Publication - Advice and guidance

Cyber security: operations

Find out about the job roles that comprise the cyber security operations family practice.

Monitoring

Role summary

The role of Monitoring is to collect and analyse security event data arising from activity across the organisation, tune and improve the rules that generate security alerts, and follow up by investigating indicators of potentially malicious activity, escalating incidents or initiating responses.

Role levels are: Monitoring associate, Monitoring lead and Monitoring principal.

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked as a Cyber Security intelligence analyst, monitoring specialist and/or response specialist, or in big data or data science, artificial intelligence or machine learning, or digital forensics, in the private sector

Skills required in monitoring

  • Intrusion detection and analysis. Intrusion detection and analysis consists of network and system activities to identify potential intrusion or other anomalous behaviour. Processes, methods and procedures include information analysis, security analytics including outputs from intelligence analysis, predictive research, and root cause analysis, vulnerability report analysis, and the production of warning materials. Further principles of the skill include monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes, and ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
  • Threat intelligence and threat assessment. Threat intelligence and threat assessment encompasses evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging concern or risk that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Principles of the skill include assessing and validating information from several sources on current and potential cyber and information security threats to the business; analysing trends and highlighting information security issues relevant to the organisation, including security analytics for big data; processing, collating and exploiting data, taking into account relevance and reliability, to develop and maintain ‘situational awareness’; analysing the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities; predicting and prioritising threats to an organisation and their methods of attack; using human factor analysis in the assessment of threats; using threat intelligence to develop attack trees; and preparing and disseminating intelligence reports, providing threat indicators and warnings.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.
  • Cyber security operations. Cyber Security operations are the secure configuration and maintenance of information, controls and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of information security devices (e.g. firewalls) and protective monitoring tools (e.g. Security Information and Event Management (SIEM)). Principles include implementing security policy (e.g. patching policies) and security operating procedures in respect of system and/or network management, maintaining security records and documentation in accordance with security operating procedures, and monitoring processes for violations of relevant security policies (e.g. acceptable use, security).
  • Secure operations management. Secure operations management refers to the ongoing operation, management and continuous improvement of security capabilities throughout an organisation through policies, procedures and guidelines. Principles of the skill include creating and maintaining system understanding, including hardware and software inventories; establishing processes for maintaining the security of information throughout its existence, including establishing and maintaining security operating procedures in accordance with security policies, standards and procedures; assessing and responding to new technical, physical, personnel or procedural vulnerabilities; engaging with suppliers, penetration testers and the change management process to ensure that vulnerabilities are remediated; and managing the implementation of information security programmes, co-ordinating security activities across the organisation.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.
  • Forensics. Forensics refers to the capture, analysis and reporting of evidence in accordance with legal guidelines, to minimise disruption to an organisation. The principles of the skill include securing the scene and capturing evidence in accordance with legal guidelines and in the most effective manner to minimise disruption to the business; maintaining evidential weight using specialist equipment as appropriate; analysing the evidence to identify breaches of policy, regulation or law, including the presence of malware, and presenting evidence as appropriate; and acting as an expert witness as appropriate.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.

Monitoring associate

Typical role level expectations

  • Support implementation of the monitoring roadmap to enhance monitoring in line with requirements, policies and standards to govern all activities and outputs
  • Monitor, triage and investigate security alerts on protective monitoring platforms to identify security incidents and perform analysis of security event data to support the response, reporting or escalating where appropriate
  • Design, develop and support automated monitoring processes, using a variety of the latest SIEM (Security Information and Event Management) and network analysis tools, techniques and procedures to:
    • detect malicious activity
    • ensure continuous improvement through dashboard monitoring or retrospective assessment

Skills needed for this role

  • Intrusion detection and analysis (Relevant skill level: working). At this level you:
    • Understand and explain the basic principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour
    • Use information provided from various sources to identify, analyse, and report events that occur or might occur within the network. Use a range of methods and procedures to identify, acquire, and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Understand the business context of the activities
    • Educate others on policies, procedures and guidelines relating to monitoring and analysing network and system activity
  • Threat intelligence and threat assessment (Relevant skill level: working). At this level you:
    • Understand and can explain threat intelligence and threat assessment principles and concepts
    • Use prescribed tools and techniques to acquire, validate and analyse threat information from multiple sources
    • Under direction enrich threat information by providing context, assessing possible implications and summarising the behaviour, capabilities and activities of threat actors
    • Use approved techniques to model routine threats, under supervision, to identify common enterprise attack vectors, identify critical organisational functions, and protect organisational assets and goals
    • Apply knowledge to prioritise remediation of identified vulnerabilities for a single asset or system
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and apply it to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation
  • Cyber security operations (Relevant skill level: awareness). At this level you:
    • Recognise the need for information systems and services to be operated and monitored securely and can list some of the main policies and practices involved in achieving this
    • Explain the main principles of secure configuration of role specific security components and devices, including firewalls and protective monitoring tools (e.g. SIEM)
  • Secure operations management (Relevant skill level: awareness). At this level you:
    • Describe the basic principles of secure operations management
    • Follow documented principles and guidelines for secure operations management activities
    • Implement secure operations management processes and procedures
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Forensics (Relevant skill level: awareness). At this level you:
    • Describe basic forensic principles and are capable of using agreed tools and techniques in support of an investigation
    • Contribute to forensic activities with supervision
    • Follow documented forensic principles and guidelines such as those related to acquisition and handling of forensic artefacts and maintaining the chain of custody
    • Identify suitable tools for use, and consider the impact on forensic integrity
    • Consider the difference in intelligence and evidential requirements
  • Information risk assessment and risk management (Relevant skill level: awareness). At this level you:
    • Demonstrate knowledge of risk assessment and risk management theory and approaches
    • Understand how risk management supports business or organisational objectives
    • Understand and can follow routine organisational governance processes for security and risk management

Monitoring lead

Typical role level expectations

  • Manage the implementation of the monitoring roadmap
  • Support the shaping of the monitoring strategy, ensuring requirements, policies and standards to govern all activities and outputs are met
  • Manage the monitoring, triaging, and investigation of security alerts on protective monitoring platforms to identify security incidents, and reviewing analysis of security event data to manage security incident response, reporting, or escalation where appropriate
  • Lead small monitoring teams in the design, development and enablement of automated monitoring processes, recommending and implementing the latest SIEM (Security Information and Event Management) and network analysis tools, techniques and procedures to:
    • detect malicious activity
    • ensure continuous improvement through dashboard monitoring or retrospective assessment

Skills needed for this role

  • Intrusion detection and analysis (Relevant skill level: practitioner). At this level you:
    • Understand and explain advanced principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour, and apply the results in investigations
    • Collect information from a variety of sources (e.g. data from cyber defence tools, system logs) and use it to identify, analyse, and report events that occur or might occur within the network. Use a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis) to identify, acquire, analyse and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Supervise and manage teams undertaking intrusion detection and analysis
    • Create policies, procedures and guidelines based on intrusion detection and analysis standards
    • Advise others on intrusion detection and analysis
    • Tailor and refine systems and processes to meet the organisation’s needs
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and lead threat intelligence and assessment activities
    • Identify sources of threat information and utilise a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesise and place intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protect organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Cyber security operations (Relevant skill level: working). At this level you:
    • Demonstrate experience applying the principles of secure configuration of role-specific security components and devices in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination
    • Support the overall aims of a Cyber Security operations-related team, e.g. a monitoring team
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing under direction/supervision
    • Develop and test rules for detecting violations of security operating procedures under supervision
  • Secure operations management (Relevant skill level: working). At this level you:
    • Explain the main processes for secure operations management
    • Understand the business context in which policies, procedures and guidelines sit
    • Implement secure operations management processes and procedures
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Forensics (Relevant skill level: awareness). At this level you:
    • Describe basic forensic principles and are capable of using agreed tools and techniques in support of an investigation
    • Contribute to forensic activities with supervision
    • Follow documented forensic principles and guidelines such as those related to acquisition and handling of forensic artefacts and maintaining the chain of custody
    • Identify suitable tools for use, and consider the impact on forensic integrity
    • Consider the difference in intelligence and evidential requirements
  • Information risk assessment and risk management (Relevant skill level: awareness). At this level you:
    • Demonstrate knowledge of risk assessment and risk management theory and approaches
    • Understand how risk management supports business or organisational objectives
    • Understand and can follow routine organisational governance processes for security and risk management

Monitoring principal

Typical role level expectations

  • Lead wider implementation of a monitoring strategy, ensuring roadmaps are achieved as expected, ensuring requirements, policies and standards to govern all activities and outputs are met
  • Lead monitoring, triaging, and investigation of security alerts on protective monitoring platforms to identify security incidents
  • Review high-priority or high-complexity analysis of security event data to manage security incident response, making key decisions on reporting or escalations for monitoring
  • Lead large, cross-functional monitoring teams in the design, development and enablement of automated monitoring processes, advising on the latest SIEM (Security Information and Event Management) and network analysis tools, techniques and procedures to detect malicious activity, while communicating directly with leadership on the progress and status of monitoring

Skills needed for this role

  • Intrusion detection and analysis (Relevant skill level: expert). At this level you:
    • Understand and explain advanced monitoring of network and system activity to identify potential intrusion or other anomalous behaviour, and apply the results in complex investigations
    • Collect, or oversee the collection of, information from a variety of sources (e.g. data from cyber defence tools, system logs) and use it to identify, analyse, and report events that occur or might occur within the network. Use a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis), developing techniques and tools where necessary, to identify, acquire, analyse and preserve artefacts by means of specialist analytical and investigative techniques
    • Lead and oversee intrusion detection and analysis function and activities for an organisation
    • Shape intrusion detection and analysis strategy, policy, procedures and guidelines within the organisation, and influence developments in the field at a national level
    • Advise and influence senior management on intrusion detection and analysis matters
    • Define, articulate and communicate required capabilities and tools
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and lead threat intelligence and assessment activities
    • Identify sources of threat information and utilise a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesise and place intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protect organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Cyber security operations (Relevant skill level: working). At this level you:
    • Demonstrate experience applying the principles of secure configuration of role-specific security components and devices in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination
    • Support the overall aims of a Cyber Security operations-related team, e.g. a monitoring team
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing under direction/supervision
    • Develop and test rules for detecting violations of security operating procedures under supervision
  • Secure operations management (Relevant skill level: working). At this level you:
    • Explain the main processes for secure operations management
    • Understand the business context in which policies, procedures and guidelines sit
    • Implement secure operations management processes and procedures
  • Protective security (Relevant skill level: working). At this level you:
    • Apply concepts of protective security within the context of the other specialisms/enablers, and keep knowledge up to date
    • Champion protective security within the wider security function, providing advice to others
  • Forensics (Relevant skill level: awareness). At this level you:
    • Describe basic forensic principles and are capable of using agreed tools and techniques in support of an investigation
    • Contribute to forensic activities with supervision
    • Follow documented forensic principles and guidelines such as those related to acquisition and handling of forensic artefacts and maintaining the chain of custody
    • Identify suitable tools for use, and consider the impact on forensic integrity
    • Consider the difference in intelligence and evidential requirements
  • Information risk assessment and risk management (Relevant skill level: awareness). At this level you:
    • Demonstrate knowledge of risk assessment and risk management theory and approaches
    • Understand how risk management supports business or organisational objectives
    • Understand and can follow routine organisational governance processes for security and risk management

Contact

ddat@gov.scot