
SFIA Skill

Information security SCTY

The management of, and provision of expert advice on, the selection, design, justification, implementation and operation of information security controls and management strategies to maintain the confidentiality, integrity, availability, accountability and relevant compliance of information systems.

Information security: Level 6

Provides leadership and guidelines on information assurance security expertise for the organisation, working effectively with strategic organisational functions such as legal experts and technical support to provide authoritative advice and guidance on the requirements for security controls. Provides for restoration of information systems by ensuring that protection, detection, and reaction capabilities are incorporated.

Information security: Level 5

Conducts security risk assessments for business applications and computer installations; provides authoritative advice and guidance on security strategies to manage the identified risk. Investigates major breaches of security, and recommends appropriate control improvements. Interprets security policy and contributes to development of standards and guidelines that comply with this. Performs risk assessment, business impact analysis and accreditation for all major information systems within the organisation.

Information security: Level 4

Conducts security risk assessments for defined business applications or IT installations in defined areas, and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls (e.g. the key controls defined in ISO27001). Performs risk assessment, and business impact analysis for medium size information systems. Investigates suspected attacks and recommends remedial action.

Information security: Level 3

Applies and maintains specific security controls as required by organisational policy and local risk assessments to maintain confidentiality, integrity and availability of business information systems and to enhance resilience to unauthorised access. Recognises when an IT network/system has been attacked, and takes immediate action to limit damage. Determines when security issues should be escalated to a higher level. Demonstrates effective communication of security issues to business managers and others. Performs basic risk assessments for small information systems.