JOB DESCRIPTION/PERSON SPECIFICATION

Transcription

1 JOB DESCRIPTION/PERSON SPECIFICATION A POSITION DETAILS DIVISION: Business Support JOB TITLE: MIS Security Analyst DEPARTMENT/BUSINESS SECTOR: MIS REPORTING TO: MIS Security Manager GRADE: 11 B KEY RESPONSIBILITIES PEOPLE: Enabling staff to conduct their day-to-day tasks with Information Technology (IT) as a seamless, beneficial work tool. Providing staff with the information they need to do their job, where & when they need it, with the tools to enhance the value of that information through analysis, workflow and sharing. PROTECTION: Implement and support strategic IT solutions, which allow SITA UK to meet its environmental protection strategy. IT Specific: Ensure operational stability and appropriate levels of service from SITA s computing infrastructure by strategic input into systems design, implementation and operation. This includes ensuring appropriate levels of security and accountability to prevent operational impact from accidental or malicious activity. PROFILE: Improve SITA s ability to interact with existing & potential customers, suppliers and partners through the use of collaborative and integrated IT systems. PROFIT: Improving the effectiveness of staff by leveraging time-saving and ability-enhancing Information Technology: Reducing Total Cost of Ownership (TCO) of IT systems through the automation of routine tasks and leveraging economies of scale with standardisation of approaches and processes. Increasing competitive advantage by enabling smart working within geographically separated teams through collaborative solutions that allow remote working, information sharing and interaction Reducing overhead costs & the time taken to perform regular processes and improving the speed & quality of decisions through the availability of up-to-date and appropriate information.

2 In line with SITA UK s Health and Safety Policy the job holder is expected to; Take reasonable care of his/her own health, safety and welfare and that of other people who may be affected by his/her actions or omissions. To co operate with SITA UK and with other employees in order to comply with health and safety law and SITA UK s Health and safety Policies and Procedures Not to misuse or interfere with, intentionally or recklessly, anything provided in the interests of safety. To ensure that within his/her areas of responsibility, SITA UK complies fully with its legal duties in respect of the health, safety and welfare of its employees and of other people who may be affected by his/her actions or omissions To ensure that the responsibilities commensurate with his/her role as laid out in the Health and safety policies and Procedures are fully met. C RESPONSIBILITIES Role and Context PURPOSE: This is a new role within the IT Team, and is a multi-faceted position. Security covers aspects of Confidentiality, Integrity and Availability: the success of this role will be measured not only in terms of attempted / foiled un-authorised access, but also in the success in mitigating service degradation as a result of malicious or accidental actions. This could include avoidance of DoS attacks (or consequential DoS, through spam overload for example). The role will also be expected to ensure regulatory compliance regarding security controls implemented on IT systems and data networks. The primary purposes are: The creation and maintenance of a demonstrably secure data-networking environment in which the SITA UK can achieve its strategic goals. This state will be achieved by working with both the Communications Team and the IT Security Manager The provision of secure implementation of major project work that requires expertise and specialist knowledge of both the SITA security environment, and the policies and regulations to which all users and equipment must adhere. Taking responsibility for and initiating immediate counter measures to real-time threats to SITA that are identified through the implemented security systems. CONTEXT: Based at Maidenhead, working as part of the Security Team, deputising for IT Security Manager during absence. Will be expected to x-train to basic level in network skills to progress their own knowledge, and improve the solutions offered, as a result of a wider perspective RELATIONSHIPS: INTERNAL IT Security Manager Unified Communications Team Internal Audit team SDT & BAS staff, IT Project Managers and BAS Business Risk Office Business owners of core applications Pan-Suez peers

3 EXTERNAL Hardware and software suppliers and vendors Outsource Service providers Service Providers Company Auditors DECISION MAKING AUTHORITY: Participation in infrastructure strategy decisions information security expertise Determination and implementation of counter-activities to be taken in response to identified real-time security threats. Key Activities Key Outputs Assist in the provision, operation, documentation and maintenance of the secure elements of the IT infrastructure to UK business stated quality objectives, (measured through IT SLAs). MIS monitoring and reporting of security performance of the IT infrastructure and relevant components. Ensuring that any attacks on the SITA IT systems are countered immediately through activating counter-measures they deem appropriate. Taking a lead role in medium/long term counter-threat activities (e.g. post-virus clean-up projects) Provision of technical input to problem and incident resolution using network and system security tools and equipment Provision of technical input to ad-hoc project work relating to secure network connectivity, including DMZ, B-2-B, wireless and remote access devices. Often in conjunction with the Unified Communications Manager. General connectivity issues, user training and support as well as security elements of remote access will be addressed. Input to the annual audit process, showing CODIS compliance to security procedures through records, audit logs, and processes. Will be required to liaise directly with auditors about countermeasures (appropriateness and effectiveness) that have been implemented in the course of their duties. Participation in annual Disaster Recovery and continues vulnerability testing program demonstrating that IT systems and network s Integrity, Availability and Confidentiality are maintained. Provision of remedial actions to IT systems and Networks identified through on-going security management practices. MIS monitoring and reporting of IT Security objectives. Presentation and explanation of the security models and their purpose to other IT colleagues and Operational Management. Deputizing for Security Manager in times of absence. Assist in the delivery of Service Improvement and Quality Assurance plans implemented as per SIP Manager Involvement in other and diverse activities as required from time to time to ensure the smooth operation of the IT Department. Assist and advise operational functions to stated security standards, providing cost-effective security for the SITA UK community Ensuring that the Service Standards as measured by the SDT and IT SLAs pertaining to Security Targets are met and published. Other capacity and usage thresholds (e.g. spam control) are adhered to, and potential breaches mitigated with minimum business impact.

4 Ensuring Suez, and SITA UK standards for all aspects of information security are adhered to for all project delivery, whilst not negatively impacting timeliness, quality or cost. All audit compliant targets for security are met, or compensating control and mitigation plans available to be submitted to external auditors and SUEZ risk management teams. Includes BC and DR planning and testing. Production of an ongoing security audit program including ethical hacking, social engineering etc. Provision of MIS to the business and IT management both on a regular and ad-hoc basis, to enable quantitative business decisions to be made. Leading, with support from the IT Security Manager, completion of the annual UK IT ISMM (Information Security Maturity Model) position, and defining / actioning any remedial actions arising. Full participation in a culture of continuous improvement that is considered business as usual throughout the team. The contents of this job description reflect the main duties and responsibilities of the job and are not intended to form part of the contract of employment. SITA UK may revise the content of this Job Description/Person Specification at its discretion. D. GENERAL CRITERIA MINIMUM ESSENTIAL RATING QUALIFICATIONS / TRAINING: HNC or degree in a computer science discipline preferred. Working knowledge of Microsoft server and PC operating systems. ITIL understanding / foundation level CAREER HISTORY / EXPERIENCE: 2 years commercial experience in a system administration or support role. A good level of understanding of communication protocols, in particular IP (over Ethernet and WANs) and their impact on security A good level of understanding of system and application architecture Knowledge of MPLS, VPN, DSL WiFi and emerging connectivity technologies. Fault diagnosis and analysis for installed security hardware: Firewalls, IDS/IPS, SSL VPN, Encryption software Fault diagnostics and analysis of Anti-virus software Up-to-date knowledge of all SITA shrink-wrapped applications: (MS Office, Lotus Notes etc.) and their security implications Working knowledge of Active Directory and Group Policy Objects and Patch deployment software Understanding of the use of Citrix and its network and security impact. Ability to communicate clearly both with technical staff and non-technical customers, ranging from temps to MD. Keen interest in Information Security.

5 E. KEY COMPETENCIES & ATTRIBUTES SERVICE TO THE CUSTOMER/COLLEAGUE: Is this person passionate about personally understanding the customer and meeting their needs? FINANCIAL AWARENESS: Does this person understand the financial impact on the business of any decisions made? MINIMUM ESSENTIAL RATING BUILDING CAPABILITY: Does this person work to develop the long term capability of others? 2 COMMUNICATION EFFECTIVENESS: Does this person firmly believe in communication to all appropriate stakeholders and have the skill to get ideas accepted by others or to get others to change their opinion? DRIVE FOR RESULTS Does this person lead individuals or groups of people effectively and make continuous improvements and meet/surpass targets and goals? PROBLEM SOLVING: Can this person recognise a problem and decide what to do about it? QUALITY OF WORK: Is this business run in a manner that complies with all operational standards both internal and external? Prepared By (Line Manager): Approved By (Director): [If applicable] Approved by HR Manager: Signed to confirm received (Employee):