Cyber security: operations

Find out about the job roles that comprise the cyber security operations family practice.

Vulnerability management

Role summary

The role of Vulnerability Management is to triage vulnerabilities by relevance and criticality to the organisation. Vulnerability Management then identifies mitigations for those vulnerabilities and advises on implementing them.

Role levels are: associate, lead and principal.

Entry routes

Internal: Suitable for an individual from the Government Security Profession, Digital, Data and Technology Profession, or Analytics Profession

External: Suitable for an individual who has worked in penetration testing, application security and development security operations in the private sector

Skills required in vulnerability management

  • Penetration testing. Penetration testing is a method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the tools and techniques that an adversary might employ. Principles of the skill include contributing to the scoping and conduct of vulnerability assessments; knowing the tools and techniques needed to enumerate an environment and assess asset configuration; identifying and testing for public domain vulnerabilities, assessing the potential for exploitation, and conducting exploits where appropriate; reporting potential issues and mitigation options; contributing to the review and interpretation of reports; and coordinating and managing remediation action plan responses. This skill has broad applicability across many roles.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Threat intelligence and threat assessment. Threat intelligence and threat assessment encompasses evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging concern or risk that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making processes. Principles of the skill include assessing and validating information from several sources on current and potential cyber and information security threats to the business, analysing trends and highlighting information security issues relevant to the organisation, including security analytics for big data; processing, collating and exploiting data, taking into account relevance and reliability to develop and maintain ‘situational awareness’; predicting and prioritising threats to an organisation and their methods of attack; analysing the significance and implication of processed intelligence to identify significant trends, potential threat agents and their capabilities, predicting and prioritising threats to an organisation and their methods of attack; using human factor analysis in the assessment of threats; using threat intelligence to develop attack trees; and preparing and disseminating intelligence reports, providing threat indicators and warnings.
  • Cyber security operations. Cyber Security operations are the secure configuration and maintenance of information, controls and communications equipment in accordance with relevant security policies, standards and guidelines. This includes the configuration of information security devices (e.g. firewalls) and protective monitoring tools (e.g. Security Information and Event Management (SIEM)). Principles include implementing security policy (e.g. patching policies) and security operating procedures in respect of system and/or network management, maintaining security records and documentation in accordance with security operating procedures, and monitoring processes for violations of relevant security policies (e.g. acceptable use, security).
  • Threat understanding. Threat understanding encompasses evidence-based knowledge, including context, about an existing or emerging threat to assets that can be used to inform decisions.
  • Legal and regulatory environment and compliance. Legal and regulatory environment and compliance refers to an organisation’s adherence to laws, regulations, guidelines and specifications relevant to its business processes. It consists of a blend of compliance requirements and assurance capabilities. Principles of the skill include understanding the legal and regulatory environment within which the business operates, ensuring that information security governance arrangements are appropriate, and ensuring that the organisation complies with legal and regulatory requirements.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change in line with the locally identified threats and vulnerabilities.

Vulnerability management associate

Typical role level expectations

  • Analyse complex information systems to understand the associated Cyber Security risks, audit requirements, and data value
  • Support the creation and implementation of vulnerability assessments of enterprise assets to a predefined scope and schedule using predetermined templates and test scripts, including but not limited to:
    • application vulnerability assessments
    • infrastructure vulnerability assessments
  • Assist in the prioritisation of those vulnerabilities through a risk-based approach
  • Triage and prioritise vulnerabilities, implement mitigating measures, and support in the life cycle of vulnerability management, providing standardised advice on ways to improve control mechanisms and mitigate risk
  • Collaborate with stakeholders to manage vulnerabilities and undertake remediation activities
  • Communicate common mitigation strategies such as patching and basic configuration change (system hardening)
  • Understand how local protective security measures can be applied to reduce vulnerability exposure
  • Demonstrate knowledge of common approaches and tooling to perform vulnerability assessment and to validate system configuration
  • Perform vulnerability assessments of enterprise assets with limited supervision to a predefined scope and schedule using predetermined templates and test scripts
  • Develop and implement schedules for performing vulnerability assessments to meet organisational objectives and compliance requirements

Skills needed for this role

  • Penetration testing (Relevant skill level: working). At this level you:
    • Explain the principles of penetration testing, the main components of an infrastructure penetration test and the high-level processes involved, to practitioners and non-practitioners alike
    • Provide pragmatic input to assist in the development of penetration testing policies, procedures and guidelines, and understand their business context
    • Help ensure compliance of working practices by educating colleagues in basic penetration testing policies, procedures and guidelines
    • Perform basic tests or attack exercises by following documented principles and guidelines for penetration testing activities and interpret results, with little or no supervision
    • Use preconfigured commercial and bespoke tools to conduct vulnerability assessments and basic penetration tests without supervision, and complex infrastructure penetration testing under supervision
    • Understand the potential risks of security testing in different operational environments and take them into account while developing plans
    • Make contributions to assessment reports that are factual and literal, rather than interpretive
    • Have solid rather than wide platform knowledge, being strong on a single platform (e.g. Windows, Mac)
    • Have achieved recognised qualifications in appropriate and relevant subjects, including Offensive Security Certified Professional, CHECK Team Member or equivalent
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Threat intelligence and threat assessment (Relevant skill level: working). At this level you:
    • Understand and can explain threat intelligence and threat assessment principles and concepts
    • Use prescribed tools and techniques to acquire, validate and analyse threat information from multiple sources
    • Under direction enrich threat information by providing context, assessing possible implications and summarising the behaviour, capabilities and activities of threat actors
    • Use approved techniques to model routine threats, under supervision, to identify common enterprise attack vectors, identify critical organisational functions, and protect organisational assets and goals
    • Apply knowledge to prioritise remediation of identified vulnerabilities for a single asset or system
  • Cyber security operations (Relevant skill level: working). At this level you:
    • Demonstrate experience applying the principles of secure configuration of role-specific security components and devices in a training or academic environment, for example through participation in syndicate exercises, undertaking practical exercises, and/or passing a test or examination
    • Support the overall aims of a Cyber Security operations-related team, e.g. a monitoring team
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing, under direction/supervision
    • Develop and test rules for detecting violations of security operating procedures under supervision
  • Threat understanding (Relevant skill level: working). At this level you:
    • Interpret sources of threat information for the local environment and apply knowledge of the external environment
    • Maintain understanding of local and strategic threat environments, and trends affecting the landscape, and apply this to inform and provide context
    • Use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant local stakeholders within the organisation
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative and regulatory instruments relevant to security and to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance with regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

Vulnerability management lead

Typical role level expectations

  • Manage complex information systems to understand and prioritise actions on Cyber Security risks, audit requirements and data value, and provide guidance to vulnerability management team members
  • Manage the creation and implementation, and lead the development, of vulnerability assessments for IT estates, including but not limited to application vulnerability assessments and infrastructure vulnerability assessments
  • Drive prioritisation of those vulnerabilities through a risk-based approach, to meet common organisational objectives such as regulatory compliance and audit functions
  • Manage the triage of vulnerabilities, ensuring mitigation measures are implemented, and managing the life cycle of vulnerability management for a set of assets, providing tailored advice on ways to improve control mechanisms and mitigate risks
  • Recommend remediation strategies and provide advice on complex configuration changes in support of vulnerability remediation
  • Proactively identify and leverage threat intelligence sources to inform strategic vulnerability mitigation measures
  • Manage collaboration with stakeholders to create tactical plans relating to managing vulnerabilities, and oversee subsequent activities
  • Demonstrate developed knowledge and understanding of approaches and tooling for performing vulnerability assessment against large and complex infrastructure
  • Validate system configuration across multiple and complex interlinking systems
  • Translate vulnerability management standards and best practice into organisation-specific policies, procedures and guidelines and champion standards and best practice outside security functions
  • Explain the need for effective vulnerability management processes and the implications of poor performance
  • Lead development and implementation of effective vulnerability management programs across the enterprise to meet organisational and regulatory and compliance requirements
  • Develop vulnerability assessment templates and test scripts to meet common organisational objectives such as regulatory compliance and internal audit functions

Skills needed for this role

  • Penetration testing (Relevant skill level: practitioner). At this level you:
    • Lead teams undertaking complex penetration tests
    • Follow documented principles and guidelines for high-complexity penetration testing activities
    • Design and implement test programmes for mid-complexity systems, products, applications or processes, selecting suitable techniques, tools and test strategies without supervision
    • Identify vulnerabilities, and determine whether they are exploitable, adapting the testing approach based on findings
    • Detect and investigate result aberrations, or absences of expected results
    • Create assessment reports, confirming technology compliance with standards and policies and identifying vulnerabilities, and provide suggested remediation actions
    • Advise others on penetration testing processes and the implications of testing, and share penetration testing best practice
    • Have broader platform knowledge and conduct assessments from a multi-platform perspective
    • Have achieved recognised qualifications in appropriate and relevant subjects, to a high-functioning level, including CHECK Team Leader, CREST Certified Simulated Attack Specialist or equivalent
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and lead threat intelligence and assessment activities
    • Identify sources of threat information and utilise a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesise and place intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protect organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Cyber security operations (Relevant skill level: practitioner). At this level you:
    • Develop security operating procedures for use across multiple information systems, or maintain compliance with them
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing, with autonomy
    • Develop and test rules for detecting violations of security operating procedures with autonomy
    • Lead small teams managing Cyber Security operations within an organisation
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative and regulatory instruments relevant to security and to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance with regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

Vulnerability management principal

Typical role level expectations

  • Lead complex information systems to understand and prioritise actions on Cyber Security risks, audit requirements and data value, and provide specialist or complex guidance to vulnerability management teams and external senior stakeholders
  • Lead the development and implementation of multiple vulnerability assessments and enterprise-wide scanning strategies across multiple complex environments, while leading in prioritising those vulnerabilities through a risk-based approach
  • Lead the triage of vulnerabilities, ensuring mitigation measures are implemented, and oversee the life cycle of vulnerability management for a set of assets, providing tailored specialist or complex advice on ways to improve control mechanisms and mitigate risks
  • Lead senior stakeholder engagement across government to create strategic plans for managing vulnerabilities and remediation activities
  • Create organisational principles and vision that will provide the basis for triaging vulnerabilities
  • Provide advice to senior leadership on ways to improve control mechanisms, identify, evaluate, and mitigate risks
  • Develop bespoke templates and test scripts to meet uncommon or complex organisational objectives
  • Set the organisation’s vulnerability management strategy including people, process and technology elements
  • Ensure organisation-specific vulnerability management policies, procedures and guidelines are aligned with organisational objectives and risk appetite
  • Set direction and approve investment in strategic tooling and capability to address strategic enterprise-wide risk

Skills needed for this role

  • Penetration testing (Relevant skill level: expert). At this level you:
    • Take a multi-customer approach to establishing penetration testing policies, procedures and guidelines, taking into account organisational and national level perspectives
    • Have responsibility for penetration testing services and drive organisational and business change to better comply with policies, procedures and guidelines
    • Ensure effective delivery of penetration testing assessments for organisational benefit
    • Lead organisational teams in various stages of test design, execution, and assessment, for multiple customers, potentially across multiple organisations, and that comply with policies, procedures and guidelines
    • Improve organisational penetration testing processes, achieving high standards of excellence
    • Champion the organisational recognition of value of penetration testing services, and the benefits of addressing the results
    • Authoritatively influence the organisational management regarding penetration testing concepts and activities
    • Build on, and advance, practitioner level skills for self and colleagues
    • Communicate complex issues at the appropriate level for the audience
    • Have achieved appropriate level of qualifications, including CREST Certified Simulated Attack Manager or equivalent
  • Information risk assessment and risk management (Relevant skill level: practitioner). At this level you:
    • Understand the organisation’s business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relate risk to corporate governance, organisational strategic direction and planning
    • Deliver or review risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems
    • Inspect and report on the security characteristics of systems with straightforward scope
    • Have a good understanding of how assessed risks are addressed as part of an approach to risk treatment
  • Threat intelligence and threat assessment (Relevant skill level: practitioner). At this level you:
    • Have an advanced understanding of threat intelligence and threat assessment principles and concepts, and lead threat intelligence and assessment activities
    • Identify sources of threat information and utilise a variety of techniques, without supervision, to acquire, validate and analyse threat information, enterprise attack vectors, and critical organisational functions from multiple sources. Synthesise and place intelligence in context
    • Apply expertise and insight to enrich threat information, including understanding the behaviour, capabilities and activities of threat actors and assessing possible implications, prioritising remediation of identified vulnerabilities for multiple systems
    • Disseminate enriched threat intelligence
    • Apply threat intelligence to model threats and protect organisational assets and goals, including informing the selection of security controls, developing indicators of compromise, detecting illicit behaviour (including evidence of fraud and crime), providing context for undertaking investigations and responding to events
    • Direct others in undertaking threat intelligence activities
  • Cyber security operations (Relevant skill level: practitioner). At this level you:
    • Develop security operating procedures for use across multiple information systems, or maintain compliance with them
    • Apply routine security procedures appropriate to the role, such as patching, managing access rights, malware protection or vulnerability testing, with autonomy
    • Develop and test rules for detecting violations of security operating procedures with autonomy
    • Lead small teams managing Cyber Security operations within an organisation
  • Threat understanding (Relevant skill level: practitioner). At this level you:
    • Proactively identify, interpret and leverage a range of relevant sources of threat information, using a variety of techniques, to understand the threat environment (local and strategic), including its nature, capability, focuses of interest and other factors associated with relevant threats
    • Use lessons learned to maintain an understanding of the organisation’s attack surface, and use local and strategic threat information in decision-making and planning
    • Communicate tailored threat information to relevant senior stakeholders across multiple sites and/or business functions
    • Combine external threat information, organisational context and situational awareness to provide a holistic threat understanding capability
  • Legal and regulatory environment and compliance (Relevant skill level: awareness). At this level you:
    • Describe the major legislative and regulatory instruments relevant to security and to the role
    • Maintain understanding of regulations that will impact the role
    • Follow documented procedures for compliance with regulations
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others

Contact

ddat@gov.scot