Information Security Officer
2 days per week
Initially 12 months with an optional extension up to a further 11 months.
Remote for the foreseeable future/duration
The Information Security Officer will work as part of a multi-disciplinary team with other specialists from the Scottish Government and partner organisations, focussed on the design, build and implementation of the online national standardised assessments system as part of the National Improvement Framework programme.
The Information Security Officer will provide support to the procurement of a service provider for phase two of the National Standardised Assessments: an online assessment platform for children and young people in publicly funded education in Scotland. The system will be hosted in a cloud environment and will contain staff and learner personally identifiable information (some special category). It is essential that the company contracted to take this work forward adequately addresses our cyber security requirements, and that the implementation and delivery of the contract remains compliant with GDPR, the Data Protection Act 2018 and/or any other appropriate legislation. The Information Security Officer will provide this service alongside the ongoing assurance of security processes for the existing national standardised assessment projects (SNSA and MCNG).
The National Standardised Assessments are a manifesto and Programme for Government commitment. Information Security support is a critical aspect of delivery, ensuring SG can meet its legislative duties and ensure service provider compliance.
The Information Security Officer will be responsible for the delivery of the following outcomes for the National Improvement Framework programme:
- Mobilisation meetings with the successful service provider, to achieve clarity of expectations around information security requirements and a clear roadmap towards achieving the required standards within the timeline outlined in the Cyber Implementation Plan
- Identification of a clear set of information security implementation deliverables, and an agreed timeline for achieving them
- Creation of a key set of documentation for data controllers and SG governance channels as appropriate: Customer Risk Report, Information Security Testing Policy, Information Security Risk Strategy, Data Processing Agreements (contribution), Information Security Risk Register, and a clear process for updating and consulting senior governance on the risk profile.
- Cycle and scope for SG penetration testing agreed with the service provider and Programme Board.
- Management and liaison between these parties during penetration testing and subsequent remediation.
Essential skills, competences, relevant qualifications and previous experience required
- Subject-matter expertise within UK Government cyber security governance, risk management and standards compliance, including creation of information security management systems to ISO 27001 standards and compliance with the NIS Directive for critical national infrastructure
- Experience of delivering cyber security, counter-fraud and threat intelligence strategies and relevant architectural designs suitable for UK Government purposes
- High-level knowledge and understanding of the internal and external cyber and information security risks in a cloud environment
- Experience in working with non-technical stakeholders, assisting them in understanding the principles of cyber security and assisting in holistic decision-making around security matters. Ability to translate technical issues to the relevant audience and to put security issues into a wider context.
- Experience in evaluating new developments in cyber security in a timely manner. Ability to communicate the nature and importance of new developments in cyber security to colleagues and senior management.
- Proven ability to work within a multidisciplinary team, demonstrating an ability to balance risk, cost and usability as it pertains to security decisions and system design
- Ability to negotiate with system suppliers, partners and penetration testing companies to develop proportionate and realistic penetration test specifications.
- Scottish Government experience
- Experience of working within the education sector