The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems with legislation, regulation and relevant standards.
Level 2 Assist
Applies and maintains specific security controls as required by organizational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorized access. Contributes to vulnerability assessments. Recognizes when an IT network/system has been attacked internally, by a remote host, or by malicious code, such as virus, worm or Trojan etc., or when a breach of security has occurred. Takes immediate action to limit damage, according to the organization’s security policy, which may include escalation to next level, and records the incident and action taken. Demonstrates effective communication of security issues to business managers and others. Performs basic risk assessments for small information systems.
Level 3 Apply
Conducts security risk and vulnerability assessments for defined business applications or IT installations in defined areas, and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls (e.g. the key controls defined in ISO27001). Performs risk and vulnerability assessments, and business impact analysis for medium size information systems. Investigates suspected attacks and manages security incidents.
Level 4 Enable
Obtains and acts on vulnerability information and conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk. Investigates major breaches of security, and recommends appropriate control improvements. Interprets security policy and contributes to development of standards and guidelines that comply with this. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organization. Ensures proportionate response to vulnerability information, including appropriate use of forensics.
Level 5 Ensure, Advise
Provides leadership and guidelines on information assurance security expertise for the organization, working effectively with strategic organizational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated.
No comments:
Post a Comment