SC cleared Security Assurance Coordinator

A Security Assurance Coordinator (SAC) is required to support the delivery of the NSoIT(D) Programme security governance, risk and compliance service through business as usual and any future capability enhancements. This service is specially focused on the JADE Black and Red development environments, the OpNET Security Operations Centre (SOC) function, and NSoIT(D) Cyber and Information Security Risk Management. The SAC will report to the NSoIT(D) Chief Information Security Officer (CISO) and is also required to support the other programme Security Assurance Coordinators (SACs). The SAC Service principle responsibilities will include:

• JADE:
  • Being accountable for all aspects of physical, procedural and personnel security related to JADE operation.
  • Identifying risks associated with business processes, operations, information security programmes and technology projects.
  • Developing solutions that balance business requirements with information and cyber security requirements.
  • Production of Security Management Plan, and Risk Assessments as required.
  • Management, maintaining and evidencing Secure by Design (SbD) compliance.
  • Providing subject matter expertise, advice, and guidance on security matters relating to accreditation of MoD systems, End User Device, password policy, protective marking, safe and secure disposal of classified equipment and material.
  • Producing and delivering security awareness material and briefings.
  • Security reporting for JADE.
  • Managing all aspects of 3rd party vulnerability assessments and penetration testing, and associated remediation activities.
  • Identifying and communicating current and emerging security threats.
• SOC:
  • Routine assurance of Live Service Security (LSS) delivery.
  • Security governance, risk and compliance direction to Network Operations and Service Management functions.
  • Acting as lead for Paxcroft building security.
• Risk:
  • Lead for NSoIT(D) Cyber and Information Security Risk Management.
  • Implementation and management of operational cyber and information security risk in STREAM across all elements of the NSoIT(D) Programme.
  • Conducting and managing NIST 800 based Risk Assessments (SbD) across systems within the NSoIT(D) Programme.
  • SbD focused management of cyber and information security controls/architecture within STREAM across the NSoIT(D) Programme.
  • Integration and coordination of NSoIT(D) Programme Cyber and Information Security risks within ARM.
  • Routine cyber and information security risk reporting.
• Acting as secretary to the main programme Security Working Group.
• Providing sound strategic advice, input, support, challenge, and knowledge transfer as required across the programme team, particularly in the areas of Information and Cyber Security.
• Managing relationships with key stakeholder groups including Project Teams within NSoIT(D) and Defence Digital Information Security and Assurance teams.
• Assisting with the delivery of security artefacts across the main delivery programme workstreams to tight timescales.

EXPERIENCE

ESSENTIAL

• At least 5 years demonstrable experience operating in a Security Assurance Coordinator type role and gaining Accreditation for novel system/network architectures.
• Detailed knowledge and understanding of defence policy and standards, particularly JSP 440, 453 and over-arching HMG policy.
• Experience of producing RMADS, Security Instructions and other security policy related documentation to a high standard.
• Knowledge of Security Incident Management policies, processes, and procedures.
• Delivery of Risk Assessments, Risk Treatment plans, scoping and managing IT health checks and associated remediation activities.
• Detailed, experience and understanding of the Software Defined Data Centre (SDDC) model including large scale virtualisation of servers, desktops, infrastructure and storage technologies.
• Comprehensive knowledge of UK Defence deployed network architectures, federations with coalition partners, security enforcing gateways and modern techniques for enforcement of security principles including micro-segmentation, VPN, VDI, hardware encryption and information flow handling.
• Excellent communication skills, both written and verbal, with a proven ability to explain technical issues to a non-technical audience.
• Strong critical thinking and analytical skills to solve problems and propose new ideas.
• Hold a current SC clearance and be prepared to undergo DV clearance if necessary.
• Competency in MS Office Suite.

DESIRABLE

In order to deliver this service, it is desirable that individuals have:

• Experience of:
  • Delivering in Agile and Waterfall project management environments and understanding the complexities of delivering accreditation evidence in these environments.
  • Working within the public sector, preferably Defence, and ideally with Defence Digital (formerly ISS).
• Knowledge of Cloud and/or Datacentre based Security Architectures.
• Security related qualifications, such as:
  • Certified Information Systems Security Professional (CISSP),
  • Certified Information Systems Auditor (CISA),
  • CCP SIRA Certification at Practitioner or above,
  • ISO27001 Auditor related qualification.
• Audit tooling knowledge (ideally ELASTIC and SolarWinds).