Civil Aviation Authority
The UK's aviation regulator, https://careers.caa.co.uk
This role has a focus on cyber and information security controls and assurance. It is considered vital in enabling the organisation to achieve our strategic objectives with an appropriate and known level of risk.
This is an exciting opportunity working in a fast-paced and dynamic environment which will provide plenty of variety. You will help us to ensure the protection of CAA systems along with the information held internally and by related third parties, specifically focused on the delivery of security by design through projects and business change.
The Information Security Consultants are a small team who work closely with our Architecture function; however, this is a highly collaborative role where you will engage with stakeholders across the CAA. The Consultants report into the Information Security Consultant Team Lead and are part of the CAA’s wider Information Security function, responsible for security policy, operations, risk, reporting and security awareness.
You will be working on a variety of projects to ensure appropriate information security requirements are identified, delivered, and assured. The role includes assessing the impact of projects on information security and working with the project team in delivering a secure design and solution within the organisation risk appetite.
You will be involved in reviewing project documentation including technical designs and ensuring that information security requirements are adequately tested by co-ordinating external and/or internal security testing.
While the role's primary objective is to support projects and programmes, you may be asked, as a subject matter expert in Information Security, to support or lead other workloads which contribute to the organisational goals.
Core Accountabilities
- Establish and maintain standard CAA information security control requirements which will form the basis for security requirements for new projects to implement.
- Collaborate with the Security Architect to support the establishment of common security design principles and patterns to accelerate the provision of security designs for new projects.
- Collaborate with the Security Architect to tailor standard security requirements and agree designs for specific solution needs for projects. Monitor control design throughout the project lifecycle to ensure best practice aligned to the CAA’s standards.
- Act as the subject matter expert for security controls relating to the solution being delivered, providing guidance regarding technical and procedural security best practice to projects and internal teams.
- Conduct threat modelling of services and applications that tie to the risk and data associated with the service or application.
- Identify, capture, assess and effectively communicate security risks associated with proposed projects and solutions, escalating risks where they exceed appetite.
- Ensure that actions to address gaps in the management of security risks during project delivery are completed or transferred to corporate risk registers.
- Co-ordinate and scope penetration testing and any required security assurance, including tracking closure of any findings.
- Validate security configurations and access to security infrastructure tools, including firewalls, web application firewalls (WAFs), anti-malware/endpoint protection systems, etc.
- Provide second and third line support and advice to Security Operations and assist in response to major incidents.
- Review security technologies, tools and services, and make recommendations to the wider business for their use, based on security, financial and operational metrics.
- Liaise with Procurement and the supplier management function to conduct security assessments of existing and prospective suppliers, especially those with which the CAA shares intellectual property, PII, ePHI, regulated or other protected data, including:
  - SaaS providers
  - Cloud/infrastructure as a service (IaaS) providers
  - Managed service providers
- Review and assess third-party suppliers’ security posture and the creation of security management plans.
- Review and provide guidance on any relevant security related contractual clauses, including engagement throughout the Procurement process.
- Support the Information Security function to deliver a security strategy, governance framework and risk mitigation activity across the CAA.
Location: Gatwick
Contract type: Full time, Permanent
Profession: Consultant, Information, Security
Working pattern: Flexible working, Hybrid
Closing Date: 13/11/2024