Publication - Advice and guidance

Cyber security: operations

Find out about the job roles that comprise the cyber security operations family practice.

Cyber security: operations
Cyber security analyst

Cyber security analyst

Role summary

Cyber security analysts are responsible for protecting the confidentiality, integrity, and availability of information and information systems used by government and Partners Across Government.

Role levels are:

Entry route

Internal: Suitable for an individual from the Government Security Profession, Digital Data and Technology Profession or other relevant profession (e.g.  Science and Engineering Profession)

External: Suitable for an individual with experience in cyber and information security

Skills required to be a cyber security analyst

  • Cyber security operations. Cyber Security operations are the secure configuration and maintenance of information, controls and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of information security devices (e.g. firewalls) and protective monitoring tools (e.g. Security Information and Event Management (SIEM)). Principles include implementing security policy (e.g. patching policies) and security operating procedures in respect of system and/or network management, maintaining security records and documentation in accordance with security operating procedures, and monitoring processes for violations of relevant security policies (e.g. acceptable use, security).
  • Incident management, incident investigation and response. Incident management, incident investigation and response refers to the set of processes, procedures and systems used to reduce the harm caused to victims of cyber incidents and deter future attacks. The principles of the skill include engagement with the overall organisation incident management process to ensure that information security incidents are handled appropriately, defining and implementing processes, procedures and configuring system policies for responding to and investigating information security incidents, establishing and maintaining a Computer Emergency Response Team (CERT) and systems to deal with information security incidents.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Penetration testing. Penetration testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the tools and techniques that an adversary might employ. Principles of the skill include contributing to the scoping and conduct of vulnerability assessments; knowing the tools and techniques needed to enumerate an environment and assess asset configuration; identifying and testing for public domain vulnerabilities, assessing the potential for exploitation, and conducting exploits where appropriate; reporting potential issues and mitigation options; contributing to the review and interpretation of reports; and coordinating and managing remediation action plan responses. This skill has broad applicability across many roles.
  • Specific security technology and understanding. Knowledge of system architectures. Able to understand the risk impact of vulnerabilities on existing and future designs and systems, and identify how easy or difficult it will be to exploit these vulnerabilities.

Cyber security analyst associate

Typical role level expectations

  • Communicates information security risks and issues to customers
  • Contributes to vulnerability assessments
  • Applies and maintains specific security controls as required by organisational policy and local risk assessments
  • Takes action to respond to low level security breaches in line with security policy and records the incidents and action taken
  • Undertakes analytical activities and delivers analysis outputs, in accordance with customer needs
  • Investigates minor security breaches in accordance with established procedures. Assists users in defining their access rights and privileges. Performs standard security administration tasks and resolves security administration issues.
  • Identifies and resolves issues with applications, following agreed procedures. Uses application management software and tools to collect agreed performance statistics. Carries out agreed applications maintenance tasks
  • Carries out agreed operational procedures, including network configuration, installation and maintenance
  • Conducts automated vulnerability assessments, documents flaws in security & prepares formal reports
  • Investigates problems in systems, processes and services and assists with the implementation of agreed remedies and preventative measures
  • Researches security vulnerabilities, counter-measures and mitigations

Skills needed for this role

  • Cyber security operations (Relevant skill level: working). At this level you:
    • Demonstrate experience applying the principles of secure configuration of role-specific security components and devices in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination
    • Support the overall aims of a Cyber Security operations-related team, e.g. a monitoring team
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware, protection or vulnerability testing under direction/supervision
    • Develop and tests rules for detecting violations of security operating procedures under supervision
  • Incident management, incident investigation and response (Relevant skill level: working). At this level you:
    • Contribute to incident management, incident investigation and response policy and/or incident management processes, procedures and systems
    • Follow documented principles and guidelines for incident management, incident investigation and response activities with limited direction/supervision
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Penetration testing (Relevant skill level: working). At this level you:
    • Explain the principles of penetration testing, the main components of an infrastructure penetration test and the high-level processes involved, to practitioners and non-practitioners alike
    • Provide pragmatic input to assist in the development of penetration testing policies, procedures and guidelines and understands their business context
    • Help ensure compliance of working practices by educating colleagues in basic penetration testing policies, procedures and guidelines
    • Perform basic tests or attack exercises by following documented principles and guidelines for penetration testing activities and interprets results, with little or no supervision
    • Use preconfigured commercial and bespoke tools to conduct vulnerability assessments and basic penetration tests without supervision and complex infrastructure penetration testing under supervision
    • Understand the potential risks of security testing in different operational environments and takes them into account while developing plans
    • Make contributions to assessment reports that are factual and literal, rather than interpretive
    • Have solid rather than wide platform knowledge being strong on a single platform (e.g. Windows, Mac)
    • Have achieved recognised qualifications in appropriate and relevant subjects, including Offensive Security Certified Professional, CHECK Team Member or equivalent
  • Specific security technology and understanding (Relevant skill level: working). At this level you:
    • Have knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and are able to articulate a response.
    • Have broad knowledge of a range of systems but may specialise in one.

​​​​​​​Cyber security analyst

Typical role level expectations

  • Communicates information security risks and issues to business managers and others
  • Performs basic risk assessments for small information systems
  • Contributes to vulnerability assessments
  • Applies and maintains specific security controls as required by organisational policy and local risk assessments
  • Takes action to respond to security breaches in line with security policy and records the incidents and action taken
  • Investigates minor security breaches in accordance with established procedures. Assists users in defining their access rights and privileges
  • Carries out agreed operational procedures, including network configuration, installation and maintenance. Uses network management tools to collect and report on network load and performance statistics.
  • Contributes to the implementation of maintenance and installation work.
  • Uses standard procedures and tools to carry out defined system backups, restoring data where necessary.
  • Identifies operational problems and contributes to their resolution
  • Investigates problems in systems, processes and services. Assists with the implementation of agreed remedies and preventative measures.

Skills needed for this role

  • Cyber security operations (Relevant skill level: working). At this level you:
    • Demonstrate experience applying the principles of secure configuration of role-specific security components and devices in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination
    • Support the overall aims of a Cyber Security operations-related team, e.g. a monitoring team
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware, protection or vulnerability testing under direction/supervision
    • Develop and tests rules for detecting violations of security operating procedures under supervision
  • Incident management, incident investigation and response (Relevant skill level: practitioner). At this level you:
    • Define incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Follow documented principles and guidelines for incident management, incident investigation and response activities
    • Advise others on incident management, incident investigation and response processes
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Penetration testing (Relevant skill level: practitioner). At this level you:
    • Lead teams undertaking complex penetration tests
    • Follow documented principles and guidelines for high-complexity penetration testing activities
    • Design and implements test programmes for mid-complexity systems, products, applications or processes, selecting suitable techniques, tools and test strategies without supervision
    • Identify vulnerabilities, and determines whether they are exploitable, adapting testing approach based on findings
    • Detect and investigates result aberrations, or absences of expected results
    • Create assessment reports, confirming technology compliance with standards and policies and vulnerabilities, and provides suggested remediation actions
    • Advise others on penetration testing processes, the implications of testing, and sharing penetration testing best practice
    • Have a broader platform knowledge and conducts assessments from a multi-platform perspective
    • Have achieved recognised qualifications in appropriate and relevant subjects, to a high-functioning level, including CHECK Team Leader, CREST Certified Simulated Attack Specialist or equivalent
  • Specific security technology and understanding (Relevant skill level: working). At this level you:
    • Have knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and are able to articulate a response.
    • Have broad knowledge of a range of systems but may specialise in one.

​​​​​​​Cyber security analyst senior

Typical role level expectations

  • Explains the purpose of and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls
  • Performs security risk, vulnerability assessments, and business impact analysis for medium complexity information systems
  • Investigates suspected attacks and manages security incidents including use of forensics where appropriate
  • Maintains security administration processes and checks that all requests for support are dealt with according to agreed procedures
  • Provides guidance in defining access rights and privileges
  • Investigates security breaches in accordance with established procedures and recommends required actions and supports / follows up to ensure these are implemented
  • Maintains current knowledge of malware attacks, and other cyber security threats
  • Creates test cases using in-depth technical analysis of risks and typical vulnerabilities
  • Produces test scripts, materials and test packs to test new and existing software or services
  • Specifies requirements for environment, data, resources and tools. Interprets, executes and documents complex test scripts using agreed methods and standards
  • Maintains knowledge of specific specialisms, provides detailed advice regarding their application and executes specialised tasks

Skills needed for this role

  • Cyber security operations (Relevant skill level: practitioner). At this level you:
    • Develop security operating procedures for use across multiple information systems or maintains compliance with them
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing with autonomy
    • Develop and tests rules for detecting violations of security operating procedures with autonomy
    • Lead small teams managing Cyber Security operations within an organisation
  • Incident management, incident investigation and response (Relevant skill level: practitioner). At this level you:
    • Define incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Follow documented principles and guidelines for incident management, incident investigation and response activities
    • Advise others on incident management, incident investigation and response processes
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Penetration testing (Relevant skill level: practitioner). At this level you:
    • Lead teams undertaking complex penetration tests
    • Follow documented principles and guidelines for high-complexity penetration testing activities
    • Design and implements test programmes for mid-complexity systems, products, applications or processes, selecting suitable techniques, tools and test strategies without supervision
    • Identify vulnerabilities, and determines whether they are exploitable, adapting testing approach based on findings
    • Detect and investigates result aberrations, or absences of expected results
    • Create assessment reports, confirming technology compliance with standards and policies and vulnerabilities, and provides suggested remediation actions
    • Advise others on penetration testing processes, the implications of testing, and sharing penetration testing best practice
    • Have a broader platform knowledge and conducts assessments from a multi-platform perspective
    • Have achieved recognised qualifications in appropriate and relevant subjects, to a high-functioning level, including CHECK Team Leader, CREST Certified Simulated Attack Specialist or equivalent
  • Specific security technology and understanding (Relevant skill level: practitioner). At this level you:
    • Have developed knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and is able to provide insight into how these can be exploited.
    • Have developed knowledge of a range of systems and may specialise in a number of specific systems.

​​​​​​​Cyber security analyst lead

Typical role level expectations

  • Explains the purpose of and provides advice and guidance on the application and operation of elementary physical, procedural and technical security controls
  • Performs security risk, vulnerability assessments, and business impact analysis for complex information systems or risk based projects
  • Investigates suspected attacks and manages security incidents including use of forensics where appropriate
  • Has oversight of security administration processes and checks that all requests for support are dealt with according to agreed procedures
  • Provides guidance in defining access rights and privileges
  • Investigates security breaches in accordance with established procedures and recommends required actions and supports / follows up to ensure these are implemented
  • Maintains current knowledge of malware attacks, and other cyber security threats
  • Leads and directs Cyber Security Analysts to create test cases using in-depth technical analysis of risks and typical vulnerabilities
  • Leads and directs Cyber Security Analysts to produces test scripts, materials and test packs to test new and existing software or services
  • Specifies requirements for environment, data, resources and tools. Interprets, executes and documents complex test scripts using agreed methods and standards
  • Contributes to the development of cyber security policy, standards and guidelines appropriate to business, technology and legal requirements and in accordance with best professional and industry practice
  • Understands “voice of the customer” and develops mechanisms to proactively sense adoption and usage patterns of consumer technologies by end users so that policy can align with need

Skills needed for this role

  • Cyber security operations (Relevant skill level: expert). At this level you:
    • Lead teams managing Cyber Security operations within an organisation
    • Identify the need for, and implement, new security operating procedures and practices to meet changing requirements
    • Are a subject matter expert in developing and operationalising techniques for Cyber Security operations, e.g. detecting anomalous activity, automating orchestration and configuration of IT
  • Incident management, incident investigation and response (Relevant skill level: expert). At this level you:
    • Champion incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Shape incident management, system response, incident investigation and response principles and guidelines for incident management activities
    • Advise on corporate and systems response to an incident
    • Promote incident management, incident investigation and response best practice
    • Monitor the effectiveness of reporting
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Penetration testing (Relevant skill level: practitioner). At this level you:
    • Lead teams undertaking complex penetration tests
    • Follow documented principles and guidelines for high-complexity penetration testing activities
    • Design and implements test programmes for mid-complexity systems, products, applications or processes, selecting suitable techniques, tools and test strategies without supervision
    • Identify vulnerabilities, and determines whether they are exploitable, adapting testing approach based on findings
    • Detect and investigates result aberrations, or absences of expected results
    • Create assessment reports, confirming technology compliance with standards and policies and vulnerabilities, and provides suggested remediation actions
    • Advise others on penetration testing processes, the implications of testing, and sharing penetration testing best practice
    • Have a broader platform knowledge and conducts assessments from a multi-platform perspective
    • Have achieved recognised qualifications in appropriate and relevant subjects, to a high-functioning level, including CHECK Team Leader, CREST Certified Simulated Attack Specialist or equivalent
  • Specific security technology and understanding (Relevant skill level: practitioner). At this level you:
    • Have developed knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and is able to provide insight into how these can be exploited.
    • Have developed knowledge of a range of systems and may specialise in a number of specific systems.

​​​​​​​Cyber security analyst principal

Typical role level expectations

  • Initiate and influence relationships with and between key stakeholders, in taking forward all aspects of cyber security, acting as a primary point of contact for senior stakeholders and influencers
  • Develop cyber security policy, standards and guidelines appropriate to business, technology and legal requirements and in accordance with best professional and industry practice
  • Deliver specific pieces of work resulting from the Cyber Security Strategy, related to cyber business risk and information control/protection requirements
  • Manage the assessment and response to cyber threats to maintain confidentiality, integrity, availability, accountability and relevant compliance
  • Operate as a focus for cyber security expertise for the organisation and the wider central government community, providing authoritative advice and guidance on the application and operation of all types of cyber security controls
  • Oversee the work of the cyber security function, including project and task definition and prioritisation, quality management and budgetary control, and management tasks such as recruitment and training
  • Understands “voice of the customer” and develops mechanisms to proactively sense adoption and usage patterns of consumer technologies by end users so that policy can align with need

Skills needed for this role

  • Cyber security operations (Relevant skill level: expert). At this level you:
    • Lead teams managing Cyber Security operations within an organisation
    • Identify the need for, and implement, new security operating procedures and practices to meet changing requirements
    • Are a subject matter expert in developing and operationalising techniques for Cyber Security operations, e.g. detecting anomalous activity, automating orchestration and configuration of IT
  • Incident management, incident investigation and response (Relevant skill level: expert). At this level you:
    • Champion incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Shape incident management, system response, incident investigation and response principles and guidelines for incident management activities
    • Advise on corporate and systems response to an incident
    • Promote incident management, incident investigation and response best practice
    • Monitor the effectiveness of reporting
  • Information risk assessment and risk management (Relevant skill level: expert). At this level you:
    • Enable the organisation to deliver balanced and cost-effective risk management decisions on situations with complex scope or significant risk.
    • Ensure that risk is embedded into corporate governance processes
    • Integrate risk management processes into appropriate business activities such as system development, security architecture or procurement
    • Develop approaches to effectively report risk (including through system life cycles) to management who are responsible for risk to a given system or capability. This includes the ability to interpret management risk direction to others (such as developers or other security professionals)
    • Deliver comprehensive risk assessments for complicated or novel scenarios, using methodologies appropriate to the situation. Understands in detail how the risk assessment output dovetails into the risk management process
    • Determine and understand the security characteristics of complicated or novel systems
  • Penetration testing (Relevant skill level: expert). At this level you:
    • Take a multi-customer approach to establishing penetration testing policies, procedures and guidelines, taking into account organisational and national level perspectives
    • Have responsibility for penetration testing services and drives organisational and business change to better comply with policies, procedures and guidelines
    • Ensure effective delivery of penetration testing assessments for organisational benefit
    • Lead organisational teams in various stages of test design, execution, and assessment, for multiple customers, potentially across multiple organisations, and that comply with policies, procedures and guidelines
    • Improve organisational penetration testing processes, achieving high standards of excellence
    • Champion the organisational recognition of value of penetration testing services, and the benefits of addressing the results
    • Authoritatively influence the organisational management regarding penetration testing concepts and activities
    • Build on, and advances, practitioner level skills for self and colleagues
    • Communicate complex issues at the appropriate level for the audience
    • Have achieved appropriate level of qualifications, including CREST Certified Simulated Attack Manager or equivalent
  • Specific security technology and understanding (Relevant skill level: expert). At this level you:
    • Have strong knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs, systems and how easy or difficult it will be to exploit these vulnerabilities.
    • Are acknowledged as an expert by peers in the broader security industry.

Contact

ddat@gov.scot