Role: Security Information Risk Advisor
Contracting Authority: MOD
Contract Length: Until 25/04/2020
IR35: In Scope
Pay Rate to Candidate: £660.00
Security Clearance: DV
CV Deadline: 5pm Friday 8th Nov
Interview Process: face to face
Our client is a leading Defence Government body seeking a Security Information Risk Advisor, ideally DV cleared, for an initial 6 month contract based in Wyton, Cambridgeshire.
- Conduct Penetration Tests, Vulnerability Assessments and Compliance checks equivalent to a Lead CREST certified tester.
- Check whether security hardening has been correctly applied to equipment including mobile phones, tablets, laptops and servers and similar.
- Replace firmware in insecure USB devices.
- Compare installed operating systems with gold disc operating systems and report on the difference for equipment including mobile phones, tablets, laptops and servers and similar.
- Assess the security and cyber vulnerabilities in applications on Microsoft, Android and iOS operating systems.
- Assess the security and cyber vulnerabilities on devices including drones and IT peripherals.
- Assess security and cyber vulnerabilities in wifi provision.
- Assess security and cyber vulnerabilities in Information and Communications systems.
- Assess security and cyber vulnerabilities in organisation’s governance, policy and procedures.
- Assess new technologies and products for security and cyber vulnerabilities.
- Qualifications that when combined with experience are appropriate to a top level expert in the field of cyber security.
Supporting in ensuring Information Risks are captured and managed. Ensuring Accreditation Plans and Risk Register actions are assigned to appropriate individuals. Responsible for ensuring all appropriate Information Security Policies and procedures are documented, verified and validated. Involvement in logging and escalation of Risk Balance Cases. Regularly liaising with stakeholder groups and the accreditor to ensure all programmes are on track. Recommends responses to audit findings in order to verify on-going conformance to security requirements, identifying trends and weaknesses. Assists with compliance audits and recommends responses to findings. Supporting the verification and validation process underpinning Information Assurance. Ensuring Projects/Programmes are aware at an early stage of the need to incorporate Risk Management into their work streams. Identifies systemic trends and weaknesses and undertakes preliminary or fact-finding enquiries into security incidents. Assists in the monitoring of risk treatment controls and reports on their effectiveness.
Document all aspects of the DAIS Lab to enable accreditation and maintenance of the capability over time.
- Document the procedures used to test and assess equipment and software so tests can be repeated and carried out on similar equipment or applications in future by MOD staff who have completed level three of the DAIS Lab Training and Experience Plan.
- Provide on-going support to DAIS SACs and attend SWGs where possible to help ensure informed decisions are being made with regard to each element (feature) being incorporated during the project's lifecycle.
- Continue support to DAIS accreditors as an SME for mobility projects, ensuring that educated risk acceptance is being made in line with the SIRO's risk appetite.
- Work alongside both DAIS SACs and accreditors to ensure that ITHCs and penetration tests are performed in line with industry best practice. As part of this process, any gaps in security assessments will be addressed at RAF Wyton where possible to ensure that a true and factual security assessment is made. This also involves helping to scope upcoming ITHCs and penetration tests.
- Develop monitoring guidance specifically for mobility projects that can then be applied to current and future capabilities. This will drive a capability that allows the GOSCC to ingest feeds, giving a proactive capability to monitor both on-device and network activities.
  - Develop network monitoring guidance both for where full data capture is possible and for where only NetFlow data can be captured. Mobile device baselining will help to drive this guidance, and amendments can be made for specific mobile platforms.
- Perform mobile baseline activities against the most commonly used mobile devices across defence. The baseline activities assess a device in its raw state, before any policies are applied and any applications are deployed.
- Incorporate NCSC mobile device lockdown policies into MoD policy for mobility projects; if such policies don't exist, look at developing a policy set across defence that can act as a crib sheet for project teams to work from for future mobility projects. This policy set should allow MoD to take its own stance, alongside the guidance of NCSC's device lockdown policies, on what is deemed acceptable and unacceptable risk if a specific policy is not followed.
- Develop and maintain an enduring technical assurance testing capability at RAF Wyton. This capability should also ensure that kit (both hardware and software) requirements are met to allow testers/analysts with the technical capability to perform a full baseline of devices, including forensic analysis, and to perform the same tests against a device in its deployable state.
- Develop and maintain an enduring technical assurance testing capability for applications at RAF Wyton. The process of testing mobile applications should involve an offensive stance, where active steps are taken to replicate how an adversary may target applications with a weak security posture on a device.
- Develop and maintain an enduring IoT technical security assurance testing capability.
- Plan and document a process that allows DAIS to drive an innovative internal capability for mobile application vetting as a service. This service would allow projects with a high-risk capability to request a security assessment be performed against an application they wish to deploy across their mobility fleet.
- Hold regular brown bag sessions with both the technical assurance teams and the SACs and accreditors in DAIS to ensure that they are kept up to date with any newly found vulnerabilities in the mobility arena.
- Hold regular training sessions with the technical assurance team in Wyton. The aim of this should be to upskill the current staff to a point where they can carry out some of the tasks required during a penetration test or security assessment without supervision.
- Work closely with the innovations team and, where possible, assess the security posture of potential projects the innovations team are investigating through penetration testing activities. This liaison with the innovations team is critical, as it means technical, new and innovative solutions/ideas can be translated into high level terminology that the SACs and accreditors can make informed decisions on.
- Liaise and work closely with the Application Services Development Team (ASDT) in Mustang to help develop a yellow team that supports and ensures the successful delivery of cloud application hosting and development solutions.
- Help identify, fix and translate the cloud application development solutions being developed by the team in Mustang for the relevant SACs and accreditors, so they can not only understand any associated technical risks but also increase their own knowledge of cloud security.
- Develop and implement a cloud security strategy that outlines the types of penetration tests to be performed against any cloud hosting environment and what needs to be true for a factual