Team Background:
In this role you will work as part of a controls testing team within the Enterprise Security Risk Management (ESRM) team. As a Security Assurance and Controls Testing team member, you will focus on DWP digital systems and their security controls to determine, complete and report on appropriate tests, so that DWP Security Standards are met. Controls testing will be completed at a technical level, but may also include architectural reviews, configuration analysis, and policy and procedural assessments.
This is a key role in supporting the Enterprise Security Risk Management and Governance Risk & Compliance (GRC) programmes of work, with risk driving security, enabling a clear and realistic view of security risk information.
• Working with risk, enabling risk owners and risk managers to take responsibility for the management and maintenance of their security risks.
• Support the process for circumventions of existing security policies and procedures, assessing the associated risk.
• Highlight deficiencies in the quality of DWP/supplier responses to security risk issues.
• Support security and other internal and external stakeholders, to ensure threats, vulnerabilities and opportunities with the potential to impact or improve resilience of DWP IT Infrastructure are identified and reported appropriately.
• Support the identification, assessment and measurement of emerging security risks based on current trends and issues across DWP and the external environment.
• Undertake controls testing of countermeasures to provide added assurance and feed results back into the risk assessment.
Essential Skills
An information security compliance and auditing background is essential along with:
• Qualifications demonstrating your background e.g. ISO 27001 Lead Auditor, PCI-QSA, assessing or implementing ISAE3402, or equivalents.
• Familiarity with technical concepts, good practice, and ICT configurations is essential. Demonstration of those qualities through system administration qualifications and certifications would also be desirable, as would experience of commissioning, managing, or executing penetration tests and familiarity with the CHECK scheme.
• The ability to communicate complex concepts to technical and non-technical colleagues, enabling risk owners and risk managers to take responsibility for the management and maintenance of their security risks.
• BCS Certificate in Information Security Management Principles (CISMP), or equivalent qualification.
• A good knowledge of risk management frameworks, enterprise-scale GRC programmes, and risk management best practice, e.g. GRC Certified Professional (GRC(P)).
• Awareness and understanding of digital technologies, and secure development practices.
• Experience of providing advice and guidance on physical, procedural and technical security controls.
• Well-developed analytical skills.
• Well-developed interpersonal and stakeholder management skills.
Desirable
• CISSP or CISM certification.
• Certified in Risk and Information Systems Controls (CRISC) or equivalent risk management qualifications, and/or proven knowledge of risk management.
• BCS Practitioners Certificate in Information Risk Management or equivalent risk qualification.
• Awareness of best practice IT controls and familiarity with GRC (Governance, Risk Management and Compliance) tools.
• Knowledge of SANS 20 Critical Controls for Cyber Security.
• Understanding of working with digital projects, and of agile project methodology.
• Knowledge of Her Majesty’s Government (HMG) policies and standards.
• Knowledge of the legal and regulatory framework in which government security and resilience policies operate.
• Informing risk-informed decisions about current and future security investments required to protect the Department’s assets, and transform the Department’s security architecture.
• Delivery of GRC strategy and approach, providing advice and support to all business areas across DWP.
• Ensuring physical, personnel and information security risks and vulnerabilities are identified, managed and escalated through agreed routes.
Minimum Criteria
You must already hold current vetting to Security Check (SC) level, or be willing to be vetted to SC prior to commencement.
Accreditation & Qualifications
SFIA 6
• Information Security – Level 4
• Relationship Management – Level 4
• Business Risk Management – Level 5
• Emerging Technology Monitoring – Level 4
For IR35 purposes, this role is out of scope.