Information Assurance and Security: Information assurance and data protection

Find out about the job roles that comprise the information assurance and data protection job family practice.


Information assurance and data protection

Role summary

The role of Information Assurance and Data Protection Advisor provides policy, guidance and advice on the security and protection of personal data and the management of information assets. They provide specialist advice and guidance to protect the security of personal data and information, and manage risk by recommending controls to business areas to help them achieve their objectives.

Role levels are:

  • Information assurance and data protection advisor
  • Information assurance and data protection advisor senior

Entry routes

Internal: Suitable for an individual from the Digital, Data and Technology Profession from roles in information assurance, information governance, and cyber defence

External: Suitable for an individual qualified in, or with extensive experience in, a relevant field

Skills required to be an Information Assurance and Data Protection Advisor

  • Communicating between the technical and non-technical. Is able to communicate effectively across organisational, technical and political boundaries, understanding the context. Makes complex and technical information and language simple and accessible for non-technical audiences. Is able to advocate and communicate what a team does to create trust and authenticity, and can respond to challenge.
  • Enabling and informing risk-based decisions. Capable of making and guiding effective decisions on risk, explaining clearly how the decision has been reached. Able to make decisions proportionate to the level of technical complexity and risk.
  • Information risk assessment and risk management. Information risk assessment and risk management identifies and evaluates security risks to information, systems, and processes owned by the organisation, and proactively provides appropriate advice, drawing on a wide variety of sources, to stakeholders across the organisation and at a variety of levels.
  • Legal and regulatory environment and compliance. Legal and regulatory environment and compliance refers to an organisation’s adherence to laws, regulations, guidelines and specifications relevant to its business processes. It consists of a blend of compliance requirements and assurance capabilities. Principles of the skill include understanding the legal and regulatory environment within which the business operates, ensuring that information security governance arrangements are appropriate, and ensuring that the organisation complies with legal and regulatory requirements.
  • Protective security. Protective security encompasses the combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to help identify and respond to any attack. Security requirements will change in line with the locally identified threats and vulnerabilities.
  • Relationship management. Identifies, analyses, manages and monitors relationships with and between stakeholders. Clarifies mutual needs and commitments through consultation and consideration of impacts. For example, the coordination of all promotional activities to one or more customers to achieve satisfaction for the customer and an acceptable return for the supplier; assistance to the customer to ensure that maximum benefit is gained from products and services supplied.
  • Strategic thinking. Able to have an overall perspective on business issues, events, activities and an understanding of their wider implications and long-term impact. This could include determining patterns, standards, policies, roadmaps and vision statements. Can focus on outcomes rather than solutions and activities.

Information assurance and data protection advisor

Typical role level expectations

  • Devise policies and guidance, and deliver advice to secure and protect personal data and information assets
  • Review and provide feedback on data protection impact assessments
  • Investigate security incidents involving personal data and suggest containment and mitigation actions
  • Maintain a corporate register of information assets
  • Provide training and communications to inspire and influence others to apply security principles
  • Cultivate key contacts in relevant business areas to share good practice in securing and protecting personal data and information assets

Skills needed for this role

  • Communicating between the technical and non-technical (Relevant skill level: working). At this level you:
    • Are able to effectively translate and accurately communicate across technical and non-technical stakeholders as well as facilitating discussions within a multidisciplinary team, with potentially difficult dynamics.
    • Are able to advocate for the team externally and can manage differing perspectives.
  • Enabling and informing risk-based decisions (Relevant skill level: working). At this level you:
    • Work with risk owners to advise and give feedback.
    • Advise on risk impact and whether this is within risk tolerance.
    • Understand different risk methodologies and how these are applied, as well as the proportionality of risk.
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Legal and regulatory environment and compliance (Relevant skill level: working). At this level you:
    • Explain the principal requirements of major legislation and regulations relevant to security, and the legal and regulatory instruments relevant to the role
    • Review and implement alterations to operating procedures in response to changes in regulations
    • Educate/provide guidance on the implementation of regulations
    • Report residual non-compliance to management in accordance with organisation procedures
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Relationship management (Relevant skill level: working). At this level you:
    • Identify key stakeholders and relationships and work with teams to build these.
    • Understand how to work with stakeholders and contribute to improving these relationships.
  • Strategic thinking (Relevant skill level: working). At this level you:
    • Are able to work within a strategic context and communicate how activities meet strategic goals.
    • Contribute to the development of strategy and policies

Information assurance and data protection advisor senior

Typical role level expectations

  • Manage a team of Data Protection and Information Assets advisors
  • Devise policies and guidance, and deliver advice to secure and protect personal data and information assets
  • Review and provide feedback on data protection impact assessments
  • Investigate security incidents involving personal data and suggest containment and mitigation actions
  • Maintain a corporate register of information assets
  • Provide training and communications to inspire and influence others to apply security principles
  • Cultivate key contacts in relevant business areas to share good practice in securing and protecting personal data and information assets

Skills needed for this role

  • Communicating between the technical and non-technical (Relevant skill level: practitioner). At this level you:
  • Enabling and informing risk-based decisions (Relevant skill level: working). At this level you:
    • Work with risk owners to advise and give feedback.
    • Advise on risk impact and whether this is within risk tolerance.
    • Understand different risk methodologies and how these are applied, as well as the proportionality of risk.
  • Information risk assessment and risk management (Relevant skill level: working). At this level you:
    • Support security professionals in carrying out risk assessments and developing mitigation strategies for relatively common and well-understood scenarios
    • Have an understanding of, and can apply, the fundamental principles of risk assessment, risk management processes and decision-making
  • Legal and regulatory environment and compliance (Relevant skill level: practitioner). At this level you:
    • Advise others on the principal requirements of major legislation and regulations relevant to security, and the legal and regulatory instruments relevant to the role
    • Provide oversight of the range of regulations that impact the security function and the interactions between them
    • Design and lead implementation of business change, where required by regulation
    • Lead the implementation of regulations within the security function
    • Report residual non-compliance to senior management in accordance with organisational procedures
  • Protective security (Relevant skill level: awareness). At this level you:
    • Maintain an up-to-date understanding of the fundamentals of all areas of security (especially in the context of government), and appreciate the importance of making use of a combination and multi-layering of appropriate and proportionate Physical, Personnel and Cyber Security measures to protect assets
    • Identify aspects from across the breadth of the security field
    • Promote protective security, providing advice to others
  • Relationship management (Relevant skill level: practitioner). At this level you:
    • Influence stakeholders and manage relationships effectively.
    • Build long term strategic relationships.
    • Facilitate and deliver the business outcomes.
  • Strategic thinking (Relevant skill level: working). At this level you:
    • Are able to work within a strategic context and communicate how activities meet strategic goals.
    • Contribute to the development of strategy and policies

Contact

ddat@gov.scot