Infrastructure Security Officer - 2 posts

JOB DESCRIPTION

REPORTS TO: Infrastructure Architect

RESPONSIBLE FOR: The Networks & Infrastructure Security Officer will be responsible for leading all aspects of Cyber Security for ICT services within the context of ICT Networks & Infrastructure team. The Networks & Infrastructure Security Officer will be responsible for the successful implementation of cyber security policies, as well as supplier assurance activities and identification and remediation of corporate information security risks. The Networks & Infrastructure Security Officer will be responsible for engaging with other public sector and cyber security organisations and for potentially managing and leading a small number of employees within the ICT Networks & Infrastructure service. The Networks & Infrastructure Security Officer will be required to liaise with the Head of Service for Networks & Infrastructure and other IT Security Officers on existing and emerging information security issues to ensure consistency across EA service areas.

JOB PURPOSE

• To align IT security with business objectives and ensure that the confidentiality, integrity and availability of EA’s assets, information, data and IT services supports the organisation to achieve the corporate objectives.
• To protect the interests of those relying on information, and the systems and communications that deliver the information, from harm resulting from failures of confidentiality, integrity and availability.
• The objectives of the post will be met when:

- Information is observed by or disclosed to only those who have the right to know (confidentiality)
- Information is complete, accurate and protected against unauthorised modification (integrity)
- Information is available and usable when required, and the systems that provide it can appropriately resist attacks and recover from or prevent failures (availability)
- Business transactions, as well as information exchanges between enterprises, or with partners, can be trusted (authenticity and non-repudiation)

Leadership and management responsibilities

The Networks & Infrastructure Security Officer has the following leadership responsibilities for this portfolio of services:

Setting Vision and Strategy

• Work with the Infrastructure Architect to establish, maintain and communicate a clear and compelling strategic direction for information security across EA.
• Contribute to the development of a strategic plan for cyber security and contribute to the development of an Infrastructure business plan.
• Translate the corporate vision into ICT Infrastructure specific initiatives.
• Contribute to the regionalisation and transformation of the section, and all related processes and procedures.
• Contribute to the development and implementation of new policies in line with strategic direction and other public sector/cyber security organisations.
• Contribute to the management of the scope of services being implemented by EA projects and 3rd party suppliers.
• Challenge conventional approaches, harness new approaches and technology and maximise efficiencies.

Managing the Organisation to Deliver

• Manage service delivery effectively to ensure that the section achieves the highest possible standards of performance and focuses on the needs of internal and external customers.
• Agree service performance targets with the Head of Networks & Infrastructure and other EA ICT Heads of Service and provide regular progress reports at potentially Board Level.
• Develop, agree and implement a robust annual operational plan for the section relevant to cyber security policies and procedures.
• Delegate responsibilities and deploy staff according to their skills and abilities to meet the needs of the section.
• Regularly monitor and review plans and make adjustments as required.
• Manage and continuously improve the section to ensure delivery against performance targets, and to ensure that best value for money is achieved.
• Ensure that the service contributes to overall Directorate and Corporate performance as appropriate and provide update reports as required.
• Ensure that the Head of Networks & Infrastructure receives high quality service-specific advice.
• Apply resources effectively across the section to maximise the delivery of front-line services.
• Ensure compliance with relevant legal, regulatory and statutory performance requirements.
• Manage the relevant ICT Infrastructure section budgets in accordance with all relevant financial policy and procedures.
• Contribute effectively to quality and performance management systems and ensure that the section is being managed as per the requirements of these systems.
• Investigate all complaints and adverse incidents where outcomes are below expected standards.
• Establish effective and rigorous quality assurance systems to maintain high standards.

Leadership

• Work closely with the Infrastructure Architect to provide the section with leadership and direction ensuring that corporate, directorate and service performance standards are achieved.
• Promote the ethos and values of the authority and ensure that the section is focused on customer needs.
• Foster a culture that supports achievement of the authority’s Strategic Plan by role modelling core values and leadership behaviours to staff in the section.
• Lead/manage and communicate change and improvement initiatives within the section.
• Lead, manage and develop staff within the section.
• Train relevant Education Authority staff on cyber security risks.
• Encourage staff involvement and engagement in the strategic development and operational delivery of the section.
• Actively encourage teamwork and self-development, and create opportunities to maximise individuals’ potential, stimulate innovation and connection at all levels with front line services.
• Promote a positive culture of performance management within the section through individual and small-team accountability. Foster a culture of constructive feedback and learning, and a genuine commitment to regular and effective appraisals.
• Prepare and deliver reports on behalf of the Head of Networks & Infrastructure as required.

Building Relationships and Working with Others

• Build and maintain effective, professional and respectful stakeholder relationships.
• Ensure efficient and effective internal communication with staff in the section.
• Work closely with partner organisations, the Infrastructure Architect and colleagues to benchmark services and lead/manage and monitor change.
• Build and maintain effective working relationships and clear lines of communication with the Head of ICT Networks & Infrastructure and Heads of Service within the Directorate and in other Directorates.
• Develop and maintain clear lines of communication and effective working partnerships with relevant external stakeholders and service user groups.
• Lead on/manage engagement with staff, schools and the public on major changes in the service that may affect them.
• Work with external agencies; for example, education sector partner organisations, to identify opportunities for joint working that might bring greater consistency across the sector, and/or improve efficiency and effectiveness of service delivery.

Section-specific responsibilities

The following list provides an outline of the key responsibilities. It does not, however, represent a comprehensive list of tasks.

Control

• Establish a management framework to initiate and manage information security for the ICT function and EA Programmes and deliverables within the context of the Networks & Infrastructure Service.
• Establish an organisational structure to prepare, approve and implement the information security policy for EA systems and solutions.
• Allocate information security responsibilities within the context of the Networks & Infrastructure Service.
• Establish and control information security documentation.

Plan

• Devise and recommend appropriate security measures, based on an understanding of the requirements of the organisation.
• Work closely with the Infrastructure Architect to design solutions which meet the wider needs of the Networks & Infrastructure Service.
• Gather requirements from such sources as business and service risk, plans and strategies, service and operational level agreements, and legal, moral and ethical responsibilities for information security.
• Consider factors such as the amount of funding available and the prevailing organisational culture and attitudes to security.
• Contribute to the upkeep of the information security policy as an organisation wide document, not just applicable to ICT.
• Develop a threat and risk assessment to inform the development of security requirements.

Implement

• Ensure that appropriate procedures, tools and controls are in place including security policies, incident management and disaster recovery.
• Lead on the installation, commissioning and maintenance of systems designed to provide security, resilience, disaster recovery capabilities, and cyber recovery capabilities.
• Determination of a clear and agreed policy, integrated with the needs of the business.
• Establish security procedures that are justified, appropriate and supported by senior management.
• Provide effective marketing and education in security requirements.
• Evaluate supplier security responses, technical designs and supplier operating models.
• Evaluate ongoing project implementation risk.
• Develop IT vulnerability assessment plans and scopes for new systems and services.
• Promote security awareness by developing and implementing a security awareness and training programme.
• Establish a mechanism for measuring and managing improvement.

Evaluate

• Supervise and check compliance with the security policy and security requirements in service and operational level agreements, and in underpinning contracts with suppliers.
• Carry out regular audits of the technical security of IT systems during and post implementation.
• Provide information to external auditors and regulators as required.
• Monitor Critical Success Factors (CSFs) and Key Performance Indicators (KPIs) for information security.

Maintain

• Improve security arrangements as specified in service and operational level agreements and other documentation.
• Improve the implementation of security measures and controls.
• Carry out continual service improvement in relation to information security.
• Work towards independent certification against ISO/IEC 27001.

This job description will be subject to review in light of changing circumstances and is not intended to be rigid and inflexible but should be regarded as providing guidelines within which the individual works. Other duties of a similar nature and appropriate to the grade may be assigned from time to time.

In accordance with Section 75 of the Northern Ireland Act (1998), the post-holder is expected to promote good relations, equality of opportunity and pay due regard for equality legislation at all times.

To view the summary of terms and conditions for this post, click here.

PERSON SPECIFICATION

NOTES TO JOB APPLICANTS

1. You must clearly demonstrate on your application form under each question, how, and to what extent you meet the required criteria as failure to do so may result in you not being shortlisted. You should clearly demonstrate this for both the essential and desirable criteria, where relevant.

2. You must demonstrate how you meet the criteria by the closing date for applications, unless the criteria state otherwise.

3. The stage in the process when the criteria will be measured is outlined in the table below.

4. Shortlisting will be carried out on the basis of the essential criteria set out in Section 1 below, using the information provided by you on your application form.

5. Please note that the Selection Panel reserves the right to shortlist only those applicants that it believes most strongly meet the criteria for the role.

6. In the event of an excessive number of applications, the Selection Panel also reserves the right to apply any desirable criteria as outlined in Section 3 at shortlisting, in which case these will be applied in the order listed. It is important therefore that you also clearly demonstrate on your application form on how you meet any desirable criteria.

Section 1 - Essential Criteria

The following are essential criteria which will initially be measured at the shortlisting stage and whichmay also be further explored during the interview/selection stage. You should therefore make it clear on your application form how, and to what extent you meet these criteria. Failure to do so may result in you not being shortlisted.

Factor Essential Criteria Method of Assessment Qualifications/
Experience

Hold a bachelor’s degree (QCF Level 6) or an equivalent or higher qualification in an ICT or Cyber Security Related subject AND have two years’ demonstrable experience working in a Cyber Security role with experience in:

• Design, implementation and management of endpoint security in a Microsoft Hybrid Infrastructure;
• Security incident detection, analysis, and response including expertise in threat hunting, malware analysis, and cloud security;

OR

Have four years’ demonstrable experience working in a Cyber Security role with experience in:

• Design, implementation and management of endpoint security in a Microsoft Hybrid Infrastructure;
• Security incident detection, analysis, and response including expertise in threat hunting, malware analysis, and cloud security.

Shortlisting by Application Form

Knowledge

Demonstrable knowledge of Microsoft Cloud Security Technologies including Microsoft Defender XDR and Microsoft Purview.

Demonstrable knowledge of IT Infrastructure technologies including systems designed for resilience, disaster recovery, and cyber recovery.

Demonstrable knowledge of threat and risk assessment frameworks and methodologies.

Demonstrable knowledge of monitoring and detection of Identity threats in a Hybrid Infrastructure.

Shortlisting by Application Form

Other

Willingness to work outside of normal working hours as and when required.

The successful candidate will be required:

to have access to a suitable vehicle (appropriately maintained and insured for Education Authority business) that will enable them to carry out the mobility requirements of the post in an efficient and effective manner and thus meet this essential criterion;

OR

be able to provide sufficient information on the application form that will satisfy the employer that he/she has access to an appropriate alternative form of transport that will enable them to carry out the mobility requirements of the post in an efficient and effective manner and thus meet this essential criterion.

Shortlisting by Application Form

Section 2 - Essential Criteria

The following are additional essential criteria which will be measured during the interview/selection stage in line with EA’s Game Changing People Model.

Factor Essential Criteria Method of Assessment Knowledge

Candidates must demonstrate knowledge and experience of:

Design and Implementation of Cyber/security incident response processes, procedures and policies within a Hybrid Infrastructure.

Current and anticipated challenges, relating to cyber security, facing the Education Sector.

Implementation of security compliance monitoring processes, procedures and remedial actions.

Supply chain risk management and the management and operation of supplier assurance processes.

Interview

Skills/
Abilities

In line with EA’s Game Changing People Model we will look for evidence of:

Excellent communication skills, with the ability to talk and present to a range of audiences, explaining technical information security risks in a manner that is understood by non-technical resources.

An analytical mindset with the capability to swiftly identify the root cause of issues.

The ability to deliver high performance whilst working under pressure on multiple objectives.

Strong collaborative skills to build genuine and productive relationships with internal & external stakeholders, to address security incidents and deliver analytical outcomes.

Ability to function under pressure in order to respond to cyber security incidents in a calm and effective manner.

Ability to provide design recommendations based on long term organisational strategy, for enterprise level applications and custom solutions.

Ability to prioritise objectives and make risk based decisions.

Interview

Values Orientation
Evidence of how your experience and approach to work reflect EA’s ethos and values. You will find information about our Values here .

Interview

Section 3 - Desirable Criteria

Some or all of the desirable criteria may be applied by the Selection Panel in order to determine a manageable pool of candidates. Desirable criteria will be applied in the order listed. You should make it clear on your application form how, and to what extent you meet the desirable criteria, as failure to do so may result in you not being shortlisted.

Factor Desirable Criteria Method of Assessment Knowledge /
Experience

Have knowledge/experience of Microsoft Sentinel.

Have knowledge/experience of Cyber Vault Technologies.

Shortlisting by Application Form

Our Values

Through the selection process we will also seek evidence that the personal values of candidates align with those of the EA. This will include evidence of commitment to equality and excellence in service delivery. These reflect our aim which is to meet the needs of all our children and young people equally, removing barriers to learning and ensuring equality of access to excellent education services so that every child can develop to his or her full potential.

DISCLOSURE OF CRIMINAL BACKGROUND

The Safeguarding Vulnerable Groups (Northern Ireland) Order 2007 defines working directly with children or young people or in specified places as ‘regulated activity’.

In the event that you are recommended for appointed to a post that involves ‘regulated activity’, the Education Authority will be required to undertake an Enhanced Disclosure of Criminal Background.Please note that youWILLbe expected to meet the cost of an Enhanced Disclosure Certificate. Details of how to make payment will be sent to you at the pre-employment stage.

Further information can be accessed atNI Director theDepartment of Justice.

APPLICANT GUIDANCE NOTES

To view the applicant guidance notes, please click here .

To learn about the many great benefits of joining the Education Authority, click here

The Education Authority is an Equal Opportunities Employer.