The Comsec Practitioner competencies
This Core Competency Profile (CCP) applies to a variety of roles set out in UK Government Infosec Standard No.4 Communications Security and Cryptography. Specifically, it covers the roles of CRYPTO, ACCSEC or CCI Custodian, Comsec Inspector, Controlling Authority, Crypto Network or Closed User Group Controller, Local Manager and Holder.
The Competency Clusters in this profile are expressed generically and in terms of transferable skills, to allow the competencies to be integrated with others already recognised in organisational appraisal schemes. Candidates studying for the Government Certificate of Infosec Competency (Comsec Practitioner) award are required to add job-specific details to these, in order to make them measurable Target Competencies.
Organisations adopting these competency descriptions may in any case wish to add further details or illustrative examples to individual competencies' descriptions to provide a more accurate description of the competence level required by the organisation.
Only those skills which are directly relevant to Infosec activities have been included. Organisations may wish to combine these with others from local competency frameworks to complete the competency profile for a specific post.
The Core Competencies are arranged in numeric order below and are in three clusters: Infosec expertise, Business management and Dealing with people.
1 Infosec expertise
Acquiring and maintaining knowledge and skills relevant to implementing effective Information Security
1.1 Acquiring and Maintaining Knowledge
- Identifies and undertakes relevant professional development to ensure they maintain currency with the policy contained in Government Infosec Standard 4 and related UK government and local/departmental directives and recommended practice.
- Takes note of relevant CINRAS and related outputs (e.g. UNIRAS) and maintains sufficient knowledge to oversee or otherwise manage the operation of crypto and other Comsec technical equipments.
1.2 Implementation of Government baseline requirements and compliance with relevant legislation
- Takes practical measures to ensure that secure communications systems within own area of responsibility comply with Government national, legislative and organisational baseline requirements, including Government Infosec Standard 4 and other relevant policies and directives.
1.3 Using Technical Security Measures
- Understands the technical aspects of implementing crypto equipment and key material, and principal Comsec management issues of accounting, account management and transfer of key material.
- Recognises ways in which Comsec can be integrated effectively with other security measures.
2 Business management
Integrating Infosec requirements with those of the business of the organisation; managing Infosec within the individual's sphere of activity
2.1 Business Focus
- Takes the initiative in satisfying the Comsec requirement in own area of responsibility, while meeting business needs in a secure manner.
- Provides guidance on Comsec in consultation with relevant organisational and/or Government authorities. Maintains accountable documentation of all their actions and communications relevant to the implementation, and protection, of Comsec and crypto elements.
- Promotes the business benefits of Comsec to the organisation through briefings and other representations.
2.2 Planning
- Produces and/or maintains plans for routine and exceptional contingency and Business Continuity, including establishing and exercising emergency action plans in accordance with HMG and/or organisational policy.
- Produces and/or maintains plans for acquiring, maintaining and disposing of crypto equipment and material.
2.3 Delivering Results
- Delivers effectively and on a timely basis, through Comsec application, communications systems with adequate and appropriate levels of confidentiality, integrity and availability. Takes whole or partial responsibility for ensuring that relevant staff meet their Comsec responsibilities.
- Utilises appropriate Comsec mechanisms and procedures to achieve organisational security goals.
- Provides clear and accountable documentation as required throughout the crypto material and equipment lifecycle, for items under their control.
2.4 Managing Resources & Value For Money (VFM)
- Manages crypto material and equipment to support business requirements. Within their area of work, seeks cost-effective use of Comsec resources and ensures these facilitate VFM, commensurate with the risk and aligned with Government Infosec Standard 4 and related local/departmental baseline policies.
2.5 Dealing With Change
- Demonstrates a practical and flexible approach in adapting to changing requirements for Comsec provision. Responds constructively to changes in Comsec policy and procedures that affect items under their control.
- Reacts promptly and provides timely management of Comsec as business or operational requirements dictate.
3 Dealing with people
Working with others, internally/externally, to establish and maintain appropriate levels of security within the organisation and its contractors
3.1 Infosec Teamwork
- Negotiates and/or facilitates the achievement and maintenance of Comsec baseline requirements and standards. Leads or cooperates within own area of work to achieve compliance with Government Infosec Standard 4 policy and related local/departmental directives and policies.
- Works effectively with other relevant security staff and project teams, recognising when to seek help in issues beyond their scope and correctly identifying appropriate sources of expertise.
3.2 Communicating and Influencing Infosec Issues
- Is influential in supporting Comsec requirements, in advising and communicating Comsec issues to all staff in the organisation, and externally.
- Reports Comsec issues in a timely manner to affected business, policy and/or technical areas.
- Promotes Comsec competence both in practical terms and in general awareness in those who manage or otherwise use crypto items under their control.