Technical Information Assurance Team Structure. and Role Description

Transcription

1 Introduction Technical Information Assurance Team Structure and Role Description The Team is led by the Technical Information Assurance Leads. They are responsible for jointly managing the team, setting the strategy, designing the processes, principles and blueprints and have reporting responsibilities for the stream beneath their area of expertise Elaine Ventura, the Technical Information Assurance stream and Ray Neal, the Digital Products Technical Information Assurance stream. The Assurance streams have responsibility for providing assurance activities for existing traditional supplier led delivery, including the legacy estate, TTP, Shared Services etc and the Digital Information Assurance stream for in-house developed products and solutions. The diagram, below, shows the proposed structure of the Technical Information Assurance team. As can be seen, there are opportunities for all team members to progress through their roles to more senior positions. There may also be an opportunity for personnel in non IA roles to change career and join the team as junior Assurance practitioners. This role has a very wide definition and typical functions may be Risk management, 27001, auditing, IA doc production and supporting assurance work for both Streams. It is important that the job titles accurately describe the work we are carrying out and there are a number of suggestions against the job descriptions below.

2 Fig 1 - Proposed Technical Information Assurance Team Structure

3 Senior Technical Information Assurance Practitioner Reporting Report to Technical Information Assurance Lead Role/Purpose Supports the Technical Information Assurance Leads in constantly developing innovative ways for cost-effective and proportionate assurance making effective use of new techniques and the resources at hand A security-focused member of the team, responsible for information/cyber security throughout the team, and the products/projects the department delivers within MOJ HQ, Agencies 1 and ALBs The role demands creativity, innovation and proactivity to the challenge of making secure solutions part of the default for the Business, anticipating and driving change where needed and getting the buy in to robustly treat risks that are highlighted This includes agreeing strategies and delivery plans with the Security & Assurance Leads for managing proportionate assurance activities for both new solutions and existing assets in order to ensure that business priorities continue to be met while reducing overlap and unnecessary costs to the Department The senior Assurer is responsible for driving the assurance strategy in close collaboration with Assurers across the team Keep up-to-date with key information security developments in government, including security principles, PGA (Pan Government Accreditation), CESG, Cabinet Office, GDS advice and the wider security industry Champion the development of processes, blueprints, templates etc for wider MOJ use, including Agencies, ALBs etc Provide Information security advice and guidance to the Senior Management Team Manage the assurance team structure and processes necessary to ensure the secure delivery of all services, including setting the priorities and implementing the strategy for the team Influence the wider MOJ in bringing change, influenced by both traditional and agile approaches, to security and assurance Address the IA aspects of procurement exercises of complex systems and COTS services/systems Manage the delivery of assurance for supplier developed applications, infrastructure etc Engage with senior technical and non technical stakeholders across MOJ, including: The Heads of Assurance and Business Information Assurance Leads Information Operations Directorate 1 Agency assurance will devolve to business areas in the future.

4 Central Senior Information Risk Owners (SIROs) and their delegated IAOs Engage with senior technical and non technical stakeholders across Government, including: Government Digital Service Other government departments Office of the Government SIRO (OGSIRO) The National Technical Assurance Authority (CESG). Also, an outward-facing role, ensuring that the team obtains the right information security knowledge and influence it needs to continue to successfully deliver secure products/projects in a government and industry context - and ensuring that Ministry of Justice shares its security learnings and successes with others in government and industry Knowledge/Experience Understanding of the UK Government s Cyber Security and Digital strategies along with the implications and opportunities presented by such generally in central government but specifically in the context of MoJ Technology s current and future operating circumstances Knowledge and understanding of the specific interpersonal and communication skills that are effective in operating with impact in a complex organisation (the emphasis being on building rapport, communicating strongly through a range of channels, relationship building, and negotiation and influencing skills) Demonstrable credibility and integrity to facilitate effective working relationships with senior MoJ leaders, stakeholders and suppliers Demonstrable experience of management of personnel in an IA team Experience of addressing the IA aspects of procurement exercises of complex systems Deeper understanding/knowledge in at least one of the following areas and a good knowledge of the others: Security architecture Cloud hosting and services Security auditing - e.g ISO27001 Cryptography ITHCs and vulnerability testing The role has a focus on bringing high level analytical thinking to the challenges facing MOJ and offering creative approaches to addressing and solving them. The additional emphasis is on being highly proactive and not reactive. For this reason demonstrable experience in this regard is essential The ability to elicit information quickly and effectively from business people in face to face situations, and to analyse information obtained by a variety of formal and informal means Current and constantly renewed working knowledge of applicable industry standards e.g. ISO/IEC:27001 and legislation e.g. Data Protection Act 1998

5 Experienced HMG IA Accreditor, with effective and current knowledge of digital products and multiple ICT infrastructures operating at multiple classifications and supported by multiple suppliers Core Competencies - Level 4 Setting direction Leading and communicating Making effective decisions Changing and improving Collaborating and partnering Managing a Quality Service Delivering at Pace Professional Skills SFIA skills: Information Assurance (INAS 5) Information security (SCTY 6) Business Risk management (BURM 6) Security Administration (SCAD 6) Compliance Review (CORE 6) Advanced & Specialist Digital Skills Essential CCP at minimum Senior Accreditor Level (or equivalent - including the new gov sec approach) - new incumbents CCP, to be achieved within 6 months of appointment for internal personnel, at minimum Senior Accreditor Level (or equivalent - including the new gov sec approach) Information Security/Assurance degree or relevant IA experience/knowledge Willingness to undergo appropriate clearance Desirable ISO/IEC:27001 Lead Auditor CISSP CISSP-ISSMP ISACA-CISM MBCS or a willingness to obtain the appropriate qualifications Any relevant IA skills or qualifications will be considered