Carry out the security risk assessment for the client and its stakeholders

URN: SFSSCM2
Business Sectors (Suites): Security Management
Developed by: Skills for Security
Approved on: 2017

Overview

This NOS sets out the skills, knowledge and understanding for you to identify and evaluate the client's assets and operations to determine the security risks to those assets.
This NOS is aimed at security managers and those who are involved in the provision of security advice.
This NOS covers the following activities:

Identify and evaluate the assets of the client and its stakeholders
Identify and evaluate threats to and vulnerabilities of the assets and security arrangements of the client and its stakeholders
Determine the security risks to the assets of the client and its stakeholders


Performance criteria

You must be able to:

Identify and evaluate the assets of the client and its stakeholders


1. gather relevant information from different sources sufficient to identify and evaluate assets of the client and its stakeholders
2. collate and take account of all relevant information to support the evaluation of assets of the client and its stakeholders
3. use logical and systematic analysis of information to evaluate assets of the client and its stakeholders
4. determine the potential impact to the client organisation through the loss of identified assets of the client and its stakeholders
5. take account of critical requirements that could impact on the security of the assets of the client and its stakeholders
6. prioritise the value of identified assets in accordance with criteria agreed with the clients
7. evaluate relevant information according to its usefulness
8. maintain the security and confidentiality of information relevant to the assets and requirements

Identify and evaluate threats to and vulnerabilities of the assets and security arrangements of the client and its stakeholders

9. gather relevant information from different sources and conduct trend analysis
10. identify and evaluate threats to and vulnerabilities of the assets and security arrangements of the client and its stakeholders
11. collate and take account of all relevant information to support the evaluation of threats and vulnerabilities, including the sources of threats
12. use logical and systematic analysis of information to identify and evaluate threats to and vulnerabilities of the security of the assets and security arrangements of the client and its stakeholders
13. through the risk assessment process, categorise threats and possible methods of attack on assets and potential security arrangements
14. maintain the security and confidentiality of information relevant to threats and vulnerabilities to the assets and security arrangements of the client and its stakeholders

Determine the security risks to the assets of the client and its stakeholders

15. establish the levels of security risk and tolerance to the assets of the client and its stakeholders based on systematic analysis and evaluation of threats and vulnerabilities
16. inform the client and its stakeholders promptly of situations where there are imminent security risks to assets
17. produce reports that contain accurate and complete details of security risk and security measure options, where applicable
18. record information in a suitable and retrievable format
19. maintain the security and confidentiality of information relevant to security risks to the assets of the client and its stakeholders


Knowledge and Understanding

You need to know and understand:

Legal and organisational requirements


1. current relevant legislation, regulations, codes of practice, standards and guidelines relating to gathering, storing and maintaining information

Identify and evaluate the assets of the client and its stakeholders *

2. how to find information to evaluate the assets of the client and its stakeholders
3. why you need to have sufficient information regarding the assets of the client and its stakeholders and what to do if there are any gaps in this information
4. how and why it is important to evaluate information according to its relevance and significance to the security of the client's and its stakeholders' assets
5. how and why it is important to use systematic analysis methods when identifying and evaluating the assets of the client and its stakeholders
6. how to determine the potential impact to the client and its stakeholders if an asset was lost, interrupted, damaged or destroyed
7. how and why it is important to take account of critical requirements that may impact on the security of the client's and its stakeholders' assets

Identify and evaluate threats to and vulnerabilities of the assets and security arrangements of the client and its stakeholders

8. how to find information to identify and evaluate threats and vulnerabilities to the security of the client's and its stakeholders' assets and security arrangements
9. why it is essential to have all the relevant information regarding the threats and vulnerabilities to the security of the client's and its stakeholders' assets and security arrangements and what to do if there are any gaps in this information
10. how and why it is important to evaluate information according to its relevance and significance to the security of the client's and its stakeholders' assets and security arrangements
11. how and why it is important to use systematic analysis methods when identifying and evaluating threats and vulnerabilities of the client's and its stakeholders' assets and security arrangements

Determine the security risks to the assets of the client and its stakeholders *

12. how and why it is important to use systematic analysis methods when determining risks to the assets of the client and its stakeholders
13. how and why it is important to produce accurate and complete details of analysis
14. the reason for recording information in a suitable and retrievable format

Confidentiality of information*

15. how and why you should maintain the security and confidentiality of information


Scope/range


Scope Performance


Scope Knowledge


Values


Behaviours


Skills


Glossary

In these National Occupational Standards:


assets: anything with value, tangible or intangible, in need of protection; this can include, but is not limited to, people, information, property and reputation

impact: the effect of expected damage, harm or loss

risk: the likelihood of an event occurring that has the potential to affect any person, property or other asset, entailing a degree of damage, harm or loss

stakeholder: an organisation or individual, which may include a client, contractor, consultant, sub-contractor, supplier, workforce, agent or management

threat: an indication of the potential for damage, harm or loss

trend analysis: understanding the pattern of any activity which could have the potential to cause damage, harm or loss to the client

vulnerabilities: a weakness that could be exploited to damage or harm an asset or to cause loss


Links To Other NOS


External Links


Version Number

2

Indicative Review Date

2020

Validity

Current

Status

Original

Originating Organisation

Skills for Security

Original URN

SFS SCM 2

Relevant Occupations

Elementary Occupations, Elementary Security Occupations, Security Manager

SOC Code


Keywords

Assessments; risks; security