The Accreditor / Comsec Accreditor competencies
This Core Competency Profile (CCP) supports the roles, currently specified in the Manual of Protective Security (MPS) and Government Infosec Standards 2 and 4, of the systems Accreditor and the Comsec Accreditor.
The Competency Clusters in this profile are expressed generically and in terms of transferable skills, to allow the competencies to be integrated with others already recognised in organisational appraisal schemes. Candidates studying for the Government Certificate of Infosec Competency (Accreditor / Comsec Accreditor) award are required to add job-specific details to these, in order to make them measurable Target Competencies.
Organisations adopting these competency descriptions may in any case wish to add further details or illustrative examples to individual competency descriptions to provide a more accurate description of the competence level required by the organisation.
Only those skills which are directly relevant to Infosec activities have been included. Organisations may wish to combine these with others from local competency frameworks to complete the competency profile for a specific post.
The Core Competencies are arranged in numeric order below and are in three clusters: Infosec expertise, Business management and Dealing with people.
1 Infosec expertise
Acquiring and maintaining knowledge and skills relevant to implementing effective Information Security
1.1 Acquiring and Maintaining Knowledge
- Understands and remains current with the scope and content of Government baseline policy requirements (as laid out in the Manual of Protective Security, its supporting documents and their local derivatives)
- Maintains currency with relevant aspects of legislation and industry standards. For example: the pivotal role of risk assessment, and the business need and implementation requirements for Business Continuity.
1.2 Implementation of Government baseline requirements and compliance with relevant legislation
- Assesses that the boundaries and scope of the target of accreditation are valid
- Ensures that the risk has been assessed accurately and that the security strategy meets relevant Government baseline policy (and best practice recommendations where appropriate)
- Develops risk management strategies to meet business requirements
- Ensures the security strategy provides appropriate ISO/IEC 17799 and legislative compliance
- Provides Accreditation Aftercare to ensure the continuing validity of accredited status
1.3 Using Technical Security Measures
- Understands the principles of technical security in applications
- Assesses the appropriate applications and their technical security measures
- Ensures that technical security measures integrate with other security measures to meet the assessed security requirement
- Identifies the threats and vulnerabilities to information and communications systems assets and the likelihood of impacts on the Confidentiality, Integrity and Availability of those assets; recognises where these require technical expertise and seeks ways to utilise such support
2 Business management
Integrating Infosec requirements with those of the business of the organisation; managing Infosec within the individual's sphere of activity
2.1 Business Focus
- Ensures key players in the organisation are engaged to understand both the business and the security requirements
- Works in partnership with relevant personnel to assess and implement security strategies which are commensurate with the risk and the business requirement and meet national baseline policy where relevant
- Maintains accountable documentation of all their decisions and communications relevant to the accreditation process
2.2 Planning
- Plans accreditation activities to integrate with project schedules and business needs
- Prioritises activities and resources according to the importance of accreditation relative to the business need
- Remains focused on relevant accreditation and security issues
- Makes timely and objective decisions based on best available evidence and sound analysis.
2.3 Delivering Results
- Provides clear and accountable documented recommendations, independent of external pressures
- Is resilient, is not put off by setbacks and displays drive and energy to achieve results
- Ensures work is planned, prioritised and delivered to meet requirements
- Understands appropriate management techniques and uses them when applicable
- Considers options to accept, transfer, avoid or limit risks, and ensures security mechanisms and countermeasures are managed to keep delivery of security objectives on track
2.4 Managing Resources & Value For Money (VFM)
- Evaluates the cost-effectiveness of proposed security strategies, individual measures and/or business transactions
- Provides an accreditation service to the Business in an effective, efficient and economic manner. Identifies where existing protective security measures can be utilised in system security strategies, and balances technical with non-technical measures
- Negotiates and appropriately distributes resources to meet accreditation objectives
- May monitor and evaluate security suppliers' performance and ensure adherence to contract terms
- Implements cost effective risk management, utilising identified security strategies and balancing technical and non-technical measures
2.5 Dealing With Change
- Advises and negotiates to counter opposition to change, in order to protect business and security objectives
- Is open to new ways of working and adapts flexibly to change
- Is prepared to initiate and implement change and encourages a positive attitude in others
- Ensures accredited status is maintained against change in technology, policy or standards, the risk and business operations and thereby contributes, via advice and negotiation, to business continuity protection
- Ensures they are consulted where configuration management, change control or other system management operations may affect the security status of the subject of accreditation
- Ensures that changes to IT or communications systems risks and conflicting priorities are successfully managed throughout the lifecycle of the system.
3 Dealing with people
Working with others, internally/externally, to establish and maintain appropriate levels of security within the organisation and its contractors
3.1 Infosec Teamwork
- Negotiates and/or facilitates the achievement and maintenance of Infosec baseline requirements and standards across organisational boundaries with differing business cultures, where appropriate
- Works effectively with other relevant security staff, project teams or Accreditation Panels to ensure the security of systems for which they have particular responsibility is commensurate with the risk to those systems
- Knows when to seek help from and involve others, listens and takes account of diverse needs and objectives
- Resolves conflicts effectively and gives confidence to others.
3.2 Communicating and Influencing Infosec Issues
- Can adapt the expression of accreditation issues and requirements to a variety of audiences both within and outside the organisation such that the message is clearly understood
- Influences and advises projects on security and accreditation issues
- Produces clear and accountable documentation of all actions taken in the accreditation process
- Influences security outcomes through a risk management approach to accreditation