Organisation for the Prohibition of Chemical Weapons vacancy search engine

Information Security Officer (IT Systems) (P-3)


 

COMPLETE OUTLINE

1. Under the supervision of the Head, Confidentiality and Information Security (CIS), the incumbent coordinates all aspects of the OPCW Information security programme, assisting in managing the implementation of all ICT security measures to ensure the preservation of the confidentiality, integrity and availability of OPCW’s information assets:

  • Help develop policies, standards and action plans relating to information technology security issues.
  • Assist in the implementation of the ISO 27001 standard for Information Security Management.
  • Identify critical situations/sites and functions.
  • Assist in maintaining the OPCW Business Continuity Plan (BCP).
  • Perform routine security monitoring of any non-internet connected networks.
  • Perform routine security monitoring of any internet connected networks.
  • Support ongoing OPCW missions by providing advice on information security related matters.
  • Perform security testing, as needed, to verify compliance with information security architecture and policies.
  • Serve as a member of the Change Advisory Board reviewing and making recommendations on proposed changes to the ICT infrastructure within OPCW.

 

2. Perform security risk assessments; 

  • Write security risk assessments and coordinate with the business units and ICT units to communicate and implement information security risks and make recommendations for the development and implementation of security control measures to mitigate information security-related risks.
  • Assist in developing policy and standards for the backup and archiving of the organisation’s information to ensure its confidentiality, availability, and integrity at all times, especially relating to:
  • Software development requirements
  • Access control & user authentication
  • Controls & testing procedures
  • Change/configuration management
  • System logging
  • Virus protection
  • Business continuity, etc.

 

3. Assist in developing security incident response; 

  • Plan and conduct information security/confidentiality incident investigations and perform disciplinary/alleged fraud/misconduct investigations under the directions of Head, Office of Confidentiality and Security and the Director General of the OPCW.
  • Implement the ICT Incident Response Stages;
  • Lead responses to ICT Security incidents and digital forensic investigations;
  • Maintain custody for digital evidence gathered during internal investigations;
  • Maintain ICT Security capabilities by ensuring that the security systems and applications procured remain up to date and relevant;
  • Perform malware and advance persistent threat security investigations;
  • Communicate impact of security incidents to senior management.

 

4. Security Testing;

  • Plan and perform routine vulnerability assessments and security /penetration tests on the computing environment of the OPCW;
  • Evaluate, implement, and support tools and applications for vulnerability assessments; 
  • Liaise with external penetration testers and vendors to plan and coordinate security testing activities;

 

5. Assist with the implementation of the Security Information and Event Management System (SIEM) on both non-internet connected, and internet connected networks;

 

6. Monitor the implementation of all ICT-related security procedures;

  • Receive and investigate (at the direction of the Director-General and Head of OCS) information security incident reports; 
  • Assess/report weak spots in ICT security (i.e., access controls, environmental issues, security of cables, maintenance of equipment, destruction of equipment, function separation, virus control, authorisation privileges, etc.);  
  • Perform audit activities on OPCW information systems used for the processing of confidential information, determine the existence of and compliance with relevant policies and procedures and recommend improvements to system security and existing control measures;

 

7. Perform market analysis for new information security technology and products that may enhance the security of OPCW’s ICT systems and programmes;

 

8. Assist with the information security awareness training programmes for all Secretariat ICT users and administrators;

 

9. Liaise with the OPCW external Security Audit and Assessment Team (SAAT) and internal auditors to coordinate and plan all ICT audit activities; 

 

10. Support the Office of the Legal Adviser in reviewing contracts for the procurement of ICT services or where services related to information are being procured; 

 

11. Perform duties as acting Head of Confidentiality and Information Security and when required.

 

RECRUITING PROFILE:  

Education (Qualifications):

Essential:  

Advanced university degree or equivalent in information technology or information system security. First university degree with minimum of 7 years of professional experience may be accepted in lieu of an advanced degree. Documented professional experience and/or specialised training in information security or related field (with minimum 11 years of relevant experience) may be considered in lieu of a first university degree.

 

Required Certification:  

  • Network management certifications (vendor or non-vendor specific).

 

Desired Certification:  

  • Certified Information Systems Security Professional (CISSP); 
  • Global Information Assurance Certification (GIAC),
  • CISSP Concentration certifications such as Information Systems Security Architecture Professional (ISSAP) or, Information Systems Security Engineering Professional (ISSEP) or, Information Systems Security Management Professional (ISSMP); 
  • Microsoft Certified Systems Engineer (MCSE), Microsoft Azure Security related technologies 
  • Checkpoint or CISCO Firewall administrator.

 

Experience:  

Essential:  

  • At least 5 years’ experience in the area of information technology; (First university degree with minimum of 7 years of professional experience may be accepted in lieu of an advanced degree. Documented professional experience and/or specialised training in information security or related field with minimum 11 years of relevant experience may be considered in lieu of a university degree).
    Minimum of 3 years’ experience in information security implementation and management required. This must include as a minimum practical experience in;
    • Advising on and implementing ICT security solutions; 
    • Experience in incident monitoring and security investigations;
    • SIEM/log and Security Operation Center management and monitoring;
    • Experience in the use and monitoring of Data Loss Prevention systems; 
    • Firewall administration and monitoring (including web application firewalls); 
    • Malware investigation;
    • Experience in creation or consultation of security architecture. 

 

Desirable:  Experience with Certificate Authority management, Hardware Security Module, Skybox Security suite, Office/Microsoft 365 security, Cloud services security, digital forensics, communications systems and tools, mobile device management.  

 

Skills and Abilities (key competencies):

  • Knowledge of information security and confidentiality; management in the private or public environments;
  • Analytical skills and excellent ability to draft and edit documents in the English language;
  • Strong computer skills;
  • Experience in the development and drafting of information security-related policies and procedures.

 

Other Skills:  

Tact, diplomacy and demonstrated ability to work in an international organisation with diverse cultures.

 

Language Requirements:  Fluency in English is essential and a good working knowledge of one of the other official languages (Arabic, Chinese, French, Russian, and Spanish) is desirable.