IISP INFORMATION SECURITY SKILLS FRAMEWORK

This skills framework describes the range of competencies expected of Information Security and Information Assurance Professionals in the effective performance of their roles. It was developed by collaboration between both private and public sector organisations and world-renowned academics and security leaders. It defines the skills and capability expected of security professionals in practical application and not just an assessment of their knowledge. Not all roles require detailed experience in all competency areas, and for more information about how the framework can be applied, please contact the Institute.

The framework is copyright of the Institute of Information Security Professionals and may be used in whole or in part only by our membership, those aspiring to be members or those others expressly licenced to use the material. This is a maintained document and will continue to be updated based on the experience of our members and licenced users.

V6.3 July, 2010

About the Institute of Information Security Professionals (IISP)

The Institute of Information Security Professionals was set up in 2006 in the UK as an independent member-owned organisation to further the development of knowledge, skills and professionalism in Information Security and Assurance. For employers and professionals we offer the professional accreditations of Associate and full member (M.Inst.ISP) of the Institute. We also provide services for competency measurement, job role definition and benchmarking, and capability development to support our corporate members in their professional skills programmes. We continue to develop in our role as the voice of the Information Security Profession.

The Institute can be contacted at:
Institute of Information Security Professionals
Unit 28, Basepoint Business Park, Evesham, Worcs, WR11 1GP
+44 (0) 2033 840 399
www.iisp.org
email: [email protected]


The IISP Skills Framework – Scoring levels for Skills A-I

Definitions for Levels

The following definitions should be used when assessing your score for competencies in the disciplines A – I.

Level 1 (Awareness): Understands the skill and its application. Has acquired and can demonstrate basic knowledge associated with the skill. Understands how the skill should be applied but may have no practical experience of its application.

Level 2 (Basic Application): Understands the skill and applies it to basic tasks under some supervision. Has acquired the basic knowledge associated with the skill, for example has acquired an academic or professional qualification in the skill. Understands how the skills should be applied. Has experience of applying the skill to a variety of basic tasks. Determines when problems should be escalated to a higher level. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill.

Level 3 (Skilful Application): Understands the skill and applies it to complex tasks with no supervision. Has acquired a deep understanding of the knowledge associated with the skill. Understands how the skill should be applied. Has experience of applying the skill to a variety of complex tasks. Demonstrates significant personal responsibility or autonomy, with little need for escalation. Contributes ideas in the application of the skill. Demonstrates awareness of recent developments in the skill. Contributes ideas for technical development and new areas for application of the skill.

Level 4 (Expert): An authority who leads the development of the skill. Is an acknowledged expert by peers in the skill. Has experience of applying the skill in circumstances without precedence. Proposes, conducts, and/or leads innovative work to enhance the skill.

IISP Skills Framework V6.3 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals® IISP®, M.Inst.ISP® and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute.

Page 1 of 22


The IISP Skills Framework – Scoring levels for Skill J

The following definitions should be used when assessing your score for competencies in discipline J. Examples of experience within these disciplines are shown in Appendix B, and should be consulted before completion.

Teamwork and Leadership
Level 1: Works cooperatively and professionally with others. Task-based team working.
Level 2: Is encouraging and supportive and provides a lead within the local area.
Level 3: Encourages and challenges others. Provides a lead across an organisation.
Level 4: Inspires and involves others from inside and outside the organisation. Environment in which others may develop leadership qualities.

Delivering
Level 1: Takes responsibility for completing own tasks.
Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this.
Level 3: Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals.
Level 4: Responsible for achievement of overall business goals in own professional or functional area.

Managing Customer Relationships
Level 1: Understands and aims to meet customer requirements.
Level 2: Negotiates with customers to improve the service to them and to manage their expectations.
Level 3: Works with customers to ensure that their needs drive business plans.
Level 4: Uses customer priorities to drive organisations’ plans, resolving the conflicting demands of different customers.

Corporate Behaviour
Level 1: Understands local objectives and organisation’s aims. Is cost-effective in own work.
Level 2: Understands the aims of own and related areas across an organisation.
Level 3: Takes action to achieve greater corporate efficiency, in line with its strategic aims.
Level 4: Develops strategy and ensures the long-term cost-effectiveness of an organisation by understanding the influences upon it.

Change and Innovation
Level 1: Is positive about change, and suggests possible improvements in own area.
Level 2: Generates creative ideas, and demonstrates sensitivity in implementing local change.
Level 3: Contributes to change strategies and generates new ideas or approaches, going beyond the local area.
Level 4: Is innovative and radical. Champions considered, co-ordinated change through policy and planning.

Analysis and Decision Making
Level 1: Is methodical when making decisions and solves problems which impact on own work.
Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area.
Level 3: Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area.
Level 4: Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent.

Communications and Knowledge Sharing
Level 1: Communicates clearly and shares knowledge with colleagues.
Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work-area.
Level 3: Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across an organisation.
Level 4: Is influential and diplomatic in negotiations with other organisations and formulates knowledge-sharing practice.


The Institute of Information Security Professionals Skills Framework

Skills Definitions A - I

SECTION A Security Discipline - Information Security Management

Principle: Capable of determining, establishing and maintaining appropriate governance of (including processes, roles, awareness strategies, legal environment and responsibilities), delivery of (including policies, standards and guidelines), and cost-effective solutions (including impact of third parties) for information security within a given organisation.

Skills Group | Example Skills | Claimed Skills | Group Competency

A1 – Governance
Establishing frameworks to develop and maintain appropriate information security expertise within an organisation.
Gaining management commitment and resources to support the governance structure.
Incorporating physical, personnel and procedural issues into the overall security governance process.
Relating an organisation’s business needs to their requirements for information security.
Encouraging an information risk awareness culture within an organisation. For example, raising awareness of how the various forms of social engineering can be used to compromise information.
Establishing frameworks for maintaining the security of information throughout its lifecycle.

A2 – Policy & Standards
Developing and maintaining organisational security policies, standards and processes using recognised standards (such as the ISO 27000 family) where appropriate.
Developing and maintaining standards for appropriate personnel screening.
Developing and maintaining standards for appropriate physical storage of information.
Providing advice on the interpretation of policy.
Undertaking a gap analysis against relevant external policies, standards and guidelines, and initiating remedial action where appropriate.

A3 – Information Security Strategy
Balancing of cost against security risk for the business.
Interpreting external requirements and standards in terms relevant to an organisation.
Balancing technical, physical, personnel and procedural controls to address information risks in the most effective way.

A4 – Innovation & Business Improvement
Recognises potential strategic application of information security and initiates investigation and development of innovative methods of protecting information assets, to the benefit of the organisation and the interface between business and information security.
Exploits opportunities for introducing more effective secure business and operational processes.

A5 – Information Security Awareness and Training
Identifying security awareness and training needs in line with security strategy, business needs and strategic direction.
Gaining management commitment and resources to support awareness and training in information security.
Identifying the education and delivery mechanisms needed to grow staff in information security awareness and competence.
Managing the development or delivery of information security awareness and training programmes.

A6 – Legal & Regulatory Environment
Familiar with legal and regulatory requirements that could affect organisation security policies, and where to turn for specific detail as needed.
Relating the legal and regulatory environment within which the business operates to the risk management and security strategy tasks.
Ensuring security policies comply with all personal data protection laws and regulations relevant to the business.
Ensuring security policies support compliance with corporate governance practices.
Identifying where security can provide business advantage by addressing specific legal or regulatory needs.

A7 – Third Party Management
Identifying and advising on the technical, physical, personnel and procedural risks associated with third party relationships.
Assessing the level of confidence that third party security capabilities/services operate as defined.


SECTION B Security Discipline - Information Risk Management

Principle: Capable of articulating the different forms of threat to, and vulnerabilities of, information systems and assets. Comprehending and managing the risks relating to information systems and assets.

Skills Group | Example Skills | Claimed Skills | Group Competency

B1 – Risk Assessment
Identification of assets that require protection.
Identification of relevant threats to the assets.
Identification of exploitable vulnerabilities.
Assessing the level of threat posed by potential threat agents.
Producing an information security risk assessment.
Determining the business impact of a risk being realised.

B2 – Risk Management
Developing information risk management strategies to reduce the risk.
Including information risk management strategies in business risk processes.
Gaining management commitment to the support of the information risk elements of business risk management.
Adapting the risk management strategy to address changes in the threat environment and in business risk.
Selecting the most appropriate tools and techniques for auditing effectiveness of mitigation measures in place.


SECTION C Security Discipline - Implementing Secure Systems

Principle: Comprehends the common technical security controls available to prevent, detect and recover from security incidents and to mitigate risk. Capable of articulating security architectures relating to business needs and commercial product development that can be realised using available tools, products, standards and protocols, delivering systems assured to have met their security profile using accepted methods.

Skills Group | Example Skills | Claimed Skills | Group Competency

C1 – Security Architecture
Interpreting relevant security policies and risk profiles into secure architectural solutions that mitigate the risks and conform to legislation.
Presenting security architecture solutions as a view within broader IT architectures.
Relating security architectures to business needs and risks.
Working with recognised security architecture.
Devising standard solutions that address requirements delivering specific security functionality, whether for a business solution or for a product.
Minimising the risk to an asset or product through “standard” security architecture practices.
Delivering the security architecture that supports the risk management strategy using current security technologies and techniques.
Maintaining awareness of the security advantages and vulnerabilities of common products and technologies.
Minimising the risk to an asset or product through the use of “standard” security technologies and products.
Designing and developing processes for maintaining the security of an asset or product through its full life cycle.
Designing robust and fault-tolerant security mechanisms and components appropriate to the perceived risks.
Selecting the appropriate security products, components and technologies to meet a security requirement.
Selecting the most appropriate information interchange protocols that meet the security requirements.


C2 – Secure Development
Implementing secure systems, products and components using an appropriate methodology.
Defining and implementing secure development standards and practices including, where relevant, formal methods.
Selecting and implementing appropriate test strategies to demonstrate security requirements are met.
Defining and implementing appropriate processes for transfer of a product/system to operation/sale/live use.
Defining and implementing appropriate secure change and fault management processes.
Minimising the risk to an asset or product through the ‘standard’ design and development processes.
Verifying that a developed component, product or system meets its security criteria (requirements and/or policy, standards & procedures).
Analysing problem reports for signs of anomalous security issues, coordinating research into vulnerabilities and instigating corrective action where necessary.
Specifying and/or implementing processes that maintain the required level of security of a component, product, or system through its lifecycle.
Managing a system or component through a formal security assessment.


SECTION D Security Discipline - Information Assurance Methodologies and Testing

Principle: Develops and applies standards and strategies for verifying that measures taken mitigate identified risks.

Skills Group | Example Skills | Claimed Skills | Group Competency

D1 – Information Assurance Methodologies
Developing methodologies for assessing the correct implementation of mitigation measures.
Assessing the level of assurance provided by a security mechanism, system or product in accordance with one or more recognised methodologies and standards.
Assessing whether a process is “fit for purpose” and meets the security requirements.

D2 – Security Testing
Testing processes for vulnerabilities, highlighting those that are not addressed by security policies, standards and procedures and advising on corrective measures.
Applying recognised testing methodologies, tools and techniques, developing new ones where appropriate.
Assessing the robustness of a system, product or technology against attack.
Applying commonly accepted governance practices and standards when testing in an operational environment.


SECTION E Security Discipline - Operational Security Management

Principle: Capable of managing all aspects of a security programme, including reacting to new threats and vulnerabilities, secure operational and service delivery consistent with security policies, standards and procedures, and handling security incidents of all types according to common principles and practices, consistent with legal constraints and obligations.

Skills Group | Example Skills | Claimed Skills | Group Competency

E1 – Secure Operations Management
Establishing processes for maintaining the security of information throughout its existence.
Establishes and maintains Security Operating Procedures in accordance with security policies, standards and procedures.
Coordinating penetration testing on information processes against relevant policies.
Assessing and responding to new technical, physical, personnel or procedural vulnerabilities.
Managing implementation of information security programmes, and co-ordinating security activities across the organisation.

E2 – Secure Operations & Service Delivery
Securely configuring information and communications equipment in accordance with relevant security policies, standards and guidelines.
Maintaining security records and documentation in accordance with Security Operating Procedures.
Administering logical and physical user access rights.
Monitoring processes for violations of relevant security policies (e.g. acceptable use, security, etc.).

E3 – Vulnerability Assessment
Analysing internal problem reports for signs of anomalous security issues.
Monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes.
Engaging with the Change Management process to ensure that vulnerabilities are remediated.
Ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
Producing warning material in a manner that is both timely and intelligible to the target audience(s).


SECTION F Security Discipline - Incident Management

Principle: Capable of managing or investigating an information security incident at all levels.

F1 – Incident Management
Engaging with the overall organisation Incident Management process to ensure that security incidents are handled appropriately.
Defining and implementing processes and procedures for detecting breaches of security policy.
Defining and implementing processes for carrying out investigations into breaches of security policy.
Establishing and maintaining a Computer Security Emergency Response Team or similar to deal with breaches of security policy.
Co-ordinating the response to a breach of security policy.
Providing a full security response where third parties, managed service providers, etc. are involved.

F2 – Investigation
Working within the legal constraints imposed by the jurisdictions in which an organisation operates.
Carrying out an investigation into a breach of information security using all relevant sources of information including access logs, systems logs, camera footage, etc.
Assessing the need for Forensic activity, and coordinating the activities of specialist Forensic personnel within the overall response activities.
Engaging with the organisational Problem Management processes to ensure that Forensic services are deployed appropriately.
Providing a full security investigation capability where third parties, managed service providers, etc. are involved.


F3 – Forensics
Seizing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business and maintaining evidential weight.
Deploying specialist equipment to monitor for attempted system compromise.
Analysing system information (e.g. system logs, network traffic, hard disks, virtual memory, etc.) for evidence of breaches of security policy or law.
Analysing software for malicious intent (malware).

SECTION G Security Discipline - Audit, Assurance & Review

Principle: Capable of defining and implementing the processes and techniques used in verifying compliance against security policies, standards, legal and regulatory requirements.

Skills Group | Example Skills | Claimed Skills | Group Competency

G1 – Audit & Review
Verifying that information processes meet the security criteria (requirements or policy, standards and procedures).
Defining and implementing processes to verify on-going conformance to security requirements.
Carrying out security compliance audits in accordance with an appropriate methodology.


SECTION H Security Discipline - Business Continuity Management

Principle: Capable of defining the need for, and of implementing processes for establishing, business continuity.

Skills Group | Example Skills | Claimed Skills | Group Competency

H1 – Business Continuity Planning
Establishing the need for a Business Continuity Management (BCM) Process or Function.
Determining the events and external surroundings that can adversely affect an organisation.
Providing cost-benefit analysis to justify investment in controls to mitigate risks.
Determining and guiding the selection of possible business operating strategies for minimising disruption.
Designing, developing, and implementing Business Continuity and Crisis Management Plans.
Preparing a programme to create and maintain corporate awareness and enhance the skills required to develop and implement the Business Continuity Management Programme.
Developing processes that maintain the currency of continuity capabilities and plan documents in accordance with the organisation’s strategic direction.
Developing, co-ordinating, and evaluating plans to communicate with internal stakeholders, external stakeholders and the media.

H2 – Business Continuity Management
Developing and implementing procedures for responding to and stabilising the situation following an incident or event.
Establishing and managing an Emergency Operations Centre to be used as a command centre during the emergency.
Pre-planning and co-ordinating plan exercises, and evaluating and documenting plan exercise results.
Verifying that the plan will prove effective by comparison with a suitable standard, and reporting results in a clear and concise manner.
Establishing applicable procedures and policies for co-ordinating continuity and restoration activities with external agencies while ensuring compliance with applicable statutes or regulations.
Co-ordinating, evaluating, and exercising plans to communicate with internal stakeholders, external stakeholders and the media.

IISP Skills Framework v6.3 Copyright © The Institute of Information Security Professionals. All rights reserved. The Institute of Information Security Professionals® IISP®, M.Inst.ISP® and various IISP graphic logos are trademarks owned by The Institute of Information Security Professionals and may be used only with express permission of the Institute. Page 12 of 22


SECTION I Security Discipline - Information Systems Research

Principle: Original investigation in order to gain knowledge and understanding relating to information security, including the invention and generation of ideas, performances and artefacts where these lead to new or substantially improved insights; and the use of existing knowledge in experimental development to produce new or substantially improved devices, products and processes.

Skills Group | Example Skills | Claimed Skills Group Competency

I1 – Research
Defines research goals and generates original and worthwhile ideas in a specialised field within information security. Develops, reviews and constructively criticises ideas, makes observations and conducts tests.
Presents papers at conferences, writes journal papers of publication quality and/or presents reports of an equivalent technical standard to research clients – all relating to advancing knowledge in one or more fields of information security.
Contributes to the development of the employing organisation’s research policy and supervises the work of research functions.

I2 - Academic Research
Development of new crypto algorithms.
Development of improved theories of information.
Development of new ways for protecting information in specific environments (e.g. when being communicated).

I3 – Applied Research
Investigation of vulnerabilities in current and potential technologies and techniques.
Development of secure development tools, such as formal methods tools.
Development of improved assurance methods.


The Institute of Information Security Professionals Skills Framework - Skills Definition J

Each skill below is described at four levels: Level 1, Level 2, Level 3 and Level 4.

J1 - Teamwork and Leadership

Level 1: Works cooperatively and professionally with others. For example….
♦ Is co-operative, and open to requests
♦ Is aware of impact of own behaviour on others
♦ Respects and values others for their qualities and differences and is sensitive to their differing needs and views
♦ Encourages and supports team spirit and morale, helping work to be enjoyable and stimulating for all
♦ Takes a lead when appropriate
♦ Plays a full part and helps everyone to achieve team goals

Level 2: Is encouraging and supportive and provides a lead within the local area. For example….
♦ Openly celebrates success, and recognises accomplishments
♦ Empowers colleagues by giving them the information and authority needed to complete tasks
♦ Creates and leads formal, informal or virtual teams and/or creates collaborative links with related teams
♦ Addresses, and seeks to resolve, conflict within teams
♦ Provides support and feedback to encourage and develop colleagues
♦ Identifies and enables development opportunities for others
♦ Supports and encourages task-based team working
♦ Develops others through coaching, mentoring and advising colleagues

Level 3: Encourages and challenges others. Provides a lead across an organisation. For example….
♦ Challenges prejudice, intolerance, cynicism and complacency in others
♦ Encourages others to take sensible risks, and is supportive if honest mistakes result
♦ Encourages further opportunities for flexible ways of working
♦ Encourages team identity and commitment in others
♦ Initiates the setting up of formal, informal or virtual teams or support and / or encourages others to do so; follows through to conclusion
♦ Contributes to multi-agency or cross-disciplinary teams
♦ Provides technical leadership in their professional field within the organisation.

Level 4: Inspires and involves others from inside and outside the organisation. For example….
♦ Inspires others to achieve, and sets a good example
♦ Resolves major organisational or professional conflicts in a positive and constructive manner
♦ Contributes to and / or leads teams within their profession
♦ Provides technical leadership in their professional field at national and / or international level
♦ Leads others in strategic decisions directly affecting them
♦ Ensures that the organisation builds on and uses the differences and strengths of the individuals within it
♦ Takes action to provide an environment in which others may develop leadership qualities


J2 - Delivering

Level 1: Responsible for completing own tasks. For example….
♦ Monitors progress against objectives
♦ Shows a 'can-do', self-motivated attitude
♦ Takes responsibility for own actions and learns from mistakes
♦ Appreciates knock-on effect if work isn't finished on time
♦ Keeps calm under pressure
♦ Delivers high quality results to the best of ability, aiming for success, not merely the avoidance of failure

Level 2: Responsible for an element of delivery against one or more business objectives, balancing priorities to achieve this. For example….
♦ Tackles complex tasks and/or new problems, breaking down the task into discrete steps
♦ Plans, prioritises and sets milestones and deadlines, to ensure delivery of business objectives
♦ Manages time effectively, balancing competing demands
♦ Aligns work with business objectives
♦ Focuses on achieving the objective, using own professional and / or managerial knowledge and experience effectively
♦ Resolves problems, even if beyond direct responsibility
♦ Takes the initiative to obtain information necessary for delivery

Level 3: Responsible for ensuring delivery is achieved against a portfolio of business objectives, overcoming obstacles to achieve goals. For example….
♦ Plans ahead for self and / or others to achieve business objectives
♦ Identifies key performance criteria, to monitor effectiveness of the work
♦ Sets realistic deadlines, and warns early on if they cannot be met.
♦ Focuses on goals and is not set back by obstacles
♦ Identifies personal and / or team (formal, informal or virtual) objectives from the business plan
♦ Effectively uses diverse talents, technology and resources to deliver within agreed parameters
♦ Uses own professional and / or managerial knowledge and experience to drive forward delivery

Level 4: Responsible for achievement of overall business goals in own professional or functional area. For example….
♦ Puts in place mechanisms to identify problems and monitor progress against plans
♦ Plans for future skills, and identifies training and development and resourcing needs in own area
♦ Ensures that organisational goals are identified in accordance with the corporate plan and reflected in own and others’ objectives
♦ Is prepared to take risks and be accountable for their own and others’ decisions and actions
♦ Uses own professional and/or managerial knowledge and experience to shape delivery against business objectives.


J3 - Managing Customer Relationships

Level 1: Understands and aims to meet customer requirements. For example….
♦ Seeks to quickly satisfy customers' needs
♦ Is responsive to customer requests
♦ Demonstrates knowledge of the customer-base and understands their requirements
♦ Makes realistic commitments to customers
♦ Explains when customer expectations cannot be met

Level 2: Negotiates with customers to improve the service to them and to manage their expectations. For example….
♦ Seeks to improve the provision of a high quality and tailored service
♦ Negotiates achievable and efficient solutions with customers
♦ Is open to new ways of serving customers if their needs require it
♦ Maintains regular contact with customers to understand and anticipate their needs
♦ Builds customer awareness of capability
♦ Explains to customers why their expectations cannot be met

Level 3: Works with customers to ensure that their needs drive business plans. For example….
♦ Works with customers to adopt a creative approach to exploit new opportunities
♦ Ensures that long- and short-term customer needs drive plans
♦ Works with customers to understand their aims and needs
♦ Actively manages customer base

Level 4: Uses customer priorities to drive organisational plans, resolving the conflicting demands of different customers. For example….
♦ Uses customers' strategic goals and outcomes to drive the area/Department's policies and plans
♦ Demonstrates understanding of the links between customers' strategic goals and policies
♦ Shows awareness of the pressures under which customers operate and their impact
♦ Identifies and seeks to resolve conflicts between different customers' strategies and priorities


J4 - Corporate Behaviour

Level 1: Understands local objectives and organisational aims. Is cost-effective in own work. For example….
♦ Demonstrates knowledge of how own job contributes to the organisation’s aims.
♦ Appreciates organisational aims, and the regulations and laws that govern its actions, and acts in accordance with them
♦ Strives for excellence while ensuring best value and fitness for purpose
♦ Measures performance by value added, not resources consumed

Level 2: Understands the aims of own and related areas across the organisation. Maximises the cost-effectiveness of area or team. For example….
♦ Works within organisational policies, procedures, security and legal constraints
♦ Identifies issues facing own and related work areas, and the organisation as a whole
♦ Ensures colleagues understand how their work contributes to Departmental aims
♦ Provides feedback on the costs and implications of proposals and issues
♦ Prioritises and monitors allocation of local resources and improves efficiency

Level 3: Takes action to achieve greater corporate efficiency, in line with strategic aims. For example….
♦ Looks beyond local needs to the common good
♦ Seeks to be aware of issues that are of corporate importance
♦ Remains committed even when in personal disagreement with a policy
♦ Shows an understanding of, and interprets for others, relevant policy or security issues
♦ Builds extensive informal networks of contacts across the Department and / or external organisations
♦ Takes account of resources and strategic aims in making plans
♦ Seeks to maximise the benefits from activities
♦ Changes or stops activities that are no longer cost-effective

Level 4: Develops strategy and ensures the long-term cost-effectiveness of the organisation by understanding the influences upon it. For example….
♦ Contributes to policy and strategy formulation and the creation of programmes and projects in line with strategic plans.
♦ Demonstrates an understanding of, and acts on, vital strategic issues, responding appropriately to external threats and opportunities
♦ Builds a wide-ranging network of internal and external senior contacts, drawing on them as appropriate
♦ Keeps up-to-date with political influences on the organisation and information security profession
♦ Delivers greater efficiency through flexible use and monitoring of organisational resources.


J5 - Change and Innovation

Level 1: Is positive about change, and suggests improvements in own area. For example….
♦ Looks for opportunities to be innovative, suggesting how to do things better
♦ Responds constructively and flexibly to change or feedback
♦ Takes change forward when possible
♦ Readily picks up and applies relevant new skills, attending training if necessary
♦ Openly discusses mistakes to enable avoidance in the future

Level 2: Generates creative ideas, and demonstrates sensitivity in implementing local change. For example….
♦ Demonstrates personal commitment to change and is open-minded and forward looking
♦ Seeks to remove barriers to change
♦ Works effectively in uncertain circumstances or without clear parameters
♦ Contributes own learning (both formal and experience) to development of new ideas
♦ Generates innovative solutions to technical, managerial and / or organisational problems / issues, looking beyond the superficial
♦ Consults others, and acknowledges their opinions and feelings, in making and communicating change
♦ Builds a positive, blame-free environment to encourage learning from mistakes

Level 3: Contributes to change strategies and generates new ideas or approaches, going beyond the local area. For example….
♦ Provides direction in times of uncertainty
♦ Builds in flexibility to cope with the unexpected
♦ Considers potential risks and implications in the design and / or implementation of new ideas or approaches
♦ Maintains own expertise and keeps up to date with developments in relevant areas
♦ Generates new and creative ideas or approaches (technical, managerial and / or organisational) in seeking to develop the organisation’s capability.
♦ Encourages others to innovate
♦ Manages change sensitively and positively, and encourages a positive attitude to change in others

Level 4: Is innovative and radical. Champions considered, co-ordinated change through policy and planning. For example….
♦ Encourages a culture in which people see change as natural and positive
♦ Contributes to organisational change, aiming to impact most on performance and reduce bureaucracy
♦ Ensures change is pertinent, co-ordinated, communicated and followed through
♦ Uses expertise to direct own and others' learning and development
♦ Identifies ways in which to increase innovation within area or organisation
♦ Thinks laterally. Is innovative and radical, breaking new ground
♦ Considers impact on others when planning new initiatives


J6 - Analysis and Decision Making

Level 1: Is methodical when making decisions and solves problems which impact on own work. For example….
♦ Has an objective and methodical approach to analysis of information
♦ Identifies relevant information to contribute to the decision-making process
♦ Takes timely decisions, despite limited information, or when under pressure
♦ Draws on past experience to make an informed decision without being limited by preconceptions
♦ Uses others’ knowledge, capabilities and skills to achieve goals where appropriate

Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area. For example….
♦ Seeks, identifies and exploits relevant information
♦ Interprets relevant data, and key points, even without a clearly identified starting point, to make recommendations and support an argument
♦ Evaluates options, benefits and risks in making decisions
♦ Develops quality solutions based on an understanding of known requirements, limitations and constraints
♦ Enlists others' support, seeking willing agreement in making decisions
♦ Takes account of constructive feedback when revising decisions

Level 3: Makes effective decisions and/or solves complex problems in uncertain situations, or where the impact is greater than in the immediate working area. For example….
♦ Establishes policy guidelines that provide a sound basis for decisions
♦ Identifies, and is well-briefed on, issues likely to come to prominence
♦ Assimilates and interprets complex information to identify trends, inconsistencies and risks
♦ Uses knowledge and experience to assess requests and plans, and back up arguments
♦ Takes unpopular decisions when necessary to achieve the required outcome
♦ Judges when to empower others to make decisions

Level 4: Makes effective strategic decisions and/or solves complex problems with strategic impact, or no precedent. For example….
♦ Evaluates and challenges policy
♦ Considers the wider implications of decisions or proposals
♦ Grasps, and acts on, key points from a wide range of issues
♦ Makes decisions based on risk management, rather than risk avoidance


J7 - Communications and Knowledge Sharing

Level 1: Communicates clearly and shares knowledge with colleagues. For example….
♦ Communicates accurately and clearly
♦ Writes in clear plain English
♦ Is constructive when challenging others' ideas or decisions
♦ Chooses the most effective communication method for the situation and individual
♦ Records and shares information and knowledge securely with all that can benefit from it
♦ Listens and learns effectively from others
♦ Follows corporate knowledge management guidance / good practice

Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work-area. For example….
♦ Chooses content, language and style to suit the audience
♦ Produces work to a high standard, with well-reasoned arguments and clear conclusions
♦ Accurately relays key points of meetings or documents to others
♦ Encourages and makes useful contributions to open debate or complex discussions
♦ Willingly shares information, good practice, knowledge and expertise with those who could benefit at all levels
♦ Chooses or sets up appropriate methods of storage and dissemination of information which balance the need to share with the need to know

Level 3: Is a persuasive communicator. Sets a lead in sharing knowledge effectively in diverse areas across the organisation. For example….
♦ Uses persuasive logic to win support or change views
♦ Chairs meetings effectively and facilitates negotiated agreement
♦ Addresses and discusses issues and concerns, keeping key stakeholders informed
♦ Takes responsibility for conveying bad or unwelcome news diplomatically
♦ Uses, promotes and develops ways in which to capture and share knowledge and information effectively yet securely, within local areas or in diverse areas across the organisation
♦ Actively addresses problems associated with information flow, storage and overload.

Level 4: Is influential and diplomatic in negotiations with other departments/organisations and formulates knowledge-sharing strategies. For example….
♦ Presents effectively and influentially to a range of audiences
♦ Is persuasive and diplomatic in inter-departmental discussions, or with other organisations or senior customers, without disclosing sensitive information
♦ Establishes clear fallback positions in negotiation, compromising where necessary
♦ Brings in knowledge-sharing strategies and shares experiences with other business areas/organisations
♦ Articulates knowledge and experience to influence discussions on projects, programmes or policy
♦ Promotes, contributes to, and enables departmental communications and knowledge sharing initiatives
