<p><strong>Cloud Senior Information Security Officer</strong></p> <p>Band 2</p> <p>Type of contract: Full Time, permanent</p> <p>Salary: £60,188 to £70,217 per annum</p> <p><strong>Nationality Requirements:</strong></p> <p>UK nationals</p> <p>nationals of Commonwealth countries who have the right to work in the UK</p> <p>nationals from the EU, EEA or Switzerland with (or eligible for) status under the European Union Settlement Scheme (EUSS)</p> <p>Please note, we are not able to sponsor work visas. Please contact us at hrservicedesk@nao.org.uk should you have any questions on your nationality eligibility.</p> <p><strong>Why are we recruiting for this role?</strong></p> <p>The NAO is expanding its Information Security team to support the evolving needs of the business and enable continuous improvement in response to an ever-changing threat landscape. The continued adoption of cloud services changes how organisations identify, protect, detect, respond and recover from threats and risks; whilst maintaining continuous assurance and delivering continuous improvement of our security posture and risk profile in support of our ambition of being an exemplar organisation.</p> <p><strong>Who are the team?</strong></p> <p>The Senior Information Security Officer is an integral role in the ongoing development and continuous improvement of the NAO’s “Cloud First” strategy. You’ll play a key role in identifying, evaluating, measuring and managing cyber risks; and be responsible for supporting the continuous assurance and continuous improvement of our security posture and risk profile.</p> <p>The Senior Information Security Officer role sits within a diverse, inclusive, respectful and agile team of information security professionals; responsible for enabling the business to better understand, identify and manage the threats and risks that impact the NAO’s ability to deliver on its vision and strategy.</p> <p><strong>What are the main responsibilities of this role?</strong></p> <p>The Senior Information Security Officer role primarily focuses on the following key areas of responsibility:</p> <p>• Information Assurance – Evaluate and asses existing cloud security controls in accordance with the NAO’s ISO27001 certified Information Security Management System; providing assurance to key stakeholders around our security posture and risk profile, supported by appropriate and proportion recommendations around how the NAO can drive continuous improvement.</p> <p>• Risk Management - Proactively identifying, evaluating, assessing and reporting on risks that impact the NAO’s ability to deliver on its vision and strategy; working with key stakeholder groups in the delivery of appropriate and proportionate mitigations that continuously improve the NAO’s risk profile.</p> <p>• Continuous Improvement - Support the NAO’s commitment to information security by supporting the continuous improvement of our cloud security controls in response to the ever-changing threat, business and regulatory landscape.</p> <p>The successful Senior Information Security Officer will have the opportunity to develop and grow in field such as security testing, audit, assurance and ISO27001. Furthermore, you will have the opportunity to influence the direction of our Information Security Strategy; as we support the business in delivering on its strategic objective(s) of being an exemplar organisation.</p> <p><strong>About the National Audit Office</strong></p> <p>The National Audit Office (NAO) supports parliament to hold government to account and to improve public services. We focus on driving long-term sustainable improvement in public service delivery and work with government and our stakeholders to deliver better performance. In a nutshell, we help the nation spend wisely.</p> <p>The NAO welcomes applications from everyone. We value diversity in all its forms and the difference it makes to our organisation. By removing barriers and creating an inclusive culture all our people have the opportunity to develop and maximise their full potential. As members of the Business Disability Forum and the Disability Confident Scheme we guarantee to interview all disabled applicants who meet the minimum criteria. The NAO supports flexible working and is happy to discuss this with you at application stage.</p> <p><strong>Relationships:</strong></p> <p>• Reporting to: Head of Information Security</p> <p>• Internal relationships: Critical relationships with Information Security peers, Digital Services, IT Operations and project teams.</p> <p>• External: Suppliers, vendors, and peers in similar organisations.</p> <p>• Resources Managed: None</p> <p><strong>Responsibilities </strong></p> <p>Information Assurance</p> <p>• Discover, validate and drive remediation of security threats, risks, vulnerabilities and configuration gaps that may exist across NAO cloud services.</p> <p>• Evaluate and assess existing security controls in accordance with the NAO’s ISO27001 certified Information Security Management System</p> <p>• Develop and maintain a schedule for the ongoing assessment of security controls, seeking opportunities to leverage automation to enable a continuous assurance culture.</p> <p>• Support the ongoing assurance of suppliers and cloud service provider (CSPs), advising on cloud specific regulatory risks or regulatory requirements relating to cloud assurance</p> <p>• Proactively identify, evaluate, document and report on areas of non-compliance and non-conformity to key stakeholders</p> <p>Risk Management</p> <p>• Proactively identify, evaluate and assess threats and risks that may impact the NAO’s ability to deliver on its vision and strategy</p> <p>• Clearly communicate risks to key stakeholders with recommendations on appropriate and proportionate mitigations</p> <p>• Contribute to the management and maintenance of the Information Security Risk Register</p> <p>• Manage and coordinate the delivery of appropriate and proportionate mitigations in accordance with the</p> <p>Information Security Continuous Improvement Plan</p> <p>Continuous Improvement</p> <p>• Identify, develop, implement and continuously improve appropriate and proportionate cloud security controls in response to an evolving threat landscape</p> <p>• Work in collaboration with the wider Information Security and Digital Services teams in the continuous</p> <p>improvement of cloud controls, policies and standards; as part of our ISO27001 certified Information Security Management System</p> <p>• Promote, evangelise and support the continuous improvement of cloud security controls; empowering the business in the continued application of “security and privacy by default” principles</p> <p>• Support the delivery of the proactive communications and security awareness campaigns to key stakeholder groups across the business.</p> <p>• Support the delivery and continuous improvement of the NAO Information Security Strategy</p> <p>• Support the wider business in the delivery of strategic business changes and technical projects</p> <p>• Deliver and maintain documentation and procedures to ensure effective, ongoing management of our Information Security Management System.</p> <p>• Most importantly of all being curious, seeking to learn and striving for excellence</p> <p><strong>Skills required&nbsp;&nbsp; </strong></p> <p>Experience</p> <p>• Demonstrable, technical background working in an information security, cyber security or security leadership role within a fast paced and dynamic environment</p> <p>• Demonstrable experience contributing to the delivery of and continuous improvement of cloud security controls</p> <p>• Demonstrable experience working with cloud technology – including IaaS, PaaS, SaaS and hybrid cloud environments</p> <p>• Must hold relevant industry accreditations such as CISSP, CCSP, CISM or CISA.</p> <p>Key Behaviours</p> <p>• Customer First: Apply a customer first mindset in the engagement, enablement and support of internal</p> <p>stakeholders.</p> <p>• Develop and Apply Knowledge: Build on your existing technical and security expertise by being curious,</p> <p>continuously developing and seeking to learn new skills.</p> <p>• Deliver High Performance: Be bold in delivering and driving through improvements and innovative solutions</p> <p>• Collaborative: Be an effective and flexible contributor to the success of the team.</p> <p>• Communication: Apply your strong verbal and written communication skills to clearly articulate the threats and</p> <p>risks that impact the business to different audiences (both technical and non-technical.)</p> <p>Practical Experience</p> <p>• Strong background in the identification, evaluation and assessment of cloud security threats and risks; and</p> <p>providing recommendations on appropriate and proportionate mitigations.</p> <p>• Experience in the analysis of existing cloud security controls and making recommendations on how to drive</p> <p>continuous improvement</p> <p>• Experience working to industry standards such as ISO/IEC 27001, NCSC, NIST, CSA CCM, CREST and/or the</p> <p>HMG Security Policy Framework (HMG SPF)</p> <p>• Experience with risk assessment and threat modelling techniques such as ISO31000, ISO27005, the Diamond</p> <p>Model and/or MITRE ATT&amp;CK</p> <p>• Experience with data protection and privacy regulations such as GDPR and Data Protection Act</p> <p>• Able to work under pressure, as part of a multi-disciplinary team to deliver key outcomes to challenging</p> <p>timescales</p> <p>• Able to provide expertise from both a cyber security and technical perspective on projects</p> <p>• Ability to be self-sufficient and make independent decisions on problem resolution that align to departmental</p> <p>and functional strategy</p> <p>Technical Knowledge</p> <p>• Must have a strong background with a broad set of Microsoft Azure and Microsoft 365 cloud services, products</p> <p>and concepts</p> <p>• Strong experience in the testing, assessment, evaluation and/or audit of cloud security controls, including the</p> <p>ability to articulate the current state of controls to both technical and non-technical audiences.</p> <p>• Strong experience in three or more of the following security domains:</p> <p>• Cloud Security</p> <p>• Identity &amp; Access Management</p> <p>• Network Security (e.g. Firewalls, IDS/IPS, Proxy, Internet Filtering etc)</p> <p>• Email Security</p> <p>• Endpoint Security</p> <p>• Encryption &amp; Cryptography</p> <p>• Vulnerability Management</p> <p>• Strong experience with two or more of the following toolsets:</p> <p>• Identity &amp; Access Management platforms (such as Azure Active Directory)</p> <p>• Threat Protection tools (such as Defender ATP, Office 365 ATP and Cloud App Security)</p> <p>• Enterprise firewall technologies (such as Fortinet, Cisco, Checkpoint)</p> <p>• Vulnerability Management tools (such as Tenable, Qualys or Rapid7)</p> <p>• Security Incident &amp; Event Management (SIEM) platforms (such as Azure Sentinel)</p> <p><strong>Desirable</strong></p> <p>Whilst not essential for being successful in this role, the following key skills/competencies would be desirable:</p> <p>• Understanding of agile, DevOps or DevSecOps principles and practices</p> <p>• Hold one or more of the following accreditations:</p> <p>• CSA CCSK</p> <p>• ISC(2) CCSP</p> <p>• ISC(2) CISSP</p> <p>• ISACA CISA</p> <p>• IAPP CIPT</p> <p>• IAPP CIPP/E</p> <p>• Microsoft 365 Certified: Fundamentals</p> <p>• Microsoft 365 Certified: Security Administrator</p> <p>• Microsoft Azure Certified: Fundamentals</p> <p>• Microsoft Azure Certified: Administration Associate</p> <p>• Microsoft Azure Certified: Security Administrator</p>