Chief Information Security Officer(P5)

Organizational Setting

The Division of Information Technology provides support to the IAEA in the field of information and communication technology (ICT), including information systems for technical programmes and management. It is responsible for planning, developing and implementing an ICT strategy, for setting and enforcing common ICT standards throughout the Secretariat and for managing central ICT services. The IAEA's ICT infrastructure comprises hardware and software platforms, and cloud and externally-hosted services. The Division has implemented an IT service management model based on ITIL (IT Infrastructure Library) and Prince2 (Projects in a Controlled Environment) best practices.

Main Purpose

The Chief Information Security Officer (CISO), reporting to the IAEA's Director of Information Technology/Chief Information Officer (DIR-MTIT/CIO) is accountable for the creation, implementation, and oversight of information security program and policies designed to reduce and mitigate information security risk across the Agency to a level tolerable to the organization. The CISO will establish and lead an enterprise-wide information security and assurance function, ensuring that confidentiality, integrity, and availability requirements of information systems and assets are identified and managed appropriately.

Role

The CISO is: (1) a leader, providing vision and direction, while inspiring the implementation of innovative security solutions and best practices that address the IAEA's priorities; (2) a manager of direct and indirect resources within the Division as well as across the Agency; and (3) an advisor to DIR-MTIT/CIO and to others throughout the Agency on matters in connection with information security.

Functions / Key Results Expected

Business alignment
Build sound business relationships across the Agency to enable a strong understanding and close alignment with business needs, direction, and risk appetite.
Provide clear and timely business advice to executive management on key information security and assurance issues.
Ensure representation of relevant and adequate information security and risk on relevant business and governance forums is known, well-integrated, and addressed across the Agency.

Information Security Governance
Provide leadership, vision, direction and management to the various information and cyber security engineering and operations teams across the Agency, to the decentralised technical teams within departments and to the IAEA as a whole.
Oversee, implement and improve the IAEA's Information Security Management System (ISMS) including its policies, standards and processes and align them with ISO 27001.
Ensure that all IT and information security programs are in compliance with applicable laws, regulations, and policies.

Information Security Awareness
Create, manage, deliver the relevant information Security Awareness training to the staff, and review effective information security awareness training.

Information Security Risk management
Establish and manage an information security and risk management capability and framework across the organisation and align it with the IAEA's risk management strategy.
Develop and obtain management approval for short and long term strategies, roadmaps, and business cases to appropriately mitigate, detect, and deter information security threats.
Conduct information security risk assessments across the enterprise at suitable intervals.
Manage the creation and production of timely, accurate, and informative business and IT metrics relating to information risk initiatives.
Regularly verify that required information security and risk controls are in place, raising findings as noncompliance is found and driving improvement.
Ensure that internal and external audits are supported in development of an annual strategic audit plan.

Security Architecture
Develop and maintain an effective information security architectural approach.
Ensure the consistent application of security standards across global technical infrastructure.
Liaise with enterprise architecture to ensure that information security architecture standards, policies, and procedures are available and enacted consistently across application development projects and programs.
Collaboratively engage with other IS functions and business representatives to facilitate a globally standardized approach and governance structure to information security and risk.
Collaborate with enterprise architecture to define physical, virtual, and logical information security architecture specifications.

Security Engineering and Operations
While various units within IT have direct responsibility for Security Operations, the CISO has an oversight role for the following functions:
Establish processes, processes and appropriate staff training to respond to significant information security breaches in a timely and proactive manner.
Monitor, manage, and deploy security controls as appropriate to support business needs while minimizing risk.
Oversee the close management and analysis of security information and events.
Respond to investigations and forensic requests, managing situations with discretion, sensitivity, and objectivity, and with due consideration of chain-of-custody.
Lead the effort to maintain an effective and timely program to manage identity and access privileges.