Information Assurance and Security: Security and information risk

Find out about the job roles that comprise the Information Assurance and Security – Security and information risk job family practice.



Security and information risk

Role summary

Security and Information Risk Advisors support effective information security risk management by providing advice and guidance on the proportionate and effective specification, implementation and operation of cyber security controls to protect the integrity, availability, authenticity, non-repudiation and confidentiality of Scottish Government information. They also provide guidance on the compliance of information systems with relevant legislation, regulation and standards.

Role levels are: associate, advisor, lead and principal.

Entry routes

Internal: Suitable for an individual from the Government Security Profession or the Digital, Data and Technology Profession.

External: Suitable for an individual who has worked in the private sector in a technical capacity, especially in the information technology or governance sector.

Skills required in security and information risk

  • Analysis. Able to visualise, articulate and solve complex problems and concepts by interrogating and using data or intelligence to formulate and influence plans. Able to interpret complex business and technical issues. Can identify and recognise a viable solution or control. Understands and links complex and diverse sets of information to inform the response and approach, for example identifying vulnerabilities and their impact.
  • Communicating between the technical and non-technical. Is able to communicate effectively across organisational, technical and political boundaries, understanding the context. Makes complex and technical information and language simple and accessible for non-technical audiences. Is able to advocate and communicate what a team does to create trust and authenticity, and can respond to challenge.
  • Design secure systems. Able to design secure system architectures through the application of patterns and principles, to meet user needs whilst managing risks. Able to identify security issues in system architectures.
  • Enabling and informing risk-based decisions. Capable of making and guiding effective decisions on risk, explaining clearly how the decision has been reached. Able to make decisions proportionate to the level of technical complexity and risk.
  • Research and innovation. Understands and can apply a range of user research methods correctly. Able to choose appropriate methods for different life cycle phases and situations.
  • Specific security technology and understanding. Knowledge of system architectures. Able to understand the risk impact of vulnerabilities on existing and future designs and systems, and identify how easy or difficult it will be to exploit these vulnerabilities.
  • Understanding security implications of transformation. Able to work with business and technology stakeholders to understand the security implications of business change. Can interpret and apply an understanding of policy and process, business architecture and legal and political implications to assist in the development of technical solutions or controls.

Security and information risk associate

Typical role level expectations

  • Provide basic advice and guidance on security strategies to manage identified risks and ensure adoption of and adherence to standards.
  • Obtain and act on vulnerability information, and conduct security risk assessments and business impact analysis on basic information systems.
  • Investigate breaches of security and recommend appropriate control improvements.
  • Interpret information assurance and security policies and apply them in order to manage risks.
  • Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
  • Use control testing information to support information assurance assessments.

Skills needed for this role

  • Analysis (Relevant skill level: working). At this level you:
    • Are able to apply the approach to real problems and consider all relevant information.
    • Apply appropriate rigour to ensure a full solution is designed and achieves the business outcome.
  • Communicating between the technical and non-technical (Relevant skill level: working). At this level you:
    • Are able to effectively translate and accurately communicate across technical and non-technical stakeholders as well as facilitating discussions within a multidisciplinary team, with potentially difficult dynamics.
    • Are able to advocate for the team externally and can manage differing perspectives.
  • Design secure systems (Relevant skill level: working). At this level you:
    • Design and review system architectures through the application of patterns and principles.
  • Enabling and informing risk-based decisions (Relevant skill level: working). At this level you:
    • Work with risk owners to advise and give feedback.
    • Advise on risk impact and whether this is within risk tolerance.
    • Understand different risk methodologies and how these are applied, as well as the proportionality of risk.
  • Research and innovation (Relevant skill level: awareness). At this level you:
    • Are aware of developments on security properties in technology.
    • Are able to identify new technologies and potential use of these in the business context.
  • Specific security technology and understanding (Relevant skill level: awareness). At this level you:
    • Have knowledge of basic system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing designs and systems, and are able to articulate a response.
    • Have some knowledge of a range of systems but may specialise in one.
  • Understanding security implications of transformation (Relevant skill level: awareness). At this level you:

Security and information risk advisor

Typical role level expectations

  • Provide advice and guidance on security strategies to manage identified risks and ensure adoption of and adherence to standards.
  • Obtain and act on vulnerability information, and conduct security risk assessments and business impact analysis on complex information systems.
  • Investigate major breaches of security and recommend appropriate control improvements.
  • Contribute to the development of information security policy, standards and guidelines.
  • Interpret information assurance and security policies and apply them in order to manage risks.
  • Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
  • Use control testing information to support information assurance assessments.

Skills needed for this role

  • Analysis (Relevant skill level: working). At this level you:
    • Are able to apply the approach to real problems and consider all relevant information.
    • Apply appropriate rigour to ensure a full solution is designed and achieves the business outcome.
  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Design secure systems (Relevant skill level: working). At this level you:
    • Design and review system architectures through the application of patterns and principles.
  • Enabling and informing risk-based decisions (Relevant skill level: practitioner). At this level you:
    • Work with higher impact or more complex risks.
    • Advise on the impact of these and whether this is within risk tolerance.
    • Are able to apply different risk methodologies in proportion to the risk in question.
  • Research and innovation (Relevant skill level: working). At this level you:
    • Are able to advise on developments on security properties in technology.
    • Are able to identify new technologies and design the use of these in the business context.
  • Specific security technology and understanding (Relevant skill level: working). At this level you:
    • Have knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and are able to articulate a response.
    • Have broad knowledge of a range of systems but may specialise in one.
  • Understanding security implications of transformation (Relevant skill level: working). At this level you:
    • Can interpret and apply understanding of policy and process, business architecture, and legal and political implications in order to assist the development of technical solutions or controls.

Security and information risk lead

Typical role level expectations

  • Lead the provision of advice and guidance on security strategies to manage identified risks and ensure adoption of and adherence to standards.
  • Lead teams responsible for obtaining and acting on vulnerability information, and for conducting security risk assessments and business impact analysis on complex information systems.
  • Investigate major breaches of security and recommend appropriate control improvements.
  • Lead, and consult on, the development of information security policy, standards and guidelines.
  • Interpret information assurance and security policies and apply them in order to manage risks.
  • Provide advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
  • Use control testing information to support information assurance assessments.

Skills needed for this role

  • Analysis (Relevant skill level: expert). At this level you:
    • Provide direction and lead on change with regard to the factors that feed into analysis.
    • Monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited.
    • Direct and influence others on best practice and policy.
  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Design secure systems (Relevant skill level: practitioner). At this level you:
    • Design and review system architecture solutions through the development of patterns and principles.
  • Enabling and informing risk-based decisions (Relevant skill level: expert). At this level you:
    • Act as a point of escalation.
    • Are trusted by senior risk owners as an expert in security.
    • Are able to apply risk methodologies at the most complex levels of risk.
  • Research and innovation (Relevant skill level: practitioner). At this level you:
    • Are able to contribute to and inform developments on security properties in technology.
    • Are able to identify new technologies and design the use of these in the business context across the organisation.
    • Engage with the broader security community.
  • Specific security technology and understanding (Relevant skill level: expert). At this level you:
    • Have strong knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities.
    • Are acknowledged as an expert by peers in the broader security industry.
  • Understanding security implications of transformation (Relevant skill level: expert). At this level you:
    • Are able to challenge and lead changes to policy and processes to support business outcomes, business architecture and legal and political implications.

Security and information risk principal

Typical role level expectations

  • Oversee the provision of advice and guidance on security strategies to manage identified risks and ensure adoption of and adherence to standards.
  • Oversee the function that obtains and acts on vulnerability information and conducts security risk assessments and business impact analysis on complex information systems.
  • Lead major investigations of breaches of security and recommend appropriate control improvements.
  • Have a significant leadership role in the development of information security policy, standards and guidelines.
  • Design and implement information assurance and security policies and apply them in order to manage risks.
  • Oversee the provision of advice and guidance to ensure adoption of and adherence to information assurance architectures, strategies, policies, standards and guidelines.
  • Use control testing information to support information assurance assessments.
  • Represent the organisation externally on matters of security policy and standards.

Skills needed for this role

  • Analysis (Relevant skill level: expert). At this level you:
    • Provide direction and lead on change with regard to the factors that feed into analysis.
    • Monitor changes in the technical environment and assess whether risks are still at acceptable levels or whether previous decisions need to be revisited.
    • Direct and influence others on best practice and policy.
  • Communicating between the technical and non-technical (Relevant skill level: expert). At this level you:
    • Are able to mediate and mend relationships, communicating with stakeholders at all levels.
    • Are able to manage stakeholders’ expectations and facilitate discussions across high risk or complex topics, or under constrained timescales.
    • Are able to speak and represent the community to large audiences inside and outside of government.
  • Design secure systems (Relevant skill level: expert). At this level you:
    • Lead design and review solutions to complex problems with system architectures by defining and challenging patterns and principles.
    • Create precedents and set direction.
  • Enabling and informing risk-based decisions (Relevant skill level: expert). At this level you:
    • Act as a point of escalation.
    • Are trusted by senior risk owners as an expert in security.
    • Are able to apply risk methodologies at the most complex levels of risk.
  • Research and innovation (Relevant skill level: practitioner). At this level you:
    • Are able to contribute to and inform developments on security properties in technology.
    • Are able to identify new technologies and design the use of these in the business context across the organisation.
    • Engage with the broader security community.
  • Specific security technology and understanding (Relevant skill level: expert). At this level you:
    • Have strong knowledge of system architectures.
    • Are able to understand and articulate the impact of vulnerabilities on existing and future designs and systems, and how easy or difficult it will be to exploit these vulnerabilities.
    • Are acknowledged as an expert by peers in the broader security industry.
  • Understanding security implications of transformation (Relevant skill level: expert). At this level you:
    • Are able to challenge and lead changes to policy and processes to support business outcomes, business architecture and legal and political implications.

Contact

ddat@gov.scot
