National Audit Office

Position details

Vacancy
Job title: Director - Information Security
Minimum salary: GBP 91,188.00
Maximum salary: GBP 119,340.00
Location: London or Newcastle
Close date: 07/07/2024

Job description

Director - Information Security
Contract type: Permanent
Location: London or Newcastle offices
The salary range for Directors at the NAO is £91,188 to £119,340. Internal candidates will be appointed in line with the NAO’s policy for pay on promotion. There may be flexibility on the salary available for exceptional candidates.
Hours: Flexible working and part time hours will be considered.

Closing date for applications is the 7th July 2024

Nationality Requirement:
• UK Nationals
• Nationals of Commonwealth countries who have the right to work in the UK
• Nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)

Please note, we are not able to sponsor work visas or accept temporary visas as we are looking to hire on a permanent basis. Please contact the HR Service desk (hrservicedesk@nao.org.uk) should you have any questions on your nationality eligibility.
Responsibilities
Reporting to: SIRO (Executive Director, Strategy and Resources)
Relationships:
Internal: Critical relationships with the C&AG, ET, Audit Committee and Board.
Strong internal relationships with Heads of Departments and in particular a close working relationship with the Director of Digital Services and its management team. Liaison with appropriate hubs to support their work and add value to the insight and impact we seek to deliver.
Monitor compliance with our legal obligations and act as our nominated Data Protection Officer.
External: Peers in Government Departments, similar organisations and the financial services sector. Relationships with a number of support organisations such as the Cabinet Office, National Cyber Security Centre, Centre for the Protection of National Infrastructure and ICO.
Resources Managed: As per project requirements and responsibility for the team’s staff and cash budget.

Skills required
• As Departmental Security Officer, be seen as a trusted advisor to the C&AG and SIRO through displaying technical and managerial expertise to deliver and, where needed, update our information security strategy.
• Ensure that through our security posture we maintain the confidence of our clients and of those we rely upon to provide or share information to discharge the C&AG’s responsibilities.
• Key leader in creating the right security culture in the NAO, making sure that NAO people clearly understand why NAO security policies and practices are in place and maintaining compliance with them.
• Achieving and influencing security by design, deploying strong evidence in our new digital financial audit capabilities, a digital-first collaborative authoring solution for the vfm service line and modern data analytics capabilities.
• Raise the profile of the post consistent with our objectives to be seen internally and externally as a thought leader.
• Being the advocate and the bridge between NAO senior leaders and technical IT leaders, teams and projects.
• Track and lead the improvement of the NAO’s security posture, proactively considering the changing threat landscape. Identifying and establishing security initiatives and standards throughout the Office.
• Maintain an ISMS which is fit for purpose, sufficiently agile to respond quickly to changing threats and landscapes, and understood and complied with across the Office.
• Be accountable for incident response and disaster recovery efforts in the event of a security compromise or incident. Providing technical and administrative support for the development of disaster recovery.
• Deliver cost-effective solutions to protect our information assets.
• Design and maintain performance metrics and share them with colleagues to measure the effectiveness of controls.
• Overseeing and coordinating security efforts across the Office, including the implementation of the Digital Assurance components of the NAO Digital Plan and producing and overseeing the delivery of the NAO’s Information Security Programme.
• Ensure compliance with privacy, client and information security laws and regulations applicable to HMG and other defined benchmarks we choose to adopt.
• Select an independently tested accreditation process for our security arrangements and ensure any non-conformities are addressed in a timely manner.
• Providing technical security advice in areas such as the development of new methods of providing digital services, new business cases for change projects with an information asset dimension, and the risk assessment of existing and planned information systems.
• Aligning our approach to information security with an approved Digital Plan, including, where cloud solutions are used, drawing on the technical standards and principles produced by HMG.
• Identifying and recommending actions to mitigate information security risks within our stated appetite.
• Providing consultancy advice on the security of the NAO’s technical infrastructure, including risk management, mitigation activities and tools.
• Ensuring that IT projects, policies and procedures comply with HMG’s Security Policy Framework (SPF).
• Ensuring that IT Health Checks (penetration tests) are undertaken at a predetermined frequency by external and/or internal resources, and that any resulting actions to address vulnerabilities are identified and implemented within an agreed action plan.
• Keeping up to date with the key requirements of standards including ISO 27001, Cyber Essentials Plus, and HMG guidance.
• Acting as the NAO lead liaison point with the technical security agencies.

Behavioural skills and personal qualities

• Strong communicator and change agent, linking a strategic view with pragmatic, operational execution and excellence. Proven track record of driving continuous improvement from informed insight as a subject matter expert, utilising and responding to new technologies and external threat assessments.
• Quickly understanding the context, enterprise risk and business rhythms of the NAO to ensure that solutions are proportionate, balancing industry standards and the business need.
• Effective leadership style to deliver and develop the optimum performance from the team.
• Strong analytical and problem-solving skills with attention to detail.
• Good team player who can facilitate knowledge sharing and collaborative working in multi-disciplinary teams with professional audit and IT staff.
• Self-starter, with energy and enthusiasm for driving continuous improvement and organisational learning from project experiences and analysis of business operations.
• Enthusiastic champion to promulgate and encourage good hygiene behaviours in information security across the office and to all colleagues.

Security Experience
• Substantial experience of leading an information security team.
• Ability to understand and respond to the risks from emerging technologies.
• Analysing risks derived from digital managed service contracts for all our digital operations and working in the cloud.
• Supporting and collaborating in transformation and major change projects, with a track record of shaping and ensuring security by design.
• Skilled in strategy, planning, delivery, implementation, operations and compliance reviews.
• Substantial knowledge of cyber and network security, cloud security (particularly on Azure), regulatory compliance, the Data Protection Act, Microsoft security tools (e.g. Defender, Sentinel), data loss prevention, different authentication security models, IT systems disaster recovery, business continuity and resilience, security operations, Security Incident and Event Management, and third-party vendor compliance and security assessments (incl. SLAs).
• Substantial experience of an information security role gained in a similar sector.
• Successful applicants will be required to achieve DV Security Clearance.
• Advanced knowledge of Government Information Assurance Policies and current IT security issues, in particular those affecting government and/or highly sensitive organisations.

Technical Experience
Deep knowledge of:
• Information security assessment and auditing procedures from both a technical and business perspective, supported by a technical qualification and evidenced continuous professional development.
• Vulnerability scanning and auditing tools.
• Enterprise-scale network and host-based IDS architectures.
• Enterprise-scale firewall architectures.
• Computer investigation and forensic methods and technologies.
• Secure messaging architectures.
• Strong knowledge of the regulatory framework.

Deep strengths in:

• Understanding the threats from new emerging technologies and secure deployment of these to support the business need.
• Project management skills and leadership.
• Business continuity planning.
• Effective communication and securing buy-in from all colleagues.
• Positively supporting effective change management within a safe operating environment and meeting business need.

Educational requirements

Employment & compensation

Employment type: Full time
Employment status: Permanent
Travel required: Not Checked
