Senior Information Risk Advisor

Senior Information Risk Advisor page is loaded Senior Information Risk Advisor Apply locations Cumbria time type Full time posted on Posted 30+ Days Ago job requisition id R2077475

Title:

The Programme and Project Partners (PPP) model was mobilised in 2019 with the purpose of transforming major project delivery at the Sellafield nuclear site.

The partnership brings together KBR, Jacobs, Morgan Sindall Infrastructure, Altrad Babcock and Sellafield Ltd to deliver a 20-year pipeline of major infrastructure projects to support the decommissioning of Sellafield and to create a clean and safe environment for future generations.

In delivering its pipeline of large-scale infrastructure projects, PPP is creating opportunities for its people, supply chain, economy and communities.

KBR’s rapidly growing nuclear team of teams is working at the forefront of the UK’s nuclear space on some of the most exciting new-build, defence and decommissioning programmes.

KBR was recently named a “Great Place to Work-Certified” company in 2023, an honour that underscores the company’s commitment to being a UK employer of choice for people who want to do work that matters.

Due to the nature of our work and security requirements, KBR does not offer sponsorship. We can only consider applicants with the right to live and work in the United Kingdom

We are an Equal Opportunities employer and strive to build a workforce that truly reflects the communities we represent. We welcome candidates from all backgrounds, regardless of age, disability, gender, gender identity, gender expression, race, religion or belief, sexual orientation, socioeconomic background, and any other protected characteristic. If you decide to apply for an opportunity with us, your application will be assessed based purely on your experience, the essential and desirable criteria, and your suitability for the role. 

#LI-JI1 #LI-HYBRID

Project: PPP Digital

Reports to: Head of IT / ITSO

Location: Warrington / Cumbria, 2 / 3 days per week on site with travel to opposite site potentially once per month

Qualifications, Experience and Skills

Qualifications :

• Qualification or membership of a professional body in Information Security.
• Qualification as an NCSC Cyber Certified Practitioner (CCP) at SIRA level, or a former GCHQ CESG CLAS consultant
• Significant experience in applying Cyber Security Standards.
• Experience in applying technical information technology and information assurance controls to business information models
• Experience of working in a Regulated environment.

Experience and Skills:

Essential:

• A good understanding of Cyber Security threats and exploitation.
• A good understanding of ICT (both IT and OT) architecture.
• A good understanding of NCSC architectural approach.
• Ability to interpret business requirements and technical ICT documents into Cyber Security requirements.
• Good understanding and knowledge of ICT systems (software, hardware and networks) and applications both legacy and current.
• Good communication skills across all levels of the business and able to talk to non-specialists, specialists and senior stakeholders.
• Ability to work independently and unsupervised.
• Excellent problem solving skills.
• Methodical and logical approach.
• Self-motivated and can demonstrate high levels of resilience, honesty and integrity.

Desirable:

• Ideally qualified at a minimum of degree level in an IT, Cyber Security, or associated technical or engineering studies.
• CISSP or equivalent.
• Experience of working with operational cyber security teams.
• Experience of working with Regulators/in a Regulated environment.

General:

The Senior Information Risk Adviser (SIRA) is an autonomous risk role to support the PPP ITSO and Head of IT with understanding the technology risks and propose mitigations to assist in establishing and maintaining an enduring cyber security and information assurance posture. The role’s primary function is to conduct formal risk assessments on the PPP IT environment that supports PPP business needs whilst satisfying SL and ONR/ICO Regulatory requirements. The role’s secondary function is to assist in developing the “secure by design” approach for the delivery of programmes and projects by PPP.

The role has a broad scope spanning technical and process risk across the cyber security, information security and privacy space and will necessitate engagement with SL CS&IA (Cyber Operations, Assurance, Risk, Data Protection), SL ISO (Architecture, Service and Knowledge Management), SL Cyber Programme and PPP Partners. The output will include (but is not limited to) the production of formal risk assessments conducted to the standards acceptable to SL, including but not limited to HMG IS1, IRAM 2 or other ISO27005 assessments as agreed. The output will be used to determine the exposure to risks and likelihood of materialisation, required mitigations and support to PPP CS&IA planning necessary to support correctness of posture, satisfy Regulatory matters.

In order to provide the outcomes above, it is envisaged that the SIRA role will be responsible for:

• Formal risk assessment of the PPP O365/Azure security configuration and other systems.
• Recommendations around mitigations necessary to minimise the materialisation of identified risks in line with the SL risk framework.
• Production of risk reports to support the PPP ITSO with the PPP CS&IA Plan.
• Represents PPP cyber risk exposure in any security related working groups within SL, Regulatory or internal PPP environs.
• Analysis of system configurations and in cognisance of NCSC guidance, determination of associated risk in relation to systems or solutions developed or implemented by PPP Partners for SL.
• Assists with input to the risk tracking of PPP related cyber risks and the management of a PPP Cyber and Information security/privacy risks by the PPP ITSO for the PPP ICT Manager.
• Formal determination of cyber and information security/privacy related risks and issues.

Specific: 

• Knowledge of Civil Nuclear Information security requirements and NCSC good practice.
• Understanding and knowledge of the strengths and weakness of modern ICT technology to identify vulnerabilities when assessing information systems architectures and designs.
• Knowledge and experience of network and systems management.
• Knowledge and use of security and privacy policy (including but not limited to ISO27001, ISO 27005, ISO22301, NISR 2013, NIST 800-53, EU GDPR and DPA 2018)
• Knowledge of Cyber Security models and frameworks (NIST PDRR, Mitre ATT&CK, ONR SyAPs).
• Thorough knowledge of Cyber Security risk methodologies including but not limited to HMG IS1, IRAM 2 and others such as NIST RMF (800-37)

KBR — Delivering Solutions, Changing the World.

KBR brings together the best and brightest to deliver science, technology and engineering solutions that help governments and companies around the world accomplish their most critical missions and objectives.

In everything we do, we are guided by our ONE KBR Values:

We Value Our People – We create diverse, inclusive environments in which each person can feel safe, respected and valued, and where everyone has opportunities to grow and reach their full potential.

We Deliver – We are uncompromising in our commitment to deliver innovative, high-quality, technology-led solutions for our customers and exceptional, sustainable value for all our stakeholders.

We Are People of Integrity – We value honesty, trust, courage, fairness, prudence and tenacity. We believe doing what’s right for the planet, the communities where we work, and our people is good for business.

We Empower – We empower our people with a shared purpose, the right tools and the supportive culture they need to be proactive decision-makers, to be adaptive to change, and to succeed.

We Are a Team of Teams – We have a will to succeed, but we value the achievements of our team of teams over individual accomplishments. Our collective focus makes us a better, stronger, more effective company.

We have also embedded environmental, social and governance (ESG) principles in every business operation and corporate function. Not only are we committed to operating safely, sustainably and equitably, but we are also committed to using our capabilities and expertise to help our customers accomplish their sustainability goals.

Worldwide, KBR employs a diverse workforce approximately 29,000 people strong, with customers in more than 80 countries and operations in 40 countries.

At KBR, We Deliver.

Fraud has infiltrated the job placement market via the internet, email and direct phone contact. Attempts have included unauthorized use of KBR’s name and logo to solicit potential job seekers or to extend false job offers. Bad actors may mix in fake job advertisements with legitimate postings. These ads can include contact instructions and require job seekers to send sensitive personal information or money to pay for visa applications, processing fees, etc., in exchange for consideration for a high-paying position.

KBR will never ask for any sort of advance payment as part of the recruiting/hiring process. Candidate profiles are carefully managed to protect personal information.