
Director of Information Security

SCS1 | circa £95,000 per annum 

The role

The Parliamentary Digital Service is seeking a Director of Information Security to work as part of the Senior Management Team to provide strategic leadership and ownership of Parliament’s information security interests. 

The role holder will be responsible for implementing and running the enterprise information security program. That will involve identifying, evaluating and reporting on legal and regulatory, IT, and cybersecurity risk to information assets, while supporting and advancing business objectives. The role holder will develop an information security vision and strategy that is aligned to organizational priorities, enables and facilitates the organization's business objectives, and ensures senior stakeholder buy-in and mandate.

This is a new role and the senior leader appointed will need to manage the change process required to define and establish it as a pan-Parliament capability. 


This new capability aims to ensure the use of information within Parliament:

  • Meets the needs of Members and their staff in fulfilling their Parliamentary duties

  • Enables the two administrations to provide effective procedural and information support to the Chambers and Committees of the two Houses

  • Delivers accessible, accurate, open and timely data and information to the public and others with an interest in Parliament and the democratic process

This role serves as the process owner of all assurance activities related to the availability, integrity and confidentiality of Parliament’s information in compliance with the agreed information security policies. A key element of the role is working with senior stakeholders in both Houses to determine acceptable levels of risk.  


This role is responsible for establishing and maintaining a pan-Parliament information security management program to ensure that information assets are adequately protected. At a very high level, the role will focus on the following four key principles:

  • Confidentiality: information should only be seen by people who are authorised to access it

  • Integrity: information should only be modified by people who are authorised to do so

  • Availability: information should be available when needed (problems or attacks shouldn’t stop you getting information from the system)

  • Non-repudiation: anything enacted in a system must be traceable back to a responsible person

Key internal relationships include (not exhaustive):

  • Senior leaders of the Digital Service, most notably the Director of Cyber Security, the Chief Technology Officer, the Director of Products and the Deputy CTO leading Platforms.

  • Key senior leaders and stakeholders across both Houses

  • Members of key House Services’ governance boards

    • Members of the Management Boards of both Houses as appropriate

    • Digital Strategy Board

    • Information Authority

    • Members of the Website Steering Group

    • Members of the Joint Digital Board

  • Member Committees of both Houses

    • Commons – Administration, Finance and Audit Committees

    • Lords – Services, Finance and Audit Committees

  • Information Compliance teams in both House Services and the distributed network of Departmental Information Record Officers (Commons) and Information Managers (Lords).

Key external relationships include (not exhaustive):

  • Relevant application services leads in Government, including within Government Digital Service

Key responsibilities

  • Determine the information security approach and operating model in consultation with stakeholders and aligned with the risk management and cyber security approach and compliance monitoring of non-digital risk areas.

  • Develop, implement and lead a strategic, comprehensive information security framework to ensure appropriate levels of confidentiality, integrity, availability, safety, privacy and recovery of information assets owned, controlled and/or processed by the digital ecosystem with pan-Parliament remit. This framework is to include:

    • Maintaining a documented framework of continuously up-to-date information security policies, standards and guidelines, and overseeing the approval and publication of these information security policies and practices

    • Creating a framework for roles and responsibilities for information ownership, classification, accountability and protection of information assets

    • Establishing and operating a metrics and reporting framework to measure the efficiency and effectiveness of the program, facilitate appropriate resource allocation and increase the maturity of information security, and reviewing it with stakeholders at the executive and board levels

    • Implementing a targeted information security culture and awareness training program for all employees, contractors and approved system users, and establishing metrics to measure the effectiveness of this security training program for the different audiences

    • Operating a clear investigation process into information security breaches and pursuing associated disciplinary and legal matters, liaising with colleagues in relevant teams such as Cyber Security, Information Compliance and Information Rights Management on data protection legislation, and ensuring that the root causes of such breaches are understood and addressed

    • Ensuring that information security requirements are implicit in all relevant standards applying within Parliament, and contributing in terms of culture, working practices and policy to delivering the strategic imperative of digital solutions that are secure by design

  • Lead the development and implementation of effective and reasonable policies and practices with relevant stakeholders to secure protected and sensitive data and ensure information security and compliance with relevant legislation and legal interpretation.

  • Provide senior leadership and oversight of effective information security risk management, integrated with each House’s risk management framework.

The above list of key responsibilities is not exclusive or exhaustive and the post holder will be required to undertake such tasks as may reasonably be expected within the scope and banding of the post.

Requirements

Criterion 1

Strong credentials and experience in successful design, implementation and operation of an effective, evidence based, information security framework within highly complex matrix managed organisations.


Criterion 2

An excellent understanding of, and proven expertise in, operating within the legislation and regulations that impact information security (e.g. the Data Protection Act 2018, the Freedom of Information Act and PCI DSS), whilst reflecting best practice in information security and risk management in a proportionate and effective way, including standards such as ISO/IEC 27001, NIST (including SP 800-53), Cyber Essentials and COBIT.

Criterion 3

A highly effective leader with strong stakeholder management skills and evidence of the ability to translate business requirements and user/stakeholder needs into effective work plans and practical working solutions within a highly complex, matrix-managed organisation. This includes the ability to work across boundaries and form alliances, and the ability to transcend the challenges that come with complex decision making, political shifts in direction and the distribution of responsibilities across Parliament.

Criterion 4

A demonstrable ability to provide strong leadership, building and maintaining a high-performing and actively engaged network of colleagues, including promoting a diverse and inclusive working environment.

Criterion 5

Excellent written and verbal communication skills with the ability to present complex information clearly and effectively in appropriate styles at all levels.

Criterion 6

One or more of the following qualifications:

  • Certified Information Security Manager (CISM)

  • Certified Information Systems Security Professional (CISSP)

  • Certified Information Systems Auditor (CISA)

  • MSc Information Security

  • Achieved Senior or Lead level certification in the NCSC’s Certified Cyber Professional scheme in one or more of Security and Information Risk Advisor (SIRA), IA Architect, IA Auditor, IT Security Officer.
