Job description
Title:
IT Security Officer
Location: Mainly remote, but travel may be required to Warrington (Risley) and Cumbria (Whitehaven) two or three times per month, including probable overnight stays.
PPP overview:
PPP stands for the Programme and Project Partners and is an arrangement between Sellafield Ltd and four Lot Partners who will work collaboratively to deliver the future major project scope at Sellafield.
The four Lot Partners are:
- Integration: KBR
- Design & Engineering: Jacobs
- Civils Construction Management: Morgan Sindall Infrastructure Ltd
- Process Construction Management: Altrad
The Sellafield site represents one of the UK’s most significant national risks, most complex Major Projects and largest programme funding. Achieving best attainable performance on the site generally, and in major project delivery in particular, is a key strategic priority for the NDA.
PPP means working in a different way. The PPP model is an innovative approach to achieving faster, more effective project delivery, breaking down typical contractual barriers to provide an opportunity to explore more pioneering solutions for some of the most unique and complex projects in the UK.
It is about sharing and collaborating at every stage, making sure the right people are in the right place to do the job, and more importantly it provides us all with the opportunity to shape the right behaviours for success.
The role
Reporting to the PPP ICT Programme Manager, the IT Security Officer (ITSO) is an autonomous co-ordination role that supports the development of PPP services by establishing and maintaining an enduring cyber security and information assurance posture and environment, one that supports PPP business needs whilst satisfying SL and ONR/ICO regulatory requirements and that, where practicable, ensures the adequacy of the cyber security posture against cost, quality, time and exposure. To perform these tasks the ITSO manages a team of Security Risk Advisors and works collaboratively with PPP solution architects.
The role has a broad scope spanning technical and process management across the cyber security, information security and privacy space and will necessitate engagement with SL CS&IA (Cyber Operations, Assurance, Risk, Data Protection), SL ISO (Architecture, Service and Knowledge Management) and PPP Partners. The output will include (but is not limited to) the production and maintenance of a PPP CS&IA Plan, a schedule of activities, progress monitoring against agreed KPIs, and reporting within PPP and outside it to SL and, when appropriate, ONR. The output will be used to determine the correctness of posture, provide evidence to support Contractual and Regulatory matters, demonstrate Return on Investment and identify potential gaps requiring improvement across the PPP CS&IA domains.
In order to provide the outcomes above, it is envisaged that the ITSO role will be leading the IA team responsible for:
- Oversight of the PPP O365/Azure security configuration and other systems.
- Oversight of PPP technical security.
- Assurance of PPP cyber security posture through audit and review.
- Production of the PPP CS&IA Plan and agreement of its content with stakeholders.
- Represents PPP cyber posture in any security related working groups within SL, Regulatory or internal PPP environs.
- Undertakes PPP related cyber security and incident reporting to SL.
- Detailed analysis and modelling reports against cyber event and incident data.
- Acts as the PPP co-ordination point in event of cyber or information compromise incidents with SL, ONR and NCSC.
- Analysis of system configurations and management of data against capability to support Cyber incident response by SL, PPP Partners and NCSC as required.
- Acts as the PPP co-ordination point for cyber threat information and dissemination as appropriate and agreed with SL.
- Risk tracking of PPP related cyber risks and management of a PPP Cyber and Information security/privacy risk register.
- Co-ordination of cyber and information security/privacy related risks, issues and opportunities identified in the PPP space, drawing on the separate work of the PPP Risk Assessors or risks identified by SL.
- To assist and support in conducting information risk assessments on existing PPP systems, Sellafield Ltd information systems and new ICT systems; and to provide reports against information flows, system domains and information exchange requirements mapped to security controls to aid SL with protective monitoring capability. Where appropriate, data analysis should use standard statistical and security functional analytics models.
Qualifications, Experience and Skills
Qualifications:
Essential:
- Qualified at a minimum of degree level or equivalent in an IT, Cyber Security, or analytical based studies.
- Qualification or membership of a professional body in Information Security.
- Experience of Cyber Security Standards.
- Experience in applying technical information technology and information assurance controls to process mapping and information flows.
- Experience of working in a Regulated environment.
- Experience in leading a team of Security Risk Advisors.
Desirable:
- Project Management experience.
Experience and Skills:
Essential:
- A good understanding of Cyber Security; Agile Methodologies; and Process Mapping and Information flows.
- Knowledge and experience of working in UK Government security environments.
- Appropriate ICT experience in a large and complex ICT environment.
- Ability to interpret business requirements and technical ICT documents into Cyber Security requirements.
- Good understanding and knowledge of ICT systems (software, hardware and networks) and applications both legacy and current.
- Good communication skills across all levels of the business and able to talk to non-specialists, specialists and senior stakeholders.
- Ability to work independently and unsupervised.
- Excellent problem-solving skills and a methodical and logical approach.
- Self-motivated and can demonstrate high levels of resilience, honesty and integrity.
- Understanding and knowledge of the strengths and weaknesses of modern ICT technology, in order to identify vulnerabilities when assessing information systems architectures and designs.
- Knowledge and experience of network and systems management.
- Knowledge and use of security and privacy policy (including but not limited to ISO27001, ISO 27005, ISO22301, NISR 2013, NIST 800-53, EU GDPR and DPA 2018).
- Knowledge of Cyber Security models and frameworks (e.g. NIST).
Desirable:
- Knowledge of Civil Nuclear Information security requirements and NCSC good practice; and
- Knowledge of process mapping and information flows.
Due to the nature of our work and security requirements, KBR does not offer sponsorship. We can only consider applicants with the right to live and work in the United Kingdom.
We are an Equal Opportunities employer and strive to build a workforce that truly reflects the communities we represent. We welcome candidates from all backgrounds, regardless of age, disability, gender, gender identity, gender expression, race, religion or belief, sexual orientation, socioeconomic background, and any other protected characteristic. If you decide to apply for an opportunity with us, your application will be assessed based purely on your experience, the essential and desirable criteria, and your suitability for the role.