Analyst Compliance Audit

Analyst Compliance Audit: in the IT-ITeS industry, the Analyst Compliance Audit role covers the roles of cyber security auditor as well as compliance analyst.

Brief Job Description: This job role is responsible for ensuring the organization's compliance with applicable Government regulations and international standards body recommendations by performing compliance audits, reporting and addressing risk. The main duties consist of identifying risks, identifying the organization's exposure to different legal and compliance regulations, performing the designated tasks in the workflow for closure of risk issues, and satisfying compliance requirements.

Personal Attributes: This job may require the individual to work independently and take decisions for his/her own area of work. The individual should have a high level of analytical thinking ability, a passion for information security and attention to detail; should be ethical, compliance- and result-oriented; should be able to demonstrate interpersonal skills; and should be willing to undertake a desk-based job with long working hours.


Identify and report compliance issues with respect to cyber security:

Performance Criteria

PC1. receive organizational policy, contractual requirements and legislative requirements relating to cyber security from authorized sources
PC2. gather relevant information about the asset or process under review
PC3. identify resources needed to support the asset (platforms, operating systems, personnel, etc.) and business processes impacted
PC4. develop, with the support of stakeholders, the checklist of compliance requirements, controls and possible threats identified, along with their probability of occurrence and potential impact
PC5. obtain authorization to receive data and evaluate processes and operations from relevant authority
PC6. collect and store necessary evidences
PC7. evaluate processes and operations documents to identify non-conformance to policies, procedures, standards and controls as per compliance checklist
PC8. evaluate a system’s compliance with information technology (IT) security, resilience, and dependability requirements
PC9. perform validation steps, comparing actual results with expected results and analyze the differences to identify impact and risks
PC10. conduct and review security authorization reviews and assurance case development for initial installation of software applications, systems, and networks to confirm that the level of risk is within acceptable limits
PC11. verify that the software application/network/system accreditation and assurance documentation is current and postures are implemented
PC12. inspect continuous monitoring results to confirm that the level of risk is within acceptable limits for the software application, network, or system
PC13. identify & interpret exposure to risks and threats identified as per checklist
PC14. identify & interpret exposure to legal & compliance regulations as well as contractual obligations
PC15. identify and review risks in inter-related cyber security actions between internal and external stakeholders and functions
PC16. document deviations and recommend required actions to correct those deviations
PC17. provide an accurate technical evaluation of the software application, system, or network, documenting the security posture, capabilities, and vulnerabilities against relevant Confidentiality, Integrity and Availability (CIA) compliances
PC18. prepare reports on compliance audit and analysis for various stakeholders

PC19. complete own assigned tasks and activities to defined standards and timelines
PC20. complete reporting dashboard as per schedule and as per organizational requirement
PC21. perform documentation of activities performed with all relevant details for compliance
PC22. correctly follow and apply the policies and standards relating to conducting of compliance audit
PC23. validate that customer needs are met within SLA and meet other time and quality commitment KPIs; provide guidance and suggestions as appropriate

Organizational Context


KA1. relevant legislation, standards, policies, and procedures followed in the company
KA2. organization’s knowledge base and how to access and update this
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. organizational hierarchy and management structure
KA6. HR systems
KA7. how to engage with both internal and external specialists for support in order to resolve incidents and service requests
KA8. service request procedures, tools, and techniques
KA9. the operating procedures that are applicable to the system(s) being used
KA10. typical response times and service times related to own work area
KA11. standard tools and templates available and how to use these
KA12. computer network defense (CND) policies, procedures, and regulations

Technical Knowledge

KB1. basic cyber security concepts e.g. the importance of confidentiality, integrity and availability for information systems; common types of malicious code; types of threats facing the information security of individuals and organizations; sources of threats to information security in terms of opportunity, ability and motive
KB2. explain how hardware and software vulnerabilities can be identified and resolved
KB3. what is meant by risk appetite, risk assessment & analysis, risk treatment and what these entail
KB4. what are the aims and objectives of risk management and the activities that are involved

KB5. the procedures, tools and techniques that can be used to conduct and document risk assessment activities
KB6. SIEM and Log management systems
KB7. known vulnerabilities from alerts, advisories, errata, and bulletins
KB8. business objectives of the organization as well as of relevant business processes
KB9. the steps involved in information security risk management
KB10. compliance policies of the organization concerned
KB11. organizational procedures for information security audits
KB12. Risk Management Framework (RMF) requirements
KB13. information technology (IT) supply chain security/risk management policies, requirements, and procedures
KB14. various types of controls and safeguards for cyber security
KB15. basics of physical and environmental controls
KB16. computer network defense (CND) and vulnerability assessment tools, including open source tools, and their capabilities
KB17. systems diagnostic tools and fault identification techniques
KB18. new and emerging information technology (IT) and cyber security technologies
KB19. structured analysis principles and methods
KB20. interpretation of network and application design documents
KB21. organization’s enterprise information technology (IT) goals and objectives
KB22. relevant laws, policies, procedures, or standards as they relate to work that may impact critical infrastructure
KB23. cyber security concepts, policies, and procedures
KB24. security infrastructure components
KB25. network security architecture

Generic Skills


Writing Skills
You need to know and understand how to:
SA1. complete accurate well written work with attention to detail
SA2. document call logs, reports, task lists, and schedules with co-workers
SA3. prepare status and progress reports
SA4. log calls and raise tickets in the SIEM tool, providing proper indicators and descriptions as required
SA5. write memos and e-mails to customers, co-workers, and vendors to provide them with work updates and to request appropriate information, without errors of English grammar or sentence construction and following professional etiquette

Reading Skills
You need to know and understand how to:
SA6. read about new products and services with reference to the organization and also from external forums such as websites and blogs
SA7. keep abreast with the latest knowledge by reading brochures, pamphlets, and product information sheets
SA8. read comments, suggestions, and responses to Frequently Asked Questions (FAQs) posted on the helpdesk portal
SA9. read policy manual, standard operating procedures and service level agreements relevant to work area
SA10. read emails received from own team, across team and external vendors and clients
Oral Communication (Listening and Speaking skills)
You need to know and understand how to:
SA11. discuss task lists, schedules, and work-loads with co-workers
SA12. give clear instructions to specialists/vendors/users/clients as required
SA13. keep stakeholders informed about progress
SA14. avoid using jargon, slang or acronyms when communicating with a customer, unless it is required
SA15. receive and make phone calls, including call forward, call hold, and call mute
B. Professional Skills
Decision Making
You need to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make a decision on a suitable course of action
Plan and Organize
You need to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines
Customer Centricity
You need to know and understand how to:
SB4. identify internal or external customer requirements and priorities clearly with respect to the work at hand
SB5. carry out rule-based transactions in line with customer-specific guidelines, procedures, rules and service level agreements
SB6. check that your own and/or your peers' work meets customer requirements
Problem Solving
You need to know and understand how to:
SB7. apply problem-solving approaches in different situations
SB8. seek clarification on problems from others
Analytical Thinking

You need to know and understand how to:
SB9. analyze data and activities
SB10. configure data and disseminate relevant information to others
SB11. pass on relevant information to others
Critical Thinking
You need to know and understand how to:
SB12. provide opinions on work in a detailed and constructive way
SB13. apply balanced judgments to different situations
Attention to Detail
You need to know and understand how to:
SB14. check your work is complete and free from errors
Team Working
You need to know and understand how to:
SB15. work effectively in a team environment
SB16. work independently and collaboratively
C. Technical Skills
You need to know and understand how to:
SC1. identify measures or indicators of system performance and the actions needed to improve or correct performance relative to the goals of the system
SC2. determine how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
SC3. work on various operating systems
SC4. work with word processors, spreadsheets and presentations
SC5. stay abreast of the latest developments in terms of industry standards and information security tools and techniques

Maintain compliance to information security policies, regulations and standards and address risk issues:

Performance Criteria

PC1. communicate the subsequent compliance audit and risk assessment results to specified organizational personnel
PC2. share compliance issues identified during the audit with appropriate organizational personnel as per process laid out
PC3. plan and coordinate the operational activities of a given company or organization to guarantee compliance with governmental regulations, ordinances and standards
PC4. ensure that all policies and procedures are implemented and well documented
PC5. perform occasional internal reviews, and identify compliance problems that call for formal attention
PC6. file compliance reports with regulatory bodies
PC7. take necessary actions for closure of the risk and non-conformance issues during the lifecycle
PC8. present compliance issues identified to the management for prioritizing, support risk mitigation plan
PC9. co-ordinate for ongoing monitoring of the risk factors to organizational operations and assets, individuals, other organizations
PC10. undertake corrective actions or implementation of controls or procedural steps for satisfying needs of compliances
PC11. implement an information system disposal strategy, when needed, which executes required actions when a system is removed from service
PC12. maintain quality service by establishing and enforcing organization standards
PC13. maintain legal and regulatory compliance by researching and communicating requirements, and obtain approvals
PC14. maintain regular communication and contact with organizational head and other departments to share information and to ensure that compliance related activities are coordinated
PC15. document steps undertaken during the process & outcomes of the steps taken

PC16. ensure that existing compliance related processes and procedures are being followed, with sufficient documentary evidence being maintained in the event of an internal/external audit
PC17. complete research assignments and deliver comprehensive but concise reports in a timely manner
PC18. provide timely feedback on contracts and agreements to be issued or entered into by the organization
PC19. maintain professional and technical knowledge by formal and informal means
PC20. ensure that customer needs are met within SLA and meet other time and quality commitment KPIs
PC21. maintain a collaborative relationship with various stakeholders like management, other function heads and point of contacts, etc.
PC22. provide guidance and suggestions as appropriate
PC23. complete own assigned tasks and activities to defined standards and timelines
PC24. correctly follow and apply the policies and standards relating to information security identity and access management activities
Knowledge and Understanding (K)

Organizational Context

You need to know and understand:
KA1. relevant legislation, standards, policies, and procedures followed in the company
KA2. organization’s knowledge base and how to access and update this
KA3. limits of your role and responsibilities and who to seek guidance from
KA4. the organizational systems, procedures and tasks/checklists within the domain and how to use these
KA5. organizational hierarchy and management structure
KA6. legal and regulatory guidelines applicable to the business or domain that the organization is engaged in
KA7. how to engage with both internal and external specialists for support in order to resolve incidents and service requests
KA8. service request procedures, tools, and techniques
KA9. the operating procedures that are applicable to the system(s) being used
KA10. typical response times and service times related to own work area
KA11. computer network defense (CND) policies, procedures, and regulations

Technical Knowledge

You need to know and understand:
KB1. basic cyber security concepts
KB2. explain how hardware and software vulnerabilities can be identified and resolved
KB3. what is meant by risk management, risk mitigation and risk control and what these entail
KB4. what are the aims and objectives of risk management
KB5. activities that are involved in the management of risk
KB6. the procedures, tools and techniques that can be used to conduct and document risk assessment activities
KB7. known vulnerabilities from alerts, advisories, errata, and bulletins
KB8. business objectives of the organization
KB9. the steps involved in information security risk management
KB10. compliance policies of the organization concerned
KB11. organizational procedures for information security audits
KB12. Risk Management Framework (RMF) requirements
KB13. information technology (IT) supply chain security/risk management policies, requirements, and procedures
KB14. various types of controls and safeguards for cyber security
KB15. computer network defense (CND) and vulnerability assessment tools, including open source tools, and their capabilities
KB16. systems diagnostic tools and fault identification techniques
KB17. new and emerging information technology (IT) and information security technologies
KB18. structured analysis principles and methods
KB19. names and uses of systems diagnostic tools and fault identification techniques
KB20. organization’s enterprise information technology (IT) goals and objectives
KB21. relevant laws, policies, procedures, or standards as they relate to work that may impact critical infrastructure
KB22. information security concepts, policies, and procedures

Generic Skills

Writing Skills
The user/individual on the job needs to know and understand how to:
SA1. document call logs, reports, task lists, and schedules with co-workers
SA2. prepare status and progress reports
SA3. write memos and e-mails to customers, co-workers, and vendors to provide them with work updates and to request appropriate information, without errors of English grammar or sentence construction and following professional etiquette

Reading Skills
The user/individual on the job needs to know and understand how to:
SA4. read about new products and services with reference to the organization and also from external forums such as websites and blogs
SA5. keep abreast with the latest knowledge by reading brochures, pamphlets, and product information sheets
SA6. read comments, suggestions, and responses to Frequently Asked Questions (FAQs) posted on the helpdesk portal
SA7. read policy manual, standard operating procedures and service level agreements relevant to work area
SA8. read emails received from own team, across team and external vendors and clients

Oral Communication (Listening and Speaking skills)
The user/individual on the job needs to know and understand how to:
SA9. discuss task lists, schedules, and work-loads with co-workers
SA10. give clear instructions to specialists/vendors/users/clients as required
SA11. keep stakeholders informed about progress
SA12. avoid using jargon, slang or acronyms when communicating with a customer, unless it is required
SA13. receive and make phone calls, including call forward, call hold, and call mute

Professional Skills

Decision Making
The user/individual on the job needs to know and understand how to:
SB1. follow rule-based decision-making processes
SB2. make decisions on suitable courses of action

Plan and Organize
The user/individual on the job needs to know and understand how to:
SB3. plan and organize your work to achieve targets and deadlines

Customer Centricity
The user/individual on the job needs to know and understand how to:
SB4. carry out rule-based transactions in line with customer-specific guidelines, procedures, rules and service level agreements
SB6. check that your own and/or your peers' work meets customer requirements

Problem Solving
The user/individual on the job needs to know and understand how to:
SB7. apply problem-solving approaches in different situations
SB8. seek clarification on problems from others

Analytical Thinking

The user/individual on the job needs to know and understand how to:
SB9. analyze data and activities
SB10. configure data and disseminate relevant information to others
SB11. pass on relevant information to others

Critical Thinking
The user/individual on the job needs to know and understand how to:
SB12. provide opinions on work in a detailed and constructive way
SB13. apply balanced judgments to different situations

Attention to Detail
You need to know and understand how to:
SB14. apply good attention to details
SB15. check your work is complete and free from errors

Team Working
You need to know and understand how to:
SB16. work effectively in a team environment
SB17. contribute to the quality of team working
SB18. work independently and collaboratively

Technical Skills
You need to know and understand how to:
SC1. determine how a security system should work (including its resilience and dependability capabilities) and how changes in conditions, operations, or the environment will affect these outcomes
SC2. identify measures or indicators of system performance and the actions needed to improve or correct performance relative to the goals of the system
SC3. evaluate the trustworthiness of the supplier and/or product
SC4. work on various operating systems
SC5. work with word processors, spreadsheets and presentations
SC6. stay abreast of the latest developments in terms of industry standards and information security tools and techniques

Manage your work to meet requirements:

Performance Criteria (PC) w.r.t. the Scope
To be competent on the job, you must be able to:
PC1. establish and agree your work requirements with appropriate people
PC2. keep your immediate work area clean and tidy
PC3. utilize your time effectively
PC4. use resources correctly and efficiently
PC5. treat confidential information correctly
PC6. work in line with your organization’s policies and procedures
PC7. work within the limits of your job role
PC8. obtain guidance from appropriate people, where necessary
PC9. ensure your work meets the agreed requirements

Organizational Context

KA1. your organization’s policies, procedures and priorities for your area of work and your role and responsibilities in carrying out your work
KA2. limits of your responsibilities and when to involve others
KA3. your specific work requirements and who these must be agreed with
KA4. the importance of having a tidy work area and how to do this
KA5. how to prioritize your workload according to urgency and importance and the benefits of this
KA6. your organization’s policies and procedures for dealing with confidential information and the importance of complying with these
KA7. the purpose of keeping others updated with the progress of your work
KA8. who to obtain guidance from and the typical circumstances when this may be required
KA9. the purpose and value of being flexible and adapting work plans to reflect change

Technical Knowledge
You need to know and understand:
KB1. the importance of completing work accurately and how to do this
KB2. appropriate timescales for completing your work and the implications of not meeting these for you and the organization
KB3. resources needed for your work and how to obtain and use these

Generic Skills

Writing Skills
You need to know and understand how to:
SA1. complete accurate work with attention to detail

Reading Skills
You need to know and understand how to:
SA2. read instructions, guidelines, procedures, rules and service level agreements

Oral Communication (Listening and Speaking skills)
You need to know and understand how to:
SA3. ask for clarification and advice from line managers
SA4. communicate orally with colleagues

Professional Skills

Decision Making
You need to know and understand how to:
SB1. make a decision on a suitable course of action

Plan and Organize
You need to know and understand how to:
SB2. plan and organize your work to achieve targets and deadlines
SB3. agree objectives and work requirements

Customer Centricity
You need to know and understand how to:

SB4. deliver consistent and reliable service to customers
SB5. check that your own work meets customer requirements

Problem Solving
You need to know and understand how to:
SB6. refer anomalies to the line manager
SB7. seek clarification on problems from others

Analytical Thinking
You need to know and understand how to:
SB8. provide relevant information to others
SB9. analyze needs, requirements and dependencies in order to meet your work requirements

Critical Thinking
You need to know and understand how to:
SB10. apply judgments to different situations

Attention to Detail
You need to know and understand how to:
SB11. check your work is complete and free from errors
SB12. get your work checked by peers

Team Working
You need to know and understand how to:
SB13. work effectively in a team environment

Technical Skills
You need to know and understand how to:
SC1. use information technology effectively, to input and/or extract data accurately
SC2. identify and refer anomalies in data
SC3. store and retrieve information
SC4. keep up to date with changes, procedures and practices in your role

Guidelines for Assessment:

  1. Criteria for assessment for each Qualification Pack (QP) will be created by the Sector Skill Council (SSC). Each performance criterion (PC) will be assigned Theory and Skill/Practical marks proportional to its importance in the NOS.
  2. The assessment will be conducted online through assessment providers authorised by SSC.
  3. Format of questions will include a variety of styles suitable to the PC being tested such as multiple choice questions, fill in the blanks, situational judgment test, simulation and programming test.
  4. To pass a QP, a trainee should pass each individual NOS. Standard passing criteria for each NOS is 70%.