- Career vs. Job
- Developing Job Roles
- SOC Job Roles
- NICE Cybersecurity Workforce Framework
- Role Tiers
- SOC Services and Associated Job Roles
- Soft Skills
- Security Clearance Requirements
- Onboarding Employees
- Managing People
- Job Retention
- Evaluating Training Providers
- Company Culture
Security Clearance Requirements
In addition to the previously discussed hard and soft skill requirements, another factor to consider as you develop a job description is that some roles in the SOC may require certain levels of security clearance in order to have access to specific content. Security clearance can be mandated by the organization and/or by law and is a license issued by an agency, the head of a department, or a branch of the federal government. Many U.S. federal employees and many employees in the private sector are required to obtain security clearance. The amount of time required to obtain any level of security clearance depends on different factors, but according to one source, Security Degree Hub (https://www.securitydegreehub.com), obtaining a U.S.-based security clearance on average takes six months to a year. During a clearance evaluation, various aspects of a candidate are verified, including their identity, where they were born, where they live, who lives with them, any previous or current financial troubles, or anything else that could represent a risk of granting the candidate enough trust for the specific level of clearance they are applying for.
Security clearances have different levels, which grant specific levels of access to classified content. Regarding the U.S. federal government clearance stages, there are three levels, corresponding to the potential impact data loss at that level could have on the government and associated parties:
Top Secret: Highest level of classification. Exposure would cause “exceptionally grave danger.”
Secret: Second highest level of classification. Exposure would cause “serious danger.”
Confidential: Lowest level of classification. Exposure would cause “damage.”
It is important to point out that the U.S. federal government has additional language and classification levels used in classified communities. Some Top Secret clearances indicate the employee has passed a Single Scope Background Investigation (SSBI). This means the employee needs Top Secret clearance and access to sensitive compartmented information (SCI) in order to do their work. This clearance is not the same as an employee granted Top Secret SCI, which represents a SCI program run by a specific agency. SCI programs can ask for additional validation, including polygraph examinations, as part of the screening process, but it is inaccurate to assume that all Top Secret SCI employees have had a polygraph or additional validation beyond what is required for a Top Secret clearance. The requirements for a SCI program are specific to the agency it is assigned to, meaning even if you have Top Secret clearance, you would not be granted access to any material deemed Top Secret SCI unless you have been granted SCI access by the specific agency behind the SCI program. If one SCI program grants an employee Top Secret SCI clearance to its agency’s SCI, that does not grant the same employee Top Secret SCI clearance access to any other agency’s SCI.
Countries in the European Union (EU) use a similar classification system known as the European Union Classified Information (EUCI) system. The EU approach breaks classified information into four levels. Like the U.S. classification system, each level is based on the potential impact data loss could have on the government and other associated parties.
Très Secret UE/EU Top Secret: The unauthorized disclosure of this information could cause exceptionally grave prejudice to the essential interests of the EU or one or more of the member states.
Secret UE/EU Secret: The unauthorized disclosure of this information could seriously harm the essential interests of the EU or one or more of the member states.
Confidentiel UE/EU Confidential: The unauthorized disclosure of this information could harm the essential interests of the EU or one or more of the member states.
Restreint UE/EU Restricted: The unauthorized disclosure of this information could be disadvantageous to the interests of the EU or one or more of the member states.
Certain groups, such as the General Secretariat of the Council (GSC), provide approval lists for the types of cryptographic products that can be used on certain levels of EUCI classified data. The same policies apply to people, process, and technology associated with EU classified information. Learn more about the EU classification system at https://www.consilium.europa.eu/en/.
The type of clearance your SOC or the organization protected by your SOC will or will not require will be based on the laws governing your organization and the data it is associated with. In some situations, access to content can be granted while a clearance is being processed, known as being in an “interim status” or temporary status. Other times, the clearance process must be completed before access to protected content can be granted. Most security programs require a periodic reinvestigation after a specific length of time, which time will be shorter as the level of clearance is increased. You will need to validate requirements for clearance with somebody that specializes in security clearances, such as a security clearance officer, before you consider providing specialized clearance to any of your employees.