This snapshot, taken on 05/09/2007, shows web content selected for preservation by The National Archives. External links, forms and search boxes may not work in archived websites.

Government Practitioner competencies

This Core Competency Profile (CCP) applies to Departmental IT Security Officers (ITSOs) and other managers within UK Government who safeguard protectively marked information. It may also be applied more generally for other government practitioners, the police and CLAS consultants, by scoping the sphere of responsibility from e.g. 'organisation' to 'business area', 'team' or a nominated 'IT system'.

The Competency Clusters in this profile are expressed generically and in terms of transferable skills, to allow the competencies to be integrated with others already recognised in organisational appraisal schemes. Candidates studying for the Government Certificate of Infosec Competency (Government Practitioner) award are required to add job-specific details to these, in order to make them measurable Target Competencies.

Organisations adopting these competency descriptions may in any case wish to add further details or illustrative examples to individual competencies' descriptions to provide a more accurate description of the competence level required by the organisation.

Only those skills which are directly relevant to Infosec activities have been included. Organisations may wish to combine these with others from local competency frameworks to complete the competency profile for a specific post.

The Core Competencies are arranged in numeric order below and are in three clusters: Infosec expertise, Business management and Dealing with people.

1 Infosec expertise

Acquiring and maintaining knowledge and skills relevant to implementing effective Information Security

1.1 Acquiring and Maintaining Knowledge

Maintains currency of knowledge of Government baseline measures and recommended practices. Maintains broad practical security expertise extending beyond own work area; maintains awareness of Infosec implications of business activities.

1.2 Implementation of Government baseline requirements and compliance with relevant legislation

Ensures security policy addresses organisational, national and legislative requirements consistently and remains commensurate with the risk across the organisation. Formally accredits or ensures the accreditation of systems. Interfaces with national security, cryptographic, formal evaluation and/or professional bodies as required, to implement Government Infosec policy.

1.3 Using Technical Security Measures

Has broad knowledge of technical security issues, understands the principal security issues of IT platforms and applications; develops requirements for technical Infosec measures within own business area.

2 Business management

Integrating Infosec requirements with those of the business of the organisation; managing Infosec within the individual's sphere of activity

2.1 Business Focus

Understands business aims and objectives, and establishes, develops or advises on Infosec policy (and/or local working standards) that manage the risk to protect and enable these. Provides guidance on security in consultation with central organisational authorities and promotes business benefits of security awareness and Information Security.

2.2 Planning

Contributes to and advises on the strategic application of Infosec policy. Ensures that the application of Infosec policy supports business needs. Examples may include appropriate business continuity plans and contingency measures.

2.3 Delivering Results

Influences, contributes to or advises on the strategic direction taken on Infosec within own sphere of activity; utilises appropriate mechanisms to achieve organisational security goals. Examples include incident reporting procedures and training programs to review security and maintain awareness.

2.4 Managing Resources & Value For Money (VFM)

Seeks VFM in the application of Infosec measures within own sphere of activity - for example, by judging the relative cost-effectiveness of technical and non-technical countermeasures in protective security strategies.

2.5 Dealing With Change

Promotes and initiates change in the protective security requirement through compliance monitoring, reviewing the security requirement and reacting in a timely and proportionate way to developments in the threat, technology and its uses, and business practices.

3 Dealing with people

Working with others, internally/externally, to establish and maintain appropriate levels of security within the organisation and its contractors

3.1 Infosec Teamwork

Leads Infosec teams or organisational functions that have complex security aims or face significant challenges to achieving and maintaining Infosec. Negotiates and may maintain control or oversight of Infosec in outsourced and contracted projects.

3.2 Communicating and Influencing Infosec Issues

Influences Infosec policy/strategic negotiations within the organisation and/or externally; may include detailed security aspects of contract negotiations. Promotes Infosec knowledge and awareness through sponsorship of an effective education, training and awareness programme; may originate and present education and training events.