Information

Cyber security: operations

Find out about the job roles that comprise the cyber security operations family practice.

This document is part of a collection


Digital forensics

Role summary

The role of Digital Forensics is to scope, co-ordinate and undertake forensic activity to gather forensic evidence from devices, systems and the internet in compliance with law and organisational investigation requirements.

Role levels are:

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked in digital forensics in the private sector

Skills required to be in digital forensics

  • Forensics. Forensics refers to the capture, analysis and reporting of evidence in accordance with legal guidelines, to minimise disruption to an organisation. The principles of the skill include securing the scene and capturing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business; maintaining evidential weight using specialist equipment as appropriate; analysing the evidence to identify breaches of policy, regulatory or law, including the presence of malware, and presenting evidence as appropriate; and acting as an expert witness as appropriate.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Intrusion detection and analysis. Intrusion detection and analysis consists of network and system activities to identify potential intrusion or other anomalous behaviour. Processes, methods and procedures include information analysis, security analytics including outputs from intelligence analysis, predictive research, and root cause analysis, vulnerability report analysis, and the production of warning materials. Further principles of the skill include monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes, and ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
  • Threat intelligence and threat assessment. Threat intelligence and threat assessment encompasses evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging concern or risk that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Principles of the skill include assessing and validating information from several sources on current and potential cyber and information security threats to the business, analysing trends and highlighting information security issues relevant to the organisation, including security analytics for big data; processing, collating and exploiting data, taking into account relevance and reliability to develop and maintain ‘situational awareness’; predicting and prioritising threats to an organisation and their methods of attack; analysing the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities, predicting and prioritising threats to an organisation and their methods of attack; using human factor analysis in the assessment of threats; using threat intelligence to develop attack trees; and preparing and disseminating intelligence reports, providing threat indicators and warnings.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.
  • Legal and regulatory environment and compliance. Legal and regulatory environment and compliance refers to an organisation’s adherence to laws, regulations, guidelines and specifications relevant to its business processes. It consists of a blend of compliance requirements and assurance capabilities. Principles of the skill include understanding the legal and regulatory environment within which the business operates, ensuring that information security governance arrangements are appropriate, and ensuring that the organisation complies with legal and regulatory requirements.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.

Digital forensics associate 

Typical role level expectations

  • Conduct forensic activity using specialist equipment as appropriate, following the relevant organisational processes
  • Work with specialist forensic personnel or a wider team to support the digital aspects of their investigation
  • Support the application of forensic readiness policy and work with other teams to ensure its implementation
  • Analyse evidence to identify breaches of policy, regulation or law
  • Present evidence as appropriate, acting as an expert witness if necessary

Skills needed for this role

  • Forensics (Relevant skill level: working). At this level you:
    • Analyse digital evidence and investigates computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
    • Understand legislative requirements and implications of actions within the organisation context
    • Undertake real-time analysis of ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
    • Are able to identify suspicious software, including potential malware sources
    • Secure the scene of an incident, with little requirement for supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained
    • Present conclusions in a manner suited to the context (written or oral), and is able to effectively defend conclusions, and provide evidence and testimony as required
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Intrusion detection and analysis (Relevant skill level: working). At this level you:
    • Understand and explain the basic principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour
    • Use information provided from various sources to identify, analyse, and report events that occur or might occur within the network. Uses a range of methods and procedures to identify, acquire, and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Understand the business context of the activities
    • Educate others on policies, procedures and guidelines relating to monitoring and analysing network and system activity
  • Threat intelligence and threat assessment (Relevant skill level: working). At this level you:
    • Understand and can explain threat intelligence and threat assessment principles and concepts
    • Use prescribed tools and techniques to acquire, validate and analyse threat information from multiple sources
    • Under direction enrich threat information by providing context, assessing possible implications and summarising the behaviour, capabilities and activities of threat actors
    • Use approved techniques to model routine threats, under supervision, to identify common enterprise attack vector, identify critical organisational functions, and protect organisational assets and goals
    • Apply knowledge to prioritise remediation of identified vulnerabilities for a single asset or system
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and applies knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and can apply to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative regulatory instruments relevant to security legislation and regulation relevant to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance or regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

Digital forensics lead 

Typical role level expectations

  • Assess the need for (and co-ordinate) forensic activity within the overall response initiative, including managing a team, ensuring that forensic services are deployed appropriately
  • Manage forensic readiness policy and work with other teams to ensure appropriate implementation
  • Co-ordinate team scene investigation and capture evidence in accordance with legal guidelines to minimise disruption to the business and preserve evidentiary integrity, using specialist equipment as appropriate
  • Review evidence to identify breaches of policy, regulation or law
  • Present evidence as appropriate, acting as an expert witness if necessary

Skills needed for this role

  • Forensics (Relevant skill level: practitioner). At this level you:
    • Supervise others and manage teams in undertaking complex forensic investigations, and defines working procedures
    • Analyse technically complex digital evidence and investigates complicated computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
    • Undertake real-time analysis of sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
    • Secure the scene of an incident, without supervision, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained
    • Adapt techniques, modify tools and creates scripts to address atypical situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies
    • Identify indicators of compromise on an infrastructure, malicious software and any Tactics, Techniques and Procedures (TTPs) associated
    • Collate artefacts from a wide range of sources to develop conclusions
    • Present conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny
    • Provide clear explanations to senior stakeholders, detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Intrusion detection and analysis (Relevant skill level: practitioner). At this level you:
    • Understand and explain advanced principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in investigations
    • Collect information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis) to identify, acquire, analyse and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Supervise and manage teams undertaking intrusion detection and analysis
    • Create policies, procedures and guidelines based on intrusion detection and analysis standards
    • Advise others on intrusion detection and analysis
    • Tailor and refine systems and processes to meet the organisation’s needs
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and leads threat intelligence and assessment activities
    • Identify sources of threat information and utilises a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesises and places intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protects organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interprets and leverages a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and uses local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative regulatory instruments relevant to security legislation and regulation relevant to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance or regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

​​​​​​​Digital forensics principal 

Typical role level expectations

  • Define and lead digital forensics strategy through the assessment and communication of forensic requirements within an organisation
  • Define the organisational approach to evidence capture in line with legal guidelines, to minimise disruption to the business and preserve evidentiary integrity, using specialist equipment as appropriate
  • Lead forensic readiness policy and guide teams to ensure its implementation
  • Provide thought leadership and deliver specialist advice to others within and beyond the organisation
  • Present evidence as appropriate, acting as an expert witness if necessary

Skills needed for this role

  • Forensics (Relevant skill level: expert). At this level you:
    • Set direction within the organisation for all aspects of computer forensic activity. Defines policy and formulates the overarching digital forensics strategy, engaging with other relevant departments and stakeholders
    • Lead forensic teams
    • Contribute to the development of the field
    • Analyse technically complex digital evidence and investigates highly complicated and novel computer security incidents to derive information required to help resolve security incidents, and/or identify breaches of policy, regulation or law
    • Undertake and oversee real-time analysis of very sophisticated ongoing incidents on live systems to identify relevant artefacts, understand the incident and facilitate resolution
    • Secure or oversee the securing of the scene of an incident, acquiring and handling evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business, ensuring that the chain of custody is maintained, compliant with relevant standards, policies, procedures and legislation
    • Create and adapt techniques and tools to address atypical and novel situations. Addresses forensic requirements arising from Cloud and distributed environments, and emerging technologies
    • Reverse engineer malware to further investigative and intelligence opportunities
    • Present conclusions in a manner suited to the context (written or oral), and effectively defends conclusions under scrutiny
    • Provide clear explanations to senior stakeholders (including the highest levels of management), detailed explanations to technical specialists and, if required, provides testimony and evidence as an expert witness in legal cases (including cases that break new ground and set precedent in terms of forensic evidence)
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Intrusion detection and analysis (Relevant skill level: expert). At this level you:
    • Understand and explains advanced monitoring of network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in complex investigations
    • Collect or oversees collection of information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis), developing techniques and tools where necessary, to identify, acquire, analyse and preserve artefacts by means of specialist analytical and investigative techniques
    • Lead and oversee intrusion detection and analysis function and activities for an organisation
    • Shape intrusion detection and analysis strategy, policy, procedures and guidelines within the organisation and influences developments in the field at a national level
    • Advise and influence senior management on intrusion detection and analysis matters
    • Define, articulate and communicate required capabilities and tools
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and leads threat intelligence and assessment activities
    • Identify sources of threat information and utilises a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesises and places intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protects organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interprets and leverages a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and uses local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative regulatory instruments relevant to security legislation and regulation relevant to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance or regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

Contact

ddat@gov.scot

Back to top