Information Security Architect
Mercedes-Benz | Location: beijing | Update time: July 6, 2022
Job Description

Objective of job
The Information Security Architect contributes to the development of the system design and application architecture and ensures that the security requirements and ICFR specifications are fulfilled by the project, so that information security risks are mitigated.
In this role, he/she develops the Security Profile of the (application) system, by identifying potential weak points, assessing threats, developing adequate security measures and verifying their effectiveness. Thereby he/she ensures that incommensurate information security risks are addressed and technological, architectural or design-related decisions will not lead to any violation of corporate guidelines. He/she documents and communicates the results.
Job designation
1. Perform Threat Analysis & Create/Update the Security Profile
• The ISA performs threat analyses for complex technical designs and reports the results using standard templates.
• The ISA creates the initial Security Profile (with new applications/systems) or updates an existing Security Profile (with upgraded applications/systems).
• The ISA creates CISM-tickets for critical and high findings and updates the tickets along with respective changes in the Security Profile.

2. Derive Security Requirements
• Given application or system descriptions the ISA derives security requirements that will match the respective level of abstraction.
3. Review Design and Report Issues
• The ISA reviews the design documents with respect to
- fulfillment of security requirements
- (common) design errors
- already known design shortcomings (are they fixed or not)
• The ISA submits a written report that lists all shortcomings together with suggestions on how to fix them.
4. Review Implementation and Report Issues
• The ISA reviews the implementation with respect to
- fulfillment of security / design requirements
- (common) implementation errors,
- already known implementation shortcomings (e.g. from CodeScan or EPA, are they fixed or not?),
• The ISA submits a written report that lists all shortcomings together with suggestions on how to fix them.

5. Review Project Security Planning and Report Issues
• The ISA reviews various project management documents with respect to
- plausibility of effort estimates for planned security tasks,
- plausibility of cost estimates for planned security tasks,
- overall plausibility of timeline for security tasks,
- overall progress of security,
- completeness of planned security tasks
- security budget planning,
- ordering status of mandatory security services,
- mandatory security related tasks
• The ISA submits a written report that lists
- all shortcomings together with suggestions on how to fix them,
- all possible risks to achieving project goals that relate to information security.
6. Various Expert Consulting
• The ISA will answer explicit questions on various security related subjects, e.g. on
- Information Classification,
- DISF,
- security aspects of project management,
- technical information security, etc.

7. Technical Security Tasks
• Given the necessary input, the ISA will perform complex tasks with a specific, well described result. The tasks shall require substantial security expertise. The input the ISA needs will typically be provided in written form. Except for gathering of missing information there will be no further interaction with the project. The results will be in written form whenever possible.
