Publication - Advice and guidance

Cyber security: operations

Find out about the job roles that comprise the cyber security operations family practice.

Cyber security: operations
Response

Response

Role summary

The role of Response is to manage the response procedures and investigations of security events or incidents. Response colleagues must contain and remediate those incidents, identify potential process improvements, and maintain organisational readiness through preparedness exercises and co-ordinating red team activity. Response also advise product and service owners of potential mitigations.

Role levels are:

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked as a Cyber Security intelligence analyst, or monitoring and response specialist, or in digital forensics, in the private or third sector

Skills required in response

  • Incident management, incident investigation and response. Incident management, incident investigation and response refers to the set of processes, procedures and systems used to reduce the harm caused to victims of cyber incidents and deter future attacks. The principles of the skill include engagement with the overall organisation incident management process to ensure that information security incidents are handled appropriately, defining and implementing processes, procedures and configuring system policies for responding to and investigating information security incidents, establishing and maintaining a Computer Emergency Response Team (CERT) and systems to deal with information security incidents.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Intrusion detection and analysis. Intrusion detection and analysis consists of network and system activities to identify potential intrusion or other anomalous behaviour. Processes, methods and procedures include information analysis, security analytics including outputs from intelligence analysis, predictive research, and root cause analysis, vulnerability report analysis, and the production of warning materials. Further principles of the skill include monitoring, collating and filtering external vulnerability reports for organisational relevance, ensuring that relevant vulnerabilities are rectified through formal change processes, and ensuring that disclosure processes are put in place to restrict the knowledge of new vulnerabilities until appropriate remediation or mitigation is available.
  • Threat intelligence and threat assessment. Threat intelligence and threat assessment encompasses evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging concern or risk that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Principles of the skill include assessing and validating information from several sources on current and potential cyber and information security threats to the business, analysing trends and highlighting information security issues relevant to the organisation, including security analytics for big data; processing, collating and exploiting data, taking into account relevance and reliability to develop and maintain ‘situational awareness’; predicting and prioritising threats to an organisation and their methods of attack; analysing the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities, predicting and prioritising threats to an organisation and their methods of attack; using human factor analysis in the assessment of threats; using threat intelligence to develop attack trees; and preparing and disseminating intelligence reports, providing threat indicators and warnings.
  • Applied security capability. Applied security capability is formed of a set of complementary security skills. Individual roles may have a requirement for a different profile across these skills. Applied security capability involves 4 elements:
  1. Security requirement elicitation: gathering and deriving meaningful security requirements to support an identified need
  2. Application of security capabilities: apply standardised or unique security capabilities to address security needs
  3. Provision or assurance and confidence: provide confidence that business priorities are appropriately protected
  4. Security and risk reporting: communicate security and risk effectively
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change accordingly with the locally identified threats and vulnerabilities.
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.

Response associate

Typical role level expectations

  • Carry out an organisation’s response policies and processes to meet the needs in line with appropriate standards
  • Help conduct incident response exercises including scoping, design, and governance of red teaming and threat-hunting activity
  • Communicate the results of investigations and risk mitigation outcomes, supporting an organisation to improve and maintain a robust response to new threats and attack vectors
  • Conduct post-incident review, including root cause analysis, to feed back information and so improve monitoring
  • Provide standardised advice on mitigation, escalating to a team leader where appropriate

Skills needed for this role

  • Incident management, incident investigation and response (Relevant skill level: practitioner). At this level you:
    • Define incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Follow documented principles and guidelines for incident management, incident investigation and response activities
    • Advise others on incident management, incident investigation and response processes
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Intrusion detection and analysis (Relevant skill level: working). At this level you:
    • Understand and explain the basic principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour
    • Use information provided from various sources to identify, analyse, and report events that occur or might occur within the network. Uses a range of methods and procedures to identify, acquire, and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Understand the business context of the activities
    • Educate others on policies, procedures and guidelines relating to monitoring and analysing network and system activity
  • Threat intelligence and threat assessment (Relevant skill level: working). At this level you:
    • Understand and can explain threat intelligence and threat assessment principles and concepts
    • Use prescribed tools and techniques to acquire, validate and analyse threat information from multiple sources
    • Under direction enrich threat information by providing context, assessing possible implications and summarising the behaviour, capabilities and activities of threat actors
    • Use approved techniques to model routine threats, under supervision, to identify common enterprise attack vector, identify critical organisational functions, and protect organisational assets and goals
    • Apply knowledge to prioritise remediation of identified vulnerabilities for a single asset or system
  • Applied security capability (Relevant skill level: awareness). At this level you:
    • Understand why security must support business needs and the importance of being able to demonstrate that relationship
    • Are aware of some key, well-understood, security principles and can demonstrate an awareness of some Cyber Security relevant technologies
    • Understand why it is important to gain confidence in security measures and can describe some straightforward mechanisms such as pen-tests
    • Understand and can describe basic security concepts
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain understanding of local threat environment and can apply to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape

Response lead

Typical role level expectations

  • Manage an organisation’s response policies and processes to meet the needs in line with appropriate standards
  • Manage incident response exercises and scoping, design and governance of red-teaming and threat-hunting activity
  • Communicate the significance of the results of investigations and risk mitigation outcomes, guiding the organisation in the improvement and maintenance of a robust response to new threats and attack vectors
  • Manage post-incident review, including root cause analysis, to feed back information and so improve monitoring
  • Provide specialist, tailored advice on mitigation, handling escalations with risk and service owners as appropriate

Skills needed for this role

  • Incident management, incident investigation and response (Relevant skill level: practitioner). At this level you:
    • Define incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Follow documented principles and guidelines for incident management, incident investigation and response activities
    • Advise others on incident management, incident investigation and response processes
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Intrusion detection and analysis (Relevant skill level: Practitioner). At this level you:
    • Understand and explain advanced principles of monitoring network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in investigations
    • Collect information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis) to identify, acquire, analyse and preserve artefacts by means of controlled and documented analytical and investigative techniques
    • Supervise and manage teams undertaking intrusion detection and analysis
    • Create policies, procedures and guidelines based on intrusion detection and analysis standards
    • Advise others on intrusion detection and analysis
    • Tailor and refine systems and processes to meet the organisation’s needs
  • Threat intelligence and threat assessment (Relevant skill level: working). At this level you:
    • Understand and can explain threat intelligence and threat assessment principles and concepts
    • Use prescribed tools and techniques to acquire, validate and analyse threat information from multiple sources
    • Under direction enrich threat information by providing context, assessing possible implications and summarising the behaviour, capabilities and activities of threat actors
    • Use approved techniques to model routine threats, under supervision, to identify common enterprise attack vector, identify critical organisational functions, and protect organisational assets and goals
    • Apply knowledge to prioritise remediation of identified vulnerabilities for a single asset or system
  • Applied security capability (Relevant skill level: working). At this level you:
    • Are aware of the need to provide traceability between business need and security requirements.
    • Gather and derive simple or obvious security requirements for highly standardised use cases, using well-established guidance that is unlikely to be contentious
    • Provide basic security advice to address standard security needs. Advice could be written or verbal. Knows the limitations and scope for what advice can be given and when to draw on others’ expertise
    • Are aware of and follows appropriate process such as quality control arrangements
    • Understand and can apply a range of basic approaches to assurance and understand their applicability
    • Able to meaningfully describe straightforward security concepts and their business applicability
    • Ensure security recommendations and risk statements developed are reasonably and well contextualised to the business need under consideration
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain understanding of local threat environment and can apply to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape

​​​​​​​​​​​​​​​​​​​​​Response principal

Typical role level expectations

  • Shape the entire organisation’s response policies and processes to ensure that these meet the organisation’s need, in line with appropriate standards
  • Communicate with a broad range of senior stakeholders and be responsible for defining the vision, principles and strategy for incident response
  • Aggregate and evaluate post-incident feedback to inform board-level reporting on security incidents
  • Be a recognised expert and adviser to investigators and senior leadership across government

Skills needed for this role

  • Incident management, incident investigation and response (Relevant skill level: expert). At this level you:
    • Champion incident management, incident investigation and response policy and/or incident management and investigation processes, procedures and systems
    • Shape incident management, system response, incident investigation and response principles and guidelines for incident management activities
    • Advise on corporate and systems response to an incident
    • Promote incident management, incident investigation and response best practice
    • Monitor the effectiveness of reporting
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction and planning
    • Deliver or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspects and reports on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Intrusion detection and analysis (Relevant skill level: expert). At this level you:
    • Understand and explains advanced monitoring of network and system activity to identify potential intrusion or other anomalous behaviour and applies the results in complex investigations
    • Collect or oversees collection of information from a variety of sources (e.g. data from cyber defence tools, system logs) and uses it to identify, analyse, and report events that occur or might occur within the network. Uses a range of advanced methods and procedures (including intelligence analysis, predictive research, root cause analysis, vulnerability report analysis), developing techniques and tools where necessary, to identify, acquire, analyse and preserve artefacts by means of specialist analytical and investigative techniques
    • Lead and oversee intrusion detection and analysis function and activities for an organisation
    • Shape intrusion detection and analysis strategy, policy, procedures and guidelines within the organisation and influences developments in the field at a national level
    • Advise and influence senior management on intrusion detection and analysis matters
    • Define, articulate and communicate required capabilities and tools
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and leads threat intelligence and assessment activities
    • Identify sources of threat information and utilises a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesises and places intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protects organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Applied security capability (Relevant skill level: working). At this level you:
    • Are aware of the need to provide traceability between business need and security requirements.
    • Gather and derive simple or obvious security requirements for highly standardised use cases, using well-established guidance that is unlikely to be contentious
    • Provide basic security advice to address standard security needs. Advice could be written or verbal. Knows the limitations and scope for what advice can be given and when to draw on others’ expertise
    • Are aware of and follows appropriate process such as quality control arrangements
    • Understand and can apply a range of basic approaches to assurance and understand their applicability
    • Able to meaningfully describe straightforward security concepts and their business applicability
    • Ensure security recommendations and risk statements developed are reasonably and well contextualised to the business need under consideration
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of fundamentals of all areas of security (especially in the context of government), and appreciates the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Threat understanding (Relevant skill level: awareness). At this level you:
    • Describe specific threats and how they may manifest themselves in a local environment
    • Maintain understanding of local threat environment and can apply to inform and provide context for wider activities
    • Use local threat information in decision-making and planning
    • Demonstrate knowledge of current threats and trends affecting the landscape

Contact

ddat@gov.scot