Defining and operating security controls and security management strategies.
The purpose of security controls and management strategies is to:
Maintain the security, confidentiality, integrity, availability, and accountability of information systems
Ensure that information systems comply with laws, regulations, and relevant standards
Activities may include, but are not limited to:
Selecting, adopting, and adapting security controls
Developing, justifying, and implementing security management strategies
Identifying risks in technical solution architectures
Ensuring that security principles are applied in design and development to reduce risk
Examples of types of security controls include, but are not limited to:
Physical controls
Procedural or administrative controls
Technical or logical controls
Legal, regulatory, or compliance controls
These activities are usually performed in collaboration with specialists in other areas, including, but not limited to, legal, technical infrastructure, auditing, architecture, and software development.
Information Security: Level 3
Applies and maintains specific security controls as required by organizational policy and local risk assessments. Communicates security risks and issues to business managers and others. Performs basic risk assessments for small information systems. Contributes to the identification of risks arising from potential technical solution architectures. Suggests alternative solutions or countermeasures to mitigate risks. Determines secure system configurations in accordance with intended architectures. Supports investigation of suspected attacks and security breaches.
Information Security: Level 4
Provides guidance on the application and operation of elementary physical, procedural, and technical security controls. Explains the purpose of security controls and performs security risk and business impact analysis for medium complexity information systems. Identifies risks arising from potential technical solution architectures. Develops alternative solutions or countermeasures and ensures identified risks are mitigated. Investigates suspected attacks and supports security incident management.
Information Security: Level 5
Provides advice and recommendations on security strategies to manage identified risks and to ensure that standards are adopted and enforced. Contributes to the development of information security policies, standards, and guidelines. Obtains and acts on vulnerability information. Conducts security risk assessments, business impact analyses, and accreditation of complex information systems. Investigates major security breaches and recommends appropriate control improvements. Develops new architectures that mitigate the risks associated with new technologies and business practices.
Information Security: Level 6
Develops and disseminates corporate information security policies, standards, and guidelines. Ensures architectural principles are applied in design to mitigate risk. Ensures policies, standards, and guidelines are adopted and enforced. Contributes to the development of organizational strategies to meet information control requirements. Identifies and monitors environmental and market trends and proactively assesses their impact on business strategies, benefits and risks. Leads the provision of authoritative advice and recommendations on security control requirements in collaboration with subject matter experts.
Information Security: Level 7
Leads the development, implementation, and maintenance of an enterprise information security strategy aligned with the business strategy. Ensures alignment between business strategies and information security. Leads the delivery of the information security expertise, guidance, and systems necessary to execute strategic and operational plans. Provides the organizational resources needed to implement the information security strategy.