Job Description

Information Security Analyst

Remote working

6 months FTC

Competitive rates

VIVO, a 50:50 joint venture between Serco and ENGIE, has been awarded places on the Defence FM and Housing Maintenance framework contracts.

VIVO embodies both experience and innovation. It combines Serco’s comprehensive track record delivering engineering, technical and FM services to the UK MOD for over 55 years with ENGIE’s market leading FM, energy, asset optimisation and regeneration capabilities.

Within VIVO, we are currently looking to recruit for an experienced Information Security Analyst on a 6 months fixed term contract basis.

The Information Security Analyst will support the wider IT team with the design, implementation and ongoing operation of systems and services to protect VIVO and our customers’ data, ensuring compliance with our legal, regulatory and contractual obligations. This will include involvement with appropriate combinations of technical, physical, procedural and stakeholder engagement. This role spans both ‘Design and Consultancy’ and ‘Operational’ services, and therefore involves working with and influencing at all levels within operational teams, producing a variety of verbal and written outputs, conducting audits internally and against subcontractors and suppliers. Initially, this role will be an integral part of the new contract mobilisation team, embedding VIVO’s data security framework and delivering on relevant security accreditations, notably ISO27001. Upon completion of mobilization the role will become Operationally focussed with responsibility for maintenance of all aspects of the ISMS and supporting Security functions deployed across the VIVO solution.

Duties:

• Implement the VIVO IT Security Strategy and assurance activity. VIVO is a new business, and during mobilisation this role is integral to creating VIVO’s information security framework by adapting and / or adopting shareholder methodologies, processes and solutions as appropriate by working closely with all shareholders.
• Embed a culture of IT and data security awareness and compliance across VIVO.
• Provide input into multidisciplinary operational teams, providing IT / data security requirements definition, architectural design work, advice and guidance on security issues, risk assessment, guidance on residual risk and mitigation strategies, contracts review, governance strategies, costing of security operations, written submissions, creation of draft policies, and so on.
• Advise on security factors such as HMG policy and good practice, assurance / evaluation requirements, technical requirements or constraints, selection of security technologies and controls, physical requirements or constraints, supporting personnel and / or procedural requirements.
• Undertake risk assessments using VIVO and / or Customer assessment methodologies, and production of supporting remediation and assurance plans.
• Implement the IT and data security management and assurance activities. Work with shareholders across VIVO to maintaining compliance with legal, regulatory, and contract-specific security standards (including ISO27001, RMADS and DART submissions, CyDR Accreditation and the Data Protection Act and GDPR).
• Implement and continually improve IT and data security management processes across VIVO, including: Security Risk Management; Security Incident Management, and; Security Service Delivery activities.
• Adopt a proactive approach to IT and data security management and security assurance coordination, ensuring smooth running of scheduled activities (penetration tests, security documentation review) and gaining the trust of key stakeholders (including customer representatives and accreditors).
• Engage with external audit and assurance providers, including IT Security Health Check suppliers, scoping test plans and helping stakeholders interpret the results of the tests and audits, as well as supporting the implementation of any remedial actions, where required.
• Maintain and update the Information Security Policy and related processes and procedures in line with ISO27001 and Government policies. Develop plans, processes and operational collateral which will gain and develop VIVO’s ISO27001 certification status.
• Undertake gap analyses against the ISO27001 framework, report on areas of deficiency and producing and implementing remedial action plans.

Manage security incident responses and conduct investigations to understand the source of security breaches, assess and contain damage and devise measures to protect against future breaches.

What you need to do the role

The candidate should have a broad Information Security knowledge, ranging from understanding and reviewing security architectures through to risk assessment and certification. Excellent communications skills (written and oral) are essential, as is knowledge and experience of ISO 27001.

Ideally the candidate will have recognized Information Security certification such as:

• Certified Information Security Manager (CISM) or Certified Information Systems Security Professional (CISSP) or Qualified ISO27001 Lead Auditor and / or Implementer or Certificate in Information Security Management Principles (CISMP)

• Knowledge and understanding of multiple Information Security-related requirement sources/standard, examples:o The Government Security Policy Framework (SPF), along with NCSC Security Guidance o Familiarity with MOD DCPP, JSP440, and other related MOD Standards o RMADS and DART submission process and CyDR accreditation o ISO27001 (Information Security Management) o Data Protection Act / GDPR o BS 25999 / ISO22301 (Business Continuity Management) o UK Government Cyber Essentials Scheme

“The role you have applied for is with VIVO Defence Services, a joint venture between Serco and ENGIE. By applying for this role, please be aware that information contained within your CV may be shared between VIVO Defence Services, ENGIE and Serco during the recruitment process.”