Secure Systems Architecture and Design
Role overview
Secure System Architecture and Design is the design of an IT system so that it meets its security requirements while balancing them against its functional requirements.
Role level
Typical role level expectations
At this role level, you may:
• Embed ‘secure by design’ principles into application development, integrating security tools, standards, and processes into product life cycles
• Support the assessment of application resilience throughout an IT estate, generating regular application security reports to provide information about statistics and trends
• Follow processes for, provide standardised advice on tooling for, and conduct dynamic and static analysis in the product development life cycle
• Work with development teams to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist
• Recommend security controls and identify solutions that support a business objective
• Provide specialist advice and recommendations regarding approaches and technologies across teams and various stakeholders, assessing the risk associated with proposed changes
• Inspire and influence others to execute security principles, communicating widely with other stakeholders
• Help review ongoing security architectural activities
Typical role level expectations
At this role level, you may:
• Lead the technical design of systems and services, justifying and communicating all design decisions, applying research and innovative security architecture solutions to new or existing problems
• Communicate the vision, principles and strategy for security architects for one project or technology
• Decipher subtle security needs and understand the impact of decisions, balancing requirements and deciding between approaches
• Lead on quality assurance, and act as the point of escalation for Security Architects within a team
• Interact with stakeholders across organisations, teams, or communities
Typical role level expectations
At this role level, you may:
• Lead the embedding of ‘secure by design’ principles into application development by providing advice and internal consultancy on highly complex criteria and contexts
• Lead multi-team assessment of application resilience throughout an IT estate, reviewing regular application security reports, holding accountability and responsibility for secure design implementation
• Lead and assure processes, and provide SME thought leadership on tooling and dynamic and static analysis in the product development life cycle
• Lead development teams alongside senior cross-government decision makers to embed secure development life cycle and security awareness, and ensure appropriate tools and skills exist
• Lead projects with high strategic impact, setting a strategy that can be used in the long term and across the whole organisation
• Develop vision, principles and strategy for Security Architects for multiple projects or technologies
• Recommend security design across several projects or technologies, up to an organisational or inter-organisational level, solving unprecedented issues and problems
• Influence key organisational and architectural decisions, and interact with senior stakeholders across organisations to reach and influence a wide range of people across larger teams and communities
Skills
| Skill | Associate | Lead | Principal |
|---|---|---|---|
| Security architecture | Working | Practitioner | Expert |
| Secure Design | Working | Practitioner | Expert |
| Secure Development | Working | Practitioner | Expert |
| Information risk assessment and risk management | Working | Working | Working |
| Protective security | Awareness | Awareness | Awareness |
| Threat Understanding | Awareness | Working | Working |
Core learning
Entry level
BCS Certificate in Information Security Management Principles (CISMP)
Secure by Design
CompTIA Server+
Associate level
SEC530: Defensible Security Architecture
CompTIA Security+
SEC573: Automating Information Security with Python
Lead level
SEC530: Defensible Security Architecture
SOA for Architects & Managers: Designing and Managing Service-Oriented Architectures
Security by Design: Embracing a Culture of Security by Design for Resilient Applications and Systems
Principal level
CompTIA Advanced Security Practitioner (CASP+)
(ISC)2 Certified Information Systems Security Professional Training (CISSP)
SOA for Architects & Managers: Designing and Managing Service-Oriented Architectures