Application Guidance - CCP IA Architect Role (Practitioner Level)

Issue No: 1.0
May 2015
This document is for the purposes of issuing advice to UK Government, public sector
organisations and/or related organisations. The copying and use of this document for
any other purpose, such as for training purposes, is not permitted without the prior
approval of CESG.
The copyright of this document is reserved and vested in the Crown.
Document History
Version 1.0, May 2015: First issue
Executive Summary
CESG has developed a framework for certifying IA Professionals who meet competency and skill requirements for specified IA roles. The purpose of certification is to enable better matching between requirements for IA Professionals and the competence and skills of those undertaking common IA roles. The framework was developed in consultation with Government departments, academia, industry, the certification bodies and members of the CESG Listed Advisor Scheme (CLAS). The framework includes a set of IA role definitions and a certification process. This document provides guidance for applicants for certification as a CCP Architect at Practitioner level.
Purpose & Intended Readership
This document is intended as a guide on how to structure evidence when applying for certification under the CESG Certification for IA Professionals (CCP) scheme as an IA Architect at Practitioner level and includes suggestions of what you need to learn and know before applying. It complements CESG’s ‘CESG Certification for IA Professionals’ (reference [a]) and ‘Guidance to CESG Certification for IA Professionals’ (reference [b]) publications, to be found at: http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/Pages/index.aspx.
Feedback
CESG Information Assurance Standards and Guidance welcomes feedback and encourages readers to inform CESG of their opinions, positive or otherwise, in respect of this document. Please email: [email protected]
Contents:
Overall Requirements for the Architect Role at Practitioner level
  IA Architect Role Definition
  Headline statement for the Architect role at Practitioner level, SFIA Responsibility Level 2
  Applying for CCP Scheme Certification
Further information on the requirements for the Architect Role at Practitioner level
  Knowledge
  Skills
  Experience
The Certification Process
  Next Steps
The CCP Scheme Certification Learning Cycle
References
Overall Requirements for the Architect Role at Practitioner level
Key Principles
This document is intended as a guide on how to structure evidence when applying for CCP certification as an IA Architect at Practitioner level
and includes suggestions of what you need to learn and know before applying. It complements the ‘CESG Certification for IA Professionals’
and ‘Guidance to CESG Certification for IA Professionals’ publications – see http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/Pages/index.aspx.
Learning comes through acquiring skills and knowledge (from training, experience and learning from others doing the same job) and then
putting these into practice. Most people will need a few years to acquire these, although in some cases this period may be longer or shorter.
The section on skills provides prompts for the type of evidence which could demonstrate that you meet the required standards. You are
encouraged to follow the advice in this section when completing your written submission of evidence.
IA Architect Role Definition
The Architect’s role is to drive beneficial security change into the business through the development or review of architectures so that they:
- Fit business requirements for security
- Mitigate the risks and conform to the relevant security policies
- Balance information risk against the cost of countermeasures
Headline statement for the Architect role at Practitioner level, SFIA Responsibility Level 2
Represents security requirements in the design and implementation of IS architectures
Applying for CCP Scheme Certification
If you don’t feel that you can demonstrate all of the following required skills, knowledge and experience, agree a plan with your manager so
that you can address any gaps – e.g. through placements, projects, training, mentoring - before you apply for CCP certification. You also need
to check the website of the Certification Body (CB) you wish to use, to see if it specifies any additional requirements, for example an exam
qualification.
CCP certification lasts for 3 years and provides assurance to employers that you reliably perform the certified technical, business and people
skills to the required levels. It is a substantial and significant certification of competence. You need to provide evidence of your skills,
knowledge and experience and your written submission is likely to run to several pages. You may find it useful to set aside an hour a day for a
number of days or weeks. You must also provide references, so make sure your referees are familiar with your work and can justifiably
support your statements. If you are interviewed, your ability to relate your technical knowledge appropriately to an organisation’s objectives
and requirements will be further tested.
Your evidence must show that you:
- understand an organisation’s environment and the information risks that systems of interest are subject to
- assist senior Security Architects in the identification of information risks that arise from potential solution architectures
- propose alternate architectures or countermeasures to mitigate risks from initial solution architectures
- assist with the secure configuration of ICT systems in compliance with the intended architecture
- demonstrate the required skill levels from the Institute of Information Security Professionals (IISP) Skills Framework (see section on skills below)
- demonstrate all of the attributes of responsibility (autonomy, influence, complexity and business skills) from the Skills Framework for the Information Age (SFIA) (1) at level 2. Alternatively you can show evidence of at least level 1.5 for the IISP J skills (see http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx)

(1) See ‘Guidance to CESG Certification for IA Professionals’ at http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx and the SFIA Foundation at www.sfia.org.uk.
[Diagram: the elements of information assurance and their interdependence]
This diagram gives an overall picture of the different elements of information assurance and their interdependence. IA Architects need to gain the necessary information from others about, for example, the organisation’s environment, behaviours, threat levels and risk appetite in order to build or advise on appropriate architectures.
In no priority order, you need:
Skills:
- Negotiating
- Influencing
- Communication – able to talk to specialists and non-specialists alike
- Business writing (all the information needed for a decision, on 1 side of A4)
- Presentation
- Stakeholder management
Familiarity with:
- Information Assurance methodologies
- IA architectural patterns to solve common problems
- IA standards and policies for the industry sectors you work in
- The ‘CESG Certification for IA Professionals’ and ‘Guidance to CESG Certification for IA Professionals’ documents
- Technical IA controls
An understanding of:
- The organisation’s risk appetite and how to apply proportionate risk management controls
- Business strategy and your local business environment
- The fundamentals of how compromises can occur
- Technical skills, e.g. good knowledge of networking technologies, enterprise IT, how systems are built, developed and deployed, and different IT technologies and their use to develop an end-to-end process
- IT system secure management and deployment
Further information on the requirements for the Architect Role at Practitioner level
Knowledge
The following gives more detail of the knowledge you need to acquire. You must also show that you keep your security architecture and
technical knowledge up to date.
You must provide evidence that you understand and have appropriately applied your knowledge of:
- information security policies, standards and controls relevant to your industry sector
- your organisation’s IA policies and standards
- the strategic goals, threats and opportunities of the organisations you work in
- your organisation’s approach to developing, building and deploying technology
- relevant elements of the HMG Security Policy Framework (SPF) and CESG guidance* and the different technologies used within your organisation and their security properties
- best practice in secure architectures and techniques which mitigate security risks
- what good and bad security in IA architecture looks like
- relevant legal issues – e.g. protection of personal and financial data
- what information governance is, why it matters, who is responsible for it locally and how it works in practice

* if carrying out IA work for Government or Government suppliers
Skills
- When presenting your skills evidence, you are advised to use the ‘STAR’ format: ‘Situation, Task, Action, Result’
- Use a narrative form, e.g. ‘I produced ... My decision was ...’
- Explain what security and information risk advice you gave and why, and how it was proportionate and effective
- You must meet the required levels for the following 4 core skills: A4, C1, C2 and D1
- You must meet 75% of the remaining, non-core skills
- A single piece of work may be used for several skills, but a variety of examples gives better evidence of being able to work in more than one situation
The following table provides suggestions for starting points in evidence. Each entry gives the skill and required level, the IISP level descriptor, and the evidence of skill you could offer.
TECHNICAL SKILLS

A1 – Governance (Level 1)
  Descriptor: Understands local arrangements for Information Governance (IG)
  Evidence of skill: Give examples of how your advice fitted in with overall governance and what effect it had.

A2 – Policy & Standards (Level 2)
  Descriptor: With supervision and aligned with business objectives, authors or provides advice on IS policy or standards
  Evidence of skill: Give an example of how you’ve applied IS policy and standards and, if possible, feedback you’ve provided for IS policy and standards.

A3 – Information Security Strategy (Level 1)
  Descriptor: Understands the purpose of IS strategy to realise business benefits
  Evidence of skill: Give an example of how your work fits within the IS strategy of your organisation or how you have applied your understanding of your organisation’s IS strategy to your work.

A4 – Innovation & Business Improvement (Level 1 – core skill)
  Descriptor: Is aware of the business benefits of good IS
  Evidence of skill: Give examples of an innovative security architecture and/or how that enabled a significant business improvement.

A5 – Information Security Awareness & Training (Level 1)
  Descriptor: Understands the role of security awareness and training in maintaining Information Security
  Evidence of skill: Give examples which show your understanding of the importance of IS awareness and training.

A6 – Legal & Regulatory Environment (Level 1)
  Descriptor: Is aware of major pieces of legislation relevant to Information Security and of regulatory bodies relevant to the sector in which they work
  Evidence of skill: Explain how you’ve ensured that your work complied with the relevant legal and regulatory requirements.

A7 – Third Party Management (Level 1) (2)
  Descriptor: Is aware of the need for organisations to manage the information security of third parties
  Evidence of skill: Give examples of how you have contributed to 3rd party information systems and/or your understanding of the role of 3rd party systems in the overall architecture.
  (2) Skill only required if information systems or services are provided by a third party

B1 – Risk Assessment (Level 2)
  Descriptor: Understands how to produce information risk assessments
  Evidence of skill: Give examples of different risk assessments you’ve written or influenced. How did you decide which assets and threats were significant and how to assess the threat levels to the business objectives? How did you communicate your findings and what were the results of your work?

B2 – Risk Management (Level 2)
  Descriptor: Contributes to management of risks to information systems with supervision
  Evidence of skill: Give examples of how you’ve helped the organisation manage risks which you identified. What were the results of your work?

C1 – Security Architecture (Level 2 – core skill)
  Descriptor: Applies architectural principles to security design with some supervision
  Evidence of skill: Give examples of designs you’ve worked on and how you identified risks, and advice you’ve given on those. Explain how you’ve used common security technologies to manage the risks you’ve identified.

C2 – Secure Development (Level 1 – core skill)
  Descriptor: Is aware of the benefits of addressing security during system development
  Evidence of skill: Give examples to show how you used your understanding of secure development in building IT systems. Explain how you’ve taken secure development into account or given advice regarding secure development.

D1 – IA Methodologies (Level 1 – core skill)
  Descriptor: Is aware of the existence of methodologies, processes and standards for providing Information Assurance
  Evidence of skill: Give examples of understanding and applying IA methodologies to different situations.

D2 – Security Testing (Level 1)
  Descriptor: Is aware of the role of testing to support IA
  Evidence of skill: Give examples of influencing the scope of security testing and the interpretation of the results.

E1 – Secure Operations Management (Level 1)
  Descriptor: Is aware of the need for secure management of Information Systems
  Evidence of skill: Give examples of how you’ve influenced or advised on secure operations management.

E2 – Secure Operations & Service Delivery (Level 1)
  Descriptor: Is aware of the need for information systems and services to be operated securely
  Evidence of skill: Provide examples of how you’ve applied your understanding of how information systems are managed securely and any advice you’ve provided on secure information system management.

E3 – Vulnerability Assessment (Level 1)
  Descriptor: Is aware of the need for vulnerability assessments to maintain Information Security
  Evidence of skill: Give examples of scoping and recommending vulnerability assessments and interpreting their results, and common sources of information on vulnerabilities.

F1 – Incident Management (Level 1)
  Descriptor: Is aware of the benefits of managing security incidents
  Evidence of skill: Provide examples of how you’ve used your awareness of secure incident management, including if appropriate your contributions to incident management.

F2 – Investigation (Level 1)
  Descriptor: Is aware of basic principles of investigations
  Evidence of skill: Provide examples where you’ve considered the need for investigations when designing or reviewing architectures. What was the result of your work?

F3 – Forensics (Level 1)
  Descriptor: Is aware of the capability of forensics to support investigations
  Evidence of skill: Give examples of how you’ve considered the requirement for forensics as part of your security architect work.

G1 – Audit and Review (Level 1)
  Descriptor: Understands basic techniques for testing compliance with security criteria (policies, standards, legal and regulatory requirements)
  Evidence of skill: Give examples of how you’ve used your understanding of basic techniques for testing compliance with security criteria when developing or reviewing secure architectures.

H1 – Business Continuity Planning and H2 – Business Continuity Management (Level 1)
  Descriptor: Understands how Business Continuity Planning & Management contributes to Information Security
  Evidence of skill: Give examples from different work environments of how you considered business continuity in your architecture work. How did you test that existing processes were fit for the security architectures you worked on? What were the outcomes of your work?

I1 – Research (Level 1)
  Evidence of skill: Give examples of how you’ve researched which architecture would be appropriate for an information system.

BSMO – Business Modelling (SFIA level 2)
  Evidence of skill: Give examples of how you used your understanding of a customer’s business requirements when advising or reviewing architectures.

REQM – Requirements Definition & Management (SFIA level 2)
  Evidence of skill: Provide examples of how you identified the security requirements for a system you built or reviewed.

DESN – Systems Design (SFIA level 2)
  Evidence of skill: Give examples of designs you’ve worked on and how you influenced them.

PEOPLE SKILLS ‘J skills’ (instead of SFIA levels)

J1 – Teamwork and Leadership (Level 2)
  Descriptor: Is encouraging and supportive and provides a lead within the local area. Task-based team working
  Evidence of skill: Give examples of ways in which you’ve encouraged others to develop their own competence.

J2 – Delivering (Level 2)
  Descriptor: Responsibility for an element of delivery against one or more business objectives, balancing priorities to achieve this
  Evidence of skill: Give examples of prioritising tasks to ensure that an organisation’s objectives were met.

J3 – Managing Customer Relationships (Level 2)
  Descriptor: Negotiates with customers to improve the service to them and to manage their expectations
  Evidence of skill: Describe occasions when you’ve had to negotiate different outcomes with customers from those which they originally requested.

J4 – Corporate Behaviour (Level 2)
  Descriptor: Understands the aims of own and related areas across an organisation
  Evidence of skill: Give examples of providing cost-effective advice whilst meeting the security requirements for an information system.

J5 – Change and Innovation (Level 2)
  Descriptor: Generates creative ideas and demonstrates sensitivity in implementing local change
  Evidence of skill: Give examples of changes you’ve introduced – what did you do? How did you consider the impact on other people and processes? What was the outcome?

J6 – Analysis and Decision Making (Level 2)
  Descriptor: Makes effective decisions in consultation with others and/or solves complex problems in immediate area
  Evidence of skill: Give examples of breaking down problems, especially if complex. What was the outcome of your work?

J7 – Communication and Knowledge Sharing (Level 2)
  Descriptor: Encourages and contributes to discussion. Is proactive in sharing information in own work area
  Evidence of skill: Give examples of how you’ve adapted your communication to suit different media, e.g. face to face, over the phone, emails, presentations and meetings. What outcomes have you achieved?
Experience
Agree a plan with your manager to ensure that you cover the necessary ground, as suggested below.
Your CCP certification will assure employers that you are competent to develop and review (with an appropriate level of supervision or support) IA architectural designs.
Your evidence should show that you can give examples of driving beneficial security change into the business through the development or review of architectures so that these:
- fit business requirements for security
- mitigate risks and conform to the relevant security policies
- balance information risk against the cost of countermeasures
Give examples which show that you can:
- understand an organisation’s environment and the information risks that systems of interest are subject to
- assist Senior or other Security Architects to identify information risks arising from potential solution architectures
- propose alternate architectures or countermeasures to mitigate risks from initial solution architectures
- assist with the secure configuration of ICT systems in compliance with the intended architecture
The Certification Process
Next Steps
This Application Guidance contains material designed to help individuals applying for CCP Architect at Practitioner level. The CB certification processes for the Practitioner level follow below.
Note:
1. If you are considering applying for CCP Architect at Senior level, you will need to show experience of complex systems and satisfy the requirement for higher skill levels (see the ‘CESG Certification for IA Professionals’ and ‘Guidance to CESG Certification for IA Professionals’ publications at http://www.cesg.gov.uk/awarenesstraining/certified-professionals/Pages/index.aspx). Supervisory experience showing evidence of coaching and developing other architects would also be helpful.
2. If you are applying for CCP Architect at Lead level, you will need to show that you influence and direct security architecture strategy at an organisational level and satisfy the requirement for higher skill levels. For example, you directly and regularly brief or advise a Directors’ Board with regard to security architecture.
There are 3 CBs: the APM Group (www.apmg-ia.com ), BCS (www.bcs.org ) and the IISP, RHUL and CREST Consortium (www.iisp.org ).
Certification is for 3 years and requires evidence of continuing professional development throughout the period of certification.
The CCP Scheme Certification Learning Cycle
If you’ve identified a gap against
CCP requirements, make a timebounded plan to develop skills
and knowledge, with suitable
opportunities to apply them.
References
[a] ‘CESG Certification for IA Professionals’, http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/Pages/index.aspx
[b] ‘Guidance to CESG Certification for IA Professionals’, http://www.cesg.gov.uk/awarenesstraining/certifiedprofessionals/Pages/index.aspx
IA
CESG, A2i, Hubble Road, Cheltenham, Gloucestershire, GL51 0EX
Tel: +44 (0)1242 709141
Fax: +44 (0)1242 709193
Email: [email protected]
© Crown Copyright 2015. Communications on CESG telecommunications systems may be monitored
or recorded to secure the effective operation of the system and for other lawful purposes. This
information is exempt under the Freedom of Information Act 2000 and may be exempt under other UK
Information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or email
[email protected] .