing the risk assessment and
13. that risk should be planned as an ongoing/cyclical activity
14. how to develop and maintain a risk management plan
15. the risk tolerance levels specified for managing risk
16. the need to be accountable for the successful management of security risks
Developed by: e-skills
Version Number: 1
Date Approved: January 2016
Indicative Review Date: April 2019
Validity: Current
Status: Original
Originating Organisation: The Tech Partnership
Original URN: TECHIS60241
Relevant Occupations: Information and Communication Technology; Information and Communication Technology Officer; Information and Communication Technology Professionals
Suite: Information Security
Keywords: Information security, cyber security, risk assessment, risk management