IISP INFORMATION SECURITY SKILLS FRAMEWORK


This skills framework describes the range of competencies expected of Information Security and Information Assurance Professionals in the effective performance of their roles. It was developed by collaboration between both private and public sector organisations and world-renowned academics and security leaders. It defines the skills and capability expected of security professionals in practical application and not just an assessment of their knowledge. Not all roles require detailed experience in all competency areas, and for more information about how the framework can be applied, please contact the Institute.

The framework is copyright of the Institute of Information Security Professionals and may be used in whole or in part only by our membership, those aspiring to be members or those others expressly licensed to use the material.

This is a maintained document and will continue to be updated based on the experience of our members and licensed users.

V6.3 July, 2010

About the Institute of Information Security Professionals (IISP)

The Institute of Information Security Professionals was set up in 2006 in the UK as an independent member-owned organisation to further the development of knowledge, skills and professionalism in Information Security and Assurance. For employers and professionals we offer the professional accreditations of Associate and full member (M.Inst.ISP) of the Institute. We also provide services for competency measurement, job role definition and benchmarking, and capability development to support our corporate members in their professional skills programmes.

We continue to develop in our role as the voice of the Information Security Profession.

The Institute can be contacted at:
Institute of Information Security Professionals
Unit 28, Basepoint Business Park, Evesham, Worcs, WR11 1GP
44 (0) 2033 840 399
www.iisp.org
email: info@iisp.org

The IISP Skills Framework – Scoring levels for Skills A-I

Definitions for Levels

The following definitions should be used when assessing your score for competencies in the disciplines A – I.

Level 1: (Awareness)
Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.

Level 2: (Basic Application)
Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.

Level 3: (Skilful Application)
Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.

Level 4: (Expert)
An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedence. Proposes, conducts, and/or leads innovative work to enhance the skill.

IISP Skills Framework V6.3. Copyright The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals, IISP, M.Inst.ISP and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute. Page 1 of 22

The IISP Skills Framework – Scoring levels for Skill J

The following definitions should be used when assessing your score for competencies in discipline J. Examples of experience within these disciplines are shown in Appendix B, and should be consulted before completion.

Columns: Skill | Level 1 | Level 2 | Level 3 | Level 4

Teamwork and Leadership
- Level 1: Works cooperatively and professionally with others. Task-based team working.
- Level 2: Is encouraging and supportive and provides a lead within the local area.
- Level 3: Encourages and challenges others. Provides a lead across an organisation.
- Level 4: Inspires and involves others from inside and outside the organisation, creating an environment in which others may develop leadership qualities.

Delivering
- Level 1: Takes responsibility for completing own tasks.
- Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this.
- Level 3: Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals.
- Level 4: Responsible for achievement of overall business goals in own professional or functional area.

Managing Customer Relationships
- Level 1: Understands and aims to meet customer requirements.
- Level 2: Negotiates with customers to improve the service to them and to manage their …
- Level 3: Works with customers to ensure that their needs drive business plans.
- Level 4: Uses customer priorities to drive organisations' plans, resolving the conflicting demands of … local …

Corporate Behaviour
- Level 1: Understands the aims of … objectives and organisation's aims. Is cost-effective in own work.
- Level 2: Takes action to achieve … own and related areas across an organisation.
- Level 3: … greater corporate efficiency, in line with its strategic aims.
- Level 4: Develops strategy and ensures the long-term cost-effectiveness of an organisation by understanding the influences upon it.

Change and Innovation
- Level 1: Is positive about change, and suggests improvements possible in own area.
- Level 2: Generates creative ideas, and demonstrates sensitivity in implementing local change.
- Level 3: Contributes to change strategies and generates new ideas or approaches, going beyond the local area.
- Level 4: Is innovative and radical. Champions considered, co-ordinated change through policy and planning.

Analysis and Decision Making
- Level 1: Is methodical when making decisions and solves problems which impact on own work.
- Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area.
- Level 3: Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area.
- Level 4: Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent.

Communications and Knowledge Sharing
- Level 1: Communicates clearly and shares knowledge with colleagues.
- Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work area.
- Level 3: Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across an organisation.
- Level 4: Is influential and diplomatic in negotiations with other organisations and formulates knowledge-sharing practice.

The Institute of Information Security Professionals Skills Framework – Skills Definitions A - I

Columns in the tables that follow: Skills Group | Example Skills | Claimed Skills | Group Competency

SECTION A Security Discipline - Information Security Management

Principle: Capable of determining, establishing and maintaining appropriate governance of (including processes, roles, awareness strategies, legal environment and responsibilities), delivery of (including policies, standards and guidelines), and cost-effective solutions (including impact of third parties) for information security within a given organisation.

A1 – Governance
- Establishing frameworks to develop and maintain appropriate information security expertise within an organisation.
- Gaining management commitment and resources to support the governance structure.
- Incorporating physical, personnel and procedural issues into the overall security governance process.
- Relating an organisation's business needs to their requirements for information security.
- Encouraging an information risk awareness culture within an organisation. For example, raising awareness of how the various forms of social engineering can be used to compromise information.
- Establishing frameworks for maintaining the security of information throughout its lifecycle.

A2 – Policy & Standards
- Developing and maintaining organisational security policies, standards and processes using recognised standards (such as the ISO 27000 family) where appropriate.
- Developing and maintaining standards for appropriate personnel screening.
- Developing and maintaining standards for appropriate physical storage of information.
- Providing advice on the interpretation of policy.
- Undertaking a gap analysis against relevant external policies, standards and guidelines, and initiating remedial action where appropriate.

A3 – Information Security Strategy
- Balancing of cost against security risk for the business.
- Interpreting external requirements and standards in terms relevant to an organisation.
- Balancing technical, physical, personnel and procedural controls to address information risks in the most effective way.

A4 – Innovation & Business Improvement
- Recognises potential strategic application of information security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security.
- Exploits opportunities for introducing more effective secure business and operational processes.

A5 – Information Security Awareness and Training
- Identifying security awareness and training needs in line with security strategy, business needs and strategic direction.
- Gaining management commitment and resources to support awareness and training in information security.
- Identifying the education and delivery mechanisms needed to grow staff in information security awareness and competence.
- Managing the development or delivery of information security awareness and training programmes.

A6 – Legal & Regulatory Environment
- Familiar with legal and regulatory requirements that could affect organisation security policies, and where to turn for specific detail as needed.
- Relating the legal and regulatory environment within which the business operates to the risk management and security strategy tasks.
- Ensuring security policies comply with all personal data protection laws and regulations relevant to the business.
- Ensuring security policies support compliance with corporate governance practices.
- Identifying where security can provide business advantage by addressing specific legal or regulatory needs.

A7 – Third Party Management
- Identifying and advising on the technical, physical, personnel and procedural risks associated with third party relationships.
- Assessing the level of confidence that third party security capabilities/services operate as defined.

SECTION B Security Discipline - Information Risk Management

Principle: Capable of articulating the different forms of threat to, and vulnerabilities of, information systems and assets. Comprehending and managing the risks relating to information systems and assets.

B1 – Risk Assessment
- Identification of assets that require protection.
- Identification of relevant threats to the assets.
- Identification of exploitable vulnerabilities.
- Assessing the level of threat posed by potential threat agents.
- Producing an information security risk assessment.
- Determining the business impact of a risk being realised.

B2 – Risk Management
- Developing information risk management strategies to reduce the risk.
- Including information risk management strategies in business risk processes.
- Gaining management commitment to the support of the information risk elements of business risk management.
- Adapting the risk management strategy to address changes in the threat environment and in business risk.
- Selecting the most appropriate tools and techniques for auditing effectiveness of mitigation measures in place.

SECTION C Security Discipline - Implementing Secure Systems

Principle: Comprehends the common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. Capable of articulating security architectures relating to business needs and commercial product development that can be realised using available tools, products, standards and protocols, delivering systems assured to have met their security profile using accepted methods.

C1 – Security Architecture
- Interpreting relevant security policies and risk profiles into secure architectural solutions that mitigate the risks and conform to legislation.
- Presenting security architecture solutions as a view within broader IT architectures.
- Relating security architectures to business needs and risks.
- Working with recognised security architecture.
- Devising standard solutions that address requirements delivering specific security functionality, whether for a business solution or for a product.
- Minimising the risk to an asset or product through "standard" security architecture practices.
- Delivering the security architecture that supports the risk management strategy using current security technologies and techniques.
- Maintaining awareness of the security advantages and vulnerabilities of common products and technologies.
- Minimising the risk to an asset or product through the use of "standard" security technologies and products.
- Designing and developing processes for maintaining the security of an asset or product through its full life cycle.
- Designing robust and fault-tolerant security mechanisms and components appropriate to the perceived risks.
- Selecting the appropriate security products, components and technologies to meet a security requirement.
- Selecting the most appropriate information interchange protocols that meet the security requirements.

C2 – Secure Development
- Implementing secure systems, products and components using an appropriate methodology.
- Defining and implementing secure development standards and practices including, where relevant, formal methods.
- Selecting and implementing appropriate test strategies to demonstrate security requirements are met.
- Defining and implementing appropriate processes for transfer of a product/system to operation/sale/live use.
- Defining and implementing appropriate secure change and fault management processes.
- Minimising the risk to an asset or product through the "standard" design and development processes.
- Verifying that a developed component, product or system meets its security criteria (requirements and/or policy, standards & procedures).
- Analysing problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and instigating corrective action where necessary.
- Specifying and/or implementing processes that maintain the required level of security of a component, product, or system through its lifecycle.
- Managing a system or component through a formal security assessment.

SECTION D Security Discipline - Information Assurance Methodologies and Testing

Principle: Develops and applies standards and strategies for verifying that measures taken mitigate identified risks.

D1 – Information Assurance Methodologies
- Developing methodologies for assessing the correct implementation of mitigation measures.
- Assessing the level of assurance provided by a security mechanism, system or product in accordance with one or more recognised methodologies and standards.
- Assessing whether a process is "fit for purpose" and meets the security requirements.

D2 – Security Testing
- Testing processes for vulnerabilities, highlighting those that are not addressed by security policies, standards and procedures and advising on corrective measures.
- Applying recognised testing methodologies, tools and techniques, developing new ones where appropriate.
- Assessing the robustness of a system, product or technology against attack.
- Applying commonly accepted governance practices and standards when testing in an operational environment.

SECTION E Security Discipline - Operational Security Management

Principle: Capable of managing all aspects of a security programme, including reacting to new threats and vulnerabilities, secure operational and service delivery consistent with security policies, standards and procedures, and handling security incidents of all types according to common principles and practices, consistent with legal constraints and obligations.

E1 – Secure Operations Management
- Establishing processes for maintaining the security of information throughout its existence.
- Establishing and maintaining Security Operating Procedures in accordance with security policies, standards and procedures.
- Coordinating penetration testing on information processes against relevant policies.
- Assessing and responding to new technical, physical, personnel or procedural vulnerabilities.
- Managing implementation of information security programmes, and co-ordinating security activities across the organisation.

E2 – Secure Operations & Service Delivery
- Securely configuring information and communications equipment in accordance with relevant security policies, standards and guidelines.
- Maintaining security records and documentation in accordance with Security Operating Procedures.
- Administering logical and physical user access rights.
- Monitoring processes for violations of relevant security policies (e.g. acceptable use, security, etc.).

E3 – Vulnerability Assessment
- Analysing internal problem reports for signs of anomalous security issues.
- Monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes.
- Engaging with the Change Management process to ensure that vulnerabilities are mediated.
- Ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
- Producing warning material in a manner that is both timely and intelligible to the target audience(s).

SECTION F Security Discipline - Incident Management

Principle: Capable of managing or investigating an information security incident at all levels.

F1 – Incident Management
- Engaging with the overall organisation Incident Management process to ensure that security incidents are handled appropriately.
- Defining and implementing processes and procedures for detecting breaches of security policy.
- Defining and implementing processes for carrying out investigations into breaches of security policy.
- Establishing and maintaining a Computer Security Emergency Response Team or similar to deal with breaches of security policy.
- Co-ordinating the response to a breach of security policy.
- Providing a full security response where third parties, managed service providers, etc. are involved.

F2 – Investigation
- Working within the legal constraints imposed by the jurisdictions in which an organisation operates.
- Carrying out an investigation into a breach of information security using all relevant sources of information including access logs, system logs, camera footage, etc.
- Assessing the need for Forensic activity, and coordinating the activities of specialist Forensic personnel within the overall response activities.
- Engaging with the organisational Problem Management processes to ensure that Forensic services are deployed appropriately.
- Providing a full security investigation capability where third parties, managed service providers, etc. are involved.

F3 – Forensics
- Seizing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business and maintain evidential weight.
- Deploying specialist equipment to monitor for attempted system compromise.
- Analysing system information (e.g. system logs, network traffic, hard disks, virtual memory, etc.) for evidence of breaches of security policy or law.
- Analysing software for malicious intent (malware).

SECTION G Security Discipline - Audit, Assurance & Review

Principle: Capable of defining and implementing the processes and techniques used in verifying compliance against security policies, standards, legal and regulatory requirements.

G1 – Audit & Review
- Verifying that information processes meet the security criteria (requirements or policy, standards and procedures).
- Defining and implementing processes to verify on-going conformance to security requirements.
- Carrying out security compliance audits in accordance with an appropriate methodology.

SECTION H Security Discipline - Business Continuity Management

Principle: Capable of defining the need for, and of implementing processes for establishing, business continuity.

H1 – Business Continuity Planning
- Establishing the need for a Business Continuity Management (BCM) Process or Function.
- Determining the events and external surroundings that can adversely affect an organisation.
- Providing cost-benefit analysis to justify investment in controls to mitigate risks.
- Determining and guiding the selection of possible business operating strategies for minimising disruption.
- Designing, developing, and implementing Business Continuity and Crisis Management Plans.
- Preparing a programme to create and maintain corporate awareness and enhance the skills required to develop and implement the Business Continuity Management Programme.
- Developing processes that maintain the currency of continuity capabilities and plan documents in accordance with the organisation's strategic direction.
- Developing, co-ordinating, and evaluating plans to communicate with internal stakeholders, external stakeholders and the media.

H2 – Business Continuity Management
- Developing and implementing procedures for responding to and stabilising the situation following an incident or event.
- Establishing and managing an Emergency Operations Centre to be used as a command centre during the emergency.
- Mounting, pre-planning and co-ordinating plan exercises, and evaluating and documenting plan exercise results.
- Verifying that the plan will prove effective by comparison with a suitable standard, and reporting results in a clear and concise manner.
- Establishing applicable procedures and policies for co-ordinating continuity and restoration activities with external agencies while ensuring compliance with applicable statutes or regulations.
- Co-ordinating, evaluating, and exercising plans to communicate with internal stakeholders, external stakeholders and the media.

SECTION I Security Discipline - Information Systems Research

Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes.

I1 – Research
- Defines research goals and generates original and worthwhile ideas in a specialised field within information security. Develops, reviews and constructively criticises ideas, makes observations and conducts tests.
- Presents papers at conferences, writes journal papers of publication quality and/or presents reports of an equivalent technical standard to research clients – all relating to advancing knowledge in one or more fields of information security.
- Contributes to the development of the employing organisation's research policy and supervises the work of research functions.

I2 – Academic Research
- Development of new crypto algorithms.
- Development of improved theories of information.
- Development of new ways for protecting information in specific environments (e.g. when being communicated).

I3 – Applied Research
- Investigation of vulnerabilities in current and potential technologies and techniques.
- Development of secure development tools, such as formal methods tools.
- Development of improved assurance methods.

The Institute of Information Security Professionals Skills Framework – Skills Definition J

Columns: Skill | Level 1 | Level 2 | Level 3 | Level 4

J1 Teamwork and Leadership
- Level 1: Works cooperatively and professionally with others.
- Level 2: Is encouraging and supportive and provides a lead within the local area.
- Level 3: Encourages and challenges others. Provides a lead across an organisation.
- Level 4: Inspires and involves others from inside and outside the organisation.

Example behaviours for the four levels (listed in transcription order):
- Is co-operative, and open to requests
- Openly celebrates success, and recognises accomplishments
- Challenges prejudice, intolerance, cynicism and complacency in others
- Empowers colleagues by giving them the information and authority needed to complete tasks
- Encourages others to take sensible risks, and is supportive if honest mistakes result
- Inspires others to achieve, and sets a good example
- Resolves major organisational or professional conflicts in a positive and constructive manner
- Creates and leads formal, informal or virtual teams and/or creates collaborative links with related teams
- Encourages further opportunities for flexible ways of working
- Is aware of impact of own behaviour on others
- Respects and values others for their qualities and differences and is sensitive to their differing needs and views
- Encourages and supports team spirit and morale, helping work to be enjoyable and stimulating for all
- Takes a lead when appr
