Guidance to CESG Certification for IA Professionals


  • 8/13/2019 Guidance to Cesg Certification for Ia Professionals


Issue No: 1.0
September 2012

Guidance to CESG Certification for IA Professionals


    Guidance to CESG Certification for IA Professionals

Issue No: 1.0, September 2012

    The copyright of this document is reserved and vested in the Crown.

This document may not be reproduced or copied without specific permission from CESG.

Document History

Version 1.0, September 2012: Comprises guidance chapters previously incorporated in CESG Certification for IA Professionals, with various changes as listed:

- Change of role title from Security Architect to IA Architect
- Clarification of the differences between Practitioner, Senior Practitioner and Lead Practitioner (see Chapter 3)
- Incorporation of Bloom's revised taxonomy of knowledge into the skill assessments (see Chapters 4 & 5)
- Revision to good evidence requirement and progression (paras 25 & 26) (see Chapter 5)
- Option for Certification Bodies to use IISP Skill Group J in lieu of SFIA responsibility levels (see Chapter 5)
- Addition of guidance for applicants (see Chapter 6)
- Addition of guidance for employers and clients (see Chapter 7)
- Addition of code of conduct (see Chapter 8)
- Also includes changes made to the Certification for Professionals document made at issues 1.1 and 1.2

The IA role definitions and IISP skills supplements will be found in CESG Certification for IA Professionals v2.0


    Page 3

Guidance to CESG Certification for IA Professionals

Purpose & Intended Readership

This document contains guidance on CESG's Certification for Information Assurance (IA) Professionals v2.0 (reference [a]). It is relevant to all IA Professionals who work in, or for, the public sector and to those who recruit, select, train or manage them. Parts of the framework may be relevant to IA Professionals working for the private sector. The framework contributes to Objective 4 of the UK Cyber Security Strategy (reference [b]), building the UK's cross cutting knowledge, skills and capability to underpin all cyber security objectives.

    Executive Summary

CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between public sector requirements for IA Professionals and the competencies of the staff or contractors undertaking common IA roles. The framework has been developed in consultation with government departments, academia, industry, the certification bodies, and members of the CESG Listed Advisor Scheme (CLAS, reference [c]). The framework includes a set of IA role definitions and a certification process.

The set of role definitions:

- Covers the IA roles most commonly used across the public sector
- Defines each of the IA roles at three levels
- Aligns each role level with responsibility levels defined by The Skills Framework for the Information Age (SFIA), (reference [d])¹
- Describes each role in terms of its purpose and the skills required at each responsibility level
- Uses the set of skills defined by the Institute of Information Security Professionals (IISP), (reference [e])
- Supplements the IISP² skill definitions to aid assessment against them
- Is detailed in CESG Certification for IA Professionals v2.0

The certification process:

- Has been defined in detail and is operated by three Certification Bodies (CBs) appointed by CESG:
  - APM Group, www.apmg-ia.com
  - BCS, the Chartered Institute for IT Professionals, www.bcs.org
  - IISP, RHUL & CREST consortium, www.instisp.org
- Assesses applicants against the requirements of the role definitions

¹ The Skills Framework for the Information Age is owned by the SFIA Foundation: www.SFIA.org.uk

² The IISP Skills Framework is copyright The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals, IISP, M.Inst.ISP and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute.


- Includes the issue of certificates endorsed by CESG stating the IA role and responsibility level at which the applicant has been assessed as being competent to perform

IA Professionals working in, or for, the public sector are encouraged to apply for certification to demonstrate their competence in their IA role.


Contents:

Chapter 1 - Introduction ........................................ 7
Chapter 2 - Concept of Operation ................................ 9
Chapter 3 - Role Definitions ................................... 11
Chapter 4 - Skill Definitions .................................. 15
Chapter 5 - Guidance for Certification Bodies .................. 23
Chapter 6 - Guidance for Applicants ............................ 27
Chapter 7 - Guidance for Employers and Clients of Certified IA Professionals ... 29
Chapter 8 - IA Practitioners Code of Conduct ................... 31
References ..................................................... 33
Glossary ....................................................... 34
Customer Feedback .............................................. 35


    Chapter 1 - Introduction

Key Principles

- Improving the level of professionalisation in IA is an objective of the UK Cyber Security Strategy
- Certification aims to improve matching between public sector requirements for IA expertise and the competence of those recruited or contracted to provide that expertise

1. The public sector is accountable to Parliament for protecting a vast array of sensitive data supporting many public services. The sophistication of the threats to that data, the complexity of the information systems and the high potential business impacts of data loss, leave the public sector increasingly dependent on Information Assurance (IA) specialists to manage information risks. The complexity of the skills and competencies required of these specialists continues to grow. Consequently, improved IA professionalisation is an objective of the UK Cyber Security Strategy (reference [b]).

2. Whilst there is substantial overlap between public sector IA requirements and those of other sectors, the former are determined by a distinct combination of threats, business impacts and public expectations. The public sector therefore needs to articulate the competencies required of the IA Professionals working within it, to formally recognise the IA skills of those who have them, and to encourage their continuous professional development. To meet this need, CESG has established a framework to certify the competence of IA Professionals to perform common public sector IA roles. The framework is consistent with ISO 17024, Conformity assessment - General requirements for bodies operating certification of persons (reference [f]) and aims to improve the matching between public sector requirements for IA expertise and the competence of those recruited or contracted to provide that expertise.

3. If you are an IA specialist working in or for the public sector, the certification process will give you the opportunity to have your competence to perform an IA role independently verified. The IA role definitions will also help you plan your professional development. Chapter 6 provides guidance for applicants for IA certification.

4. If you are involved in the recruitment, selection, management, development or promotion of IA Professionals, the role definitions will provide template specifications of common IA roles. With refinements to meet any local requirements, these can form the basis for job specifications, promotion criteria or practitioner development requirements. The certification process gives you the option of setting certification as a requirement for job applicants or as an objective for jobholders. Chapter 7 gives guidance for employers and clients of certified IA Professionals.

5. Certification Bodies (CBs) assess competence in a variety of ways depending on the skills needed for a role. The assessment process will typically include review of written evidence, knowledge testing, input from referees, an interview, recommendation from assessors, and a final decision by a ratifying panel. The more senior the role, the more extensive the assessment is expected to be. Guidance for CBs and their assessors is at Chapter 5.


    Chapter 2 - Concept of Operation

Key Principle

- IA Professionals apply to Certification Bodies appointed by CESG for certification against a role at a specific level

6. The components of the framework are illustrated in Figure 1. CESG owns the set of IA roles and supplemented skills defined in the companion document, CESG Certification for IA Professionals. These have been, and will continue to be, developed in consultation with advisory bodies drawn from government departments, industry, academia and CLAS.

Figure 1: Certification Framework (diagram not reproduced). Entities shown: Government Departments, Academia & Industry, CLAS community, IA Practitioners, Certification Bodies, Public Sector Organisations, Industry, and CESG's Role and Skill Definitions and IA Policy Portfolio. Labelled links: Defines, Develops, Access, Select Certification Bodies, Standards, Application, Certificate, Employed By, Become a Member of, Advice & feedback.


7. CESG has appointed three CBs who will assess IA Professionals against the requirements of the role definitions. IA Professionals can use their certificates as evidence to prospective employers, clients or promotion panels of their competence to perform the defined role at the level to which they have been certified. CBs will charge IA Professionals for their certification. It is expected that contact details of those certified will be published by the CBs with links to appropriate websites provided from the CESG website: www.cesg.gov.uk.

8. It is intended that the role and skill definitions will drive professional development of IA across the public sector. To assist the provision of training, CESG aspires to enable training providers to develop training courses based upon material in CESG's IA Policy Portfolio (reference [f]), but has not been able to resource development of this and the IA certification framework concurrently.

    9. The IA certification framework should:

a. Improve matching between public sector requirements for IA expertise and the competence of employed and contracted IA Professionals.

b. Encourage IA practitioners to develop all the skills needed in order to become fully effective.

c. Provide assurance that certified IA Professionals meet the requirements of the IA role definitions.

    d. Provide clearer definitions of the skills required for IA roles.

10. Further details on the implementation of the certification process will be published at www.cesg.gov.uk as they are developed.


c. Ensure that IA contributes to strategic business objectives.

16. Lead Practitioners especially require strong SFIA responsibility attributes in addition to IA skills to meet the role requirements. Just being an experienced and competent Senior Practitioner is not sufficient to become a Lead Practitioner.⁵ Additionally, without some experience at Senior Practitioner level it would be difficult to demonstrate IA competence at the Lead Practitioner level.

17. Each role definition includes the role purpose and a headline statement of the responsibilities normally expected at each level. Illustrative duties consistent with the headline statement are given plus an indicative set of information security skills.

18. The scope of the certification framework is the set of IA roles that are in common use across the public sector and of which CESG has some ownership. The current list is at Table 1 below. The roles are derived from three sources:

a. Roles commonly undertaken by CLAS members.

b. Roles recognised in the HMG Security Policy Framework (SPF), (reference [h]).

c. Other roles believed to be widely used across the public sector.

19. Some roles can be readily grouped together as different levels of a more generic role. For this reason the roles of IT Security Officer (ITSO, as mandated in the HMG SPF), Information System Security Manager and Information System Security Officer have been grouped together. Similarly, the Crypto Custodian is a subset of the Communications Security Officer (ComSO) role and consequently these two roles have been grouped together.

20. No hierarchy is intended among these roles. It is assumed that the ITSO and ComSO will typically report to the Department Security Officer (DSO). The DSO role is owned by Cabinet Office and currently outside the scope of the certification framework.

21. The Accreditor will typically report to the SIRO, sometimes through a management chain. The SIRO role is owned by Cabinet Office and is also outside the scope of the certification framework.

22. There is no prescribed career path through these roles. Much IA knowledge is common to multiple roles and it would be natural for many IA Professionals to perform multiple roles in the course of a career. For small organisations, an IA specialist may perform multiple roles in one post.

23. It is expected that further roles will be defined according to demand for certification against them.

⁵ Similarly, good project managers do not always make good programme managers and it is not essential for programme managers to have been project managers.


Table 1: List of Roles and their Purpose

Accreditor
    To act as an impartial assessor of the risks that an information system may be exposed to in the course of meeting the business requirement and to formally accredit that system on behalf of the Board of Directors.

IA Auditor
    To assess compliance with security objectives, policies, standards and processes.

Communications Security Officer / Crypto Custodian and deputy/alternate custodian
    To manage cryptographic systems as detailed in HMG IA Standard No 4 (reference [i]) and in relevant product specific security procedures.

IT Security Officer / Information Security System Manager / Information Security System Officer
    To provide governance, management and control of IT security.

Security & Information Risk Advisor
    To provide business driven advice on the management of security and information risk consistent with HMG IA policy, standards and guidance.

IA Architect
    To drive beneficial security change into the business through the development or review of architectures so that they:
    - fit business requirements for security
    - mitigate the risks and conform to the relevant security policies
    - balance information risk against cost of countermeasures


    Chapter 4 - Skill Definitions

Key Principles

- The IISP has defined a set of Information Security skills and skill levels
- These skill definitions have been supplemented to enable assessment against the skill levels
- The IA roles may be defined in terms of other suitable skill sets if they become available

24. CESG Certification for IA Professionals supplements the Institute of Information Security Professionals (IISP) skill definitions in line with the IISP skill level definitions shown in the table below. The skill definitions are supplemented in two respects to aid assessment against each of the four IISP defined skill levels. These supplements have been developed in consultation with the advisory bodies drawn from government departments, academia, industry and CLAS.

a. Each IISP skill group is supplemented with a statement of the knowledge most relevant to the skill.

b. Each IISP skill is supplemented with a headline statement of what is expected at each skill level followed by examples of behaviour that is consistent with the headline statement.

25. The IA certification framework assumes a mapping between the knowledge requirements in the IISP skill level definitions and Bloom's revised taxonomy of knowledge (reference [i]). This mapping is shown in Table 2. The taxonomy is described further in Chapter 5.

26. For each skill, a headline statement is provided at each of the four skill levels. These are summarised at Table 3. The headline statements are intended to be consistent with the skill level definitions and the IISP principles and examples given for each skill in the IISP Full Member Application Guidance Notes.

27. Examples of the kinds of behaviour, knowledge, competence, experience, versatility, autonomy or influence that are consistent with the headline statement are given in the Annex on skill definitions. These examples do not form an exhaustive list; other examples may also meet the headline statement. Essential requirements to meet the headline statement are denoted with the term "shall".


28. The skill definitions are intended to be cumulative; i.e. to meet the requirements at levels 2, 3 or 4 entails meeting the requirements for lower levels. But, note that role definitions are not cumulative; see Chapter 5.

Table 2: IISP Skills Summary Definitions for Levels

(Columns: IISP Skill Level; Applicable Knowledge Level from Bloom's Revised Taxonomy (reference [j]))

Level 1: (Awareness)
    Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.
    Bloom's level: Remembering/Understanding

Level 2: (Basic Application)
    Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skills should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.
    Bloom's level: Applying

Level 3: (Skilful Application)
    Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.
    Bloom's level: Evaluating/Analysing

Level 4: (Expert)
    An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedence. Proposes, conducts, and/or leads innovative work to enhance the skill.
    Bloom's level: Creating


Table 3: Headline Skill Statements

A1 Governance
    Level 1: Understands local arrangements for Information Governance (IG)
    Level 2: Applies IG standards or processes to local area and to clients beyond it
    Level 3: Develops IG standards or processes; applies IG principles across the organisation
    Level 4: Leads development of IG at the organisation level or has influence at national or international standards level

A2 Policy & Standards
    Level 1: Understands the need for policy and standards to achieve Information Security (IS)
    Level 2: With supervision and aligned with business objectives, authors or provides advice on IS policy or standards
    Level 3: Without supervision, advances business objectives through development or interpretation of a range of IS policies or standards
    Level 4: A recognised expert in IS policy and standard development

A3 Information Security Strategy
    Level 1: Understands the purpose of IS strategy to realise business benefits
    Level 2: Contributes to development or implementation of IS strategy under supervision
    Level 3: Influences investment decisions or risk appetites through contribution to development or implementation of IS strategy
    Level 4: A recognised expert in IS strategy development or implementation

A4 Innovation & Business Improvement
    Level 1: Is aware of the business benefits of good IS
    Level 2: Applies IS to achieve business objectives with some supervision
    Level 3: Supports realisation of strategic business benefits through innovative application of IS
    Level 4: Develops and promotes new concepts for business improvement through IS which are widely adopted across the public sector or an industry sector

A5 IS Awareness and Training
    Level 1: Understands the role of security awareness and training in maintaining information security
    Level 2: Materially contributes to improving security awareness with some supervision
    Level 3: Delivers, or manages the delivery of training on multiple aspects of IS
    Level 4: A recognised authority on the development of IS Awareness & Training


A6 Legal & Regulatory Environment
    Level 1: Is aware of major pieces of legislation relevant to IS and of regulatory bodies relevant to the sector in which they work
    Level 2: Understands applicable legislation and regulations relating to IS in the context of own or client organisations
    Level 3: Influences business practices affecting IS through the application of legislation and regulations
    Level 4: Is an authority on an area of legislation or regulation relevant to IS

A7 Third Party Management
    Level 1: Is aware of the need for organisations to manage the information security of third parties
    Level 2: With supervision, contributes to developing or maintaining compliance by third parties to contracting authority's IS policies and standards
    Level 3: Enhances organisational IS through broad influence on third party management
    Level 4: Advances best practice in third party management with respect to IS

B1 Risk Assessment
    Level 1: Demonstrates awareness of the causes of information risk and their implications
    Level 2: Understands how to produce risk assessments
    Level 3: Produces complex risk assessments that influence senior risk owners, managers or other stakeholders
    Level 4: Influences development of risk assessment methodologies across and beyond an organisation

B2 Risk Management
    Level 1: Demonstrates awareness of techniques to manage information risk
    Level 2: Contributes to management of risks to information systems with supervision
    Level 3: Advises management on information risk across a business unit or organisation
    Level 4: Advances the practice of information risk management across the public sector or an industry sector or internationally

C1 Security Architecture
    Level 1: Is aware of the concept of architecture to reduce information risk
    Level 2: Applies architectural principles to security design with some supervision
    Level 3: Applies architectural principles to complex systems or to bring structure to disparate systems
    Level 4: Extends the influence of security architecture principles across the public sector or an industry sector


C2 Secure Development
    Level 1: Is aware of the benefits of addressing security during system development
    Level 2: Contributes to the development of secure systems with some supervision
    Level 3: Applies & improves secure development practices used across multiple projects, systems or products
    Level 4: Is an authority on the development of secure systems

D1 IA Methodologies
    Level 1: Is aware of the existence of methodologies, processes and standards for providing Information Assurance
    Level 2: Applies an IA methodology or standard with some supervision
    Level 3: Verifies risk mitigation using IA methodologies
    Level 4: Enhances the capability of IA methodologies to realise business benefits across the public sector or an industry sector

D2 Security Testing
    Level 1: Is aware of the role of testing to support IA
    Level 2: Effectively applies testing methodologies, tools or techniques with some supervision
    Level 3: Provides assurance on the security of a product or process through effective testing
    Level 4: Advances assurance standards across a product range, technology, or industry sector through rigorous security testing

E1 Secure Operations Management
    Level 1: Is aware of the need for secure management of information systems
    Level 2: Monitors the application of SyOPs with some supervision
    Level 3: Manages the development of SyOPs for use across multiple information systems or manages compliance with them
    Level 4: An authority on Security Operations Management, working across the public sector or an industry sector


E2 Secure Ops & Service Delivery
    Level 1: Is aware of the need for information systems and services to be operated securely
    Level 2: Effectively applies SyOPs with some supervision
    Level 3: Develops SyOPs for use across multiple information systems or maintains compliance with them
    Level 4: Influences SyOPs used across the public sector or an industry sector

E3 Vulnerability Assessment
    Level 1: Is aware of the need for vulnerability assessments to maintain Information Security
    Level 2: Obtains and acts on vulnerability information in accordance with Security Operations Procedures
    Level 3: Ensures that information risk managers respond appropriately to relevant vulnerability information
    Level 4: Is an authority on the use or impact of vulnerability assessments across the public sector or an industry sector

F1 Incident Management
    Level 1: Is aware of the benefits of managing security incidents
    Level 2: Contributes to security incident management
    Level 3: Manages security incidents
    Level 4: Is an authority on security incident management across the public sector or an industry sector

F2 Investigation
    Level 1: Is aware of the basic principles of investigations
    Level 2: Contributes to investigations into security incidents
    Level 3: Leads investigations into security incidents or manages a team of investigators or provides skilled support
    Level 4: Is an authority on security investigations

F3 Forensics
    Level 1: Is aware of the capability of forensics to support investigations
    Level 2: Contributes to forensic activities, with some supervision
    Level 3: Manages forensic capability or provides skilled support
    Level 4: Is an authority on forensics

G1 Audit, Assurance and Review
    Level 1: Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory)
    Level 2: Audits compliance with security criteria in accordance with an appropriate methodology
    Level 3: Influences senior information risk owners or business managers through information risk driven auditing
    Level 4: Advances the influence of security auditing across the public sector or across an industry sector


H1&2 Business Continuity Management
    Level 1: Understands how Business Continuity Planning & Management contributes to information security
    Level 2: Contributes to the definition or implementation of business continuity processes to maintain information security
    Level 3: Leads definition or implementation of business continuity processes to maintain information security across a business unit or organisation
    Level 4: Is an authority on the information security aspects of Business Continuity


    Chapter 5 - Guidance for Certification Bodies

Key Principles

- Certification Bodies have some discretion in how role definitions are interpreted
- Assessments against the role definitions must be based on good evidence

29. For certification against a particular role and level, CBs must assess whether a future employer or client of the applicant could have reasonable confidence that the applicant could repeat the level of competence claimed in similar circumstances. CBs should consider the position of a recruitment consultant who needs to decide whether to recommend an IA specialist to a client knowing that they are only likely to gain further business if the client is satisfied. Certification should give the recruitment consultant justifiable confidence to recommend the certified IA specialist to a range of clients.

30. The crux of any assessment should be whether the applicant has good evidence of meeting the relevant headline statement in the role definition. The evidence of meeting the SFIA responsibility attributes and IISP skill levels should be seen as a strong guide to help assess how well the role headline statement has been met rather than as prescriptive criteria in their own right. For this reason, CBs have some discretion in how much evidence is required.

31. As a guide, successful applicants should provide good evidence of meeting:

a. The standard in the role definition headline statement for the applicable responsibility level.

b. The entire core IISP skill levels defined in the role definition (these are in bold in the skill tables) except as defined under the Security & Information Risk Advisor role definition.

c. All mandatory requirements within core skill definitions (these are denoted by the term "shall").

d. Three-quarters of all skills required at level 1 or above.

e. All of the SFIA attributes of responsibility (autonomy, influence, complexity and business skills). Good evidence of only 3 of the 4 attributes can be accepted if the candidate had limited opportunity to demonstrate the fourth attribute or the assessor had limited time to probe claims made and there was no evidence that the applicant was actually weak in this attribute. However, see para 34 for an alternative to SFIA.


    f. The required Bloom's (reference [i]) knowledge level for some of the knowledge listed in the knowledge statement applicable to each core IISP skill. This may be based on evidence from the applicant's work experience or through examination. Guidance on the meaning of Bloom's knowledge levels is given in Table 4.

    Table 4: Bloom's Knowledge Levels

    Bloom's Revised Level | Name | Ability | Typical Exam Question Style
    1 | Remembering | Recall or remember information, but not necessarily able to use or explain it | Define, duplicate, list, memorize, recall, repeat, reproduce, state
    2 | Understanding | Explain ideas or concepts | Classify, describe, discuss, explain, identify, locate, recognize, report, select, translate, paraphrase
    3 | Applying | Use the information in a new way | Choose, demonstrate, employ, illustrate, interpret, operate, schedule, sketch, solve, use, write
    4 | Analysing | Distinguish between different parts | Appraise, compare, contrast, criticize, differentiate, discriminate, distinguish, examine, question, test
    5 | Evaluating | Justify a decision | Appraise, argue, defend, judge, select, support, value, evaluate
    6 | Creating | Provide a new point of view | Assemble, construct, create, design, develop, formulate, write


    32. Good evidence of meeting the role headline statement requires at least two examples of how the applicant applied their IA expertise to address a business requirement and what the outcome was. One piece of work may be used as evidence to support multiple skills or SFIA attributes, but a variety of work examples provides stronger evidence of deployability to a range of clients.

    33. Good evidence will also withstand scrutiny, eg:

    a. Was the evidence claimed supported by a referee, and was the validity of the reference checked?

    b. Was the candidate credible when probed at interview?

    c. Was knowledge tested in accordance with the IISP skill level and the associated knowledge level from Bloom's revised taxonomy?

    d. Were the example pieces of work sufficiently substantial to demonstrate the SFIA attributes at the claimed responsibility level?

    e. Was the client contacted to confirm the applicant's claims?

    f. Are the examples claimed consistent with the career history described in the application?

    g. Are the skills or knowledge claimed supported by relevant qualifications, training and experience?

    34. Certification Bodies have the option of assessing applicants against the IISP skill group J instead of using the SFIA responsibility levels. The recommended translation between these two frameworks is given below.

    Table 5: Translation between SFIA and IISP Frameworks

    SFIA Responsibility Level | Average Skill Level for IISP Skill Group J
    1 | Not applicable
    2 | 1.5
    3 | 2.0
    4 | 2.5
    5 | 3.0
    6 | 3.25
    7 | Not applicable

    Except where stated otherwise, role definitions are not cumulative as one progresses from practitioner to lead practitioner; i.e. it is possible to certify an individual as a senior or lead practitioner without good evidence of the individual being able to fill the role at lower level(s). The rationale behind this is that it ought to be feasible to manage a team without having previously been a member of the team. Notwithstanding, CBs would need evidence that the applicant has acquired sufficient, additional and pertinent competencies for the required role, especially if technical rather than managerial in nature. However, skill definitions are cumulative; see Chapter 4.

    35. To support migration to the IA certification framework, at their discretion, until 1 October 2013, CBs may accept Infosec Training Paths and Competencies (ITPC) (reference [k]) with a registered record of Continuous Professional Development as sufficient evidence for meeting the requirements of Security & Information Risk Advisor at Practitioner level.

    Performance Monitoring

    36. CBs are required to take reasonable opportunities to monitor the performance of those that they have certified in order to maintain the credibility of the certification process and their certificates.

    Re-certification

    37. CBs are required to state how long their certificates are valid for and what the process should be for re-certification. It is expected that some form of evidence of Continuing Professional Development will be sufficient to avoid repeating the complete certification process.


    Chapter 6: Guidance for Applicants

    Key Principles

    Applicants are assessed on whether the evidence presented demonstrates competence to perform the role at the level applied for

    Good evidence explains how the applicant applied their IA expertise to help achieve a business objective

    38. CBs are tasked with assessing applicants against the role definitions based upon the evidence presented. They do not attempt to assess how effective you are in your current work. CBs frequently either fail applications or return them for further work because applicants have not presented adequate evidence. To avoid this, please note the points below.

    39. Applicants should ensure that the evidence presented supports the role(s) and level(s) applied for. Study the role and skill definitions carefully and target your evidence accordingly. The crux is demonstrating work that meets the headline statement in the role definition at the responsibility level for which you are applying.

    40. Good evidence typically outlines a business objective, how you personally applied IA expertise to help achieve it and the impact your contribution made. Lists of personal qualities, jobs held or qualifications gained are not, on their own, good evidence, as they do not explain what you, as an IA practitioner, have actually achieved or how you personally added value. They may add useful context to actual evidence.

    41. At Practitioner level, CBs will wish to see evidence of what you have actually done in the role and how you applied IA skills and the SFIA responsibility attributes to fill the role.

    42. At Senior Practitioner level, CBs will look for evidence of the ability to analyse business objectives and the associated IA issues, then apply IA expertise to enable some form of business benefit to be achieved.

    43. At Lead Practitioner level, the CBs will look for evidence of applying IA expertise at the organisational level to support strategic business objectives; e.g. reduced costs or risks, improved business agility or some form of competitive advantage. Lots of experience at Senior Practitioner level is not sufficient to reach Lead Practitioner level.

    44. The level to which evidence may be scrutinised is described in Chapter 5 in the guidance for CBs.


    45. CBs offer different approaches to assessment. In choosing a CB, an applicant should consider the assessment process, the costs and effort associated with achieving and maintaining certification, support for continued professional development, and any benefits that a CB may offer.

    46. CBs have some discretion in how much evidence they require. Details are in Chapter 5.


    Chapter 7: Guidance for Employers and Clients of Certified IA Professionals

    47. The CESG Certification Standard can support organisations in selecting IA Professionals for assignments, and it can also be used to guide the professional development of internal staff. Employers or clients who seek to select IA Professionals for employment or contracts are advised to note the following:

    a. IA certification does not eliminate the need for care when selecting IA Professionals. IA Professionals of the same role and responsibility level are not all the same. You will still need to consider how relevant their experience, culture, skills and knowledge are to your needs. The bigger the difference, the longer it will typically take for them to be fully effective in your environment.

    b. Consider what profile of roles and responsibility levels you need. If you need a team, consider the mix of roles and responsibility levels that would best suit your requirements. For instance, one Senior Practitioner may be able to supervise a handful of Practitioners, ensuring that the Senior Practitioner's experience is only applied where it is most needed. In this example the Senior Practitioner will also need team leadership skills in addition to their IA specialist skills.

    c. IA is a broad and rapidly evolving field. Even within specific roles, nobody has knowledge and experience across the full scope of the role. Be careful not to assume knowledge or experience that your employee or contractor does not have.

    d. The certification framework aims to identify IA Professionals who have demonstrated the role requirements and are sufficiently versatile to apply them in a range of organisations. It still takes time to become effective in a new organisation, and more time to become effective in a new sector.

    e. If you are engaging an IA specialist to help to upskill your existing staff, then you should consider this skill and capability separately, as this is not part of the CESG Certification for IA Professionals, although some CBs may identify this capability as part of their assessment.

    f. The CBs assess the IA Professionals against a common standard, but in slightly different ways. You might like to familiarise yourself with the different approaches to ensure that those attributes of the certification process most important to you are employed.


    Chapter 8: IA Practitioners' Code of Conduct

    48. CESG expects all practitioners undertaking work on the basis of its IA certification framework to comply with the following code of conduct in order to uphold the reputation and good standing of the framework.

    Table 6: IA Practitioners' Code of Conduct

    Impartiality
      Expected behaviour: Act in the best interests of the client organisation at all times
      Inappropriate behaviour:
      - Proposing or undertaking unnecessary or excessive work
      - Suppressing findings that the client representative does not wish to hear
      - Recommending inappropriate products or services
      - Not declaring potential conflicts of interest

    Objective
      Expected behaviour: Base advice on material knowledge, facts, professional experience and evidence
      Inappropriate behaviour:
      - Being influenced by personal relationships or short term objectives
      - Ignoring material facts

    Confidentiality & Integrity
      Expected behaviour: Protect information received in the course of work for a client organisation
      Inappropriate behaviour:
      - Disclosing vulnerabilities in client information systems to third parties
      - Sharing client information with third parties without permission

    Compliance
      Expected behaviour: Provide advice and ensure that conduct is consistent with applicable laws, regulations and the HMG Security Policy Framework (reference [h])
      Inappropriate behaviour:
      - Recommending actions that knowingly contravene applicable laws, regulations or policies
      - Recommending actions which conflict with CESG guidance without drawing the client's attention to the conflict
      - Undertaking security testing without client permission

    Competence
      Expected behaviour: Meet Certification Body requirements for Continuing Professional Development
      Inappropriate behaviour:
      - Undertaking work which you know you are not competent to undertake
      - Presenting yourself as having a higher level of competence than is actually the case

    Proportionate
      Expected behaviour: Ensure advice is proportionate with business objectives and the level of information risk
      Inappropriate behaviour:
      - Recommending work that is disproportionately large to business requirements
      - Recommending solutions that are grossly inadequate to meet the intended business requirements

    Reputation
      Expected behaviour: Preserve the reputation of the IA certification framework
      Inappropriate behaviour:
      - Conduct that may bring the IA certification framework into disrepute
      - Using the IA certification brand outside its intended scope


    References

    [a] CESG Certification for IA Professionals - www.cesg.gov.uk/awarenesstraining/PET /pages/IA-certification.aspx

    [b] The UK Cyber Security Strategy: Protecting and promoting the UK in a digital world - www.cabinetoffice.gov.uk/resource-library/cyber-security-strategy

    [c] CLAS - www.cesg.gov.uk

    [d] SFIA - www.sfia.org.uk

    [e] IISP - www.instisp.org.uk

    [f] ISO 17024 - www.iso.org/iso/catalogue_detail?csnumber=29346

    [g] CESG IA Policy Portfolio - http://cesgiap.gsi.gov.uk

    [h] HMG Security Policy Framework - http://www.cabinetoffice.gov.uk/media/207318/hmg_security_policy.pdf

    [i] HMG IA Standard No. 4, Management of Cryptographic Systems, Issue 5.1, April 2012. (UNCLASSIFIED)

    [j] Anderson, L.W. & Krathwohl, D. R. (Eds) (2001). A Taxonomy for Learning, Teaching and Assessing: A Revision of Bloom's Taxonomy of Educational Objectives. New York: Addison Wesley Longman. April 2001

    [k] Infosec Training Paths Competency scheme - www.instip.org/SSLPage.aspx?pid=363


    Glossary

    CB Certification Body

    CLAS CESG Listed Advisor Scheme

    DSO Departmental Security Officer

    IA Information Assurance

    IISP Institute of Information Security Professionals

    IS Information System

    ITPC Infosec Training Paths and Competencies

    ITSO Information Technology Security Officer

    SFIA Skills Framework for the Information Age

    SIRO Senior Information Risk Owner

    SyOPs Security Operating Procedures


    Customer Feedback

    CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to comment on the Role and Skill definition concept of operations outlined in this document. Please use this page to send your comments to:

    Customer Support
    CESG
    A2b Hubble Road
    Cheltenham GL51 0EX

    Fax: (01242) 709193 (for UNCLASSIFIED FAXES ONLY)
    Email: [email protected]

    PLEASE PRINT

    Your Name:

    Department/Company Name and Address:

    Phone number:

    Email address:

    Comments:


    IA CESG
    A3e Hubble Road
    Cheltenham
    Gloucestershire
    GL51 0EX

    Tel: +44 (0)1242 709141
    Fax: +44 (0)1242 709193
    Email: [email protected]