SC Cleared Security Architect

Posted 5 days 10 hours ago by Alexander Mann Solutions - Public Sector Resourcing

Contract
Not Specified
Public Sector Jobs
England, United Kingdom
Job Description

On behalf of the MOD, we are looking for a Security Architect (Inside IR35) for a 6 month contract based REMOTELY with occasional travel to Corsham.

The Ministry of Defence (MOD) is a central government department with a mission to protect our country and provide the ultimate guarantee of its security and independence, as well as helping to protect its values and interests abroad.

To do this we have an annual budget of almost £40 billion and a workforce comprising 193,000 people, almost 59,000 of whom are civilians. We currently manage more than £11 billion of spend every year.

Our work really matters; we offer engaging roles which have a direct impact on the quality of services we provide. We employ people in many different roles and in many locations across the UK and abroad. We have jobs in policy, finance, HR, IS/IT, commercial and project management and all the types of jobs you would expect to find in a government department, or indeed in the private sector. We also employ doctors, dentists, teachers, police, fire service, quantity surveyors, and engineers to name a few. There are many opportunities to develop and progress both within MOD and across the wider Civil Service, whether you're a permanent appointee or an interim.

SC Clearance is an essential requirement for this role (as a minimum, you will need to be eligible for SC).

As a Security Architect, ideally you will be Security Cleared to SC and will advise and enable technical teams to make security decisions. You will provide advice and guidance to ensure common tools and patterns are used effectively to deliver secure systems and implement proportionate controls to enable business outcomes.

As a Security Architect, your main responsibilities will be:
* Recommend security controls and identify solutions that support business objectives.
* Lead the transfer of security practices to meet Secure by Design requirements.
* Knowledge and experience dealing with JSP604 policy.
* Provide specialist advice and recommendations regarding approaches and technologies across teams and various stakeholders, assessing the risk associated with proposed changes
* Inspire and influence others to execute security principles, communicating widely with other stakeholders
* Help review ongoing security architectural activities
* Lead the security working group and ensure everyone is aware of existing issues
* Ensure appropriate security documentation and processes are maintained and created
* Lead security incidents and lessons learnt sessions about these
* Develop appropriate security and escalation processes, whilst inputting into the disaster recovery plan
* Lead the commissioning of any vulnerability assessments, pen-tests and bug-bounties
* Represent the Defence Information Platform Service at the Foundry Security Working Group
* Support any applications to the Technical Design Authority or Technology Coherence Board from a security perspective

Essential:
* Security architecture: Lead the transfer of security practices to meet Secure by Design requirements. Designs and reviews system architectures for a broad range of complex or uncommon requirements to identify security weaknesses and recommend mitigations. Designs (or significantly influences) the technical design of a system to enforce security properties that have been derived from first principles to meet a complex or uncommon set of requirements. Follows a methodical and repeatable approach to reviewing the security of a system architecture and can describe that approach. Advises on security architecture implications of technological trends when applied to existing systems, such as migration to the cloud. Can explain how those technologies change the security approach required. Contributes to new and innovative security architecture guidance for others to re-use. May have one or more technology specialisms where they are regarded as an expert in how their specialism supports security architecture design (e.g., telecoms, power, microservice architectures, identity).
* Applied security capability: Considers complicated, non-obvious security needs, e.g., where the connections between business need, the technology that supports that need and how it might be impacted are important to work out. Works closely with those who 'own' business needs, deduces their tolerances with regard to things they care about and turns those into meaningful security statements that can be applied. This might be either complicated and specific, or simple scenarios with broad applicability. Delivers security advice that is contextualised and appropriate for the strategic customer need. Avoids providing 'point' solutions or advice that does not address the overall key need. Looks at the wider 'system' including sociotechnical considerations (e.g., the role the user plays in meeting the desired security outcomes). Provides security advice that extends beyond particular technologies with which the candidate is familiar and draws upon and directs appropriate expertise to solve the bigger security problem. Ensures the overall technical coherence and quality of advice. Together with assurance experts, develops and applies novel approaches to assurance of products/systems/services. Understands and applies different approaches to product, implementation, and operational assurance. Uses each appropriately to derive a genuine understanding of confidence that the overall business objective is protected. Provides technical leadership for specific experts (be they pen-testers, product, or behavioural assurance, for example) in the context of a specific technical assurance or confidence challenge. Effectively communicates difficult risk and security concepts in accessible ways that can be clearly understood by business leaders. Contributes to and develops risk communication strategies.
* Information risk assessment and risk management: Understands the organisation's business drivers and approach to managing risk to support delivery of balanced and cost-effective risk management decisions on situations with a relatively well-defined scope. Relates risk to corporate governance, organisational strategic direction, and planning. Delivers or reviews risk assessments using appropriate risk assessment methods for common scenarios such as enterprise IT systems. Inspects and reports on the security characteristics of systems with straightforward scope. Has a good understanding of how assessed risks are addressed as part of an approach to risk treatment.
* Protective security: Applies concepts of protective security within the context of the other specialisms/enablers and keeps knowledge up to date. Champions protective security within the wider security function, providing advice to others.
* Threat understanding: Interprets sources of threat information for the local environment and applies knowledge of the external environment. Maintains understanding of local and strategic threat environments, and trends affecting the landscape, and can apply to inform and provide context. Uses local and strategic threat information in decision-making and planning. Communicates tailored threat information to relevant local stakeholders within the organisation.

Please be aware that this role can only be worked within the UK and not Overseas.

In applying for this role, you acknowledge the following: "this role falls in scope of the Off Payroll Working in the Public Sector legislation. Any rates of payment quoted will reflect the gross rate per day for the assignment and will be subject to appropriate taxes and statutory costs. As such the payment to the intermediary and your income resulting from this contract will be different."