#53 Information Security - Minor change around risk and consideration of security architect change request accepted
This change identifies a minor change to wording and also raises a couple of points about the security architect role.
From Australian Public Sector SFIA Cyber Security and Digital Workshop Oct12:
- Infosec Level 7 – suggest a minor modification to include risk management in addition to “…the strategic requirements of the business.”
- In relation to the role of a Security Architect, the goal is to manage risk rather than to simply comply with the business goals – and this is a key differentiator between Solutions Architects and Security Architects.
- In the “Blockchain and IOT (Internet of Things)” discussions, the Solution Architect may focus on the potential business advantages and benefits from early adoption, whereas Security Architect analysis and advice would focus on assisting with the implementation of this technology, if management so wished, to ensure that the implementation was appropriately risk managed throughout. Risk is an enterprise-wide issue, hence the much broader remit that Security Architects have across the entire agency at multiple levels of the technology stack compared to a solution architect focussed on a particular deliverable.
Proposed change applies to Information security
Current status of this request: accepted
What we decided
Accepted into broader review of security skills for SFIA 8.
What we changed
For SFIA 8 - Risk management has been made more generic to be applicable to security, and Vulnerability assessment has been added as a skill.