Application Guidance CCP Accreditor Role, Practitioner level
Issue No: 1.0 April 2014
This document is for the purposes of issuing advice to UK Government, public sector organisations and/or related organisations. The copying and use of this document for any other purpose, such as for training purposes, is not permitted without the prior approval of CESG.
The copyright of this document is reserved and vested in the Crown.
Document History
Version | Date | Comment
1.0 | April 2014 | First issue
Purpose & Intended Readership
This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Accreditor at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard and the CESG ‘Guidance to Certification for IA Specialists’ document, to be found at http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx.
Executive Summary
CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Adviser Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Accreditor at Practitioner level.
Feedback
CESG Information Assurance Guidance and Standards welcomes feedback and encourages readers to inform CESG of their experiences, good or bad, with this document. Please email: [email protected]
Contents:
Overall Requirements for the Accreditor Role at Practitioner level
  Accreditation
  Headline statement for Accreditor at Practitioner level
  Applying for CCP Scheme certification
Further information on the requirements for the Accreditor Role at Practitioner level
  Knowledge
  Skills
  Experience
The Certification Process
  Next Steps
The CCP Scheme Certification Learning Cycle
References
Overall Requirements for the Accreditor Role at Practitioner level
Key Principles
This document is intended as a guide on how to structure evidence when applying for certification as a CESG Certified Professional (CCP) Accreditor at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Specialists’ Standard and the CESG ‘Guidance to Certification for IA Specialists’ document, to be found at http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx.
Learning comes through acquiring skills and knowledge (from training, experience and by following other people) and putting these into practice. Most people will need 1-2 years to acquire these, although in some cases this may take a longer or shorter time.
The section on skills (see below) provides prompts for the type of evidence required to demonstrate that you meet the standard for CCP Practitioner Accreditor. You are encouraged to follow the advice in this section when completing your written submission of evidence.
Accreditation
Accreditation is an independent assessment that an information system meets its Information Assurance (IA) requirements and that the residual risks are acceptable to the business, in the context of the business requirement. It is making sure that the appropriate things are done.
Headline statement for Accreditor at Practitioner level
Makes routine accreditation decisions, accepting residual risk on behalf of your organisation where it is clearly within the normal risk appetite as declared by the Senior Information Risk Owner (SIRO). For example, you make accreditation sign-off decisions for your organisation or SIRO.
Applying for CCP Scheme Certification
There may be different gaps in your skills, knowledge and experience, depending on whether you are at the start of your IA career or already an experienced professional. If you don’t feel that you can demonstrate all of the following required skills, knowledge and experience, agree a plan with your manager so that you can address any gaps – e.g. through placements, projects, training, coaching – before you apply for CCP certification. Your written submission must show that you:
meet the headline statement for the Accreditor role (see above)
follow the HMG Security Policy Framework (for public sector work) and local interpretations
review Risk Management Accreditation Document Sets to confirm that risk assessments and risk treatment plans are consistent with business requirements
recognise accreditation decisions that have implications beyond your level of responsibility, experience or delegated risk tolerance and escalate them appropriately
build constructive relationships with clients to build accreditation into business and project plans
justify your accreditation decisions to stakeholders in terms of the business objectives, threats, risks, vulnerabilities, controls and likelihood of business impacts
provide constructive and timely advice to systems developers on whether their proposed solutions are likely to gain accreditation
understand the normal risk appetite and the potential business impact of accepting risks either above or below it
sign off on accreditation decisions
accept residual risk at the appropriate level
know when you need to consult others, e.g. those who understand the technologies (you are not expected to be an expert on all the systems you accredit)
demonstrate the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework
demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA) [1] at level 3. Alternatively you can show evidence of at least level 2 for the IISP J skills
You should also check the website of the Certification Body (CB) you wish to use for any additional conditions required by that CB.
[1] See ‘Guidance to CESG Certification for IA Professionals’ http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx and the SFIA Foundation at www.sfia.org.uk.
The key to good accreditation is combining technical, business and people skills to provide appropriate security. You need to understand the business objectives and strategy and risk appetite and to have support from others who understand the technologies. You need people skills to ensure that you explain security options appropriately so that others understand the information you give them and can carry out your advice so that risk is managed in an appropriate and proportionate way. In no priority order, you need:
Skills:
Negotiating
Influencing
Communication – able to talk to non-techies and techies alike
Risk assessment and risk management
Business writing (all the information needed for a decision, on 1 side of A4)
Presentation
Stakeholder management
Familiarity with:
Accreditation methodologies
Accreditation standards and policies
The CESG Certification for IA Professionals and Guidance to CESG Certification for IA Professionals documents [http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx]
Technical IA controls
And understanding of:
The project management environment
The risk appetite of the organisation
Business strategy and your local business environment
The fundamentals of how compromises can occur
How to sign off on accreditation decisions
How to perform Protective Monitoring (PM), understanding reports on PM and carrying out incident management
How to write and review RMADS
[Figure: Practitioner may be starting to gain experience to move towards Senior role. Labels: increasing experience and practice (learning on the job); gaining knowledge; different working environments; developing skills (training courses); from relatively straightforward systems to increasingly complex systems.]
Further information on the requirements for the Accreditor Role at Practitioner level
Knowledge
The following gives more detail of the knowledge you need to acquire. You can do this through a mixture of classroom-based courses, e-learning, mentoring, coaching, placements, briefings, background reading and on the job training, as agreed with your manager.
You must provide evidence that you understand and have appropriately applied your knowledge of:
the Mandatory Requirements of HMG Security Policy Framework (SPF), especially those relevant to your work*
the CESG portfolio*
at least HMG IA Standards No. 1 and 2 in detail, and their local interpretations*
your organisation’s Information Security policies and standards
what information governance is, why it matters, and who is responsible for it locally
the strategic goals, threats and opportunities of the businesses you work in
what good and bad security in IA architecture looks like
how to develop IT systems with good IA
best practice in producing appropriate and proportionate RMADS
legal issues – protection of personal and financial data
* if carrying out IA work for Government or Government suppliers
Skills
When presenting your skills evidence, use the ‘STAR’ format: ‘Situation, Task, Action, Result’
Use a narrative form, e.g. ‘... I produced ...My decision was...’
Explain what accreditation decision you made and how the measures you required were proportionate and effective
You must meet the required levels in all 4 core skills (A6, B1, B2, D1)
You must meet 75% of the remaining skills
A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation
The following table provides suggestions for starting points in evidence.
Technical Skills
SKILL / EVIDENCE OF SKILL
A1 – Governance, Level 1: Understands local arrangements for Information Governance (IG)
Give examples of how you:
engaged with your organisation (or the organisation you work in) to understand IG arrangements. What standards did you apply and did you include any from outside the CESG portfolio? Explain if you had to adapt policy. What was the outcome?
reviewed and advised on RMADS and risk assessments
A2 – Policy & Standards, Level 2: With supervision and aligned with business objectives, authors or provides advice on IS policy or standards
Give examples of how you:
interpreted the SPF or other guidance to ensure that IA policy benefitted the organisation you were working in. State the reasons why you decided on a particular route or decision and explain the outcomes and what lessons were learnt
took account of local IA policy in an accreditation process. How did this impact your process and what effect did your work have?
A3 – Information Security Strategy, Level 2: Contributes to development or implementation of IS strategy under supervision
Give examples of how you:
reviewed parts of an organisation’s IA strategy, as part of a team. What benefit resulted?
advised or guided consultants/SIRO/Head of IT during an accreditation – what result did this have? What was the benefit to the organisation?
provided Accreditor subject matter advice during the development of IS strategy. What was the effect of this?
engaged with the business of an organisation and identified the key areas for testing – how did you do this and what was the outcome?
A4 – Innovation & Business Improvement, Level 2: Applies IS to achieve business objectives with some supervision
Give examples from different environments of how you:
provided advice as an Accreditor on tolerances within risk appetite. What was the outcome?
worked with an organisation to help the business understand and integrate IA requirements into the early stage of a project. What was the impact?
A5 – IS Awareness and Training, Level 1: Understands the role of security awareness and training in maintaining Information Security
Give examples of how you:
identified risks to IA because of poor security awareness
took into account policies/standards for IA and how these are maintained and followed, when making an accreditation decision. How did these affect your decision and why?
A6 – Legal & Regulatory Environment, Level 2 (core skill): Understands applicable legislation and regulations relating to IS in the context of own or client organisations
Give examples of how you:
detected non-compliance with relevant legislation/regulations. What did you do and what was the outcome?
engaged with IA teams on legal interpretations. How did these affect your accreditation decisions?
maintained your knowledge of changes to legislation, or new legislation – give an example of how this affected your accreditation decisions
A7 – Third Party Management [2], Level 1: Is aware of the need for organisations to manage the information security of third parties
Give examples of how you:
identified and addressed security weaknesses in 3rd party contracts. What did you do and what was the result?
used standards (e.g. an annual return) to gauge the IA maturity of a 3rd party. What was the result of your work?
used typical and proportionate controls to identify and manage threats
B1 – Risk Assessment, Level 2 (core skill): Understands how to produce information risk assessments
Give examples of how you:
worked with SIROs or other risk owners to understand the organisation’s risk appetite and risk tolerance. How did this affect your methodology and what was the outcome of your work?
analysed a risk assessment against the organisation’s risk appetite. How did you decide whether the risk assessment was valid or deficient? What was the outcome?
B2 – Risk Management, Level 2 (core skill): Contributes to management of risks to information systems with supervision
Give examples of how you:
reviewed a risk treatment plan for an organisation: how did you assess whether it met business requirements and risk appetite? What standards, policies and guidance did you apply? What was the result of your work?
contributed to the design of, or advised on a risk treatment plan. What local factors had to be taken into account? What was the outcome of your work?
C1 – Security Architecture, Level 2: Applies architectural principles to security design with some supervision
Give examples of how you:
were involved in security designs of systems. How did you judge whether there were security weaknesses and what did you advise to overcome these? What was the outcome of your advice?
[2] Skill only required if information systems or services are provided by a third party
C2 – Secure Development, Level 1: Is aware of the benefits of addressing security during system development
Give examples of:
early intervention in system development (e.g. through membership of a Security Working Group) – what was the result of your work? How did it benefit the security of the system?
outcomes of IT System Health Checks you have requested or been involved in
how early penetration tests on development instances improved secure developments
D1 – IA Methodologies, Level 2 (core skill): Applies an IA methodology or standard with some supervision
Give examples over a range of environments of how you:
reviewed risk assessment and risk treatment plans – what standards/policy/guidance did you use? What was the outcome of your work?
had to adapt an IA methodology in order to meet the business need and risk tolerance in an appropriate and proportionate way. What was the result of your work?
D2 – Security Testing, Level 2: Effectively applies testing methodologies, tools or techniques with some supervision
Give examples of how you:
assessed and interpreted test results and used these in your accreditation decisions. What was the outcome?
prepared or scoped security testing to identify vulnerabilities and then effectively engaged with expert testers. What was the result of your work?
E1 – Secure Operations Management, Level 1: Is aware of the need for secure management of Information Systems
Give examples of:
processes and procedures you have carried out accreditation on – what deficiencies did you detect and how did you know what information you needed to be given by others in order to make your decision?
occasions when you have been dissatisfied with a system you were asked to accredit – how did you explain what needed to be remedied and what was the result of your work?
E2 – Secure Ops & Service Delivery, Level 1: Is aware of the need for information systems and services to be operated securely
Give examples of:
typical checks and information you require from others in order to be able to accredit a system where there are unclassified and classified communities. What was the result of your work?
explaining to others what the impact on business would be if security vulnerabilities were not addressed. What was the outcome of your actions?
E3 – Vulnerability Assessment, Level 1: Is aware of the need for vulnerability assessments to maintain Information Security
Give examples from different work environments of how you:
included vulnerability assessments from others when pointing out issues which need to be addressed before accreditation can be granted. What was the outcome of your work?
influenced IA design in Information Systems
F1 – Incident Management, Level 1: Is aware of the benefits of managing security incidents
Provide examples of how you:
took into account the impact of previous security incidents and the effect they could have on an organisation’s business, when carrying out accreditation work
F2 – Investigation, Level 1: Is aware of basic principles of investigations
Give examples of:
gathering information about local policies for investigating incidents to inform your accreditation decisions. How did this affect your decision and what was the result of your work?
F3 – Forensics, Level 1: Is aware of the capability of forensics to support investigations
Give examples of:
using the knowledge you had gained from understanding forensic tools and techniques to accredit a system/network/application
how you took into account the legal implications of local forensic policies and the goals of the organisation, to make an accreditation decision
G1 – Audit and Review, Level 2: Audits compliance with security criteria in accordance with an appropriate methodology
Give examples of:
the types of methodology you need to see in an audit when you are accrediting an Information System
H1 – Business Continuity Planning and H2 – Business Continuity Management, Level 1: Understands how Business Continuity Planning & Management contributes to Information Security
Give examples, from different work environments, of how:
you considered business continuity in your accreditation decisions. What internal and external factors did you take into account? What was the outcome of your decision?
you explained to others the connection between business planning and continuity and information security and what outcomes have resulted.
People Skills – ‘J skills’ (instead of SFIA levels – see ‘Applying for CCP Scheme Certification’ above)
J1 – Teamwork and Leadership, Level 2: Is encouraging and supportive and provides a lead within the local area. Task-based team working
Give examples of:
providing a lead when you needed others to complete tasks. How did you address conflict when/if this arose?
J2 – Delivering, Level 2: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
Give examples of:
prioritising tasks to ensure that local and organisational objectives were met
engaging with stakeholders to assist prioritisation
J3 – Managing Customer Relationships, Level 2: Negotiates with customers to improve the service to them and to manage their expectations
Describe occasions when you have explained to customers why you cannot meet their expectations. What was the outcome? How have you influenced others to accept accreditation decisions which were not what they had hoped for?
J4 – Corporate Behaviour, Level 2: Understands the aims of own and related areas across an organisation
Give examples of:
when you have escalated risk
when you have built compliance with a local policy into your accreditation process in an appropriate way
J5 – Change and Innovation, Level 2: Generates creative ideas and demonstrates sensitivity in implementing local change
What changes have you introduced – what did you do, what techniques did you use and why? How did you consider the impact on other people and processes and try to find ways around problems?
J6 – Analysis and Decision Making, Level 2: Makes effective decisions in consultation with others and/or solves complex problems in immediate area
Give examples of:
breaking down problems where there was a grey area or lack of clarity. What was the outcome of your decision?
J7 – Communication and Knowledge Sharing, Level 2: Encourages and contributes to discussion. Is proactive in sharing information in own work area
Give examples of how you have adapted your communication to suit different media, including face to face, over the phone, emails, presentations and meetings: e.g.
publishing reports
stand-up briefings
Board presentations
Risk escalation processes
participation in security working groups etc.
What outcomes have you achieved?
Experience
Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below.
Your evidence should show that you have:
reviewed Risk Management Accreditation Document Sets (RMADS) and ensured that the risk assessments and risk treatment plans fit the business objectives and risk appetite
recognised – or can recognise – when an accreditation decision must be escalated because of implications beyond your level of responsibility, experience or delegated risk tolerance
ensured that customers build accreditation into their business plans
understood and taken account of stakeholders’ priorities, so that you have been able to justify your accreditation decisions to stakeholders
provided timely advice to system developers on whether proposed solutions are likely to gain accreditation
The Certification Process
Next Steps
This Application Guidance contains material designed to help individuals applying for CCP Accreditor at Practitioner level. The CB certification processes for the Practitioner level follow below.
Note:
1. If you are considering applying for CCP Accreditor at Senior level, you will need to show wider experience of more complex systems and satisfy the requirement for higher skill levels (see http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx). Supervisory experience to show evidence of coaching and developing other Accreditors would also be helpful.
2. If you are applying for CCP Accreditor at Lead level, you will need to show that you influence and direct accreditation strategy at an organisational or inter-organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise the Board with regard to accreditation (see http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx).
There are 3 CBs: the APM Group (www.apmg-ia.com), BCS (www.bcs.org) and the IISP, RHUL and CREST Consortium (www.iisp.org). Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.
The CCP Scheme Certification Learning Cycle
References
[a] CESG, ‘CESG Certification for IA Specialists’ Standard, http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx
[b] CESG, ‘Guidance to Certification for IA Specialists’, http://www.cesg.gov.uk/awarenesstraining/PET/Pages/Professional-IA-roles-.aspx
IA CESG, A3e Hubble Road, Cheltenham, Gloucestershire, GL51 0EX
Tel: +44 (0)1242 709141 Fax: +44 (0)1242 709193 Email: [email protected]
© Crown Copyright 2014. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes.