The global skills and competency framework for the digital world

End to end operating model for security

Security is everyone's responsibility. SFIA provides comprehensive coverage of the skills and competency needed to make this happen.

An operating model where Security is everyone’s responsibility

SFIA 8 review
One action was to communicate how the current framework, SFIA 7, supports an operating model and a culture where security is everyone's responsibility.
Here we look at a worked example to show how security-related responsibilities are found across the organisation.
We then map those responsibilities to SFIA skills and SFIA generic levels of responsibility.
We are exploring the interaction between "security specialists" and the other roles where security is part of day-to-day activities.
This work is informed by framework mappings and the analysis of all SFIA skills.

    • This model is not an organisation structure: it does not describe reporting structures, team names or team sizes.
    • It is used to illustrate the breadth of business and technology capabilities where security must be built in, by design and by default, not as an afterthought.
    • We can use this to map security-related responsibilities to each of these components.
    • To execute those responsibilities, we need people with skills, knowledge and levels of competency.
    • SFIA provides a single solution to describe specialist skills alongside the other skills needed to build in security.

    Individuals and organisations embed secure working practices into everything they do.

    • Security is embedded in the organisation’s culture.
    • Leaders role model required behaviours.
    • Security is a generally accepted part of every-day working and management practices.

    In SFIA, these expectations are described in the Business skills dimension of SFIA's 7 levels of responsibility.

Table of SFIA components to security responsibilities

    For each security operating model component, the table lists the specific security related responsibilities, the SFIA skills and levels of responsibility by which they are addressed, and the relationship between that component and the security specialists.

All employees

    Specific security related responsibilities:
    • Employees receive regular cyber security awareness training, and know how to recognise and respond to security threats.
    • Security is embedded in the organisation’s culture.
    • Senior leaders role model required behaviours.
    • Security is a generally accepted part of every-day working and management practices.

    Addressed in SFIA by:
    • SFIA generic levels of responsibility reference security for all levels 1 through 7
    • Organisation design and implementation ORDI
    • Performance management PEMT
    • Learning and development management ETMG
    • Competency assessment LEDA
    • Learning design and development TMCR
    • Learning delivery ETDL
    • Professional development PDSV
    • Broad suite of professional skills supporting a comprehensive security operating model

    Relationship with security specialists:
    • Info Sec organisation provides advice, guidance and support.
    • Info Sec specialists may be involved hands on in design and/or delivery of some education and awareness activity.

Infrastructure, hosting, network platform

    Specific security related responsibilities:
    • Maintain inventory of the platform’s assets
    • Ensure infrastructure assets are secure during operations
    • Define and implement controls necessary to protect platform assets in accordance with security requirements
    • Document and enforce secure development lifecycle
    • QA / Testing for security requirements
    • Definition and management of identities and the access controls based on identities
    • Understand the cause and effect of security vulnerabilities
    • Configuration management, patching, systems hardening
    • Implement remedial actions to resolve vulnerabilities and recover from incidents; integrate with platform work queues
    • Validated backup and recovery capability for critical data
    • Monitor for potential security violations

    Addressed in SFIA by:
    • IT Management ITMG
    • IT infrastructure ITOP
    • Network design NTDS
    • Network planning NTPL
    • Network support NTAS
    • Programming/software development PROG
    • Testing TEST
    • Systems integration and build SINT
    • Configuration management CFMG
    • Security administration SCAD
    • Penetration testing PENT
    • Problem management PBMG
    • Storage management STMG
    • Asset management ASMG
    • Knowledge management KNOW
    • Availability management AVMT
    • Systems software SYSP

    Relationship with security specialists:
    • Platform is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to the platform team.

     

Projects and programmes

    Specific security related responsibilities:
    • Early identification and engagement of security resources
    • Security risk assessments and plans
    • Security requirements included in solution and product design
    • Threat modelling

    Addressed in SFIA by:
    • Project management PRMG
    • Programme management PGMG
    • Solution architecture ARCH
    • Requirements definition and management REQM
    • Business analysis BUAN
    • Business modelling BSMO
    • Methods and tools METL
    • Business process testing BPTS

    Relationship with security specialists:
    • Projects / programmes are responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to projects / programmes.

Product management

    Specific security related responsibilities:
    • Early identification and engagement of security resources
    • Security risk assessments and plans
    • Security requirements included in solution and product design
    • Threat modelling
    • Legal requirements (GDPR and Intellectual Property Rights)
    • Integrity requirements (the ability to prevent a fraudster changing pricing information on a web site)
    • Protection of brand, including logos and web sites

    Addressed in SFIA by:
    • Product management PGMG
    • Solution architecture ARCH
    • Requirements definition and management REQM
    • Business analysis BUAN
    • Methods and tools METL
    • Information content publishing ICPM
    • Information content authoring INCA
    • User research URCH
    • User experience analysis UNAN
    • User experience design HCEV
    • User experience evaluation USEV
    • Customer service support
    • Selling SALE
    • Sales support SSUP

    Relationship with security specialists:
    • Product management is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to product management teams.

Identity and access management

    Specific security related responsibilities:
    • Defining and managing identities (for people, objects, and assets requiring access to information, technology and facilities)
    • Defining and implementing access controls based on identities and access rights
    • Including passwords, PINs, digital signatures, smart cards, biometrics

    Addressed in SFIA by:
    • Security administration SCAD
    • Conformance review CORE
    • Facilities management DCMA

    Relationship with security specialists:
    • Identity and access management is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to identity and access management.

Application platform

    Specific security related responsibilities:
    • Maintain inventory of the platform’s assets
    • Ensure platform assets are secure during operations
    • Define and implement controls necessary to protect platform assets in accordance with security requirements
    • Document and enforce secure development lifecycle
    • QA / Testing for security requirements
    • Definition and management of identities and the access controls based on identities
    • Threat modelling: understand the cause and effect of security vulnerabilities
    • Configuration management, patching, systems hardening
    • Monitor for potential security violations
    • Implement remedial actions to resolve vulnerabilities and recover from incidents; integrate with platform work queues

    Addressed in SFIA by:
    • Systems development management DLMG
    • Software design SWDN
    • Programming/software development PROG
    • Testing TEST
    • Systems integration and build SINT
    • Configuration management CFMG
    • Application support ASUP
    • Security administration SCAD
    • Penetration testing PENT
    • Problem management PBMG
    • Asset management ASMG
    • Knowledge management KNOW
    • Availability management AVMT

    Relationship with security specialists:
    • Platform is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to the platform team.

DevOps

    Specific security related responsibilities:
    • Maintain inventory of assets
    • Define and implement controls necessary to protect assets in accordance with security requirements
    • Document and enforce secure development lifecycle and ensure assets are secure during operations
    • DevSecOps: implement security decisions and actions at the same scale and speed as dev and ops decisions and actions
    • Integrate security into the suite of tools automating DevOps
    • QA / Testing for security requirements
    • Definition and management of identities and the access controls based on identities
    • Threat modelling: understand the cause and effect of security vulnerabilities
    • Monitor for potential security violations
    • Configuration management, patching, systems hardening
    • Implement remedial actions to resolve vulnerabilities and recover from incidents; integrate and prioritise with team work queues

    Addressed in SFIA by:
    • Systems development management DLMG
    • Software design SWDN
    • Programming/software development PROG
    • Testing TEST
    • Systems integration and build SINT
    • Configuration management CFMG
    • Application support ASUP
    • Security administration SCAD
    • Penetration testing PENT
    • Problem management PBMG
    • Asset management ASMG
    • Knowledge management KNOW
    • Availability management AVMT
    • IT Management ITMG
    • IT infrastructure ITOP
    • Network design NTDS
    • Network planning NTPL
    • Network support NTAS
    • Methods and tools METL

    Relationship with security specialists:
    • DevOps team is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to the DevOps team.

Data platform

    Specific security related responsibilities:
    • Maintain inventory of information assets
    • Designate, prioritise, and categorise information and vital assets, informed by the criticality and sensitivity of the information asset
    • Create / maintain data model with visibility of the location of sensitive information
    • Use metadata to manage sensitive data
    • Ensure information assets are secure during operations
    • Define and implement controls necessary to protect information assets in accordance with security requirements
    • Document and enforce secure development lifecycle
    • QA / Testing for security requirements
    • Definition and management of identities and the access controls based on identities
    • Threat modelling
    • Monitor for potential security violations
    • Understand the cause and effect of security vulnerabilities
    • Configuration management, patching, systems hardening
    • Implement remedial actions to resolve vulnerabilities and recover from incidents; integrate with platform work queues
    • Validated backup and recovery capability for critical data

    Addressed in SFIA by:
    • Information governance IRMG
    • Data management DATM
    • Storage management STMG
    • Security administration SCAD
    • Conformance review CORE
    • Facilities management DCMA
    • Data modelling and design DTAN
    • Database design DBDS
    • Database administration DBAD
    • Programming/software development PROG
    • Testing TEST
    • Systems integration and build SINT
    • Configuration management CFMG
    • Application support ASUP
    • Penetration testing PENT
    • Problem management PBMG
    • Asset management ASMG
    • Availability management AVMT

    Relationship with security specialists:
    • Platform is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to the platform team.

IT management and governance

    Specific security related responsibilities:
    • Governance structures and processes
    • Clear governance structures and defined lines of responsibility and accountability
    • Board level commitment and involvement
    • Measuring and monitoring of performance
    • Continuous improvement of security capabilities and outcomes
    • Create / maintain enterprise data model with visibility of the location of sensitive information

    Addressed in SFIA by:
    • Enterprise and IT governance GOVN
    • Information security SCTY
    • Organisation design and implementation ORDI
    • Strategic planning ITSP
    • Measurement MEAS
    • Sourcing SORC
    • Supplier management SUPP
    • Enterprise and business architecture STPL
    • Information governance IRMG
    • Data management DATM
    • IT management ITMG
    • Systems development management DLMG
    • Business risk management BURM
    • Demand management DEMM
    • Portfolio management POMG
    • Quality management QUMG
    • Organisational capability development OCDV

    Relationship with security specialists:
    • IT management and governance are responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Integrate security into governance working practices, e.g. measurement and tracking.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to IT management and governance.

Service management

    Specific security related responsibilities:
    • Managing security as a service
    • Integrate security best practices into service management best practices, to lower the cost of maintaining acceptable security levels, effectively manage risks and reduce the overall risk level
    • Accrediting systems, from a security perspective, to operate in the live environment
    • Appreciate the significance of changing the configuration and ensure that the impact on security is considered
    • The security of the configuration system itself
    • Include a security review in the formal release and deployment process

    Addressed in SFIA by:
    • Service level management SLMO
    • Release and deployment RELM
    • Service acceptance SEAC
    • Configuration management CFMG
    • Problem management PBMG
    • Incident management USUP
    • Availability management AVMT
    • Capacity management CPMG
    • Solution architecture ARCH
    • Methods and tools METL
    • Business process improvement BPRE

    Relationship with security specialists:
    • Service management is responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Integrate security into service management working practices.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to service management.

Risk

    Specific security related responsibilities:
    • Manage / address risks from poor information security in the same way as all other business risks
    • Information security risk management is the critical first area of ensuring an organisation designs, develops and implements IT systems that have security by design and default
    • Review security issues that might affect the organisation, in light of the business requirements
    • Develop a pragmatic, sensible and cost-effective solution, managing the risk down to a level that is acceptable to senior management
    • Independently review security measures on a regular basis
    • Ensure audit results are reviewed and assessed by senior management

    Addressed in SFIA by:
    • Business risk management BURM
    • Conformance review CORE
    • Information assurance INAS
    • Information security SCTY

    Relationship with security specialists:
    • Info Sec specialists provide advice, guidance and support to service management.

HR / Learning & development

    Specific security related responsibilities:
    • Recruitment and onboarding process
    • Candidate vetting, terms and conditions of employment, acceptable use policies
    • Generic or role based accountabilities in job descriptions
    • Objective setting and performance management
    • Effective job design and separation of duties
    • Broad awareness education for security
    • Developing, planning, coordinating, and evaluating training / education courses, methods, and techniques
    • Developing and conducting training or education of the workforce
    • Workforce plans, strategies, and guidance

    Addressed in SFIA by:
    • Performance management PEMT
    • Resourcing RESC
    • Relationship management RLMT
    • Organisation design and implementation ORDI
    • Learning and development management ETMG
    • Competency assessment LEDA
    • Learning design and development TMCR
    • Learning delivery ETDL
    • Professional development PDSV

    Relationship with security specialists:
    • HR / Learning & development are responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Integrate security into HR / Learning & development working practices.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to HR / Learning & development.

Procurement / supplier management

    Specific security related responsibilities:
    • Management of 3rd party suppliers: cloud services, applications, ERP systems
    • RFPs, operational supplier management
    • Supply chain risk assessment
    • Due diligence, contracting
    • Annual supplier assessment

    Addressed in SFIA by:
    • Sourcing SORC
    • Supplier management SUPP
    • Continuity planning COPL
    • Contract management ITCM
    • Relationship management RLMT

    Relationship with security specialists:
    • Procurement / supplier management are responsible for day-to-day security activities and monitoring and reporting against security frameworks.
    • Integrate security into procurement / supplier management working practices.
    • Info Sec specialists have oversight of their security working practices to provide security assurance.
    • Info Sec specialists provide advice, guidance and support to procurement / supplier management.

Information security governance

    Specific security related responsibilities:
    • Governance and risk management
    • Board-level commitment and involvement
    • Information security strategy, policies and processes
    • Central inventory of relevant data regulations and the affected data subject area
    • Security metrics, reporting and tracking
    • Security architecture
    • 3rd party / managed security services

    Addressed in SFIA by:
    • Enterprise IT governance GOVN
    • Information security SCTY
    • Information assurance INAS
    • Measurement MEAS
    • Business risk management BURM
    • Enterprise and business architecture STPL
    • Supplier management SUPP

Information security audit & assurance

    Specific security related responsibilities:
    • Compliance: ensure that controls are adequate to meet security requirements
    • Conduct security audits and assessments
    • External validation
    • Support for internal and external audits

    Addressed in SFIA by:
    • Information assurance INAS
    • Measurement MEAS
    • Conformance review CORE
    • Testing TEST

Information security operations

    Specific security related responsibilities:
    • Collating external and internal security intelligence
    • Conducting situational awareness: reporting an operational view of the external environment
    • Analysing and managing threats to the organisation’s information security
    • Security information and event management: real-time analysis of security alerts generated by network hardware and applications
    • Log management: collecting and storing log messages and audit trails
    • Managing vulnerabilities, viruses, and malicious code
    • Providing an information security help desk
    • Managing security incidents (detection, analysis, response, and recovery)
    • Communicating with internal stakeholders and external entities, as required

    Addressed in SFIA by:
    • Security administration SCAD
    • Information security SCTY
    • Specialist advice TECH
    • Measurement MEAS
    • Methods and tools METL
    • Incident management USUP
    • Relationship management RLMT
    • Continuity management COPL
    • Business risk management BURM
    • Supplier management SUPP
    • IT infrastructure ITOP
    • Network support NTAS
    • Penetration testing PENT
    • Knowledge management KNOW

Security incident management / Major security incident response

    Specific security related responsibilities:
    • Planning for incident management and response, business continuity, service continuity and disaster recovery
    • Performing and coordinating tests, exercises, and drills of response plans
    • Problem management, root cause analysis, and reviews after security incidents
    • Conducting forensic investigations
    • Working with law enforcement and other regulatory bodies during and following an incident
    • Communications with key internal and external stakeholders
    • Manage PR and reputation

    Addressed in SFIA by:
    • Continuity planning COPL
    • Business risk management BURM
    • Incident management USUP
    • Information security SCTY
    • Information assurance INAS
    • Relationship management RLMT
    • Supplier management SUPP
    • Contract management ITCM
    • Digital forensics DGFS

Information security improvement programme

    Specific security related responsibilities:
    • Identify, review, assess business functions that impact information security
    • Develop, implement, and maintain an information security improvement programme, plan, and processes
    • Define information security roles and responsibilities
    • Allocate trained and skilled resources to implement the programme
    • Identify, manage, and maintain the work products required to deliver the programme
    • Identify, involve, communicate with and report to internal and external stakeholders
    • Allocate and manage funding for information security activities
    • Measure and monitor cost, schedule, and performance against the information security plan

    Addressed in SFIA by:
    • Information security SCTY
    • Programme management PGMG
    • Project management PRMG
    • Portfolio, programme and project support PROF
    • Consultancy CNSL
    • Organisational capability development OCDV
    • Measurement MEAS
    • Organisation design and implementation ORDI
    • Relationship management RLMT
    • Change implementation planning and management CIPM
    • Benefits management BENM
    • Learning design and development TMCR
    • Learning delivery ETDL
    • Competency assessment LEDA
    • Professional development PDSV

3rd party providers of security services and tools

    Specific security related responsibilities:
    • Collating external and internal security intelligence
    • Utilising machine learning, AI and other innovative tools to enhance the predictive capability of the organisation
    • Using data visualisation to show how threats are being actioned, to enable timely and effective business decision making
    • Conducting situational awareness: reporting an operational view of the external environment
    • Analysing and managing threats to the organisation’s information security
    • Security information and event management: real-time analysis of security alerts generated by network hardware and applications
    • Log management: collecting and storing log messages and audit trails

    Addressed in SFIA by:
    • Information security SCTY
    • Emerging technology monitoring EMRG
    • Consultancy CNSL
    • Specialist advice TECH
    • Methods and tools METL
    • Analytics INAN
    • Data visualisation VISL
    • Innovation INOV
    • Penetration testing PENT
    • Knowledge management KNOW

    Relationship with security specialists:
    • Responsible for ad hoc or day-to-day security activities, contracted by the Info Sec organisation.
    • Provide access to deep expertise, tools and skilled resources to enable the Info Sec organisation to meet its responsibilities.

State-of-the-art security research

    Specific security related responsibilities:
    • Systematic creation of new knowledge by data gathering, innovation, experimentation, evaluation and dissemination
    • Determination of research goals and the method by which the research will be conducted
    • Participation in a community of researchers; communicating formally and informally through digital media, conferences, journals, books and seminars
    • Themes such as secure systems and technology, verification and assurance, operational risk and analytics, identity, behaviour and ethics, national and international security and governance, human aspects of cyber security / human-centred computing

    Addressed in SFIA by:
    • Research RSCH
    • Emerging technology monitoring EMRG
    • Methods and tools METL
    • Analytics INAN
    • Data visualisation VISL
    • User research URCH

    Relationship with security specialists:
    • The Info Sec organisation does not have, or need, the capability to perform original research into information security.
    • It relies on its 3rd party suppliers, on secondary research and/or on being part of the security community to keep up to date with industry developments.