Organizational Setting
The Department of Management (MT) provides a 'platform of services' that serves as a foundation for the successful delivery of the IAEA's scientific and technical programmes. Its mission statement is as follows: "MT is a partner and a business enabler that champions change and efficiency, leveraging a common purpose". Thus, among other support activities, it assists a scientific manager in recruiting the right expert, helps a technical officer coordinate the purchase of radiation equipment and ensures that all Board documents are translated and distributed on a timely basis to Member States.
The Division of Information Technology provides support to the IAEA in the field of ICT (information and communication technology), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises state of the art hardware and software platforms in a partially decentralized environment. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.
The Infrastructure Services Section is responsible for administering the central IT servers and virtualization platforms, providing secured services and managing the data centre which are run in compliance with best practices defined by international standards, in particular ITIL and ISO 27001.
Main purpose
The Chief Information Security Officer (CISO), reporting to the IAEA's Director of Information Technology/Chief Information Officer (CIO), and with an indirect reporting relationship to the Central Security Coordinator (CSC), is accountable for the creation, implementation, and oversight of strategies and programs designed to reduce and mitigate information security risk across the Agency to a level tolerable to the organization. The role will establish and lead an enterprise-wide information security and assurance function, ensuring that confidentiality, integrity, and availability requirements of information systems and assets are identified and managed appropriately.
Role
The CISO is: (1) a leader, providing strategic direction while inspiring the implementation of innovative solutions and best practices that address the IAEA's priorities; (2) a manager of direct and indirect resources within the Division and across the Agency; and (3) an advisor to the Director of Information Technology/CIO and to others throughout the Agency on matters relating to information security.
Partnerships
The Chief Information Security Officer leads the planning and implementation of information security policy throughout the IAEA, and ensures that information security policy and practices align within the overall security framework put forth by the CSC. He/she liaises at divisional and departmental level within the IAEA and also acts as the focal point for information security, confidentiality, classification, disaster recovery and associated cyber incident response arrangements. He/she promotes partnerships with UN organizations, NGOs and other relevant institutions and serves as the leader on all aspects of information security training and awareness.
Functions / Key Results Expected
- Provide leadership, vision and management to the various engineering and operations teams across the central IT Division (on a dotted-line basis), to the decentralized technical teams within departments, and to the IAEA as a whole.
- Lead programs and processes to monitor the emergence of new threats and vulnerabilities, assessing impacts and driving responses as appropriate.
- Ensure that clear and timely business advice is provided to executive management on key information security and assurance issues.
- Establish an information security and risk management functional capability and framework across the organization.
- Ensure that information security and risk is adequately represented on relevant business and governance forums and is known, well-integrated, and addressed across the enterprise.
- Ensure the delivery of the following key areas:
Information Security Oversight
- Provide leadership, vision, and direction on information security to the information security staff, across the central IT division, and enterprise-wide.
- Oversee and coordinate all aspects of alignment of the IAEA's Information Security Management System (ISMS) with ISO 27001.
- Build sound business relationships across the enterprise to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
- Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives. Utilize the metrics to prioritize key initiatives and respond to negative trends.
- Create, manage, deliver to the staff, and review effective information security awareness training.
- Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.
Information Risk Management
- Drive and maintain the information security management system, including information risks across the enterprise.
- Align with the IAEA's risk management strategy and build out information security specific elements, collaborating with appropriate business management heads and committees to get buy-in and build momentum.
- Collaborate with application owners to understand and address (as appropriate) the risk position around key business applications.
- Design a threat assessment framework. Develop and obtain management approval for short and long term strategies, roadmaps, and business cases to appropriately mitigate, detect, and deter information security threats.
- Ensure ongoing analysis of information security threats, vulnerabilities, and market trends. Determine potential impact on the organization's risk posture.
- Oversee the development and maintenance of an information security policy set, including standards and processes that fit the organization at all levels. Seek and confirm management approval as required.
- Ensure Agency-wide implementation of policies, reflecting varying departmental needs where necessary.
- Manage the process to administer policy exceptions, ensuring that they are subject to appropriate controls, both before and after approval.
- Ensure that strategic information security and risk guidance is provided to third-party suppliers in accordance with internal frameworks, and ensure compliance with required controls.
- Conduct information security risk assessments across the enterprise at suitable intervals. Ensure that key risk issues are understood, communicated, and tracked on the risk register.
- Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
- Ensure that internal and external audits are supported in development of an annual strategic audit plan.
Security Architecture
- Develop and maintain an effective information security architectural approach, ensuring that the approach is implemented in accordance with appropriate standards.
- Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
- Liaise with the relevant parties to ensure that appropriate controls are implemented to prevent recurrence of information security incidents.
- Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
- Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.
- Ensure the consistent application of security standards across global technical infrastructure.
Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, most notably the Security Systems Unit in the Infrastructure Services Section, the CISO has an oversight role for the following functions:
- Establish processes to respond in a timely and proactive manner to significant information security breaches.
- Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
- Oversee the close management and analysis of security information and events.
- Respond appropriately to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
- Ensure that processes are in place and that staff are appropriately skilled to respond to security incidents.
- Lead the effort to maintain an effective and timely program to manage identity and access privileges.
Knowledge, Skills and Abilities
The position will be most suitable for a recognized thought leader in the information security space, comfortable with the integration of people, process, and technology.
- Deep understanding of the enterprise information security architecture discipline, processes, concepts, and best practices.
- Demonstrated consultative approach to driving change and deploying controls.
- Knowledge of technological trends and developments in the area of information security and risk management.
- Knowledge of firewalls, anti-virus, intrusion detection/intrusion prevention systems, virtual private networks, remote access systems, network zoning, centralized monitoring, and application scanning.
- Knowledge of information security and risk control frameworks such as COBiT, ISO 27001, ITIL, and ISO 31000 is preferred.
- Knowledge of business continuity and IT disaster recovery frameworks such as ISO 22301 and ISO 27031 is preferred.
- Ability to quickly grasp how new technologies work and how they might be applied to achieve business goals.
- Demonstrated ability to work effectively with a team, delivering high performance and customer satisfaction, in a culturally diverse, matrix management environment.
- Strong facilitation skills and a clear ability to build strong relationships with business stakeholders at all levels, including executive managers and vendors.
- Strong, proven problem-solving skills and the ability to identify, analyse, and resolve problems, driving solutions through to completion.
- Strong affinity with technology and an interest in the wider implications of technology.
- Energy and a clear passion for the role.
- Proven integrity and the ability to handle confidential matters in a professional manner, applying the appropriate level of judgment and maturity.
Education, Experience and Language Skills
- Advanced university degree in computer science, engineering, mathematics, or related field of study or equivalent. A business certification, such as an MBA, or other business-related qualification is preferred.
- Professional certification, such as CISSP, CISM, CISA, CRISC, or other information security credentials, is preferred.
- A minimum of ten years of experience leading comparable information risk, security and governance teams, transforming functions and changing culture.
- Experience with carefully managing budgets to deliver demonstrable value.
- Experience with leading the response to incidents, crises, and investigations with sensitivity, tenacity, and a focus on detail.
- Extensive experience in information security architecture, consultative stakeholder management, and strategic planning.
- Experience with significant outsourced and cloud models, and the appropriate contract and vendor negotiations.
- Experience with classified networks, information classification, and confidentiality requirements associated with high security environments.
- Experience in an IT environment with some outsourcing, cloud solutions, and a multitude of vendors.
- Excellent written and verbal communication skills (English) that are compelling, convincing, and reassuring, and the ability to articulate complex technical ideas to non-technical stakeholders.
- Fluency in spoken and written English is required; knowledge of other official IAEA languages (i.e. Arabic, Chinese, French, Russian or Spanish) is an advantage.
Remuneration
The IAEA offers an attractive remuneration package including a tax-free annual net base salary starting at US $80 887 (subject to mandatory deductions for pension contributions and health insurance), a variable post adjustment which currently amounts to US $54 194*, dependency benefits, diplomatic status, rental subsidy, education grant, relocation and repatriation expenses; 6 weeks' annual vacation, home leave, pension plan and health insurance.
* Subject to change without notice
How to apply to the IAEA
Complete an Online Application
Applications from qualified women and candidates from developing countries are encouraged
Applicants should be aware that IAEA staff members are international civil servants and may not accept instructions from any other authority. The IAEA is committed to applying the highest ethical standards in carrying out its mandate. As part of the United Nations common system, the IAEA subscribes to the following core ethical standards (or values): Integrity, Professionalism and Respect for diversity. Staff members may be assigned to any location. The IAEA retains the discretion not to make any appointment to this vacancy, to make an appointment at a lower grade or with a different contract type, or to make an appointment with a modified job description or for shorter duration than indicated above. Testing may be part of the recruitment process.