Serco

Senior Cyber and Information Assurance Consultant

Recruiter: Serco
Location: West Midlands, United Kingdom
Salary: GBP 80,000.00 per year
Posted: 27 Jan 2023
Closes: 26 Feb 2023
Ref: 283421
Approved employers: Approved employer
Job role: Accountant
Sector: Digital
Senior Information Assurance Consultant
Hybrid (1 day per week at Hook, London or Solihull)
Full Time

Package: Up to £80,000 + benefits.

We aim to create an inclusive workplace in which everyone can thrive:
  • We are a proud Disability Confident Leader and holder of the Silver Inclusive Employer Standard
  • We have reduced our gender pay gap from 10.9% to 6.9% (in the last 12 months) and increased women in leadership roles from 21% to 32% (2018-2022)
  • We have reduced our ethnicity data gap from 40% to 20%, and our disability data gap from 95% to 50% over the last 12 months
  • We were recognised in May 2022 as one of only 3 companies (from 100) to achieve Tier 1 accreditation in the CCLA Mental Health Benchmark Report
As a business we advocate flexible working as we know that your time is valuable, both inside and outside of work. We also provide an extensive Employee Assistance Program to include online counselling, webinars, health check-ins and financial wellbeing assistance.

Careers in IT Services:

IT is at the heart of many of the vital services that Serco provide, from caring for vulnerable people, managing complex public services, to heavy rail and hospital operations. IT Services underpin Serco teams in many of the key public services we deliver in the UK, Europe and globally, making a difference to thousands of people every day.

The people in IT Services are passionate about what they do and are proud to make a positive difference to the services that Serco delivers. Working together with the shared goal of providing the best service for our customers is what drives the culture and mindset; this is the Serco value, and that is why a career with us is so rewarding.

The Role:

Serco is committed to protecting all our services from threats, whether internal or external, deliberate or accidental, that might have an adverse impact on individuals, our activities and our reputation. However, providing the right balance of security controls to protect an information system is a complex task: overly stringent controls will hamper the ability to conduct business, but conversely, if the controls are too weak, information (and organisational reputation) is put at risk, with potentially serious financial and legal consequences.

The key purpose of this role is to guide the design, implementation, and ongoing management of appropriate combinations of technical, physical, procedural and personnel controls to protect our customers' data and to comply with our legal, regulatory and contractual obligations while meeting our business requirements. This involves working with and influencing at all levels within bid and contract teams, producing a variety of verbal and written outputs.

Responsibilities:
  • Provision of information assurance leadership in large and complex environments.
  • Provision of security input into multidisciplinary bid teams, including security requirements definition, architectural design work, advice and guidance on security issues, risk assessment, guidance on residual risk and mitigation strategies, contracts review, governance strategies, costing of security operations, written submissions, creation of draft policies, and so on.
  • Support to architectural design activities, advising on security factors such as HMG policy and good practice, assurance / evaluation requirements, technical requirements or constraints, selection of security technologies and controls, physical requirements or constraints, supporting personnel and / or procedural requirements.
  • Undertaking risk assessments and production of assurance documentation in line with HMG policy or departmental processes (including Information Assurance Standards 1&2 or their replacement).
  • Provision of support to security management functions, predominantly within 'formal' security frameworks such as accredited, ISO27001 compliant, or PCI compliant environments, adopting a proactive approach to security management and security assurance coordination, ensuring smooth running of scheduled activities (SWGs, penetration tests, security documentation review) and gaining the trust of key stakeholders (including customer representatives and accreditors).
  • Provision of guidance on the appropriate components to utilise in implementing an architecture with the necessary security enforcing functionality, or guidance on retrofitting security capabilities to meet updated requirements or change requests.
  • Engagement with IT Security Health Check suppliers, scoping test plans and helping stakeholders interpret the results of the tests, as well as supporting the implementation of any remedial actions, where required.
  • Undertaking gap analyses against formal security frameworks (particularly ISO27001 and PCI DSS), reporting on areas of deficiency and producing remedial action plans (where appropriate).
  • Support to procurement processes, including documentation of appropriate security requirements into RFP / tender documentation, the assessment of responses, and support in the production of appropriate statements of work / contractual schedules.
  • Production of collateral to support the wider business, where appropriate.
Requirements:
  • Broad Information Security knowledge, ranging from developing and reviewing security architectures through to risk assessment and certification. Excellent communication skills (written and oral) are essential, as is demonstrable experience of working within formal frameworks such as ISO27001 and PCI-DSS.
  • Experience of operating with autonomy in a senior Information Assurance role, and education to degree level in a relevant discipline (or equivalent vocational qualifications).
Detailed working knowledge of multiple Information Security-related requirements sources / standards, with examples including:
  • The Government Security Policy Framework (SPF), along with NCSC (and legacy CESG) security standards and guidance
  • PCI-DSS (Payment Card Security)
  • ISO27001 (Information Security Management)
  • NHS security standards and supplier assurance framework
  • Data Protection Act / GDPR
  • ISO 22301 (/BS 25999) (Business Continuity Management)
  • UK Government Cyber Essentials Scheme.
  • DefStan05-138 (Defence Cyber Protection Partnership).
Desirable certifications:
  • Certified Information Systems Security Professional (CISSP)
  • Certified Information Security Manager (CISM)
  • Cloud Security Practitioner
  • ISO27001 Lead Auditor and / or Implementer
  • PCI-DSS Practitioner
  • Certificate in Information Security Management Principles (CISMP)
  • Certification under the NCSC Certified Cyber Professional scheme (formerly the CESG Certified Professional Scheme) is advantageous (but not essential).
What we offer:
  • Flexible working considered
  • Pension - 6%
  • Childcare vouchers
  • Bike4Work scheme
  • Chance to contribute to innovation in the public services
  • A company passionate about diversity and inclusion
We encourage you to apply even if you don't match every single aspect of the job description. We're looking for great people and are big on career development, so we're open to reviewing all applications.

About Serco
At Serco, not only is the nature of the work we do important, everyone has an important role to play, from caring for vulnerable people to managing complex public services. We are a team of 50,000 people responsible for delivering essential public services around the world in areas including defence, transport, justice, immigration, healthcare and citizen services. We are innovators, committed to redesigning and improving public services for the benefit of everyone.

By joining Serco you will have unlimited access to our Global Employee Networks - SercoInspire (Gender), SercoEmbrace (Multicultural), SercoUnlimited (Disability) and In@Serco (LGBT & Networks). Serco Employee Networks are led by colleagues who are passionate about diversity, inclusion and belonging.

Apply
Please click on the apply button to complete your application. Occasionally we receive a large volume of applications for our roles and when that happens we sometimes bring the closing date forward, so please apply promptly to avoid disappointment.

At Serco, we see people first and foremost for their performance and potential. We are committed to building a diverse and inclusive organisation that supports the needs of all. As such we will make reasonable adjustments at interview through to employment for our candidates and strongly encourage applications from a diverse candidate pool. We are open to discussions around flexibility and flexible working. We operate a hybrid work structure in many of our business areas. We are proudly Disability Confident Leader employers and holder of the Silver Inclusive Employer Standard. Disabled applicants who meet the minimum criteria for the job will be given the opportunity to demonstrate their abilities at an interview.

At Serco we support fair access to employment for those with unspent criminal convictions through the 'Ban the Box' pledge (some may be exempt due to the nature of the role and the security clearance required). Please contact our recruitment team directly on 0345 010 4000 to discuss.
