8/13/2019 Guidance to Cesg Certification for Ia Professionals
Guidance to CESG Certification for IA Professionals
September 2012, Issue No: 1.0
The copyright of this document is reserved and vested in the Crown.
This document may not be reproduced or copied without specific permission from CESG.

Document History

Version 1.0, September 2012: Comprises guidance chapters previously incorporated in CESG Certification for IA Professionals, with various changes as listed:
- Change of role title from Security Architect to IA Architect
- Clarification of the differences between Practitioner, Senior Practitioner and Lead Practitioner (see Chapter 3)
- Incorporation of Bloom's revised taxonomy of knowledge into the skill assessments (see Chapters 4 & 5)
- Revision to good evidence requirement and progression (paras 25 & 26) (see Chapter 5)
- Option for Certification Bodies to use IISP Skill Group J in lieu of SFIA responsibility levels (see Chapter 5)
- Addition of guidance for applicants (see Chapter 6)
- Addition of guidance for employers and clients (see Chapter 7)
- Addition of code of conduct (see Chapter 8)

Also includes changes made to the Certification for IA Professionals document at issues 1.1 and 1.2.

The IA role definitions and IISP skills supplements will be found in CESG Certification for IA Professionals v2.0.
Purpose & Intended Readership

This document contains guidance on CESG's Certification for Information Assurance (IA) Professionals v2.0 (reference [a]). It is relevant to all IA Professionals who work in, or for, the public sector and to those who recruit, select, train or manage them. Parts of the framework may be relevant to IA Professionals working for the private sector. The framework contributes to Objective 4 of the UK Cyber Security Strategy (reference [b]), building the UK's cross-cutting knowledge, skills and capability to underpin all cyber security objectives.

Executive Summary

CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between public sector requirements for IA Professionals and the competencies of the staff or contractors undertaking common IA roles. The framework has been developed in consultation with government departments, academia, industry, the certification bodies, and members of the CESG Listed Advisor Scheme (CLAS) (reference [c]). The framework includes a set of IA role definitions and a certification process.

The set of role definitions:
- Covers the IA roles most commonly used across the public sector
- Defines each of the IA roles at three levels
- Aligns each role level with responsibility levels defined by The Skills Framework for the Information Age (SFIA) (reference [d]) (1)
- Describes each role in terms of its purpose and the skills required at each responsibility level
- Uses the set of skills defined by the Institute of Information Security Professionals (IISP) (reference [e])
- Supplements the IISP (2) skill definitions to aid assessment against them
- Is detailed in CESG Certification for IA Professionals v2.0

The certification process:
- Has been defined in detail and is operated by three Certification Bodies (CBs) appointed by CESG:
  - APM Group, www.apmg-ia.com
  - BCS, the Chartered Institute for IT Professionals, www.bcs.org
  - IISP, RHUL & CREST consortium, www.instisp.org
- Assesses applicants against the requirements of the role definitions
- Includes the issue of certificates endorsed by CESG stating the IA role and responsibility level at which the applicant has been assessed as being competent to perform

IA Professionals working in, or for, the public sector are encouraged to apply for certification to demonstrate their competence in their IA role.

(1) The Skills Framework for the Information Age is owned by the SFIA Foundation: www.SFIA.org.uk
(2) The IISP Skills Framework is copyright The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals, IISP, M.Inst.ISP and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute.
Contents:
Chapter 1 - Introduction
Chapter 2 - Concept of Operation
Chapter 3 - Role Definitions
Chapter 4 - Skill Definitions
Chapter 5 - Guidance for Certification Bodies
Chapter 6 - Guidance for Applicants
Chapter 7 - Guidance for Employers and Clients of Certified IA Professionals
Chapter 8 - IA Practitioners' Code of Conduct
References
Glossary
Customer Feedback

Chapter 1 - Introduction
Key Principles
- Improving the level of professionalisation in IA is an objective of the UK Cyber Security Strategy
- Certification aims to improve matching between public sector requirements for IA expertise and the competence of those recruited or contracted to provide that expertise

1. The public sector is accountable to Parliament for protecting a vast array of sensitive data supporting many public services. The sophistication of the threats to that data, the complexity of the information systems and the high potential business impacts of data loss leave the public sector increasingly dependent on Information Assurance (IA) specialists to manage information risks. The complexity of the skills and competencies required of these specialists continues to grow. Consequently, improved IA professionalisation is an objective of the UK Cyber Security Strategy (reference [b]).

2. Whilst there is substantial overlap between public sector IA requirements and those of other sectors, the former are determined by a distinct combination of threats, business impacts and public expectations. The public sector therefore needs to articulate the competencies required of the IA Professionals working within it, to formally recognise the IA skills of those who have them, and to encourage their continuous professional development. To meet this need, CESG has established a framework to certify the competence of IA Professionals to perform common public sector IA roles. The framework is consistent with ISO 17024, Conformity assessment - General requirements for bodies operating certification of persons (reference [f]), and aims to improve the matching between public sector requirements for IA expertise and the competence of those recruited or contracted to provide that expertise.

3. If you are an IA specialist working in or for the public sector, the certification process will give you the opportunity to have your competence to perform an IA role independently verified. The IA role definitions will also help you plan your professional development. Chapter 6 provides guidance for applicants for IA certification.

4. If you are involved in the recruitment, selection, management, development or promotion of IA Professionals, the role definitions will provide template specifications of common IA roles. With refinements to meet any local requirements, these can form the basis for job specifications, promotion criteria or practitioner development requirements. The certification process gives you the option of setting certification as a requirement for job applicants or as an objective for jobholders. Chapter 7 gives guidance for employers and clients of certified IA Professionals.

5. Certification Bodies (CBs) assess competence in a variety of ways depending on the skills needed for a role. The assessment process will typically include review of written evidence, knowledge testing, input from referees, an interview, recommendation from assessors, and a final decision by a ratifying panel. The more senior the role, the more extensive the assessment is expected to be. Guidance for CBs and their assessors is at Chapter 5.
Chapter 2 - Concept of Operation
Key Principle
IA Professionals apply to Certification Bodies appointed by CESG for certification against a role at a specific level

6. The components of the framework are illustrated in Figure 1. CESG owns the set of IA roles and supplemented skills defined in the companion document, CESG Certification for IA Professionals. These have been, and will continue to be, developed in consultation with advisory bodies drawn from government departments, industry, academia and CLAS.

Figure 1: Certification Framework
[Diagram. Entities shown: CESG, Government Departments, Academia & Industry, CLAS community, IA Practitioners, Certification Bodies, Public Sector Organisations, Industry. Artefacts shown: Role and Skill Definitions, IA Policy Portfolio, Standards, Application, Certificate. Relationship labels: Defines, Develops, Access, Select Certification Bodies, Employed By, Become a Member of, Advice & feedback.]
7. CESG has appointed three CBs who will assess IA Professionals against the requirements of the role definitions. IA Professionals can use their certificates as evidence to prospective employers, clients or promotion panels of their competence to perform the defined role at the level to which they have been certified. CBs will charge IA Professionals for their certification. It is expected that contact details of those certified will be published by the CBs, with links to the appropriate websites provided from the CESG website: www.cesg.gov.uk.

8. It is intended that the role and skill definitions will drive professional development of IA across the public sector. To assist the provision of training, CESG aspires to enable training providers to develop training courses based upon material in CESG's IA Policy Portfolio (reference [f]), but has not been able to resource development of this and the IA certification framework concurrently.

9. The IA certification framework should:
a. Improve matching between public sector requirements for IA expertise and the competence of employed and contracted IA Professionals.
b. Encourage IA practitioners to develop all the skills needed in order to become fully effective.
c. Provide assurance that certified IA Professionals meet the requirements of the IA role definitions.
d. Provide clearer definitions of the skills required for IA roles.

10. Further details on the implementation of the certification process will be published at www.cesg.gov.uk as they are developed.
Chapter 3 - Role Definitions

[Paragraphs 11 to 15 of this chapter, including the start of the list that ends with item c below, are not present in this copy.]

c. Ensure that IA contributes to strategic business objectives.

16. Lead Practitioners especially require strong SFIA responsibility attributes in addition to IA skills to meet the role requirements. Just being an experienced and competent Senior Practitioner is not sufficient to become a Lead Practitioner. (5) Additionally, without some experience at Senior Practitioner level it would be difficult to demonstrate IA competence at the Lead Practitioner level.

17. Each role definition includes the role purpose and a headline statement of the responsibilities normally expected at each level. Illustrative duties consistent with the headline statement are given, plus an indicative set of information security skills.

18. The scope of the certification framework is the set of IA roles that are in common use across the public sector and of which CESG has some ownership. The current list is at Table 1 below. The roles are derived from three sources:
a. Roles commonly undertaken by CLAS members.
b. Roles recognised in the HMG Security Policy Framework (SPF) (reference [h]).
c. Other roles believed to be widely used across the public sector.

19. Some roles can be readily grouped together as different levels of a more generic role. For this reason the roles of IT Security Officer (ITSO, as mandated in the HMG SPF), Information System Security Manager and Information System Security Officer have been grouped together. Similarly, the Crypto Custodian is a subset of the Communications Security Officer (ComSO) role and consequently these two roles have been grouped together.

20. No hierarchy is intended among these roles. It is assumed that the ITSO and ComSO will typically report to the Department Security Officer (DSO). The DSO role is owned by Cabinet Office and is currently outside the scope of the certification framework.

21. The Accreditor will typically report to the SIRO, sometimes through a management chain. The SIRO role is owned by Cabinet Office and is also outside the scope of the certification framework.

22. There is no prescribed career path through these roles. Much IA knowledge is common to multiple roles and it would be natural for many IA Professionals to perform multiple roles in the course of a career. For small organisations, an IA specialist may perform multiple roles in one post.

23. It is expected that further roles will be defined according to demand for certification against them.

(5) Similarly, good project managers do not always make good programme managers, and it is not essential for programme managers to have been project managers.
Table 1: List of Roles and their Purpose

Accreditor: To act as an impartial assessor of the risks that an information system may be exposed to in the course of meeting the business requirement, and to formally accredit that system on behalf of the Board of Directors.

IA Auditor: To assess compliance with security objectives, policies, standards and processes.

Communications Security Officer / Crypto Custodian and deputy/alternate custodian: To manage cryptographic systems as detailed in HMG IA Standard No 4 (reference [i]) and in relevant product-specific security procedures.

IT Security Officer / Information Security System Manager / Information Security System Officer: To provide governance, management and control of IT security.

Security & Information Risk Advisor: To provide business-driven advice on the management of security and information risk consistent with HMG IA policy, standards and guidance.

IA Architect: To drive beneficial security change into the business through the development or review of architectures so that they:
- fit business requirements for security
- mitigate the risks and conform to the relevant security policies
- balance information risk against cost of countermeasures
Chapter 4 - Skill Definitions

Key Principles
- The IISP has defined a set of Information Security skills and skill levels
- These skill definitions have been supplemented to enable assessment against the skill levels
- The IA roles may be defined in terms of other suitable skill sets if they become available

24. CESG Certification for IA Professionals supplements the Institute of Information Security Professionals (IISP) skill definitions in line with the IISP skill level definitions shown in the table below. The skill definitions are supplemented in two respects to aid assessment against each of the four IISP-defined skill levels. These supplements have been developed in consultation with the advisory bodies drawn from government departments, academia, industry and CLAS.
a. Each IISP skill group is supplemented with a statement of the knowledge most relevant to the skill.
b. Each IISP skill is supplemented with a headline statement of what is expected at each skill level, followed by examples of behaviour that is consistent with the headline statement.

25. The IA certification framework assumes a mapping between the knowledge requirements in the IISP skill level definitions and Bloom's revised taxonomy of knowledge (reference [i]). This mapping is shown in Table 2. The taxonomy is described further in Chapter 5.

26. For each skill, a headline statement is provided at each of the four skill levels. These are summarised at Table 3. The headline statements are intended to be consistent with the skill level definitions and the IISP principles and examples given for each skill in the IISP Full Member Application Guidance Notes.

27. Examples of the kinds of behaviour, knowledge, competence, experience, versatility, autonomy or influence that are consistent with the headline statement are given in the Annex on skill definitions. These examples do not form an exhaustive list; other examples may also meet the headline statement. Essential requirements to meet the headline statement are denoted with the term "shall".
28. The skill definitions are intended to be cumulative; i.e. to meet the requirements at levels 2, 3 or 4 entails meeting the requirements for lower levels. But note that role definitions are not cumulative; see Chapter 5.

Table 2: IISP Skills Summary Definitions for Levels

Each IISP skill level is given with its definition and the applicable knowledge level from Bloom's revised taxonomy (reference [j]).

Level 1 (Awareness): Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.
Bloom's knowledge level: Remembering/Understanding

Level 2 (Basic Application): Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.
Bloom's knowledge level: Applying

Level 3 (Skilful Application): Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.
Bloom's knowledge level: Evaluating/Analysing

Level 4 (Expert): An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedent. Proposes, conducts, and/or leads innovative work to enhance the skill.
Bloom's knowledge level: Creating
Table 3: Headline Skill Statements

For each IISP skill, the headline statement expected at each of Levels 1 to 4.

A1 Governance
Level 1: Understands local arrangements for Information Governance (IG)
Level 2: Applies IG standards or processes to local area and to clients beyond it
Level 3: Develops IG standards or processes; applies IG principles across the organisation
Level 4: Leads development of IG at the organisation level or has influence at national or international standards level

A2 Policy & Standards
Level 1: Understands the need for policy and standards to achieve Information Security (IS)
Level 2: With supervision and aligned with business objectives, authors or provides advice on IS policy or standards
Level 3: Without supervision, advances business objectives through development or interpretation of a range of IS policies or standards
Level 4: A recognised expert in IS policy and standard development

A3 Information Security Strategy
Level 1: Understands the purpose of IS strategy to realise business benefits
Level 2: Contributes to development or implementation of IS strategy under supervision
Level 3: Influences investment decisions or risk appetites through contribution to development or implementation of IS strategy
Level 4: A recognised expert in IS strategy development or implementation

A4 Innovation & Business Improvement
Level 1: Is aware of the business benefits of good IS
Level 2: Applies IS to achieve business objectives with some supervision
Level 3: Supports realisation of strategic business benefits through innovative application of IS
Level 4: Develops and promotes new concepts for business improvement through IS which are widely adopted across the public sector or an industry sector

A5 IS Awareness and Training
Level 1: Understands the role of security awareness and training in maintaining information security
Level 2: Materially contributes to improving security awareness with some supervision
Level 3: Delivers, or manages the delivery of, training on multiple aspects of IS
Level 4: A recognised authority on the development of IS Awareness & Training
A6 Legal & Regulatory Environment
Level 1: Is aware of major pieces of legislation relevant to IS and of regulatory bodies relevant to the sector in which they work
Level 2: Understands applicable legislation and regulations relating to IS in the context of own or client organisations
Level 3: Influences business practices affecting IS through the application of legislation and regulations
Level 4: Is an authority on an area of legislation or regulation relevant to IS

A7 Third Party Management
Level 1: Is aware of the need for organisations to manage the information security of third parties
Level 2: With supervision, contributes to developing or maintaining compliance by third parties to the contracting authority's IS policies and standards
Level 3: Enhances organisational IS through broad influence on third party management
Level 4: Advances best practice in third party management with respect to IS

B1 Risk Assessment
Level 1: Demonstrates awareness of the causes of information risk and their implications
Level 2: Understands how to produce risk assessments
Level 3: Produces complex risk assessments that influence senior risk owners, managers or other stakeholders
Level 4: Influences development of risk assessment methodologies across and beyond an organisation

B2 Risk Management
Level 1: Demonstrates awareness of techniques to manage information risk
Level 2: Contributes to management of risks to information systems with supervision
Level 3: Advises management on information risk across a business unit or organisation
Level 4: Advances the practice of information risk management across the public sector or an industry sector or internationally

C1 Security Architecture
Level 1: Is aware of the concept of architecture to reduce information risk
Level 2: Applies architectural principles to security design with some supervision
Level 3: Applies architectural principles to complex systems or to bring structure to disparate systems
Level 4: Extends the influence of security architecture principles across the public sector or an industry sector
C2 Secure Development
Level 1: Is aware of the benefits of addressing security during system development
Level 2: Contributes to the development of secure systems with some supervision
Level 3: Applies and improves secure development practices used across multiple projects, systems or products
Level 4: Is an authority on the development of secure systems

D1 IA Methodologies
Level 1: Is aware of the existence of methodologies, processes and standards for providing Information Assurance
Level 2: Applies an IA methodology or standard with some supervision
Level 3: Verifies risk mitigation using IA methodologies
Level 4: Enhances the capability of IA methodologies to realise business benefits across the public sector or an industry sector

D2 Security Testing
Level 1: Is aware of the role of testing to support IA
Level 2: Effectively applies testing methodologies, tools or techniques with some supervision
Level 3: Provides assurance on the security of a product or process through effective testing
Level 4: Advances assurance standards across a product range, technology, or industry sector through rigorous security testing

E1 Secure Operations Management
Level 1: Is aware of the need for secure management of information systems
Level 2: Monitors the application of SyOPs with some supervision
Level 3: Manages the development of SyOPs for use across multiple information systems or manages compliance with them
Level 4: An authority on Security Operations Management, working across the public sector or an industry sector
E2 Secure Ops & Service Delivery
Level 1: Is aware of the need for information systems and services to be operated securely
Level 2: Effectively applies SyOPs with some supervision
Level 3: Develops SyOPs for use across multiple information systems or maintains compliance with them
Level 4: Influences SyOPs used across the public sector or an industry sector

E3 Vulnerability Assessment
Level 1: Is aware of the need for vulnerability assessments to maintain Information Security
Level 2: Obtains and acts on vulnerability information in accordance with Security Operations Procedures
Level 3: Ensures that information risk managers respond appropriately to relevant vulnerability information
Level 4: Is an authority on the use or impact of vulnerability assessments across the public sector or an industry sector

F1 Incident Management
Level 1: Is aware of the benefits of managing security incidents
Level 2: Contributes to security incident management
Level 3: Manages security incidents
Level 4: Is an authority on security incident management across the public sector or an industry sector

F2 Investigation
Level 1: Is aware of the basic principles of investigations
Level 2: Contributes to investigations into security incidents
Level 3: Leads investigations into security incidents, or manages a team of investigators, or provides skilled support
Level 4: Is an authority on security investigations

F3 Forensics
Level 1: Is aware of the capability of forensics to support investigations
Level 2: Contributes to forensic activities, with some supervision
Level 3: Manages forensic capability or provides skilled support
Level 4: Is an authority on forensics

G1 Audit, Assurance and Review
Level 1: Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory)
Level 2: Audits compliance with security criteria in accordance with an appropriate methodology
Level 3: Influences senior information risk owners or business managers through information risk driven auditing
Level 4: Advances the influence of security auditing across the public sector or across an industry sector
H1&2 Business Continuity Management
Level 1: Understands how Business Continuity Planning & Management contributes to information security
Level 2: Contributes to the definition or implementation of business continuity processes to maintain information security
Level 3: Leads definition or implementation of business continuity processes to maintain information security across a business unit or organisation
Level 4: Is an authority on the information security aspects of Business Continuity
Chapter 5 - Guidance for Certification Bodies

Key Principles
- Certification Bodies have some discretion in how role definitions are interpreted
- Assessments against the role definitions must be based on good evidence

29. For certification against a particular role and level, CBs must assess whether a future employer or client of the applicant could have reasonable confidence that the applicant could repeat the level of competence claimed in similar circumstances. CBs should consider the position of a recruitment consultant who needs to decide whether to recommend an IA specialist to a client, knowing that they are only likely to gain further business if the client is satisfied. Certification should give the recruitment consultant justifiable confidence to recommend the certified IA specialist to a range of clients.

30. The crux of any assessment should be whether the applicant has good evidence of meeting the relevant headline statement in the role definition. The evidence of meeting the SFIA responsibility attributes and IISP skill levels should be seen as a strong guide to help assess how well the role headline statement has been met, rather than as prescriptive criteria in their own right. For this reason, CBs have some discretion in how much evidence is required.

31. As a guide, successful applicants should provide good evidence of meeting:
a. The standard in the role definition headline statement for the applicable responsibility level.
b. The entire core IISP skill levels defined in the role definition (these are in bold in the skill tables), except as defined under the Security & Information Risk Advisor role definition.
c. All mandatory requirements within core skill definitions (these are denoted by the term "shall").
d. Three-quarters of all skills required at level 1 or above.
e. All of the SFIA attributes of responsibility (autonomy, influence, complexity and business skills). Good evidence of only 3 of the 4 attributes can be accepted if the candidate had limited opportunity to demonstrate the fourth attribute, or the assessor had limited time to probe claims made, and there was no evidence that the applicant was actually weak in this attribute. However, see para 34 for an alternative to SFIA.
f. The required Bloom's (reference [i]) knowledge level for some of the knowledge listed in the knowledge statement applicable to each core IISP skill. This may be based on evidence from the applicant's work experience or through examination. Guidance on the meaning of Bloom's knowledge levels is given in Table 4.
Table 4: Bloom's Knowledge Levels

Each level of Bloom's revised taxonomy is given with its name, the ability it denotes, and the typical exam question style used to test it.

1 Remembering: Recall or remember information but not necessarily able to use or explain. Typical exam question style: define, duplicate, list, memorize, recall, repeat, reproduce, state.
2 Understanding: Explain ideas or concepts. Typical exam question style: classify, describe, discuss, explain, identify, locate, recognize, report, select, translate, paraphrase.
3 Applying: Use the information in a new way. Typical exam question style: choose, demonstrate, employ, illustrate, interpret, operate, schedule, sketch, solve, use, write.
4 Analysing: Distinguish between different parts. Typical exam question style: appraise, compare, contrast, criticize, differentiate, discriminate, distinguish, examine, question, test.
5 Evaluating: Justify a decision. Typical exam question style: appraise, argue, defend, judge, select, support, value, evaluate.
6 Creating: Provide a new point of view. Typical exam question style: assemble, construct, create, design, develop, formulate, write.
32. Good evidence of meeting the role headline statement requires at least two examples of how the applicant applied their IA expertise to address a business requirement and what the outcome was. One piece of work may be used as evidence to support multiple skills or SFIA attributes but a variety of work examples provides stronger evidence of deployability to a range of clients.
33. Good evidence will also withstand scrutiny, e.g.:
a. Was the evidence claimed supported by a referee and was the validity of the reference checked?
b. Was the candidate credible when probed at interview?
c. Was knowledge tested in accordance with the IISP skill level and the associated knowledge level from Bloom's revised taxonomy?
d. Were the example pieces of work sufficiently substantial to demonstrate the SFIA attributes at the claimed responsibility level?
e. Was the client contacted to confirm the applicant's claims?
f. Are the examples claimed consistent with the career history described in the application?
g. Are the skills or knowledge claimed supported by relevant qualifications, training and experience?
34. Certification Bodies have the option of assessing applicants against the IISP skill group J instead of using the SFIA responsibility levels. The recommended translation between these two frameworks is given below.
Table 5: Translation between SFIA and IISP Frameworks

SFIA Responsibility Level | Average Skill Level for IISP Skill Group J
1 | Not applicable
2 | 1.5
3 | 2.0
4 | 2.5
5 | 3.0
6 | 3.25
7 | Not applicable
Except where stated otherwise, role definitions are not cumulative as one progresses from practitioner to lead practitioner; i.e. it is possible to certify an individual as a senior or lead practitioner without good evidence of the individual being able to fill the role at lower level(s). The rationale behind this is that it ought to be feasible to manage a team without having previously been a member of the team. Notwithstanding, CBs would need evidence that the applicant has acquired sufficient, additional and pertinent competencies for the required role, especially if technical rather than managerial in nature. However, skill definitions are cumulative; see Chapter 4.
35. To support migration to the IA certification framework, at their discretion, until 1 October 2013, CBs may accept Infosec Training Paths and Competencies (ITPC) (reference [k]) with a registered record of Continuous Professional Development as sufficient evidence for meeting the requirements of Security & Information Risk Advisor at Practitioner level.
Performance Monitoring
36. CBs are required to take reasonable opportunities to monitor the performance of those that they have certified in order to maintain the credibility of the certification process and their certificates.
Re-certification
37. CBs are required to state how long their certificates are valid for and what the process should be for re-certification. It is expected that some form of evidence of Continuing Professional Development will be sufficient to avoid repeating the complete certification process.
Chapter 6 - Guidance for Applicants
Key Principles
Applicants are assessed on whether the evidence presented demonstrates competence to perform the role at the level applied for
Good evidence explains how the applicant applied their IA expertise to help achieve a business objective
38. CBs are tasked with assessing applicants against the role definitions based upon the evidence presented. They do not attempt to assess how effective you are in your current work. CBs frequently either fail applications or return them for further work because applicants have not presented adequate evidence. To avoid this, please note the points below.
39. Applicants should ensure that the evidence presented supports the role(s) and level(s) applied for. Study the role and skill definitions carefully and target your evidence accordingly. The crux is demonstrating work that meets the headline statement in the role definition at the responsibility level for which you are applying.
40. Good evidence typically outlines a business objective, how you personally applied IA expertise to help achieve it and the impact your contribution made. Lists of personal qualities, jobs held or qualifications gained are not, on their own, good evidence as they do not explain what you, as an IA practitioner, have actually achieved or how you personally added value. They may add useful context to actual evidence.
41. At Practitioner level, CBs will wish to see evidence of what you have actually done in the role and how you applied IA skills and the SFIA responsibility attributes to fill the role.
42. At Senior Practitioner level, CBs will look for evidence of the ability to analyse business objectives and the associated IA issues, then apply IA expertise to enable some form of business benefit to be achieved.
43. At Lead Practitioner level, the CBs will look for evidence of applying IA expertise at the organisational level to support strategic business objectives; e.g. reduced costs or risks, improved business agility or some form of competitive advantage. Lots of experience at Senior Practitioner level is not sufficient to reach Lead Practitioner level.
44. The level to which evidence may be scrutinised is described in Chapter 5 in the guidance for CBs.
45. CBs offer different approaches to assessment. In choosing a CB an applicant should consider the assessment process, the costs and effort associated with achieving and maintaining certification, support for continued professional development, and any benefits that a CB may offer.
46. CBs have some discretion in how much evidence they require. Details are in Chapter 5.
Chapter 7 - Guidance for Employers and Clients of Certified IA Professionals
47. The CESG Certification Standard can support organisations in selecting IA Professionals for assignments and it can also be used to guide the professional development of internal staff. Employers or clients who seek to select IA Professionals for employment or contracts are advised to note the following:
a. IA certification does not eliminate the need for care when selecting IA Professionals. IA Professionals of the same role and responsibility level are not all the same. You will still need to consider how relevant their experience, culture, skills and knowledge is to your needs. The bigger the difference, the longer it will typically take for them to be fully effective in your environment.
b. Consider what profile of roles and responsibility levels you need. If you need a team, consider the mix of roles and responsibility levels that would best suit your requirements. For instance, one Senior Practitioner may be able to supervise a handful of Practitioners ensuring that the Senior Practitioner's experience is only applied where it is most needed. In this example the Senior Practitioner will also need team leadership skills in addition to their IA specialist skills.
c. IA is a broad and rapidly evolving field. Even within specific roles, nobody has knowledge and experience across the full scope of the role. Be careful not to assume knowledge or experience that your employee or contractor does not have.
d. The certification framework aims to identify IA Professionals who have demonstrated the role requirements and are sufficiently versatile to apply them in a range of organisations. It still takes time to become effective in a new organisation and more time to become effective in a new sector.
e. If you are engaging an IA specialist to help to upskill your existing staff then you should consider this skill and capability separately as this is not part of the CESG Certification for IA Professionals although some CBs may identify this capability as part of their assessment.
f. The CBs assess the IA Professionals against a common standard but in slightly different ways. You might like to familiarise yourself with the different approaches to ensure that those attributes of the certification process most important to you are employed.
Chapter 8 - IA Practitioners' Code of Conduct
48. CESG expects all practitioners undertaking work on the basis of its IA certification framework to comply with the following code of conduct in order to uphold the reputation and good standing of the framework.
Table 6: IA Practitioners' Code of Conduct

Attribute | Expected Behaviour | Inappropriate Behaviour
Impartiality | Act in the best interests of the client organisation at all times | Proposing or undertaking unnecessary or excessive work; Suppressing findings that the client representative does not wish to hear; Recommending inappropriate products or services; Not declaring potential conflicts of interest
Objective | Base advice on material knowledge, facts, professional experience and evidence | Being influenced by personal relationships or short term objectives; Ignoring material facts
Confidentiality & Integrity | Protect information received in the course of work for a client organisation | Disclosing vulnerabilities in client information systems to third parties; Sharing client information with third parties without permission
Compliance | Provide advice and ensure that conduct is consistent with applicable laws, regulations and the HMG Security Policy Framework (reference [h]) | Recommending actions that knowingly contravene applicable laws, regulations or policies; Recommending actions which conflict with CESG guidance without drawing the client's attention to the conflict; Undertaking security testing without client permission
Competence | Meet Certification Body requirements for Continuing Professional Development | Undertaking work which you know you are not competent to undertake; Presenting yourself as having a higher level of competence than is actually the case
Proportionate | Ensure advice is proportionate with business objectives and the level of information risk | Recommending work that is disproportionately large to business requirements; Recommending solutions that are grossly inadequate to meet the intended business requirements
Reputation | Preserve the reputation of the IA certification framework | Conduct that may bring the IA certification framework into disrepute; Using the IA certification brand outside its intended scope
References
[a] CESG Certification for IA Professionals - www.cesg.gov.uk/awarenesstraining/PET /pages/IA-certification.aspx
[b] The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world - www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy
[c] CLAS - www.cesg.gov.uk
[d] SFIA - www.sfia.org.uk
[e] IISP - www.instisp.org.uk
[f] ISO 17024 - www.iso.org/iso/catalogue_detail?csnumber=29346
[g] CESG IA Policy Portfolio - http://cesgiap.gsi.gov.uk
[h] HMG Security Policy Framework - http://www.cabinetoffice.gov.uk/media/207318/hmg_security_policy.pdf
[i] HMG IA Standard No. 4, Management of Cryptographic Systems, Issue 5.1, April 2012. (UNCLASSIFIED)
[j] Anderson, L.W. & Krathwohl, D. R. (Eds) (2001). A Taxonomy for Learning, Teaching and Assessing: A Revision of Bloom's Taxonomy of Educational Objectives. New York: Addison Wesley Longman. April 2001
[k] Infosec Training Paths Competency scheme - www.instip.org/SSLPage.aspx?pid=363
Glossary
CB Certification Body
CLAS CESG Listed Advisor Scheme
DSO Departmental Security Officer
IA Information Assurance
IISP Institute of Information Security Professionals
IS Information System
ITPC Infosec Training Paths and Competencies
ITSO Information Technology Security Officer
SFIA Skills Framework for the Information Age
SIRO Senior Information Risk Owner
SyOPs Security Operating Procedures
Customer Feedback
CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to comment on the Role and Skill definition concept of operations outlined in this document. Please use this page to send your comments to:
Customer Support
CESG
A2b
Hubble Road
Cheltenham GL51 0EX
Fax: (01242) 709193 (for UNCLASSIFIED FAXES ONLY)
Email: enquiries@cesg.gsi.gov.uk
PLEASE PRINT
Your Name:
Department/Company Name and Address:
Phone number:
Email address:
Comments:
CESG
A3e
Hubble Road
Cheltenham
Gloucestershire
GL51 0EX
Tel: +44 (0)1242 709141
Fax: +44 (0)1242 709193
Email: enquiries@cesg.gsi.gov.uk