Chief Information Security Officer
- Recruiter: Department for Education
- Location: Warwickshire
- Salary: Competitive
- Posted: 13 Oct 2017
- Closes: 30 Oct 2017
- Sectors: Facilities Management
- Contract Type: Permanent
- Hours: Full Time
This is an opportunity to play a critical role in a large-scale programme of change that will radically improve how the civil service works and how government interacts with citizens. We are looking for candidates who can apply their 'on the ground' experience of driving the transformation of organisations, not those who will maintain the status quo. Your task will be guided by some fundamental principles; putting the needs of users first, focusing on delivery and outcomes over process, and making the most of openness - open standards, open source, open data and open markets.
The Chief Information Security Officer (CISO) works at Board level to provide the department's Management Committee with advice and support on cyber security matters for the sector and the department. As an integral member of the DDaT leadership cadre, you will develop enterprise strategy, approach and processes to reduce information security risks and enable services to the sector to be delivered effectively.
You will establish appropriate standards, controls, and implement policies to protect the department's information assets and technologies. You will also be the department's policy owner for cyber risk in the sector.
You will report to DfE's Director of Digital Services and be a member of the DDaT Senior Leadership Team (SLT) and as such share collective responsibility to:
• Develop the vision and objectives of the organisation as a whole.
• Work collaboratively and be supportive of one another.
• Be overtly supportive of decisions made by the SLT.
• Champion and promote DfE DDaT in the wider Government and industry communities.
The main responsibilities of the post are:
Security Strategy
• Lead the DfE DDaT Security community.
• Set the high-level DDaT security vision and goals for the department.
• Define DDaT security controls in IT systems across the department.
• Produce the business case for strategic security investment in enterprise or solution architectures.
• Ensure that DDaT security policy is updated as threats evolve and that lessons learned are fed in from incidents within the Department or wider Government, and from information from the wider industry.
• Provide a department-wide threat assessment and define the department's risk appetite. Where risk decisions are beyond SRO authority, i.e. above the departmental risk appetite, provide an escalation point for risk decisions.
• Act as the primary interface with the National Cyber Security Centre (NCSC) and other government departments, including the Cabinet Office, on strategic developments in HMG cyber security, ensuring DfE remains aligned.
• Act as the primary point of contact for the Permanent Secretary, Management Committee and DDaT Senior Civil Service on cyber security matters (including cyber and IT incidents).
• Set, maintain and audit the implementation of DDaT Security policy and standards for the department, e.g. chair the policy-level IT security working group.
• Own and deliver the training plan for DDaT security skills across DDaT.
• Build and maintain a central understanding of the DDaT security status of the department's IT systems. Develop an in-house capability, based on emerging NCSC tools, to undertake vulnerability testing at the design and build phase, ahead of independent IT Health Checks (ITHC).
Security Architecture
• Drive beneficial security change into the business through the development or review of architectures and attendance at governance boards, e.g. the Design Authority. Ensure changes fit business requirements for strategic direction and security, mitigate risks, conform to security policies and balance information risk against the cost of countermeasures.
• Identify information risks that arise from potential solution architectures and design solutions to mitigate them.
• Define the department's architectural principles and objectives. Influence senior stakeholders to comply with them, including those mandated by legislative requirements, e.g. GDPR.
• Apply 'standard' security techniques and architectures to mitigate security risks.
• Develop new architectures that mitigate the risks posed by new technologies and business practices.
• Provide consultancy and advice to customers on cyber security/IA and architectural problems.
Security Assurance
• Own and maintain the department's assurance strategy. Help system owners to understand the security of their system and reduce the level of risks they own.
• Contribute to the central understanding of the security status of the department's IT systems.
• Deliver advice and guidance on the operation of the assurance process. Steer the business on their responsibility to produce assurance products for the Senior Responsible Owner's awareness.
• Produce independent assessment of project (security assurance) outputs for the Senior Responsible Owner.
• Own and maintain the Department's Business Service Assurance strategy.
• Own and maintain the security clauses within the department's Library of Special Clauses for IT contracts.
• Own and maintain the Department's business process for offshoring of data on behalf of the Senior Information Risk Owner. Provide advice and guidance on risks and requirements around offshoring of data for business owners.
Please see the attached Candidate Pack for further details.
Competencies
We'll assess you against these competencies during the selection process:
- Seeing the big picture
- Leading and communicating
- Delivering value for money
- Making effective decisions
- Collaborating and partnering
- Delivering at pace
Civil Service Competency Framework
Benefits
Pensions
Civil Service pension schemes may be available for successful candidates.
Things you need to know
Security
Successful candidates must pass basic security checks.
Selection process details
Feedback will only be provided if you attend an interview or assessment.
Nationality requirements
Open to UK, Commonwealth and European Economic Area (EEA) and certain non EEA nationals. Further information on whether you are able to apply is available here.
Working for the Civil Service
The Civil Service Code sets out the standards of behaviour expected of civil servants.
We recruit by merit on the basis of fair and open competition, as outlined in the Civil Service Commission's recruitment principles.
The Civil Service embraces diversity and promotes equality of opportunity. There is a guaranteed interview scheme (GIS) for candidates with disabilities who meet the minimum selection criteria.