TECHIS60231
Information in all its forms is a vital component of the digital environment in which we live and work.
Information risk is concerned with the importance of information to the organisation and the harm that can be caused by the failure to manage, use or protect information in all its forms. Risk management allows an organisation to prioritise risks, deploy resources efficiently and treat risks using a consistent and documented approach that takes into account threats, vulnerabilities, assets and harm. System risk needs to be understood, actively foreseen and managed within this context.
This role involves ensuring that information is classified according to its attributes, value to the organisation and its security status. This includes determining confidentiality, integrity and availability requirements, and defining access management controls.
Performance Criteria
1. undertake a security risk assessment for a simple system and propose basic remediation advice in line with organisational standards
2. conduct risk assessments to identify potential vulnerabilities to specified information assets, taking account of known threats
3. identify the sources and nature of risks and threats to specified information assets and systems
4. identify and document potential vulnerabilities and threats to the organisation's information assets
5. review internal and external standards and other sources of up-to-date information to ensure that newly emerging threats and risks are identified in a timely manner
6. follow an appropriate risk methodology in line with organisational procedures
7. regularly review and assess potential threats and vulnerabilities in terms of their risk potential, probability and potential impact on information assets
8. identify the range of management controls that are used to mitigate information security risks
9. review risks against the stated risk tolerance levels and act in a timely manner to mitigate/control or escalate risks that exceed tolerance levels as appropriate
10. carry out risk assessment and management activities in line with organisational standards
Knowledge and Understanding
1. what is meant by risk assessment, risk management, risk mitigation and risk control and what these entail
2. the concept of a risk landscape, its dynamic nature and how to create a landscape for an organisation
3. the causes of risk to information assets and how to identify information assets at risk
4. how to classify threats and risk
5. the concept of residual risk and what it means for an organisation
6. that criteria can be used to assess the suitability of risk management approaches for an organisation, including quantitative approaches such as ARO, SLE & ALE and qualitative expressions of risk such as heat maps and Likert scales
7. the fact that certain information assets may be more valuable than others and as such require increased levels of protection/assurance
8. how risks to information assets can be caused by both accidental/negligent behaviour and malicious activity
9. the importance of identifying and assessing risks in terms of both their potential impact and their probability of occurring
10. where to source information on the threats and vulnerabilities affecting information assets
11. the policies, processes, and standards that exist for risk assessment and management and how to apply them
12. how to use and apply appropriate risk assessment and management methodologies and tools
13. how to establish the prioritisation, probability and likely impact of risks
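The quantitative expressions named in item 6 (ARO, SLE, ALE), the qualitative heat-map/Likert view, residual risk (item 5) and review against a tolerance level (Performance Criterion 9) all fit into one small risk-register calculation. The following is an added worked example written for this page, not material from the TECHIS standard itself; every asset value, exposure factor, frequency, scale band and tolerance figure in it is constructed sample data, and the 5x5 banding scheme is one illustrative choice rather than a mandated one.

```python
"""Worked example: SLE / ARO / ALE, a 5x5 likelihood-impact heat map, residual
risk and a cost/benefit check for a control.

Added illustration, not part of the TECHIS standard. All figures below are
constructed sample data.
"""

from dataclasses import dataclass, replace

# Constructed 5-point Likert scale used for both likelihood and impact.
LIKERT = {1: "very low", 2: "low", 3: "medium", 4: "high", 5: "very high"}


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    asset_value: float      # value at stake, in currency units
    exposure_factor: float  # fraction of asset value lost per incident (0..1)
    aro: float              # Annualised Rate of Occurrence (incidents per year)
    likelihood: int         # qualitative rating on the 1..5 Likert scale
    impact: int             # qualitative rating on the 1..5 Likert scale


def sle(risk: Risk) -> float:
    """Single Loss Expectancy: expected loss from one occurrence."""
    return risk.asset_value * risk.exposure_factor


def ale(risk: Risk) -> float:
    """Annualised Loss Expectancy: expected loss per year = SLE x ARO."""
    return sle(risk) * risk.aro


def heat_map_rating(likelihood: int, impact: int) -> str:
    """Place a likelihood/impact pair in a heat-map band (constructed scheme)."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    score = likelihood * impact
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritise(risks, tolerance_ale: float):
    """Risks whose ALE exceeds the stated tolerance, largest ALE first.
    These are the ones to treat or escalate; the rest are accepted."""
    return sorted((r for r in risks if ale(r) > tolerance_ale), key=ale, reverse=True)


def control_is_worthwhile(risk: Risk, annual_control_cost: float, residual_aro: float) -> bool:
    """Cost/benefit test for a control that lowers the ARO to residual_aro.
    The residual risk is the ALE that remains after the control is applied;
    the control pays for itself when the ALE reduction exceeds its annual cost."""
    residual = replace(risk, aro=residual_aro)
    return (ale(risk) - ale(residual)) > annual_control_cost


# Constructed sample risk register.
REGISTER = [
    Risk("customer database", "ransomware", 500_000, 0.6, 0.2, 3, 5),
    Risk("public website", "defacement", 40_000, 0.25, 1.0, 4, 2),
    Risk("laptop fleet", "loss or theft", 120_000, 0.02, 6.0, 5, 2),
]
TOLERANCE_ALE = 12_000  # constructed organisational tolerance (currency/year)

if __name__ == "__main__":
    for r in REGISTER:
        band = heat_map_rating(r.likelihood, r.impact)
        print(f"{r.asset:18} {r.threat:14} SLE={sle(r):>10,.0f} "
              f"ALE={ale(r):>9,.0f} L={LIKERT[r.likelihood]:9} "
              f"I={LIKERT[r.impact]:9} -> {band}")
    print("Above tolerance:", [r.threat for r in prioritise(REGISTER, TOLERANCE_ALE)])
    # A control costing 25,000/year that cuts ransomware ARO from 0.2 to 0.05.
    print("Ransomware control worthwhile:",
          control_is_worthwhile(REGISTER[0], 25_000, 0.05))
```

Running the script lists each register entry with its SLE, ALE and heat-map band, reports which risks sit above the constructed tolerance (and so must be treated or escalated), and shows the residual-risk arithmetic behind deciding whether a candidate control is worth its annual cost. Swapping in real asset values and observed incident rates turns the same functions into the quantitative side of an organisation's own assessment.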
TECHIS60241
This role involves following the steps in the information risk assessment and management process: ensuring that information risks are identified and assessed, that an impact assessment is undertaken, that risk treatment options are specified, that appropriate controls are selected and that there is ongoing monitoring and review.
Performance Criteria
1. correctly identify the range of response actions that may be used to mitigate/control risks in line with organisational standards
2. take decisive and timely action in the event of risks being realised and impacting the integrity of information systems, in line with organisational standards
3. perform risk assessments that clearly identify and assess potential risks in terms of their probability of occurrence
4. analyse the identified risks to assess their potential impact on information assets and to determine whether they are within specified risk tolerance levels
5. contribute to the development and maintenance of risk management plans used to mitigate risks in accordance with relevant internal and external standards
6. assess and validate information on current and potential threats to the organisation, analysing trends and highlighting relevant information security issues
7. use human factor analysis in the assessment of threats in line with organisational standards
8. use threat intelligence to develop attack trees in line with organisational standards
9. prepare and disseminate intelligence reports providing threat indicators and warnings in line with organisational standards
10. scan information systems and networks for public domain vulnerabilities, reporting potential issues and mitigation options in line with organisational standards
11. make recommendations as to the specific actions that should be applied to mitigate risks and escalate risks that are outside agreed risk tolerance levels
12. review and apply the strategy, policies, procedures, tools and techniques relating to security risk assessment and management activities
13. identify and assist in the development of a risk contingency plan for a non-complex system, based upon analysis of the probability and impact of potential risks to a specific information system
14. objectively analyse and clearly present the findings from risk assessment and management activities to sponsors, stakeholders and external bodies
Knowledge and Understanding
1. information is an organisational asset that has a value, which may be relative depending on the perspective taken, and therefore can be classified to reflect its importance to an organisation or individual
2. information is vulnerable to threats in systems
3. information has attributes relating to confidentiality, possession or control, integrity, authenticity, availability, and utility, any of which can make it vulnerable to attack
4. information may need to be protected, and some of the reasons why that protection must occur, including legal and regulatory drivers, customer rights or organisational objectives
5. information has a lifecycle, from creation through to deletion, and protection may be required and may change throughout that lifecycle
6. that information risk assessment and management is a term referring to the process of documenting what information is at risk, the type and level of risk, and the impact of realisation
7. the value and role of risk management within a business information security strategy
8. the range of issues associated with information security risk assessment and management activities
9. the range of approaches that can be taken to risk assessment and management activities and their appropriateness in a range of business contexts
10. the internal and external factors that may impact on security risk management activities
11. the regulations, legislation, internal and external standards that may apply to information security risk assessment and management activities
12. who is responsible for leading/managing the risk assessment and management activities
13. that risk management activities should be planned as an ongoing/cyclical activity
14. how to develop and maintain a risk management plan
15. the risk tolerance levels specified for managing risk
16. the need to be accountable for the successful management of security risks
TECHIS60251
This role covers the competencies concerned with conducting risk management activities on information systems, information assets and digital process control systems. It includes following the processes for managing, communicating and responding to risks on information systems, information assets and digital process control systems.
Performance Criteria
1. produce risk assessments for enterprise information systems in line with organisational standards
2. review and apply the strategy, policies, tools and techniques relating to information security risk assessment and management activities in line with organisational standards
3. correctly develop risk contingency plans, based upon analysis of the probability and impact of potential risks to information systems in line with organisational requirements
4. undertake threat assessments and vulnerability testing to inform risk assessments in line with organisational standards
5. contribute to the development and maintenance of information risk assessment processes in accordance with relevant internal and external standards
6. identify and document the range of response actions that may be used to mitigate risks
7. take decisive and timely action in the event of risks being realised and impacting the integrity of information systems
8. communicate risk assessments and their deliverables to a wide range of sponsors, stakeholders and other individuals and confirm their understanding
Knowledge and Understanding
1. the available methods, tools and techniques used to conduct risk assessment activities
2. how to complete a detailed risk assessment for complex information systems, conducting business impact analysis on the risks identified
3. how to use and apply information and data from threat analysis and assessments, IT health checks and vulnerability testing tools in risk assessments
4. how to provide advice and guidance to less experienced staff
5. how to analyse, document and present risk assessment activities and outcomes
6. the range of methods for performing information security risk assessments in terms of usability, flexibility, and their outputs
7. the detailed application of risk assessment processes used to objectively determine which security controls are most appropriate
8. the importance of monitoring the quality and effectiveness of risk assessment activities
9. how to identify and implement improvements to the risk assessment processes and procedures
10. the need to ensure that risk assessments are undertaken professionally
TECHIS60261
This standard covers the competencies concerned with directing risk assessment and risk management activities. It includes setting the strategy and policies for risk assessment and risk management, and being fully accountable for successful information security risk assessment and management operations.
Performance Criteria
1. define the information security risk assessment and management strategy, policies and standards
2. design procedures, tools and techniques relating to risk assessment and management activities
3. be fully accountable for successful information security risk assessment and management
4. correctly identify the potential implications of emerging risks on the wider business operations and business strategy
5. provide timely and objective advice and guidance to others on all aspects of risk assessment and management frameworks and activities, including best practice and the application of lessons learned
6. direct resource allocation and professional development strategy for information security risk assessment and management activities
7. make effective and timely decisions to improve the quality and effectiveness of risk assessment and management activities within an organisation
8. provide thought leadership on the discipline of risk assessment and management, contributing to internal best practice and to externally recognised publications, white papers etc.
Knowledge and Understanding
1. how to manage the implications and consequences of failure to mitigate/control risks that arise
2. the need to advise and guide others on all aspects of strategic risk assessment and management activities
3. how lessons learned may be applied to the risk management activities of other programmes
4. sources of best practice in risk assessment and management activities
5. how to design and develop the strategy, policies, plans and standards to ensure alignment with business requirements and all relevant legislation, regulations and external standards
6. the importance of using lessons learned to inform future risk management activities