
Application Guidance CCP Accreditor Role, Practitioner level

Issue No: 1.0, April 2014

This document is for the purposes of issuing advice to UK Government, public sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.

The copyright of this document is reserved and vested in the Crown.

Document History

Version Date Comment

1.0 April 2014 First issue


Purpose & Intended Readership

This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Accreditor at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard and the CESG ‘Guidance to Certification for IA Specialists’ document, to be found at http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx.

Executive Summary

CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Adviser Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Accreditor at Practitioner level.

Feedback

CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. Please email: [email protected]


Contents:

Overall Requirements for the Accreditor Role at Practitioner level ... 3
    Accreditation ... 3
    Headline statement for Accreditor at Practitioner level ... 3
    Applying for CCP Scheme certification ... 4
Further information on the requirements for the Accreditor Role at Practitioner level ... 9
    Knowledge ... 9
    Skills ... 10
    Experience ... 17
The Certification Process ... 18
    Next Steps ... 18
The CCP Scheme Certification Learning Cycle ... 20
References ... 21


Overall Requirements for the Accreditor Role at Practitioner level

Key Principles

This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Accreditor at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard and the CESG ‘Guidance to Certification for IA Specialists’ document, to be found at http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx.

Learning comes through acquiring skills and knowledge (from training, experience and by following other people) and putting these into practice. Most people will need 1-2 years to acquire these, although in some cases this may take a longer or shorter time.

The section on skills (see below) provides prompts for the type of evidence required to demonstrate that you meet the standard for CCP Practitioner Accreditor. You are encouraged to follow the advice in this section when completing your written submission of evidence.

Accreditation

Accreditation is an independent assessment that an information system meets its Information Assurance (IA) requirements and that the residual risks are acceptable to the business, in the context of the business requirement. It is making sure that the appropriate things are done.

Headline statement for Accreditor at Practitioner level

Makes routine accreditation decisions, accepting residual risk on behalf of your organisation where it is clearly within the normal risk appetite as declared by the Senior Information Risk Owner (SIRO). For example, you make accreditation sign-off decisions for your organisation or SIRO.


Applying for CCP Scheme Certification

There may be different gaps in your skills, knowledge and experience, depending on whether you are at the start of your IA career or already an experienced professional. If you don’t feel that you can demonstrate all of the following required skills, knowledge and experience, agree a plan with your manager so that you can address any gaps – e.g. through placements, projects, training or coaching – before you apply for CCP certification. Your written submission must show that you:

meet the headline statement for the Accreditor role (see above)

follow the HMG Security Policy Framework (for public sector work) and local interpretations

review Risk Management Accreditation Document Sets to confirm that risk assessments and risk treatment plans are consistent with business requirements

recognise accreditation decisions that have implications beyond your level of responsibility, experience or delegated risk tolerance and escalate them appropriately

build constructive relationships with clients so that accreditation is built into business and project plans

justify your accreditation decisions to stakeholders in terms of the business objectives, threats, risks, vulnerabilities, controls and likelihood of business impacts

provide constructive and timely advice to systems developers on whether their proposed solutions are likely to gain accreditation

understand the normal risk appetite and the potential business impact of accepting risks either above or below it

sign off on accreditation decisions

accept residual risk at the appropriate level


know when you need to consult others, e.g. those who understand the technologies (you are not expected to be an expert on all the systems you accredit)

demonstrate the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework

demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA) [1] at level 3. Alternatively, you can show evidence of at least level 2 in the IISP ‘J’ skills

You should also check the website of the Certification Body (CB) you wish to use, for any additional conditions required by that CB.

[1] See ‘Guidance to CESG Certification for IA Professionals’ (http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx) and the SFIA Foundation at www.sfia.org.uk.


The key to good accreditation is combining technical, business and people skills to provide appropriate security. You need to understand the business objectives, strategy and risk appetite, and to have support from others who understand the technologies. You need people skills to ensure that you explain security options appropriately, so that others understand the information you give them and can carry out your advice, and risk is managed in an appropriate and proportionate way. In no priority order, you need:

Skills:
- Negotiating
- Influencing
- Communication – able to talk to non-techies and techies alike
- Risk assessment and risk management
- Business writing (all the information needed for a decision, on 1 side of A4)
- Presentation
- Stakeholder management

Familiarity with:
- Accreditation methodologies
- Accreditation standards and policies
- The ‘CESG Certification for IA Professionals’ and ‘Guidance to CESG Certification for IA Professionals’ documents [http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx]
- Technical IA controls

And understanding of:
- The project management environment
- The risk appetite of the organisation
- Business strategy and your local business environment
- The fundamentals of how compromises can occur
- How to sign off on accreditation decisions
- How to perform Protective Monitoring (PM), understand reports on PM and carry out incident management
- How to write and review RMADS


[Figure: Practitioner may be starting to gain experience to move towards the Senior role. Labels in the diagram: increasing experience and practice (learning on the job); gaining knowledge; different working environments; developing skills; training courses; progression from relatively straightforward systems to increasingly complex systems.]


Further information on the requirements for the Accreditor Role at Practitioner level

Knowledge

The following gives more detail of the knowledge you need to acquire. You can do this through a mixture of classroom-based courses, e-learning, mentoring, coaching, placements, briefings, background reading and on the job training, as agreed with your manager.

You must provide evidence that you understand and have appropriately applied your knowledge of:

the Mandatory Requirements of HMG Security Policy Framework (SPF), especially those relevant to your work*

the CESG portfolio*

at least HMG IA Standard No. 1&2 in detail and their local interpretations*

your organisation’s Information Security policies and standards

what information governance is, why it matters, and who is responsible for it locally

the strategic goals, threats and opportunities of the businesses you work in

what good and bad security in IA architecture looks like

how to develop IT systems with good IA

best practice in producing appropriate and proportionate RMADS

legal issues – protection of personal and financial data

* If carrying out IA work for Government or Government suppliers.


Skills

When presenting your skills evidence, use the ‘STAR’ format: ‘Situation, Task, Action, Result’

Use a narrative form, e.g. ‘... I produced ...My decision was...’

Explain what accreditation decision you made and how the measures you required were proportionate and effective

You must meet the required levels at all 4 core skills (A6, B1, B2, D1)

You must meet 75% of the remaining skills

A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation

The following table provides suggestions for starting points in evidence.

Technical Skills

A1 – Governance, Level 1

Understands local arrangements for Information Governance (IG)

Give examples of how you:

engaged with your organisation (or the organisation you work in) to understand IG arrangements. What standards did you apply and did you include any from outside the CESG portfolio? Explain if you had to adapt policy. What was the outcome?

reviewed and advised on RMADS and risk assessments

A2 – Policy & Standards, Level 2

With supervision and aligned with business objectives, authors or provides advice on IS policy or standards

Give examples of how you:

interpreted the SPF or other guidance to ensure that IA policy benefitted the organisation you were working in. State the reasons why you decided on a particular route or decision and explain the outcomes and what lessons were learnt

took account of local IA policy in an accreditation process. How did this impact your process and what effect did your work have?


A3 – Information Security Strategy, Level 2

Contributes to development or implementation of IS strategy under supervision

Give examples of how you:

reviewed parts of an organisation’s IA strategy, as part of a team. What benefit resulted?

advised or guided consultants/SIRO/Head of IT during an accreditation – what result did this have? What was the benefit to the organisation?

provided Accreditor subject matter advice during the development of IS strategy. What was the effect of this?

engaged with the business of an organisation and identified the key areas for testing – how did you do this and what was the outcome?

A4 – Innovation & Business Improvement, Level 2

Applies IS to achieve business objectives with some supervision

Give examples from different environments of how you:

provided advice as an Accreditor on tolerances within risk appetite. What was the outcome?

worked with an organisation to help the business understand and integrate IA requirements into the early stage of a project. What was the impact?

A5 – IS Awareness and Training, Level 1

Understands the role of security awareness and training in maintaining Information Security

Give examples of how you:

identified risks to IA because of poor security awareness

took into account policies/standards for IA and how these are maintained and followed, when making an accreditation decision. How did these affect your decision and why?

A6 – Legal & Regulatory Environment, Level 2 (core skill)

Understands applicable legislation and regulations relating to IS in the context of own or client organisations

Give examples of how you:

detected non-compliance with relevant legislation/regulations. What did you do and what was the outcome?

engaged with IA teams on legal interpretations. How did these affect your accreditation decisions?

maintained your knowledge of changes to legislation, or new legislation – give an example of how this affected your accreditation decisions


A7 – Third Party Management [2], Level 1

Is aware of the need for organisations to manage the information security of third parties

Give examples of how you:

identified and addressed security weaknesses in 3rd party contracts. What did you do and what was the result?

used standards (e.g. an annual return) to gauge the IA maturity of a 3rd party. What was the result of your work?

used typical and proportionate controls to identify and manage threats

B1 – Risk Assessment, Level 2 (core skill)

Understands how to produce information risk assessments

Give examples of how you:

worked with SIROs or other risk owners to understand the organisation’s risk appetite and risk tolerance. How did this affect your methodology and what was the outcome of your work?

analysed a risk assessment against the organisation’s risk appetite. How did you decide whether the risk assessment was valid or deficient? What was the outcome?

B2 – Risk Management, Level 2 (core skill)

Contributes to management of risks to information systems with supervision

Give examples of how you:

reviewed a risk treatment plan for an organisation: how did you assess whether it met business requirements and risk appetite? What standards, policies and guidance did you apply? What was the result of your work?

contributed to the design of, or advised on a risk treatment plan. What local factors had to be taken into account? What was the outcome of your work?

C1 – Security Architecture, Level 2

Applies architectural principles to security design with some supervision

Give examples of how you:

were involved in security designs of systems. How did you judge whether there were security weaknesses and what did you advise to overcome these? What was the outcome of your advice?

[2] Skill only required if information systems or services are provided by a third party.


C2 – Secure Development, Level 1

Is aware of the benefits of addressing security during system development

Give examples of:

early intervention in system development (e.g. through membership of a Security Working Group) – what was the result of your work? How did it benefit the security of the system?

outcomes of IT System Health Checks you have requested or been involved in

how early penetration tests on development instances improved secure developments

D1 – IA Methodologies, Level 2 (core skill)

Applies an IA methodology or standard with some supervision

Give examples over a range of environments of how you:

reviewed risk assessment and risk treatment plans – what standards/policy/guidance did you use? What was the outcome of your work?

had to adapt an IA methodology in order to meet the business need and risk tolerance in an appropriate and proportionate way. What was the result of your work?

D2 – Security Testing, Level 2

Effectively applies testing methodologies, tools or techniques with some supervision

Give examples of how you:

assessed and interpreted test results and used these in your accreditation decisions. What was the outcome?

prepared or scoped security testing to identify vulnerabilities and then effectively engaged with expert testers. What was the result of your work?

E1 – Secure Operations Management, Level 1

Is aware of the need for secure management of Information Systems

Give examples of:

processes and procedures you have carried out accreditation on – what deficiencies did you detect and how did you know what information you needed to be given by others in order to make your decision?

occasions when you have been dissatisfied with a system you were asked to accredit – how did you explain what needed to be remedied and what was the result of your work?


E2 – Secure Ops & Service Delivery, Level 1

Is aware of the need for information systems and services to be operated securely

Give examples of:

typical checks and information you require from others in order to be able to accredit a system where there are unclassified and classified communities. What was the result of your work?

explaining to others what the impact on the business would be if security vulnerabilities were not addressed. What was the outcome of your actions?

E3 – Vulnerability Assessment, Level 1

Is aware of the need for vulnerability assessments to maintain Information Security

Give examples from different work environments of how you:

included vulnerability assessments from others when pointing out issues which need to be addressed before accreditation can be granted. What was the outcome of your work?

influenced IA design in Information Systems

F1 – Incident Management, Level 1

Is aware of the benefits of managing security incidents

Provide examples of how you:

took into account the impact of previous security incidents and the effect they could have on an organisation’s business, when carrying out accreditation work

F2 – Investigation, Level 1

Is aware of basic principles of investigations

Give examples of:

gathering information about local policies for investigating incidents to inform your accreditation decisions. How did this affect your decision and what was the result of your work?

F3 – Forensics, Level 1

Is aware of the capability of forensics to support investigations

Give examples of:

using the knowledge you had gained from understanding forensic tools and techniques to accredit a system/network/application

how you took into account the legal implications of local forensic policies and the goals of the organisation, to make an accreditation decision


G1 – Audit and Review, Level 2

Audits compliance with security criteria in accordance with an appropriate methodology

Give examples of:

the types of methodology you need to see in an audit when you are accrediting an Information System

H1 – Business Continuity Planning and H2 – Business Continuity Management, Level 1

Understands how Business Continuity Planning & Management contributes to Information Security

Give examples, from different work environments, of how:

you considered business continuity in your accreditation decisions. What internal and external factors did you take into account? What was the outcome of your decision?

you explained to others the connection between business planning and continuity and information security and what outcomes have resulted.

PEOPLE SKILLS ‘J skills’ (instead of SFIA levels – see p4)

J1 - Teamwork and Leadership, Level 2

Is encouraging and supportive and provides a lead within the local area. Task-based team working

Give examples of:

providing a lead when you needed others to complete tasks. How did you address conflict when/if this arose?

J2 – Delivering, Level 2

Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this

Give examples of:

prioritising tasks to ensure that local and organisational objectives were met

engaging with stakeholders to assist prioritisation


J3 – Managing Customer Relationships, Level 2

Negotiates with customers to improve the service to them and to manage their expectations

Describe occasions when you have explained to customers why you cannot meet their expectations. What was the outcome? How have you influenced others to accept accreditation decisions which were not what they had hoped for?

J4 – Corporate Behaviour, Level 2

Understands the aims of own and related areas across an organisation

Give examples of:

when you have escalated risk

when you have built compliance with a local policy into your accreditation process in an appropriate way

J5 – Change and Innovation, Level 2

Generates creative ideas and demonstrates sensitivity in implementing local change

What changes have you introduced – what did you do, what techniques did you use and why? How did you consider the impact on other people and processes and try to find ways around problems?

J6 – Analysis and Decision Making, Level 2

Makes effective decisions in consultation with others and/or solves complex problems in immediate area

Give examples of:

breaking down problems where there was a grey area or lack of clarity. What was the outcome of your decision?

J7 – Communication and Knowledge Sharing, Level 2

Encourages and contributes to discussion. Is proactive in sharing information in own work area

Give examples of how you have adapted your communication to suit different media, including face to face, over the phone, emails, presentations and meetings, e.g.:

- publishing reports
- stand-up briefings
- Board presentations
- risk escalation processes
- participation in security working groups, etc.

What outcomes have you achieved?


Experience

Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below.

Your evidence should show that you have:

reviewed Risk Management Accreditation Document Sets (RMADS) and ensured that the risk assessments and risk treatment plans fit the business objectives and risk appetite

recognised – or can recognise – when an accreditation decision must be escalated because of implications beyond your level of responsibility, experience or delegated risk tolerance

ensured that customers build accreditation into their business plans

understood and taken account of stakeholders’ priorities, so that you have been able to justify your accreditation decisions to stakeholders

provided timely advice to system developers on whether proposed solutions are likely to gain accreditation


The Certification Process

Next Steps

This Application Guidance contains material designed to help individuals applying for CCP Accreditor at Practitioner level. The CB certification processes for the Practitioner level follow below.

Note:

1. If you are considering applying for CCP Accreditor at Senior level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels (see http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx). Supervisory experience to show evidence of coaching and developing other Accreditors would also be helpful.

2. If you are applying for CCP Accreditor at Lead level, you will need to show that you influence and direct accreditation strategy at an organisational or inter-organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise the Board with regard to accreditation (see http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx).


There are 3 CBs: the APM Group (www.apmg-ia.com), BCS (www.bcs.org) and the IISP, RHUL and CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.


The CCP Scheme Certification Learning Cycle


References

[a] CESG, ‘CESG Certification for IA Specialists’ Standard (http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx)

[b] CESG, ‘Guidance to Certification for IA Specialists’ (http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx)

CESG, A3e Hubble Road, Cheltenham, Gloucestershire, GL51 0EX
Tel: +44 (0)1242 709141
Fax: +44 (0)1242 709193
Email: [email protected]

© Crown Copyright 2014. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes.